Showing posts with label Technology. Show all posts

Tuesday 17 October 2017

Victorian Government releases its first cyber security strategy

Gavin Jennings, the Special Minister of State, announced the Victorian Government Cyber Security Strategy on 25 August 2017. The Victorian Government Solicitor's Office is proud to host a panel discussion on Monday 23 October 2017 regarding Cyber Security and the whole of Victorian Government approach to improve capability and resilience. The event is free and all members of the Victorian Public Service are welcome to attend. You can register for the event here.

The Strategy is to bring a whole of government approach to cyber security to help Victorian Government digital infrastructure better respond to the evolving cyber security environment.  The strategy notes that the security environment is becoming significantly more sophisticated, and as such a more sophisticated approach to cyber security is warranted. This is addressed in 23 action points in 5 categories of action.

Previously, cyber security has been managed on an agency by agency basis, with guidance from sources such as the Victorian Protective Data Security Framework.  The strategy aims to leverage all Government learning in the area, in recognition that not all agencies have the same resources to deal with the cyber threat.

The key element announced is the creation of the Chief Information Security Officer within the Department of Premier and Cabinet. Mr John O'Driscoll has been appointed to the role and will be responsible for overseeing Government's response to the cyber threat, developing best practice, providing assurance, reporting internally on the Government's cyber security status and coordinating cross Government action. You can read the media release announcing the appointment here.

The strategy also aims to enhance Government capability in terms of strategic planning, reporting and technical proficiency, both through partnering agreements and a dedicated push for skilled workers.

We anticipate rapid change in this space, with 19 of the 23 action points due to be delivered by April 2018.

If you'd like to discuss managing the legal risks relating to a cyber security breach, please contact us:

Isabel Parsons
Managing Principal Solicitor
9947 1405

Tina Lee
Principal Solicitor
9947 1426

James Stephens
Principal Solicitor
9947 1422

Stuart Taylor
Solicitor
9947 1415

Tuesday 13 June 2017

Coming soon! Cyber security audits announced by VAGO


The Victorian Auditor-General’s Office (VAGO) has this month announced plans to conduct audits on departments and agencies to assess their implementation of the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS), as well as cyber security strategy.

The audits, to run in 2018-19, will ascertain whether the VPDSF and VPDSS have been effective in improving cyber resilience in government to determine whether departments and agencies can adequately prevent, respond to and recover from cyber security attacks.

The Commissioner for Privacy and Data Protection released the VPDSF and VPDSS in mid-2016 to provide direction for Victorian public sector agencies on their data security obligations.  Department heads must prepare Protective Data Security Plans to address the VPDSS and submit the plan to the Commissioner.

Whilst VAGO will be undertaking performance audits for the purpose of ascertaining the effectiveness of the VPDSF and VPDSS in improving government's cyber resilience, the Commissioner may also conduct monitoring and assurance activities, including audits, to ascertain whether departments and agencies are complying with data security standards.

If you would like to know more, contact:

Rebecca Radford
9947 1403

Snezana Stojanoska
9947 1412

James Stephens
9947 1422

Friday 27 January 2017

Personal Information and Metadata: Is the Telstra case really the most important Australian Privacy case to date? We're not so sure.

The Full Federal Court has taken a narrower view of 'personal information' under Commonwealth privacy law than the view preferred by the Australian Privacy Commissioner. However, the decision does not necessarily narrow the statutory definition.

The case related to a journalist's request to Telstra for metadata regarding his mobile phone. The Full Court disagreed with the Commissioner's appeal and confirmed that personal information must be 'about' an individual, and not only information from which the individual's identity could be reasonably ascertained.

The Court expressed doubts about the usefulness of the orders that the Commissioner wanted, and noted that applications by non-parties to make submissions relied on overseas laws with different wording, and appeared to raise issues that went beyond the point being appealed.

While a high level of attention has been given to the case, some commentary has not been substantiated in the decision itself. The case is likely to have limited impact on how the Victorian definition of 'personal information' is interpreted, and might have limited impact more generally because the decision itself is a narrow one. The Full Court did not decide whether the 'metadata' requested in that case was personal information, or rule on hypothetical examples or criteria to assess whether it was. Rather, it confirmed an evaluation will still be necessary in each case based on the facts and circumstances. This includes whether an item of information might be 'about' a person when considered along with other information. Also, the definition of 'personal information' in Commonwealth privacy law has changed since the time the decision relates to.

If you'd like to discuss any of the issues raised by this decision please call James Stephens or Snezana Stojanoska.

James Stephens
Principal Solicitor
03 9947 1422

Snezana Stojanoska
Solicitor
03 9947 1412


Thursday 4 August 2016

Shining a light on innovation…

Everyone is talking about innovation - the Commonwealth Government wants us to be an 'innovation nation' and entrepreneurs like Elon Musk and Steve Jobs are the rock stars of our era.  Innovation is often associated with technology, investment banking and start ups.  Like all stereotypes, it tells only part of the story.  Some of the most interesting innovation is happening in our backyard - the Victorian public sector.

In addition to encouraging innovation in the private sector, the Victorian Government is encouraging the public sector to consider how we can perform our functions and deliver public services better. What is better depends on what you are trying to achieve - it might mean 'better', in the sense that a citizen gets the public service they need more quickly and easily; it might mean 'better', in the sense of more efficient use of public money; or maybe it means 'better' in the sense of a new function being performed that was previously thought to be impossible or outside of the capacity of the public sector.

The Victorian Government is supporting the public sector to act on their innovative ideas through:

  • The Public Sector Innovation Fund provides funding support for pilot projects that test or prove new knowledge, technologies, processes or practices to deliver public value and that can be scaled or replicated across government.  Grants of $50,000 to $400,000 are available.
  • At the Australian Information Industry Association iAwards, the Premier will award the inaugural iAward for Public Sector Innovation. The winner will be revealed on 1 September 2016.

Examples of projects already funded by the Public Sector Innovation Fund include:

  • Code for Victoria Challenge, in which three teams of Code for Australia Fellows will be placed within government departments for six months. The Fellows will create new tools or streamline processes that will make government information more open and accessible online, and improve the delivery of government services. The first round of the Code for Victoria Innovation Challenge recipients have just been announced this week.
  • The 2016 Budget Hack brought together the public sector, the tech community and industry leaders to find new and better ways to visualise, use and leverage data from the State Budget. The winning entry, Bling My Suburbs, allows users to search budget information by suburb. The other entries in the top three included Budget Pie, which allows a user to see how much funding was allocated to the issues affecting them (i.e. how much of the pie do my issues get?!), and Ask Budget, which uses a word cloud to identify how frequently an issue was mentioned and then summarises the mentions.

Many of the innovations are not complicated, nor did they require a Steve Jobs to think of them. Many of the examples of public sector innovation start with an idea or feedback from a citizen. For example:

  • Service Victoria is creating a 'one stop shop' for citizens looking for government information. I tried it out on my sister, who is moving house this weekend. Through some simple questions asked of the website over dinner, my sister found the right places to change her driver's licence, find out who her new council and MPs are, when her hard rubbish collection is and how much her rates will be. Service Victoria received additional funding in the recent State Budget, which will enable it to implement its objective of digitising more government transactions.
  • EPA AirWatch provides visual information on air quality on an hourly basis.  Using a Google map, the user can see the status of air quality at a monitoring station (Very Good, Good, Poor, etc) and then see a more detailed break down of the readings, including a health category.
  • The online family violence intervention application form allows people to apply for intervention orders online, rather than by submitting a paper form. The online format allows high risk cases to be flagged and brought to the attention of a magistrate earlier. The form has been piloted at the Neighbourhood Justice Centre and, with a grant from the Public Sector Innovation Fund, will now be rolled out to the Magistrates' Court.

Innovation is also happening in government legal services.

  • Government departments are exploring ways in which government can benefit from 'the new legal paradigm', in which technology and new business models are reducing legal costs and communication styles are changing.  Some departments have started the conversation with panel law firms.
  • VGSO has appointed its first Innovation Counsel who has challenged and evangelised our lawyers to explore with government agencies how legal services can be delivered in ways that better meet the needs of government.

Everyone is talking innovation - and the Victorian public sector is doing innovation.  How is your agency innovating?  What do you think the public sector could do differently or better?  Tell us your thoughts in the comments.

To find out more please contact:

Katie Miller
Innovation Counsel

Andrew Suddick
General Counsel

Joanne Kummrow
Special Counsel

Thursday 4 June 2015

Smile, you could be on 'body worn camera'

Take a closer look at all the gadgets and equipment worn by your local police officer and you might notice a small vest-mounted video camera attached to his or her lapel. The camera, called a body worn camera (BWC), records police interactions with the public, and BWCs may soon be worn by front line officers across the country.

According to news reports, BWCs are popular and have been trialled in every Australian state. For example:

Even in the US, President Obama has reportedly asked Congress for $263 million over three years for 50,000 BWCs across the country following the tragic events in Ferguson, Missouri. It wouldn't be surprising to see the use of BWCs extend beyond policing to other areas of enforcement - perhaps parking inspectors, park rangers or fisheries officers keen to document their encounters on duty.

What are their key advantages?


1. Potential reduction in violence.

There is little data on the efficacy of BWCs, but what exists is positive.  The most widely cited study tracked their use by police in Rialto, California.  There, Cambridge researchers found that the use of BWCs decreased incidents of the use of force by 59% and complaints against police by 87%.

Although limited, the study suggests that people are less willing to resort to violence and that police behaviour improves when both parties know they are being recorded, and it also appears to deter members of the public from bringing spurious complaints.

2. Use as an evidentiary tool.

For investigating and prosecuting agencies, the BWC is no doubt appealing as an evidentiary tool.  Clear, verifiable footage captured by BWCs could reduce hours in court examining and verifying the veracity of oral accounts.  This in turn would reduce the public resources spent on each trial and enable courts to hear more cases in less time.

However, investigating agencies using or considering using BWC footage as evidence will need to take into account a range of factors including:

  • Admissibility requirements. The admissibility of footage captured by body worn cameras will generally be governed by the principles which apply to the admissibility of evidence in general.  In Victoria these principles are set out in the Evidence Act 2008, which generally provides that evidence is admissible if it is relevant to the issues in dispute between the parties and either is not hearsay or, if hearsay, falls within an exception to the hearsay rule.  However, depending on the jurisdiction in which the dispute is brought, other provisions may be applicable: see for example s 98(1)(b) of the Victorian Civil and Administrative Tribunal Act 1998.
  • Pre-trial disclosure requirements. Agencies will need to be equipped to hand over relevant footage, or at least have facilities for defence lawyers to view the footage in a secure setting.  Whether interested parties, including the media, can access footage when no prosecution is on foot will be another matter for determination.

Other legal considerations


Privacy 


To date, no specific Victorian legislation removes the statutory privacy obligations of police and other agencies using BWCs.  Agencies intending to use BWCs should therefore ensure that their use complies with legislation regulating the collection, use and disclosure of personal and health information, and in particular the Charter of Human Rights and Responsibilities Act 2006, the Privacy and Data Protection Act 2014 (PDP Act) and the Health Records Act 2001. Notably, the law enforcement exemption to the PDP Act, if applicable, would allow Victoria Police to collect, use, disclose and restrict access to information recorded by BWCs when reasonably necessary to carry out law enforcement functions. In some circumstances the Surveillance Devices Act 1999 may also apply. Amendments to privacy notices are likely to be required.

The law also restricts publication of personal and sensitive information including details of sexual assault, family violence victims and children involved in court proceedings, and information that could prejudice the fairness of any pending or in progress trials.  Agencies will need to be especially careful to identify and appropriately deal with personal information of third parties that is captured in background events and peripheral conversations.

Data retention


Information collected via BWCs must be securely stored and otherwise dealt with in accordance with legislation, including the Public Records Act 1973 and the PDP Act Parts 4 and 5 as applicable.  From a practical perspective, continuous recording could mean enormous data storage costs, so agencies will need to develop policies on when to turn the cameras on and off. For example, it has been reported that the practice in the Northern Territory is to turn on the BWC only when police exercise their powers or 'make customer contact or custody'.

For further information on these issues please contact members of our Policing Practice Group or Technology and Data Protection Practice Group:

Louise Jarrett
Managing Principal Solicitor
t 9247 6798
louise.jarrett@vgso.vic.gov.au

Grahame Best
Solicitor
t 9247 6425
grahame.best@vgso.vic.gov.au

Deidre Missingham
Senior Solicitor
t 8684 0483
deidre.missingham@vgso.vic.gov.au

Thursday 12 February 2015

WA Supreme Court delivers explicit message on privacy: compensation awarded to Facebook post victim

A woman who was the subject of sexually explicit social media posts by her ex-boyfriend has been awarded almost $50,000 in damages, in a further development of the protection of privacy in Australia.

The facts


In the recent case of Wilson v Ferguson, the plaintiff claimed that her former partner had breached an equitable duty of confidence by posting sexually explicit photographs and videos of her on the internet.

The couple had sent each other explicit photographs over the course of their relationship.  The defendant also took naked photographs of the plaintiff with her consent.  On one occasion, the defendant accessed the plaintiff's phone without her permission and emailed himself videos of the plaintiff engaging in sexual activity.

Following the break-down of the relationship, the defendant posted 16 explicit photographs and two videos of the plaintiff on his Facebook page, along with offensive comments.  The images were accessible to hundreds of the defendant's 'Facebook friends' - many of whom also knew the plaintiff - before they were removed several hours later.

Judgment


The Supreme Court of Western Australia found that the defendant had breached an equitable duty of confidence owed to the plaintiff.  The elements for succeeding in an action for breach of confidence are:


  • the information in question was of a confidential nature (i.e., not widely known);
  • the information was communicated or obtained in circumstances importing an obligation of confidence; and
  • the information was used or disclosed without authorisation.


The Court found that where a person shares intimate photographs in the context of a relationship, it is ordinarily on the implied condition that the photographs are to be kept confidential.  In this case, the plaintiff's expectation that the material be kept private was confirmed in her conversations with the defendant.  The Court also found that by accessing sexually explicit videos from the plaintiff's phone without her knowledge, the defendant was placed under a duty to keep those videos confidential.  The Court was satisfied that posting the material on Facebook was a clear misuse of the confidential information.

A new avenue of redress for victims?


While there are numerous criminal offences which involve breaches of privacy (such as stalking, the use of surveillance devices and the interception of telecommunications), the common law action for breach of privacy remains relatively undeveloped in Australia.   As recently reported by the Australian Law Reform Commission, this means there are limited avenues of redress for persons who have suffered from serious intrusions on their privacy.

Plaintiffs have occasionally brought actions for breach of confidence, where the usual remedy is an injunction to prevent the publication, or further publication, of the confidential information.  Equitable damages have traditionally been awarded for economic loss, but not for distress that falls short of a psychiatric injury.  Accordingly, this cause of action has not been seen as useful for plaintiffs who suffer embarrassment, but no financial harm.

Importantly, in Wilson v Ferguson, the Court not only granted an injunction preventing the defendant from republishing the explicit images of the plaintiff, but also awarded equitable damages of $35,000 to the plaintiff as compensation for the distress caused by the dissemination of the images.  The Court expressly relied upon the 2008 Victorian Court of Appeal decision of Giller v Procopets  in determining that such damages were available.  The defendant was ordered to pay a further $13,404 in equitable damages for economic loss, to cover the plaintiff's time off work following the incident.

As such, this case represents a potentially significant precedent on the award of equitable damages for emotional distress for the misuse of personal information.  If the decision is followed, bringing a legal action for breach of confidence may become a far more attractive avenue of redress for people who have suffered from serious invasions of their privacy where there was an obligation of confidentiality.

A cautionary tale of the use of technology…


One of the Court's key reasons for expanding the award of equitable damages was the recognition that the law needs to keep pace with the use of technology in modern society. As Justice Mitchell remarked, it is not uncommon for people in relationships to use mobile phones to share intimate communications, and the internet is an easily accessible platform to disseminate those communications with the world. Although the explicit images in this case were removed from the defendant's Facebook page just hours after being posted, the damage had already been done. The award of almost $50,000 damages against the defendant comes as a timely reminder that comments and postings made online in the spur-of-the-moment can have far-reaching 'real world' consequences.

For information on privacy law and related criminal offences, please contact:

Louise Jarrett
Acting Managing Principal Solicitor
louise.jarret@vgso.vic.gov.au 

Amy Galeotti
Solicitor
amy.galeotti@vgso.vic.gov.au

Friday 16 May 2014

eServices Contract released!

Victorian government purchasers are required to engage suppliers of information and communication technology (ICT) products and services using a cloud based procurement platform called the eServices Register. The eServices Register provides a streamlined process for engaging suppliers of eServices.  It is mandatory to use for inner budget agencies and administrative offices as defined in the Public Administration Act 2004.

The eServices Contract was released on 8 April 2014. It replaces an interim eServices Contract that was previously in place. The contract was finalised after extensive consultation with various government and industry stakeholders. The release of the contract means that government purchasers are able to approach suppliers for each procurement using a known set of terms.

The contract is mandatory for use with all engagements under the eServices Register for new procurements. The interim contract can still be used for projects that were 'in flight' at the date of the release of the final contract.

What types of eServices are covered by the contract?

There are various categories of eServices that are covered by the eServices Contract.  These include:

  • Professional Services - that is, ICT consultancy services;
  • Cloud Services -  including Software as a Service (SaaS) or Infrastructure as a Service (IaaS) and related services;
  • Implementation Services - the implementation of new software applications.  It does not cover the implementation of commercial off-the-shelf software;
  • Development Services - the development of new software applications.  This does not include customising commercial off-the-shelf software;
  • Hosting Services - the hosting of an agency's software application or website on a supplier's server;
  • Managed Services - the management by a supplier of an agency's software application or function;
  • Maintenance and Support Services - maintenance and support services in relation to software; and
  • Hardware Services - maintenance and support services in relation to ICT hardware.  

The eServices Contract should not be used to purchase software licences (where there will be no associated eServices) or hardware.

Structure of Contract

The eServices Contract consists of the following documents (in descending order of priority):

  • the eServices Terms;
  • the Contract Variables;
  • the Purchaser's Request; and
  • the Supplier's Response.

Each of these documents is explained below:

The eServices Terms

The eServices Terms are the standard terms and conditions for the eServices Contract.  The parties will not be able to negotiate or amend these terms.

The eServices Terms state that the Contract Variables, the Purchaser's Request and the Supplier's Response all form part of the contract.

The Contract Variables

The Contract Variables is the only document that can be negotiated by the parties.  It has been structured to enable the parties to specify:

  • the particular categories of eServices that apply under the contract; and
  • the specific arrangements that apply under the contract.

If the Contract Variables specify that specific categories of eServices apply, corresponding clauses in the eServices Terms are adopted.

The Purchaser's Request

The Purchaser's Request is the document that invites suppliers to submit a bid for the services.  It is made available to suppliers via the eServices Register. 

It should specify, amongst other things, the scope of the services to be provided and the criteria that will be used to evaluate bids by the supplier. 

Common examples of a Purchaser's Request include:

  • Request for Tender (RFT);
  • Request for Quotation (RFQ); and
  • Request for Proposal (RFP). 

The Supplier's Response

The Supplier's Response is the document that comprises the bid that has been submitted by the preferred supplier on the eServices Register in response to the Purchaser's Request.  This document would normally provide a description of the approach that has been proposed by the supplier in delivering the project.


Further Information

If you would like to access the eServices Contract, it can be found on the eServices Register Gateway.

To discuss the eServices Contract or the eServices Register generally, please contact:

9947 1405

9947 1407

9947 1426

9947 1402

Friday 28 February 2014

The VGSO’s guide to sexting

An employer in a Federal Court proceeding was recently forced to defend an attempt by a dismissed employee to have a number of private text messages - allegedly left on a work-issued mobile phone after it was issued to another employee - admitted into evidence.

Shea v TruEnergy Services Pty Ltd concerned an employee who had been dismissed by her employer, TruEnergy, on the grounds that her position had become redundant. The employee brought proceedings alleging that she had actually been dismissed for exercising a workplace right by making a number of complaints, and that her dismissal therefore constituted adverse action within the meaning of the Fair Work Act 2009 (Cth).

One of the employee's allegations during the course of the trial was that a culture of lewdness and sexual harassment prevailed in the workplace and that it was condoned by the managing director. She sought to have admitted into evidence a number of mobile phone text messages, apparently between the managing director and a former general counsel at TruEnergy with whom he was allegedly having an affair. Their content was, it was alleged, of a sexually explicit nature, and the employee submitted that this established the managing director's propensity to use lewd and sexualised language in the workplace.

The employee obtained the text messages via another former employee of TruEnergy who allegedly had been given a work-issued mobile phone that had not been cleared of its messages. That former employee still had possession of the phone and had failed to return it following the cessation of her employment.

TruEnergy sought to resist the admission of the text messages as evidence on the grounds that they were not relevant to any issue in the dispute, and in any event should be excluded as they were improperly or illegally obtained.

Justice Dodds-Streeton of the Federal Court agreed with TruEnergy and refused the admission of the evidence, finding that not only were the text messages 'intensely personal' communications, they were not relevant to any issue in the litigation. Her Honour also rejected the submission that, even if their contents could be described as 'lewd', it did not follow that the managing director would use such language in the workplace. Further, the messages were inadmissible due to the irregular or improper manner in which the employee had obtained this confidential material.

Although the contents of the mobile phone in this instance were held not to be admissible, this case serves as an important reminder to departments and agencies to ensure that employer-issued IT hardware, such as mobile phones and laptops, is properly wiped prior to being issued to a new employee, and that all equipment issued to an employee is recovered and retained when that employee leaves.

The case is also a reminder that, when it comes to evidence, relevance is still king. Even though litigators today have access to so much more information on phones, computers and social media, it's only going to be admitted into evidence if it is relevant to issues that the court or tribunal has to decide. In this sense, this case is just an example of old principles being applied to new (and fantastically salacious) facts.

If you are in the Victorian Government and you are thinking about sexting from a work phone, how about you first seek advice from:

Katie Miller
Managing Principal Solicitor
t 8684 0460
katie.miller@vgso.vic.gov.au

Retta Berryman
Trainee Solicitor
t 8684 0468
retta.berryman@vgso.vic.gov.au