Back in December 2012, the Victorian Attorney-General announced reforms to strengthen data security and privacy within the Victorian public sector, including establishing a new Privacy and Data Protection Commissioner.
In June 2014, the Victorian Government introduced the Privacy and Data Protection Bill 2014 (Bill), which, if made, will implement these reforms (including the repeal of the Information Privacy Act 2000 (Vic) (IPA) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic) (CLEDS Act)). This update gives an overview of the Bill and its implications for the Victorian public sector, including Councils.
Overview of reforms
New Commissioner for Privacy and Data Protection
If made, there will be a Commissioner for Privacy and Data Protection, with the existing offices of the Privacy Commissioner and Commissioner for Law Enforcement Data Security abolished. The Commissioner has particular functions in relation to information privacy, such as promoting understanding of the Information Privacy Principles (IPPs), receiving complaints, issuing compliance notices and conducting audits. The Commissioner also has particular functions with respect to protective data security and law enforcement data, including issuing protective data security standards and law enforcement data security standards and developing the Victorian protective data security framework. Part 6 of the Bill discusses the functions and powers of the new Commissioner.
The Bill repeals the IPA. In its place, Part 3 of the Bill deals with Information Privacy and largely follows what was in the IPA, including re-enacting unchanged the IPPs as listed in Schedule 1.
Accordingly, public sector agencies and Councils must not do an act, or engage in a practice, that contravenes an IPP in respect of personal information collected, held, managed, used, disclosed or transferred by them. Doing so constitutes an interference with privacy. The IPPs apply in relation to all personal information, whether collected before or after the commencement of the Act.
Three new developments are public interest determinations, approved information usage arrangements, and current certificates. Anything done contrary to, or inconsistent with, these is an interference with privacy. These are in addition to codes of practice, which continue to be available to be developed.
Public interest determinations
Public interest determinations, and temporary public interest determinations, can be sought for an act or practice that contravenes an IPP (other than IPP 4 or 6) or an approved code of practice. Applications are made to the Commissioner and may be made where the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in complying with the IPP or approved code of practice. These determinations are subject to disallowance by the Parliament. A temporary determination is suitable if circumstances require a determination be made urgently. Such determinations must not exceed 12 months and may also be disallowed by the Parliament.
Approved information usage arrangements
As for approved information usage arrangements, this is an arrangement that sets out acts or practices for handling personal information to be undertaken in relation to one or more public purposes. It also either modifies the application of the IPPs or an approved code of practice, provides that the practice does not need to comply with an IPP or approved code of practice, or permits handling personal information for the purposes of an 'information handling provision'. The latter means a provision of an Act that permits handling of personal information as authorised or required by law or by or under an Act, or in circumstances or for purposes required by law or by or under an Act. As explained by the Explanatory Memorandum:
Information handling provisions are intended to address the situation where organisations are uncertain about the interpretation of information sharing provisions in their legislation, or there is disagreement between relevant organisations as to the correct interpretation of or interaction between information management provisions in relevant statutes.
The Bill sets out what information usage arrangements must contain. Applications for approval of an information usage arrangement are made to the Commissioner. The Commissioner must issue a report about the arrangement and, if satisfied of certain matters, a certificate about the arrangement. This is then sent to the responsible Minister for approval.
The Commissioner may also issue a current certificate that certifies that a specified act or practice of an organisation is consistent with an IPP, approved code of practice or information handling provision. This could be likened to an ATO Ruling. The decision to issue a current certificate is reviewable at VCAT.
Administering public registers
Public sector agencies and Councils must also, in administering a public register, so far as is reasonably practicable, not do an act or engage in a practice that would contravene an IPP. This does not apply if the act or practice is permitted under a public interest determination or approved information usage arrangement.
The Explanatory Memorandum to the Bill states that public registers are 'not immune from information privacy regulation' because of 'the potential for abuse through, for example, bulk commercial use of information'. The use of online public registers in particular is singled out. The Explanatory Memorandum states:
It is envisaged that organisations having responsibility for maintaining public registers that are made available over the internet will maintain a high standard of currency and accuracy of information on their website. In addition, it is expected that these organisations will ensure that other search engines that tap into the site, and archives that store information on it, do not retain any inaccurate data.
The Explanatory Memorandum notes that it is open to organisations to seek a code of practice on 'how they will manage personal information on a public register responsibly and transparently according to their statutory obligations, and to restrict any potential for abuse.'
Exemptions – law enforcement and Parliamentary Committees
There continues to be a law enforcement exemption under the Bill but the definition of 'law enforcement agency' has changed. It includes particular organisations whose functions include law enforcement, as well as organisations that exercise law enforcement functions even if those functions are a small part of their overall operations. Examples given in the Explanatory Memorandum are the Department of Environment and Primary Industries investigating and prosecuting specific environmental offences, and the Department of Human Services undertaking investigations into notifications of possible child abuse. It would also clearly cover Councils exercising their law enforcement functions, such as building, planning and local law enforcement.
There is a new exemption for Parliamentary Committees. The Bill provides that nothing in the Act, an IPP or a data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information by a Parliamentary Committee in the course of carrying out its functions as a Parliamentary Committee. The existing exemptions for Courts and Tribunals, and publicly available information, continue to operate.
Parts 4 and 5 of the Bill deal with data security.
Part 4 applies to public sector agencies, including Victorian Government Departments and Victorian Administrative Offices (such as the Environment Protection Authority and Public Records Office).
It does not apply to:
- public hospitals
- ambulance services.
Under Part 4, the Commissioner must develop the Victorian protective data security framework for monitoring and assuring the security of public sector data.
The Explanatory Memorandum notes:
It is recognised that a number of public sector entities have previously adapted other existing guidance on protective data security to their entity's needs. For this reason, the Victorian protective data security framework is required to be as consistent as possible with recognised existing guidance in this field as prescribed.
The Commissioner may issue standards, consistent with this framework, for the security, confidentiality and integrity of public sector data and access to public sector data (to be known as 'protective data security standards'). The Explanatory Memorandum states:
Both the framework and the related standards … are expected to draw on the principal elements of existing whole of Victorian government security policies, Australian and international security standards, policies, schemes, frameworks and benchmarks including alignment with the Australian Government Protective Security Policy Framework (PSPF) in relation to data security specifically. However the Victorian standards will depart from the PSPF in a number of ways designed to support State government service delivery functions and reflect contemporary security standards.
The Commissioner must not issue a protective data security standard unless it has been agreed by both the Attorney-General and the Minister for Technology.
Obligations for public sector bodies
A public sector body Head for an agency must ensure that the agency does not do an act or engage in a practice that contravenes a protective data security standard in respect of public sector data held by it and public sector data systems kept by it. This obligation extends to ensuring that these requirements are also met by any contracted service provider. Accordingly, the public sector body Head must ensure that its contract with a contracted service provider imposes appropriate obligations on it to comply with any relevant protective data security standards.
Looking forward, a public sector body Head must ensure that a security risk profile assessment is undertaken and a protective data security plan is developed for the public sector agency, including an assessment of a contracted service provider. This plan must be provided to the Commissioner and must be reviewed if there is a significant change in the operating environment or the security risks relevant to that agency or body, or otherwise every two years. Additionally, the Commissioner can request access to any public sector data or any public sector organisation’s data system to allow the Commissioner to monitor compliance with data security standards and to undertake reviews relating to protective data security as requested by the Minister.
Part 5 of the Bill applies to Victoria Police and the Chief Statistician and associated persons in respect of crime statistics data. Under Part 5, the Commissioner may issue standards for the security and integrity of law enforcement data systems and crime statistics data systems, and access to, and release of, law enforcement and crime statistics data. These bodies must then comply with any such standards.
Summary of changes
Some of the key changes as a result of the introduction of the Bill are:
- the Bill repeals and consolidates the IPA and the CLEDS Act
- the Bill establishes the Commissioner for Privacy and Data Protection
- the Bill deals with information privacy and largely follows what was in the IPA, including re-enacting unchanged IPPs
- in the privacy space, the Bill introduces three new developments (public interest determinations, approved information usage arrangements, and current certificates)
- the Bill introduces the protective data security arrangements which will apply to Victorian public sector agencies or bodies
- the Bill also provides for the issuing of standards for the security and integrity of law enforcement data systems and crime statistics data systems.
Implications for Victorian Public Sector
If made, the Act will come into operation on a day to be proclaimed or on 9 December 2014, whichever is earlier. This means there are at most six months for the Victorian public sector to get ready for the changes.
This will include updating:
- privacy policies
- collection statements
- contractual clauses to be used when outsourcing.
All public registers should also be reviewed to ensure they comply with the IPPs and, if not, consideration should be given to seeking approval for a code of practice, public interest determination or information usage arrangement. Particular care should be given to online public registers. For public sector agencies, it will be important to monitor the implementation of the protective data security framework and standards and then align internal policies with these to ensure compliance. Action will also need to be taken to ensure contracts impose appropriate obligations on contracted service providers to comply with any relevant protective data security standards.