Victorian public sector bodies will need to review their data systems and security.
New legislation assented to on 2 September 2014 significantly changes the regulatory landscape for privacy and data protection in the Victorian public sector.
The Privacy and Data Protection Act 2014 will replace the Information Privacy Act 2000 and the Commissioner for Law Enforcement Security Act 2005 with a single Act that is intended to strengthen the protection of personal information and other data held by the Victorian public sector. The new Act:
- enables public sector organisations to vary or avoid the application of some Information Privacy Principles (IPPs) in the public interest;
- provides for the development of a protective data security framework for the public sector; and
- merges the functions of the Privacy Commissioner and the Commissioner for Law Enforcement Data Security into a single Privacy and Data Protection Commissioner.
While the new Act re-enacts the existing IPPs and much of the existing privacy compliance framework, it has implications both for government departments and agencies and for private sector organisations that contract with them.
Most provisions of the Act will come into operation on 9 December 2014 (although they may be proclaimed to commence on an earlier date).
Modifying privacy obligations
The Act establishes three mechanisms by which acts or practices which would otherwise breach privacy requirements may be engaged in, provided it is in the public interest.
First, the Act provides for Information Usage Arrangements (IUAs). IUAs can either:
- modify the application of specified IPPs (other than IPP 4 (security) or IPP 6 (access and correction)) to specified acts or practices involving the handling of personal information, or exempt such acts or practices from the application of those IPPs; or
- provide that an act or practice that is covered by the arrangement is required or authorised for the purposes of an information handling provision in another Act.
An organisation may apply to the Commissioner for approval of an IUA on its own behalf or in conjunction with one or more other organisations (including private sector bodies).
The Commissioner must consider whether the public interest in the applicant(s) engaging in the specified acts or practices substantially outweighs the public interest in adhering to the applicable IPPs. If satisfied that it does, the Commissioner is required to certify the IUA. Approval of relevant Ministers is also required.
Second, the Act provides for the Commissioner to certify that specified acts or practices are consistent with applicable privacy requirements. The effect of certification is that a person who engages in the act or practice in good faith does not contravene the specified requirement(s).
Third, the Act also makes provision for the Commissioner to make public interest determinations. Like similar mechanisms in the Commonwealth Privacy Act 1988, these are determinations that the public interest in engaging in an act or practice that may contravene a specified IPP (other than IPP 4 or 6) substantially outweighs the public interest in complying with that IPP. Engaging in an act or practice that is permitted by a public interest determination will not be an interference with privacy. Public interest determinations may be made on a temporary (up to 12 months) or ongoing basis.
These measures have the potential to provide certainty to organisations handling personal information in areas which presently involve some legal risk, such as inter-agency data sharing and matching, outsourced service provision and use of cloud and offshore ICT providers.
However, the Commissioner's office has made clear that while these measures may enable the development of more efficient and effective ways to protect privacy, they are not intended to lead to a reduction in overall standards of privacy protection. Organisations seeking to use one of the new mechanisms will bear the onus of satisfying the requirements set out in the new Act.
Protective data security
Part 4 of the Act provides for the development of protective data security frameworks and standards for public sector bodies. This Part applies to most government agencies, but there are some important exclusions, including councils, universities and some health service providers.
Part 4 gives the Commissioner power to issue standards for the security, confidentiality and integrity of public sector data, and requires the Commissioner to develop a protective data security framework for monitoring the security of public sector data in accordance with those standards.
Public sector agencies covered by Part 4 will be required to comply with applicable data security standards in respect of their data systems and all public sector data they collect and hold. They may also be required to carry out their own data security risk assessments and put in place protective data security plans.
Current provisions relating to law enforcement data security are substantially continued under the new Act.
Information Privacy Principles
In March this year, amendments to the Commonwealth Privacy Act 1988 introduced new Australian Privacy Principles (APPs) to replace the two sets of principles which, since 2001, have applied to Commonwealth public sector and private sector organisations (that is: Commonwealth IPPs and National Privacy Principles, or NPPs).
There had been some expectation that the new Act would replace the current Victorian IPPs with new principles based on the APPs. However, the current IPPs have been retained.
Substantial similarity between the Victorian IPPs and the NPPs had, until March this year, made exchange of personal information between government agencies and private sector contractors relatively straightforward. However, not aligning the Victorian principles with the APPs is likely to have created a new area of complexity.
Implications for the public sector
Victorian public sector organisations continue to be bound by IPPs in respect of personal information. In addition, some will need to:
- ensure data systems and practices comply with new data security standards;
- assess data security risks and develop protective data security plans; and
- consider differences between IPPs and APPs in dealings with Commonwealth agencies and private sector organisations.
Implications for the private sector
Private sector organisations dealing with Victorian government agencies may need to:
- consider seeking the protection of an IUA where accessing or handling personal information held by a government agency; and
- consider whether their obligations under the APPs are consistent with privacy obligations they might assume as a contracted service provider to a Victorian government agency.