In July, we advised of proposed reforms to Victorian Privacy Laws, brought about by the Privacy and Data Protection Bill 2014 (Bill).
To access our previous article titled 'Proposed Change to Victorian Privacy Laws', which sets out an overview of the reforms and the implications for the Victorian Public Sector, click here.
This week, the Bill was given royal assent and has now become law.
Most of the Act will come into operation on a day to be proclaimed or on 9 December 2014, whichever is earlier. This includes the repeal of the Information Privacy Act 2000 and theCommissioner for Law Enforcement Data Security Act 2005. This means there is only three months at most for the Victorian public sector to get ready for the changes.
It will be essential for public sector agencies to update the following:
- privacy policies
- collection statements
- contractual clauses to be used when outsourcing.
All public registers should also be reviewed to ensure they comply with the privacy principles and, if not, consideration should be given to seeking approval for a code of practice, public interest determination or information usage arrangement. Particular care should be given to online public registers.
For those public sector agencies subject to the new data protection provisions (Parts 4 and 5 of the Act), it will be important to monitor the implementation of the protective data security framework and standards and then take steps to ensure compliance with them. Action will also need to be taken to ensure contracts impose appropriate obligations on contracted service providers to comply with any relevant protective data security standards. Public sector agencies should be aware that the Commissioner has the power to conduct monitoring and assessment (including audits) to ascertain compliance with any data security standards. The Victorian Privacy Commissioner has indicated that a ‘grandfathering period’ may exist once the Act comes into force, depending on what protective data security standards have come into effect. While details of the potential grandfathering period are still unknown, it is clear that there is likely to be a staged approach to implementation of protective data security standards.
The impact of this new data protection regime is wide-ranging. According to the Victorian Privacy Commissioner, it will apply to around 2000 Victorian organisations.