13 June 2014

Privacy and Data Protection Bill 2014 (Vic)

In Victoria the Privacy and Data Protection Bill 2014 (Vic) has had its first reading.

The Bill is for an Act to provide for responsible collection and handling of personal information in the Victorian public sector, to establish a protective data security regime, to repeal the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic), to make consequential amendments to other Acts and for other purposes.

The definition of personal information remains based on the Privacy Act 1988 (Cth) "in the interests of supporting a nationally consistent approach to the protection of information privacy". The definition only applies to information that is recorded in some form. It excludes health information, as defined in Schedule 2 of the Act, in recognition of the tailored treatment afforded to health records under the Health Records Act 2001 (Vic).

Clause 7 sets out rights and liabilities under the Bill, stating that the Bill must be taken not to create any general privacy right or any other rights additional to those which are specifically contained in the Bill. Similarly, nothing in the Bill is to be construed as giving rise to criminal liability except to the extent specifically described.

The Explanatory Memo states that
Clause 12 grants an exemption in respect of specified types of information that are regarded as publicly available information, including public registers. With limited exceptions, the Bill seeks only to regulate personal information and public sector data that is not publicly available. 
Subclause (2) refers to the use of information held on a public register. It is intended that the Bill will apply so far as is reasonably practicable to personal information held on public registers. Such information stores are collected and held for particular purposes. While public register information should be able to be used for the, or one of the, legitimate purposes for which it was collected, it is intended that the Bill will in most cases treat uses outside those purposes as interferences with personal privacy, unless the handling is the subject of a mechanism in effect pursuant to Divisions 5, 6 and 7 of Part 3. 
For example, it may be an interference with the privacy of an individual for a person to search the titles register at Land Victoria in order to identify and market products or services to a section of the Register that meets a particular socioeconomic profile. In these circumstances the organisation using that information may contravene the Act. 
It is envisaged that organisations having responsibility for maintaining public registers that are made available over the internet will maintain a high standard of currency and accuracy of information on their website. In addition, it is expected that these organisations will ensure that other search engines that tap into the site, and archives that store information on it, do not retain any inaccurate data.
The Memo goes on to state that
Clause 18 states that the IPPs are set out in Schedule 1. The Victorian IPPs were originally adapted from the former federal National Principles for the Fair Handling of Personal Information (the National Principles). The IPPs in Schedule 1 are reproduced from the Victorian Information Privacy Act 2000, in order to maintain the continuity and consistency of Victoria's privacy regime governing public sector organisations as far as possible. The IPPs must now be interpreted in light of section 13 of the Charter of Human Rights and Responsibilities Act 2006, which gives individuals a right not to have their privacy, family, home or correspondence unlawfully or arbitrarily interfered with. 
The 13 Australian Privacy Principles (APPs), which came into force on 12 March 2014, have now replaced both the federal IPPs that previously applied to Australian and Norfolk Island Government agencies, and the National Privacy Principles (NPPs) that previously applied to private sector organisations. 
The APPs regulate the handling of personal information, including health information, by Australian government agencies and some private sector organisations. A number of the APPs are significantly different from the previous federal principles, including APP 7 on the use and disclosure of personal information for the purpose of direct marketing, and APP 8 on cross-border disclosure of personal information. The ACT will enact new privacy legislation in 2014. 
Victoria's IPPs do not include provisions specifically for health information. Health information privacy in Victoria continues to be regulated by the Health Records Act 2001. Nothing in the IPPs is intended to be taken to override any exemption in Part 2 of the Bill. 
Clause 19 states that the Information Privacy Principles apply in relation to all personal information, whether collected by the organisation before or after the commencement of this section. It is intended that there be no gap between the operation of the Information Privacy Act 2000 and this Bill.
The Memo also states that
Clause 85 provides that the Commissioner must develop the Victorian protective data security framework. It is recognised that a number of public sector entities have previously adapted other existing guidance on protective data security to their entity's needs. For this reason, the Victorian protective data security framework is required to be as consistent as possible with recognised existing guidance in this field as prescribed. 
Both the framework and the related standards provided for in clause 86 are expected to draw on the principal elements of existing whole of Victorian government security policies, Australian and international security standards, policies, schemes, frameworks and benchmarks including alignment with the Australian Government Protective Security Policy Framework (PSPF) in relation to data security specifically. However the Victorian standards will depart from the PSPF in a number of ways designed to support State government service delivery functions and reflect contemporary security standards. 
Clause 86 provides that the Commissioner may issue general protective data security standards or customised protective data security standards tailored to specific circumstances. A customised protective data security standard will prevail over a general one to the extent of any inconsistency. 
However, the Commissioner must not issue a protective data security standard unless it has been agreed by both the Attorney-General and the Minister for Technology. It is intended that ongoing consultation between relevant government departments will occur to assist in consistent future development and implementation of the framework and standards. 
Clause 87 provides that protective data security standards may be amended, revoked or reissued in accordance with the procedures set out in clause 86. 
Clause 88 provides that a public sector body Head for an agency or body to which Part 4 applies must ensure that that agency or body does not do an act or contravene a protective data security standard in respect of the public sector data collected, held, managed or disclosed by it or public sector data systems kept by it. 
This obligation extends to ensuring that these requirements are also met by any contracted service provider for the relevant agency or body. Accordingly the public sector body Head must ensure that its contract with a contracted service provider imposes appropriate obligations on the contracted service provider to comply with any relevant protective data security standards. The Commissioner does not have direct authority over contracted service providers in respect of protective data security. However, it is considered that the general powers of the Commissioner under clause 104 would allow for the publication of model terms in respect of this obligation that are capable of being adopted into a State contract. 
Clause 89 provides that within 2 years after the issue of protective data security standards, public sector body Heads must ensure that a security risk profile assessment is undertaken for their agency or body; and that a protective data security plan is developed for the agency or body that addresses the standards applicable to their agency or body. Because it is recognised that not all agencies or bodies subject to Part 4 have equal capacity or resources to meet their obligations under this Part, the Bill's head of power for the making of regulations provided for at clause 125 will enable differential application as required. 
Under subclauses (2) and (3) the public sector body Head must ensure that the security risk profile assessment and plan developed for their agency or body covers its contracted service providers to the extent that the contracted service providers handle public sector data for the public sector body. 
Public sector body Heads are required to ensure that the protective data security plan is reviewed if there is a significant change to their body or agency's operating environment or applicable security risks, or otherwise every 2 years. A copy of each protective data security plan must also be given to the Commissioner. 
Clause 90 provides that protective data security plans are not subject to the FOI Act, because it is not considered to be in the public interest to make details of relevant entities' data security arrangements available to the public.
The Bill provides for the establishment of a Commissioner for Privacy and Data Protection.

A person is not eligible for appointment as Commissioner if the person is a member of the Parliament of Victoria, or of the Commonwealth or of another State or Territory. The Public Administration Act 2004 does not apply to the Commissioner in respect of the office of Commissioner, except as provided in section 16 of that Act in relation to employees. The Commissioner ceases to hold office if he or she becomes insolvent, is convicted of an indictable offence or nominates for election for either House of the Parliament of Victoria, the Commonwealth or of any other State or Territory.

Clause 100 contains the procedure for suspension of the Commissioner if the Governor in Council is satisfied on any ground that the Commissioner is unfit to hold office. If the Governor in Council uses the power in subclause (1) to suspend the Commissioner, the Minister must provide each House of Parliament with a full statement of the grounds of suspension within 7 sitting days (subclause (2)). Under subclause (3), the Commissioner must be removed from office by the Governor in Council if each House of Parliament, within 20 sitting days after the day when the statement was laid before it, declares by resolution that the Commissioner ought to be removed from office. If the declaration by resolution is not made within the specified time period, the Governor in Council must restore the Commissioner to office (subclause (4)). Subclause (5) provides that if the Commissioner is suspended from office under subclause (1), he or she is taken not to be the Commissioner during the period of suspension.

Clause 101 provides that the Governor in Council may appoint a person to act in the office of the Commissioner during a vacancy in that office, or where the Commissioner is absent or otherwise unable to perform the functions of the office. The person appointed must not be a member of any Parliament in Australia. Appointment is for a period not exceeding 6 months, and the Governor in Council may remove the acting Commissioner at any time (subclause (3)). A person appointed as the acting Commissioner has all the powers and must perform all the duties of that office, and is entitled to the same remuneration and allowances as the Commissioner.

Clause 103 outlines the functions of the Commissioner. Clause 104 gives the Commissioner the general power to perform his or her functions. Clause 105 provides that the Commissioner must have regard to the objects of the Bill in performing his or her functions. The objects of the Bill are set out in Clause 5 of the Bill. Clause 106 provides that the Commissioner may require access to data and data systems in respect of protective data security. Though the Commissioner does not have direct statutory authority in respect of contracted service providers (CSPs), it is expected that public sector entities to which Part 4 applies could give a contractual direction to their CSP to produce data or give access to data systems to the Commissioner, or otherwise cooperate with the Commissioner. Clause 107 provides that the Commissioner may require the Chief Commissioner of Police to give the Commissioner access to law enforcement data or the Victoria Police law enforcement data system. The Chief Commissioner of Police may refuse to comply with the requirement. This provision has been included to ensure that, in meeting the requirements of the Commissioner, the provision of access to data or systems does not impede the capacity of Victoria Police to carry out its law enforcement functions. The grounds upon which the Chief Commissioner may refuse to comply include instances in which giving access to law enforcement data or systems is reasonably likely to prejudice an investigation, prejudice a fair trial, disclose the identity of a confidential source of information or endanger the lives or physical safety of persons.

Clause 109 provides that the Commissioner may copy or take extracts from any data or documents accessed under clauses 106, 107 or 108 despite anything to the contrary in any other Act except the Charter of Human Rights and Responsibilities Act 2006. Clause 110 provides that the Commissioner may request that a public sector body Head as defined in the Public Administration Act 2004 provide him or her with any assistance that the Commissioner reasonably considers appropriate to perform his or her functions under this Bill relating to protective data security and law enforcement data security. Clause 111 provides that at the request of the Minister, the Commissioner must provide the Minister with reports on any matter relating to information privacy, protective data security, crime statistics data security or law enforcement data security functions. The Minister may table a copy of such a report before each House of Parliament. The Commissioner, in the public interest, is able to publish reports and recommendations relating to any act or practice that the Commissioner considers to be an interference with the privacy of an individual or generally to the Commissioner's functions, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.