19 August 2016

Victorian FOI, Data Protection and Privacy Regimes

Given that inconvenient statements tend to go offline, I'm quoting this week's response by David Watts, Victoria's Commissioner for Privacy and Data Protection, regarding the state's problematical Freedom of Information Amendment (Office of the Victorian Information Commissioner) Bill 2016:
The Victorian government has introduced into Parliament a Bill that would substantially change the governance of privacy and data protection in Victoria. There has been no significant public comment or discussion concerning the Bill which is to be debated in the forthcoming parliamentary session.
Under current legislation, my role includes consulting with those who are concerned with information privacy and publication, in the public interest, of reports and recommendations relating to my functions.
This paper is designed to ensure that those concerned with privacy and data protection issues in Victoria are aware of and have an opportunity to understand and comment on the proposals.
Freedom of Information issues
The Bill brings together in a single administrative structure the regulation of:
• freedom of information (FOI); and
• privacy and data protection.
As FOI policy falls outside my functions under Part 6 Division 2 of the Privacy and Data Protection Act 2014 my views on the Bill chiefly relate to proposals the Bill makes regarding privacy and data protection.
There are however some aspects of the Bill dealing with FOI issues that ultimately relate to data management and so interact with my functions. The first of these issues is that the FOI changes are minor compared to community expectations for the future of FOI. The government has indicated that a root and branch review of FOI is to occur at some unspecified future time. In this context, the Bill is an opportunity lost. The changes proposed by the Bill to FOI are largely process changes rather than substantive. The regime could be significantly more effective if supported by improvements in the substantive requirements for disclosure.
The second issue relates to the community’s dissatisfaction with current FOI arrangements that stem from its inefficiency. Requests are frustrated and unnecessarily delayed because the system presupposes the paper-based data management environment that prevailed some decades ago. The proposal in the Bill to reduce FOI response times from forty five to thirty days will be meaningless unless accompanied by either the significantly greater human resources support or a fundamental rethink of FOI systems and processes.
While the definition of ‘documents’ (that need to be searched and considered for disclosure) appears wide enough to include electronic material, the determined practice of agencies is to deal in paper for FOI purposes.
One consequence of this practice is that searching for and photocopying documents causes significant delays and constitutes a significant disincentive to FOI applications. The practice also utilises excessive public sector resources which could be better allocated elsewhere and generates unnecessary costs for the public sector and fees for applicants. If the legislation clarified the requirements so that electronic searching were expressly required, significant cost and delay could be avoided.
If Google can produce a consolidated search history result in fractions of a second for each user, it is disappointing that the Bill allows the disconnection between current document management practice and FOI practice to continue and fails to drive digital solutions and efficiencies. This issue has been identified in a number of publications. Of note is the by no means recent reference in Moira Paterson, Freedom of Information and Privacy in Australia, (Ed.1, 2005) at [2.25-6].
Finally, the proposed merger of:
• FOI functions, which relate to the release of information; with
• privacy and data protection functions, which usually do not,
raises the issue of whether the Bill proposes to embed a conflict of interest into the administrative structure. Balancing this concern, there may be an argument that this apparent conflict provides a useful discipline with security, including the need to provide assurance that the information is available for appropriate purposes, without hindrance. These complex issues deserve careful policy consideration before any misstep is taken. I will consider this issue further later in this paper.
A missed opportunity for reform
If the priority is to reform the administration of privacy and data protection through merging existing statutory bodies, the sensible first step would be to consolidate the administration of health privacy with the current framework that applies to all other personal information. The distinction between privacy issues in the context of health and other personal and sensitive information has presented a number of administrative challenges that are not justified by any public interest benefit. This is a more significant and urgent issue than the possibility of merging FOI and privacy functions.
The health privacy role of Health Services Commissioner has been seriously under-resourced since it was created and has not had the significant impact on the management of the privacy of health records that the public is entitled to expect on the basis of the legislation that created the role. This issue needs to be addressed.
Governance issues
As already noted, the main focus of the Bill appears to be on revisions to governance. The Bill proposes that three areas of activity - freedom of information, privacy and data protection - should be administered in a single statutory body through creation of an overarching Information Commissioner, overseeing the three functions, with 2 Assistant Commissioners also appointed. I refer to this structure as the ‘information commissioner model’.
Introduction of the information commissioner model in Victoria
This structure has not been the subject of consultation – either within government, (including with my office or that of the FOI Commissioner), with non-government stakeholders or with the community in general. It is modelled on a similar structure adopted in other jurisdictions, including the Commonwealth and NSW. In those contexts there does not appear to have been any substantial policy basis for the introduction of the structure.
In Victoria, the normal processes applicable to the development of policy proposals and obtaining approval in principle from Cabinet do not appear to have been followed. The policy proposal for the Bill appears to have been developed within the Department of Premier and Cabinet (DPC) in apparent secrecy.
I was first advised that the proposal had been considered and approved by Cabinet at a meeting on 3 March 2016. The concerns I expressed were dismissed as being ‘too late’ because Cabinet had already approved the proposal - presumably at the immediately previous scheduled meeting on 29 February 2016.
At that meeting I was advised that my comments on the Bill, when it was drafted, would be sought. When this occurred I chose not to do so because the fundamentals of the Bill had been predetermined.
Policy basis of the information commissioner model
The information commissioner model was first implemented in Australia by the Rudd government. Research has not identified policy material or an evidence base to support it.
Senator Sherry said in the second reading speech for the Australian Information Commissioner Bill 2010, which first introduced the structure: ‘The Government considers that the co-location of privacy and FOI policy will enhance oversight and allow for consistent information policy.’ and: ‘The nature of the FOI functions and privacy functions are too extensive for one office holder to effectively manage.’ and: ‘...the Government expects that the three office holders will work together cooperatively ...’ The a priori policy hopes behind these views have proven to be wrong. Experience in a number of jurisdictions indicates that the model does not work. The current position is that either these structures are not filled, or are not functional.
The experience in NSW is that the structure has led to conflict. This dysfunction has led to persistent and intractable disputes between commissioners. In Queensland, the privacy commissioner position was not permanently filled for years.
Similar issues with the Commonwealth legislation have led to significant turnover in the roles, with two of the three not currently filled and the senior role currently the subject of an acting appointment. In the case of the Commonwealth, the article at http://www.canberratimes.com.au/national/public-service/the-slow-death-of-the-office-of-the-australian-information-commissioner-20150826-gj81dl.html sums up the situation well, albeit with some unsurprising journalistic spin. In short, the evidence base that has emerged following implementation of the information commissioner model elsewhere in Australia suggests that structural dysfunction will be the outcome of passing the Bill.
The operational consequences of this dysfunction have meant that the community has not been well served. Each of the Commonwealth, NSW and Queensland offices has been held back in their response to the complex digital-age issues relevant to privacy and FOI. In a privacy context, this has meant that key contemporary and sophisticated issues such as guidance and thought leadership about information sharing, information security, cloud computing, de-identification and the phenomenon of big data have been hampered.
Protective Data Security
Victoria’s information management framework is substantially different to those of other jurisdictions and cannot properly be compared with them. The Privacy and Data Protection Act 2014 (PDPA) addressed long-outstanding recommendations from the Auditor-General and the Ombudsman that highlighted security deficits within the Victorian public sector. The PDPA responded by providing structural support for a statutory protective data security framework for the Victorian public sector that extends to all government information, not just personal information. There is no counterpart elsewhere in Australia. Victoria is the only jurisdiction that mandates transparency and independent assurance and oversight for security.
The Victorian public sector is significantly divided on the attractiveness of this approach. A number of agencies that encounter difficult data security issues through delivery of higher risk services have become supporters of the assurance that the legislation provides. Other, predominantly central, agencies are less aware of the risks they face and, being at a very early stage of cultural change, in some cases display fairly open opposition to the legislation.
The Bill may endanger the progress achieved to date in implementing this reform, without any policy-based indication that this risk is justified by likely public benefit. There is a significant likelihood that stakeholders productively involved in improving data security will suffer a drop in confidence in the process that has achieved a great deal of progress in the last 2 years. If the Bill is passed without the support of a preliminary and durable policy process public and media perception can be expected to criticise the merger of functions as giving rise to conflict of interest. It should be expected that public trust and confidence in both security and FOI will suffer as a result.
Continuity
The PDPA has been in place for something less than 2 years. In the context of:
• the 5 year appointment of the existing CPDP; and
• the significant cultural challenge for the public sector represented by introduction of the PDPA,
replacement of the governance regime for privacy and data protection appears premature. In this short period it is inconceivable that government could have tested the existing governance arrangements, found them wanting and developed a more effective model.
Since 2014 significant progress has been made in developing privacy and data protection policy and frameworks and in encouraging sensible operational responses to adverse incidents involving privacy and data protection. Despite this progress, the developments are still at an early stage and need to be consolidated. A governance change at this stage can be expected to damage and at least to some degree reverse this process. It is tempting to conclude that the proposed changes are a reaction to discomfort caused by the existing governance structure and the effectiveness of developments. This is not a positive conclusion.
Cultural change
Fundamentally, the PDPA was designed to drive public sector cultural change. The change process the PDPA mandates is not welcome in many parts of the Victorian public sector.
In the context of data security, resistance to cultural change has caused significant delay since the PDPA came into force. The start date of the Victorian Protective Data Security Standards (VPDSS) was delayed three times either without explanation or on the pretext that further consultation was needed. This further proposed consultation involved minor or trivial matters that could have been addressed within days. The Department of Premier and Cabinet, being the party proposing this consultation, did not undertake it. Ultimately other stakeholders within government were in the interesting position of seeking the change that the Department primarily responsible for the policy area was resisting. While this reaction to cultural change is understandable, it is not laudable.
There is more than a passing appearance that the proposals for change to governance in the Bill are intended to further inhibit the change process commenced by the PDPA.
Terms of Appointment
I currently hold the role of Commissioner for Privacy and Data Protection (CPDP).
The CPDP is appointed by the Governor in Council and once appointed can be:
• suspended by the Governor in Council, with the reasons for that suspension reported to Parliament within 7 days; and
• removed by a resolution of both houses of Parliament.
If suspension occurs and removal does not follow within 20 sitting days, the suspension ceases and the appointment continues (see s.100 of the PDPA).
These arrangements are the same as those for other governance appointments under Parliament, such as the Auditor-General, the Ombudsman and the heads of IBAC and the Victorian Inspectorate. In other words, privacy and data protection is a subject area ultimately administered by Parliament in the same way as other key governance issues within the public sector.
The Bill proposes that the balance of these arrangements changes so that the Governor in Council (that is the Executive) can suspend or remove either of the 2 Commissioners responsible for privacy and data protection, with only a requirement to report the grounds for that action to Parliament, within 10 sitting days (see clauses 6 (proposed s. 6N) and 80 (proposed s. 8L) of the Bill).
This change represents a significant weakening of:
• the independence of the Commissioners; and
• the effect of the provisions in the proposed legislation that the Commissioners are not subject to the direction of the Minister (Clauses 6 (proposed s. 6B(3)(a)) and 80 (proposed s. 8L) of the Bill).
A threat of removal may be used to similar effect as a power of direction.
Conclusion
These issues warrant careful consideration. I recommend that the Bill should be examined carefully for both intended and unintended consequences before it is passed. It would be appropriate for these issues to be dealt with in the course of the committee stages of Parliament considering the Bill.