15 March 2017

Victorian Privacy

The Victorian Commissioner for Privacy and Data Protection has released a disquieting - and brave - report titled Forensic Audit of Mobile Telephone Records - Final Report - March 2017.

The report highlights concerns regarding both privacy protection under Victorian statute law and the functioning of the Commissioner's office. The Commissioner notes that
Taking action to require the Premier, as the leader of the government of Victoria, to undertake his privacy obligations in a manner required by the law is a significant step.
The Commissioner omits the bureaucratic obfuscation (reflecting regulatory capture) evident in reports by the OAIC and goes on to refer to a response as being 'evasive, non-cooperative and misleading'.

The report states
On 12 January 2017 I issued an interim report regarding a forensic audit of the mobile telephones of certain Victorian politicians and public servants being undertaken at the request or direction of the Premier of Victoria. The audit was in response to the apparent leak of information regarding an increase in police numbers to the radio journalist, Mr Neil Mitchell. The interim report is Attachment 1.
In the interim report I advised that my office would continue investigating this matter, despite the Secretary of the Department of Premier and Cabinet (DPC) having issued a certificate under s79(3) of the Privacy and Data Protection Act 2014 (PDPA), claiming cabinet confidentiality in the information that I had formally sought from the Premier about the forensic audit. I also urged any person who had information relevant to my inquiries to come forward and contact me.
This final report:
  • provides an account of the circumstances as I understand them; 
  • discusses issues relevant to those circumstances; 
  • provides relevant documentation for public scrutiny; and 
  • discusses how legislation permits or encourages me to respond in my role as Commissioner.
In preparing this report, I have had careful regard to the objects of the PDPA, including balancing open access to public sector information with the public interest in protecting its security and to promote:
  • awareness of responsible personal information handling practices; 
  • responsible and transparent handling of personal information; and 
  • responsible data security practices in the public sector.
I have also had regard to the right to privacy supported by s. 13 of the Charter of Human Rights and Responsibilities Act 2006.
The circumstances
The circumstances have been widely reported. On 13 December 2016, at or immediately after the conclusion of a then recent cabinet meeting, the Premier told those in attendance that a forensic audit of their mobile telephones would take place at his instigation and that this audit would extend to all members of Cabinet. The purpose of the forensic audit was to determine who had leaked information about a proposed increase in police numbers to Mr Neil Mitchell. The Premier stated that the global consulting firm KPMG would undertake the forensic audit.
The audit would require handing over possession of mobile phones to the KPMG forensic audit team who would then analyse data embodied in them, presumably to identify who had communicated with Mr Mitchell, when the communication took place and the content of the communication. The audit would also extend to public servants, presumably those involved in developing the proposal to increase police numbers and those who otherwise could have had access to the information as it was processed through government.
Initial analysis
Immediately following the press reports on 13 December 2016 I was contacted regarding the proposed forensic audit. I had already considered the reports and had formed the opinion that there was an appearance that:
  • the reports were correct, as there had been no contrary or qualifying report; and 
  • one or more of the Information Privacy Principles (IPPs) would be contravened by the forensic audit.
The immediate impression I gained from the information available to me was that the proposed audit appeared to constitute an investigation that was not supported by the usual legal safeguards relating to intrusion into the human rights of citizens. It is usual when investigative powers are granted to ensure that appropriate checks and balances are in place. This would have been the case for example if the audit were conducted as an investigation managed by Victoria Police. The same would have been true if the Ombudsman or any other usual investigative organisation had commenced an investigation. There was however an appearance that none of those organisations would be able to investigate, as there was no apparent illegal or wrongful behaviour which could be the subject matter of an investigation by them. While this caused me concern, my statutory concern is with issues of privacy and data security.
In this context there was an appearance that almost the entirety of IPP 1 – Collection would be contravened. Perhaps of greatest immediate concern was that:
  • the collection of personal information may not have been necessary for a function or activity of the collecting party; 
  • the collection of personal information may not have been lawful or fair, and appeared to be unreasonably intrusive; 
  • the individuals whose personal information was to be collected may not be given notice of the information set out in IPP 1.3, including the organisation collecting and the purpose of collection; and 
  • consideration did not appear to have been given to collection from the individual whose information was being collected.
Aside from those whose mobile phones were to be examined, the audit would involve gaining access to the personal information of anyone who had interacted with the politician or public servant being audited. In short, while the number of mobile phones examined may be fewer than 100, a reasonable estimate of the number of people whose personal information would be involved is very significantly greater.
The strong appearance that significant aspects of the IPPs were to be contravened also appeared to constitute a serious or flagrant contravention. This suggested that I might reasonably proceed to issue a compliance notice in relation to the proposed audit.
Taking action to require the Premier, as the leader of the government of Victoria, to undertake his privacy obligations in a manner required by the law is a significant step. I was inclined to seek an explanation from the Premier or from others involved before taking this step in the hope that the appearance I have described was mistaken or that interferences with privacy could be avoided. This would be consistent with the objects of the PDPA and the nature of a compliance notice as an educational tool for developing a compliance culture in the public sector.
Under the PDPA, I do not have a full range of investigative powers. Rather I have limited formal means of obtaining information and documents. As a result, I have few means of making enquiries such as were required. In this context I decided to issue a relatively informal request for information (rather than documents) and frame the request in the style of a notice under s. 79 of the PDPA.
A request for information rather than documents also had the virtue of permitting the Premier to comment on the course of action intended and so perhaps provide an opportunity for me to be reassured about the manner in which any process would proceed, so as to comply with privacy requirements. In this sense, the request for information functioned as a notice to show cause why further action should not be taken.
What information was sought from the Premier?
A notice under s. 79(1) of the PDPA was dated and served on the Premier of Victoria on 16 December 2016 and is Attachment 2 (the notice to the Premier). The notice to the Premier sought information about the basis of the Premier’s authority to undertake a forensic audit of information embodied in the mobile telephones of Ministers of the Crown and public servants. It did not explicitly or implicitly seek information about cabinet material, deliberations or discussions. The questions addressed to the Premier focused on the requirements for collecting personal information under IPP 1. They were designed to elicit information about the Premier’s understanding of his legal authority to collect personal information for the purposes of the forensic audit.
The response – conclusive certificate issued by the Secretary, DPC
On 23 December 2016, I received a certificate under s. 79(3) of the PDPA from the Secretary, DPC dated 23 December 2016 (Attachment 3). The Secretary certified that the provision of the information sought in the notice to the Premier ‘would involve the disclosure of information which, if included in a document of the agency or an official document of the Minister, would cause the document to be an exempt document of a kind referred to in section 28(1) of the Freedom of Information Act 1982.’ The effect of the certificate was to claim cabinet confidentiality in respect of all the information sought from the Premier.
Analysis in light of that certificate
This response heightened the appearance of contravention. There was no suggestion in the response either that the forensic audit would not proceed or that if it proceeded it would not involve any contravention.
The certification of cabinet confidentiality in respect of the entire request is worthy of comment. My statutory powers do not permit me to investigate a certificate or to question whether information referred to in a certificate is cabinet in confidence material. If I am inclined to seek a review of a certificate I must apply to the courts or to the Victorian Civil and Administrative Tribunal under ss. 73(3) and 76 of the PDPA. Nevertheless I am entitled to take account of the effect a certificate has on the appearance of the circumstances which are the focus of my enquiries.
The request did not seek any material related to cabinet proceedings. The certificate in response did not suggest that any attempt had been made to separate materials that were cabinet in confidence from other materials relevant to the audit. This appeared to be an unsophisticated and unhelpful response which adopted the wording of s. 79(3) by reiteration in an apparently indiscriminate manner so as to claim a complete exemption. In short the response did nothing to create an appearance of compliance, rather the reverse.
Confronted with this response, I decided that I could not conclude my enquiries at that point and decided to seek information from a source that was clearly outside the boundaries of cabinet confidentiality. I sought information from KPMG as the contractor apparently performing forensic audit activities.
What information was sought from KPMG?
Notices under s. 79(1) of the PDPA were dated and served on each of the Chief Executive Officer and the Victorian Chairman of KPMG on 5 January 2017 and are Attachments 4 and 5 (KPMG notices). The KPMG notices were designed to ascertain whether KPMG had been instructed to undertake the forensic audit and, if so, the scope of work it had been engaged to perform.
KPMG’s response
For some time, no response was received from KPMG. On 12 January 2017 I published the interim report regarding my enquiries. The following day I received correspondence from KPMG seeking a further copy of the notices and stating that their office had been closed until 3 days prior to the day that the notice was served and that each of the addressees of a notice were on annual leave. I provided that copy and in the meantime, KPMG located the notice that had been served earlier. On 16 January 2017 I received correspondence from KPMG stating that ‘KPMG has no documents to produce in response to the Notice’. This response was not entirely unambiguous. As a result I arranged for a discussion to occur, confirming that KPMG held no documents of the description set out in the notice.
Analysis in light of that response
The response from KPMG had, at most, a neutral effect on the appearance of the circumstances. The previous appearance remained unchanged and further action was warranted. It appeared that of those who might have an administrative role related to the audit and which was not the subject of cabinet in confidence restrictions, it was likely to be the Secretary of DPC.
Request for information from the Secretary, DPC
A notice under s. 79(1) of the PDPA was dated and served on the Secretary, DPC on 13 January 2017 and is Attachment 6. The notice sought information relating to the engagement of any contractor outside the Victorian public sector to undertake the audit and the scope of any such engagement.
The response – letter from the Acting General Counsel, DPC dated 20 January 2017 and conclusive certificate issued by the Secretary, DPC, dated 20 January 2017
On 20 January 2017, I received:
  • a letter from the Acting General Counsel of DPC marked ‘Confidential’ (Attachment 7), enclosing; 
  • a certificate under s. 79(3) of the PDPA from the Secretary, Department of Premier and Cabinet (Attachment 8).
The letter marked ‘Confidential’ noted the secrecy provisions set out in s. 120 of the Act. It stated that ‘DPC does not consent to you disclosing or communicating this response’. I understood that that notification of non-consent was provided in the context of that provision. The effect of the reference to s 120 of the PDPA was to assert a secrecy claim in relation to the claim of cabinet in confidence.
Analysis in light of that response
That response was evasive, non-cooperative and misleading. It heightened the pre-existing appearance of wrongdoing. The response was misleading in that dealings between executive government and private sector contractors are universally accepted as not being within the boundaries of cabinet confidentiality. I would also expect that in a context where government has made a number of recent announcements regarding the improvement of privacy governance, the same government would seek to cooperate with and learn from an initiative taken by a regulator, such as myself, pursuing the same goals. When the only response to the initiative is an attempt to avoid scrutiny, this gives an appearance of wrongdoing.
Transmission of the response
I should also deal with the manner in which the response from the Department of Premier and Cabinet was framed and delivered. The letter from the Acting General Counsel of 20 January 2017 was endorsed ‘Confidential’ and by making reference to s. 120 of the PDPA expressly sought to ensure that both the letter and the certificate it transmitted would not be published.
In a Victorian government context, a claim of confidentiality should comply with the Victorian Protective Data Security Framework (VPDSF). The VPDSF permits a document to be protectively marked as ‘Confidential’ if disclosure of the content of the document could be expected to cause significant harm or damage to government operations, organisations and individuals. Such a marking asserts a business impact level of ‘Very High.’ There is only one higher category – ‘Extreme.’ It is difficult to imagine how the letter could reasonably be considered as falling within the claimed category. Even if this assessment is mistaken, the context in which this claim is made is mistaken, as will be examined more closely later in this discussion. The VPDSF includes explicit warnings about the inappropriate use of protective markings. It states that:
Official information should only be protectively marked where there is a clear and justifiable need to do so.
In no case should official information be protectively marked to:
  • hide violations of the law... 
  • prevent embarrassment to an individual, organisation or agency
There is at least an appearance that the letter was protectively marked as ‘Confidential’ for either or both of these reasons and that the warnings set out in the VPDSF have been disregarded.
As noted above, the letter also referred to s 120 of the Act. Section 120 is a secrecy provision. It prevents me from communicating or disclosing information obtained or received in the course of performing my functions or exercising my powers under the PDPA except as permitted by s120(3).
Section 120(3) states:
A person to whom this section applies may make a record, disclosure or communication referred to in subsection (2) if—
  a) it is necessary to do so for the purposes of, or in connection with, the performance of a function or duty or the exercise of a power under this Act or a former Act; or 
  b) the individual or organisation to whom the information relates gives written consent to the making of the record, disclosure or communication.
So far as is relevant to the current circumstances, s.120 of the PDPA is designed to prevent the use of official material other than for the necessary purpose of the performance of the functions or duties or the exercise of a power under the PDPA, that is render that material secret, except with the consent of the person or organisation to whom the information relates. In my opinion it is necessary for those purposes to publish the documents attached to this report. Finally, the letter can be construed as a threat. Under s.121 of the PDPA it is an offence for me to disclose or communicate any information given to me ‘pursuant to a prescribed requirement’ unless I notify the person who provided the information of any proposal to disclose or communicate the information and give that person a reasonable opportunity to object.
However, the information I have received or obtained from DPC was not given to me pursuant to a prescribed requirement as defined in the PDPA. It follows that these are not circumstances in which the notice requirements of s. 121 of the PDPA apply.
It is inconceivable that the Acting General Counsel was unaware of this straightforward legal issue. There seems to be no substantive reason for him to provide advice to me about whether or not DPC consented to the disclosure of material other than to send a clear signal that the relevant material should not be published. In the current circumstances, the claims of confidentiality and secrecy are inappropriate in respect of both the certificate and the correspondence under cover of which it was transmitted. A certificate created under s. 79 of the PDPA is in the nature of a legislative instrument made under power delegated by legislation to the Secretary of the Department of Premier and Cabinet. It is not a document that is either necessary or desirable to hide from scrutiny. The same is true for the dealings surrounding a certificate. I consider that disclosure of the documents published with this report is necessary in pursuit of the objects of the PDPA.
The options for further action in relation to these issues, assuming that no more cooperative or compliance focussed communication occurs, are to:
  • issue a compliance notice to relevant persons regarding the conduct of any audit of mobile phone records; or 
  • seek formal legal review of the information and documents in respect of which the two certificates given in response to notices discussed in this report with a view to seeking to have some or all of that material released to me; or 
  • seek a declaration that those certificates were wrongly given and that they are ineffective.