The Office of the Victorian Information Commissioner has published its
Regulatory Action Policy 2019 – 2021,
commenting
even though most agencies want to do the right thing, sometimes mistakes are made. At other times, actions are taken for the wrong reasons. And when rules are broken, the community rightly expects that its regulators will take strong action. To allow this to occur, the Freedom of Information Act 1982 (Vic) (FOI Act) and the Privacy and Data Protection Act 2014 (Vic) (PDP Act) provide the Office of the Victorian Information Commissioner (OVIC) with a wide range of powers to conduct regulatory action.
The regulatory action that OVIC can take includes informal preliminary enquiries and engagement, audits and examinations, investigations, compliance notices and associated penalties as well as public reports.
This Regulatory Action Policy explains how OVIC will use its powers. Our goal is to continue to instil in the Victorian public sector a culture that promotes fair public access to information while ensuring its proper use and protection. By doing so, we aim to build community trust in government handling of information.
Our focus will continue to be on education, guidance and constructive feedback. But where necessary and appropriate, OVIC will use its statutory powers to investigate serious or concerning practices under both the FOI Act and PDP Act.
Our response to any incident or allegation will be guided by the factors outlined in this policy, which describe a risk-based, proportional and targeted approach to regulatory action.
The Policy states, in part,
OVIC regulates the Victorian Government and advises the community about how the public sector collects, protects, uses and shares information.
This policy articulates OVIC’s regulatory approach. In this policy “regulatory action” means OVIC activity that promotes, assures or enforces the Freedom of Information Act 1982 (Vic) (FOI Act) and the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
The Regulatory Action Policy consists of two parts:
The first part sets out OVIC’s general approach to regulatory action and the common principles that guide OVIC’s regulatory activities. It also outlines how OVIC monitors and reports on its performance.
The second part consists of three schedules [omitted here] dealing with OVIC’s three functional areas: privacy, freedom of information and information security. These schedules outline the regulatory functions and powers the PDP Act and the FOI Act confer on OVIC and OVIC’s approach to how they are exercised.
Who OVIC regulates
OVIC regulates these bodies under the PDP Act and FOI Act (regulated body or regulated bodies).
Privacy – “organisations” defined in section 3 and section 13 of the PDP Act including departments, councils, Victoria Police, public entities, courts and tribunals.
Freedom of Information – Section 13 of the FOI Act gives a right to access documents of Ministers and “agencies” such as departments, councils, TAFES, public hospitals and public schools.
Information security – Public sector agencies and bodies defined in section 84 of the PDP Act including departments, public entities and Victoria Police. The PDP Act excludes councils, universities, ambulance services, public hospitals, public health services and multipurpose services under the Health Services Act 1988 (Vic).
Goals of Regulatory action
OVIC uses the regulatory powers in the PDP Act and FOI Act to:
Engage constructively with the Victorian public sector to build capacity and embed a culture that promotes fair access to information while ensuring its proper use and protection.
Foster public trust and awareness of the Victorian public sector’s responsibility, ability and commitment to handling information in a responsible and accountable manner.
Influence government to consider information rights in developing new policies or programs.
Deter conduct that contravenes or is contrary to the objects of the PDP Act or FOI Act.
Guiding principles
When taking regulatory action, OVIC is guided by the following principles:
Independent – OVIC exercises its regulatory powers independent of government.
Collaborative – OVIC engages with the public and regulated bodies openly and constructively.
Targeted and proportional – OVIC targets issues based on how likely they are to occur and how severe the impact would be if they did occur. OVIC takes action that is proportionate to the issue being addressed.
Transparent and consistent – OVIC’s decisions, actions and performance are clearly explained and open to public scrutiny. OVIC’s regulatory action is consistent in similar circumstances.
Independent
In its three functional areas, as an independent regulator, OVIC has the following aims.
Privacy
Independently conciliate disputes about interferences with a person’s privacy.
Guide regulated bodies and the public about the PDP Act and Information Privacy Principles (IPPs).
Audit or investigate a regulated body’s privacy practices or prevalent privacy issues.
Freedom of information
Provide guidance to regulated bodies and the public about the FOI Act.
Review decisions of regulated body:
to refuse access to a document sought under an FOI request;
not to waive an application fee imposed in an FOI request;
not to amend or annotate a document.
Resolve complaints against regulated bodies about actions taken or failed to be taken under the FOI Act.
Develop Professional Standards that describe how regulated bodies should meet their obligations in the FOI Act to promote clear and consistent FOI decisions.
Investigate how a regulated body performed, or failed to perform, its FOI functions and obligations.
Information security
Promote continuous improvement through guidance and advice about information security.
Monitor and assure compliance with the Victorian Protective Data Security Framework (VPDSF) and the PDP Act by review of protective data security plans and audits.
Collaborative
OVIC prefers to provide education and support to regulated bodies to promote understanding and proactive adherence to the PDP Act and FOI Act. Nevertheless, OVIC also monitors compliance, and investigates issues that are brought to its attention – for example issues that are reported by the public, self-reported by a regulated body or referred to OVIC by another regulator.
When an issue is identified, OVIC usually starts by contacting the affected regulated body and any complainant. OVIC generally tries to resolve issues by agreement before resorting to formal regulatory action. This approach helps resolve issues or disputes quickly and efficiently.
Working with other regulators
OVIC is part of a broader integrity framework and works with other regulators to limit investigations being duplicated. OVIC works with other regulators formally through referral provisions, and informally through research and education. Regulators that OVIC works with include the Independent Broadbased Anti-corruption Commission, Victorian Ombudsman, the Health Complaints Commissioner, the Mental Health Complaints Commissioner, the Disability Services Commissioner, the Commission for Children and Young People and the Office of the Australian Information Commissioner.
Targeted and proportional
OVIC takes a risk-based approach in deciding when and how to take regulatory action. OVIC considers the harm that the PDP Act and FOI Act aim to reduce, then applies its resources to areas where the risk of that harm is greatest or where that harm would have the most serious impact.
OVIC also monitors trends and consults with regulated bodies to identify emerging issues and in proactively manage these issues.
When taking regulatory action, OVIC takes action that is proportionate to the issue or breach.
Transparent and accountable
Monitoring our performance
OVIC continuously monitors and evaluates its performance including the impact of its regulatory action on regulated bodies and the public. OVIC monitors and evaluates its performance to be accountable to OVIC’s use of public money and legislated powers.
OVIC also uses its performance reporting to analyse systemic issues which, in turn, helps OVIC to apply its resources effectively in future regulatory activity. Using qualitative and quantitative data, OVIC develops and implements strategic business plans, while continually improving its approach and performance.
Communicating our regulatory activity
Where appropriate, OVIC publicly reports the outcome of its regulatory action on its website.9 OVIC also publishes general statistics about its regulatory activity including in its Annual Reports.
OVIC publicly communicates its work in order to:
Encourage adherence to the PDP Act and FOI Act by increasing awareness and knowledge of information rights and obligations.
Promote public confidence in OVIC’s regulatory activities and enhance community trust in the information handling practices of the Victorian public sector.
Ensure OVIC’s use of regulatory powers is transparent and consistent.
Active investigations
OVIC generally does not comment on active regulatory matters. However, if a particular matter receives public discussion or media reporting, OVIC may confirm that it is taking regulatory action without giving detail. OVIC aims for its public statements to be accurate, fair and balanced.