Privacy and Data Protection Act 2014 (VIC)

Privacy and Data Protection Act 2014 (Vic). David Littlejohn, Special Counsel; Richard Laufer, Lawyer. 7 October 2014

An In-House Counsel and Privacy Practitioners update on the changed regulatory landscape. The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014. The new legislation replaces the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005 with a unified scheme governing the handling of personal information and data by Victorian public sector agencies.

Transcript of Privacy and Data Protection Act 2014 (VIC)

Page 1: Privacy and Data Protection Act 2014 (VIC)

Privacy and Data Protection Act 2014 (Vic)

David Littlejohn, Special Counsel

Richard Laufer, Lawyer

7 October 2014

Page 2: Privacy and Data Protection Act 2014 (VIC)

“...privacy is a middle class invention by people with nothing else to worry about. Normally they would have every right to live in their moral fog, but not when their confusion permeates the feeble minds of law-makers and puts the innocent at risk.

The right to privacy is the adult equivalent of Santa Claus and unicorns. No one has yet been able to identify where the right to privacy comes from and why we need it.”

Mirko Bagaric (2007), “Privacy Is The Last Thing We Need”, The Age 22 April 2007

Mirko Bagaric is an author and lawyer who writes on law and moral and political philosophy.

What is “Privacy Law”?

Page 3: Privacy and Data Protection Act 2014 (VIC)

> Privacy Act 1988 (Cth)

> Regulates the handling of personal information about individuals – includes the collection, use, storage and disclosure of personal information, and access to and correction of that information

> Applies to some private sector organisations, and most Australian Government agencies

> Recent amendments commenced March 2014

> Other Commonwealth legislation

> Telecommunications Act 1997

> Aged Care Act 1997

> Personal Property and Securities Act 2009

> No express reference in Constitution

Privacy protection - Commonwealth

Page 4: Privacy and Data Protection Act 2014 (VIC)

> Privacy and Data Protection Act 2014 (Vic)

> Health Records Act 2001 (Vic)

> Surveillance Devices Act 1999 (Vic)

> Freedom of Information Act 1982 (Vic)

> Public Records Act 1973 (Vic)

> Charter of Human Rights and Responsibilities Act 2006 (Vic)

Privacy protection - Victoria

Page 5: Privacy and Data Protection Act 2014 (VIC)

> Received assent on 2 September 2014 and commenced 17 September 2014 (save for Division 2 of Part 9)

> provides for responsible collection and handling of personal information in the Victorian public sector

> provides remedies for interferences with the information privacy of an individual

> establishes a protective data security regime for the Victorian public sector and a regime for monitoring and assuring public sector data security

> Establishes new position – Commissioner for Privacy and Data Protection (David Watts)

> Repeals the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005

Privacy and Data Protection Act 2014

Page 6: Privacy and Data Protection Act 2014 (VIC)

> Same application as s 9 of the Information Privacy Act

> IPPs re-enacted

> Codes of practice

> Complaints

> New mechanisms

> PID/TPID

> IUA

> Certificates

What does it do?

Page 7: Privacy and Data Protection Act 2014 (VIC)

> Intended to strengthen the protection of personal information and other data held by the Victorian public sector.

> Establishes three mechanisms by which acts or practices which would otherwise breach privacy requirements may be engaged in, provided it is in the public interest.

1) Public Interest Determinations (PID) and Temporary Public Interest Determinations (TPID)

2) Information Usage Arrangements (IUAs)

3) Certification

Modifying privacy obligations

Page 8: Privacy and Data Protection Act 2014 (VIC)

> Public sector:

> Government

> Council

> Body established for a public purpose

> Individuals holding certain positions

> Court or Tribunal

> Victoria Police

> Contracted service provider

> Any other body declared

Who the Act applies to

Page 9: Privacy and Data Protection Act 2014 (VIC)

> Courts and Tribunals – when exercising judicial and quasi-judicial functions

> Parliamentary Committees

> Specified types of information that is publicly available information

Exempt from the Act

Page 10: Privacy and Data Protection Act 2014 (VIC)

> Similar to mechanisms in Privacy Act 1988 (Cth).

> Determinations made where the public interest is outweighed by justification for compliance with privacy obligations.

> Public interest determinations may be made on a temporary (up to 12 months) or ongoing basis.

> Provide certainty regarding handling of personal information in areas which involve some legal risk, e.g. inter-agency data sharing and matching.

> Primary difference in applying for a temporary determination is urgency.

Public Interest Determinations

Page 11: Privacy and Data Protection Act 2014 (VIC)

> Provides that an act or practice that is covered by the arrangement is required or authorised for the purposes of an information handling provision in another Act.

> An organisation may apply to the Commissioner for approval of an IUA on its own behalf or in conjunction with one or more other organisations (including private sector bodies).

> The Commissioner must consider whether the public interest in the applicant engaging in the specified acts or practices substantially outweighs the public interest in adhering to the applicable IPPs.

Information Usage Arrangements

Page 12: Privacy and Data Protection Act 2014 (VIC)

> The Commissioner can certify that specified acts or practices are consistent with applicable privacy requirements.

> The effect of certification is that a person who engages in the act or practice in good faith does not contravene the specified requirement.

Certification

Page 13: Privacy and Data Protection Act 2014 (VIC)

> Establishes the Commissioner for Privacy and Data Protection – amalgamated position

> The Commissioner and this office will be responsible for overseeing privacy and data protection in Victoria.

> Under the Act, the public sector will be able to ask the Commissioner for a determination about whether a particular use of personal information is consistent with their privacy obligations, as well as seek approval to depart from certain information privacy principles if it is in the public interest to do so.

Commissioner

Page 14: Privacy and Data Protection Act 2014 (VIC)

> Broad

> Functions split into separate categories

> Information Privacy

> Protective Data Security and Law Enforcement Data Security

> Wide ranging powers

Commissioner - Roles and functions

Page 15: Privacy and Data Protection Act 2014 (VIC)

> Issue compliance notices

> Offence not to comply

> Power to compel

> Protection against self-incrimination

> Application for review - VCAT

Enforcement

Page 16: Privacy and Data Protection Act 2014 (VIC)

> Who can make them?

> Threshold requirements for complaints

> Process for dealing with complaints

> Conciliation

> Commissioner / Minister may refer to VCAT

> Interim orders / Injunction

> Costs?

Information Privacy Complaints

Page 17: Privacy and Data Protection Act 2014 (VIC)

> What can VCAT decide?

> Wide ranging options

> Restraining certain acts

> Enforce certain acts

> Award damages

> Costs

> Correction of public register

Information Privacy Complaints cont…

Page 18: Privacy and Data Protection Act 2014 (VIC)

> Application

> Most public sector agencies, but does not apply to some key bodies

> Such bodies are not obliged to comply with Data Security obligations, but obligations in IPP 4 still apply!

Protective Data Security

Page 19: Privacy and Data Protection Act 2014 (VIC)

> Covers public sector data and public sector data systems

> Commissioner’s functions

> Victorian Protective Data Security Framework (VPDSF)

Protective Data Security

Page 20: Privacy and Data Protection Act 2014 (VIC)

> Gives the Commissioner power to issue standards for the security, confidentiality and integrity of public sector data

> Public sector agencies will be required to comply with applicable data security standards in respect of their data systems and all public sector data they collect and hold.

> Current provisions relating to law enforcement data security are substantially continued under the new Act.

Protective Data Security

Page 21: Privacy and Data Protection Act 2014 (VIC)

> Applies to Victoria Police

> Chief Statistician – new position

> Employee or consultant employed or engaged under section 6 of the Crime Statistics Act 2014

Law Enforcement Data

Page 22: Privacy and Data Protection Act 2014 (VIC)

> Victorian public sector organisations continue to be bound by IPPs in respect of personal information. In addition, some will need to:

> ensure data systems and practices comply with new data security standards;

> assess data security risks and develop protective data security plans; and

> consider differences between IPPs and APPs in dealings with Commonwealth agencies and private sector organisations.

> Ensure compliance

> Privacy assessments ~ audit

> Mitigate risk

Implications – public sector

Page 23: Privacy and Data Protection Act 2014 (VIC)

> Private sector organisations dealing with Victorian government agencies may need to:

> consider seeking protection of an IUA where accessing or handling personal information held by a government agency

> consider whether their obligations under the APPs are consistent with privacy obligations they might assume as a contracted service provider to a Victorian government agency

Implications – private sector

Page 24: Privacy and Data Protection Act 2014 (VIC)

> Privacy Assessment

> What information is collected?

> How is it collected, used, stored, destroyed?

> How is it disclosed?

> What privacy policies are currently in place?

> What complaint procedures are currently in place?

> Outcome – recommendations as to changes to comply with new legislation

What should you have done/do now?

Page 25: Privacy and Data Protection Act 2014 (VIC)

> Privacy Amendment (Privacy Alerts) Bill 2013

> A tort of invasion of privacy?

> ALRC Discussion Paper – Serious Invasions of Privacy in the Digital Era

> A statutory cause of action for serious invasion of privacy should be contained in a new Commonwealth Act (the new Act).

Future Reform?

Page 26: Privacy and Data Protection Act 2014 (VIC)

Questions?

David Littlejohn

Special Counsel

T: 03 8640 2300

Richard Laufer

Lawyer

T: 03 8602 7216

www.rk.com.au

Page 27: Privacy and Data Protection Act 2014 (VIC)

The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly.

Disclaimer
