Hansard Search

12 March 1991 - Current

 
PRIVACY AND DATA PROTECTION BILL 2014
Page 2106
12 June 2014
ASSEMBLY Statement of Compatibility CLARK
                     PRIVACY AND DATA PROTECTION BILL 2014
                           Statement of compatibility
Mr  CLARK  (Attorney-General)  tabled following  statement  in  accordance  with
Charter of Human Rights and Responsibilities Act 2006:
  In  accordance   with  section  28  of   the  Charter  of  Human   Rights  and
  Responsibilities Act  2006  (the  'charter act'),  I  make this  statement  of
  compatibility with  respect to the Privacy and Data Protection  Bill 2014 (the
  bill).
  In my opinion, the Privacy and Data Protection Bill 2014, as introduced to the
  Legislative Assembly, is  compatible  with human  rights  as  set out  in  the
  charter act. I base my opinion on the reasons outlined in this statement.

  Overview
  The key purposes of the bill are to:
    combine the  provisions of the Information Privacy Act 2000 (IP act) and the
    Commissioner  for Law  Enforcement  Data  Security  Act  2005  (CLEDS  act),
    modified  as  necessary  to  create the new office of the Privacy  and  Data
    Protection Commissioner;
    introduce legislative  provisions that  fulfil  the  government's  announced
    commitment to the implementation of a new Victorian protective data security
    regime; and

    introduce  two  mechanisms (public  interest determinations  and information
    usage  arrangements (IUAs)  to  provide  some  limited  flexibility  in  the
    application of certain of the existing information privacy principles (IPPs)
    and (in  the case of IUAs)  certain information handling provisions in other
    acts.
  Human rights issues
  Relevant charter act rights
  Section 13 -- a person has the right not to have his or her privacy unlawfully
  or arbitrarily interfered with.

  The explanatory memorandum to the charter act  stated  that  it was that act's
  intention that  the right to privacy it contained be  interpreted consistently
  with the existing information privacy and health records framework in Victoria
  to the extent that it protects against arbitrary interference.
  In  WBM  v. Chief Commissioner of Police [2012] VSCA 159 (WBM), the  Victorian
  Court of Appeal  considered  but  did not need to choose between two competing
  interpretations of 'arbitrary' for  the purposes of this right. The first  was
  the 'ordinary' or dictionary meaning: a decision or action, which is not based
  on any relevant identifiable criterion, but which stems from an act of caprice
  or whim (WBM, [99]).
  The second interpretation of 'arbitrary' was broader and was described by Bell
  J in PJB v. Melbourne Health [2011] VSC 327 [84] as follows:

  --[arbitrary']...extends   to   interferences   which,   in   the   particular
  circumstances  applying to  the  individual, are  capricious, unpredictable or
  unjust   and  also  to  interferences  which,  in  those  circumstances,   are
  unreasonable in the  sense  of not  being  proportionate to a  legitimate  aim
  sought--.
  In WBM, the Court of  Appeal  did not decide which interpretation was correct,
  but the broader meaning was preferred in obiter dicta by Warren  CJ ([104] and
  Hansen JA [133] and adopted by Bell AJA).
  In my  opinion, nothing in this  bill creates an  arbitrary  interference with
  privacy on either interpretation of the word.
  The  right to  privacy  is enhanced by  the  bill's substantive provisions  in
  relation to:

    protective data security (in part 4);
    law enforcement data security (in part 5) (based on the CLEDS act); and
    the information privacy provisions (in  part 3) which are unchanged from the
    IP act, including:
      its  scope  of   application in  respect   of privacy  to  public   sector
      organisations;
      the IPPs set out in schedule 1 of the bill; and
      the exemptions for certain organisations, such as courts and tribunals and
      law  enforcement agencies in specified circumstances, from the application
      of some or all of the IPPs, on public interest grounds.

  A table  of  re-enacted provisions is  included  in part  9  --  Consequential
  Amendments.
  Part 3 of the bill introduces two new mechanisms not contained in the IP act:


Page 2107
public interest determinations; information usage arrangements (IUAs); which allow for dispensations from the IPPs or approved codes of practice and (in the case of IUAs) allow for specified practices to be treated as authorised by information handling provisions in other acts. Public interest determinations The PDP commissioner can make public interest determinations (and temporary public interest determinations) (PIDs and TPIDs), and in part 3 division 6 -- Information usage arrangements (IUAs), allow for any IPP (except for IPP4 on data security and IPP6 on access and correction) or an approved code of practice to be departed from in respect of relevant organisations' proposed handling of personal information. The authorisation by a PID or TPID or an IUA or a certification of an act or practice which may contravene an IPP need not constitute an interference with privacy under the charter act. If a PID or TPID did authorise an interference with the privacy of an individual, such authorisation will be lawful and not arbitrary because: persons whose interests would be affected by a PID are afforded an opportunity to be heard before a PID is made; the PDP commissioner may only make a PID or TPID if satisfied that the public interest in the organisation engaging in the act or practice substantially outweighs the public interest in complying with the relevant IPP; for transparency, PIDs and TPIDs must be published on the PDP commissioner's website; an organisation subject to a PID must report on it to the commissioner at least annually and the PDP commissioner must revoke a PID or TPID where the public interest grounds are no longer met, and may revoke it if the reasons set out in the application no longer apply; a PID and TPID may be disallowed by Parliament. Information usage arrangements IUAs are designed to address many aspects of information handling between the parties, not just the IPPs. Subject to commissioner's satisfaction that relevant public interest tests have been met and the approval of relevant ministers, an IUA may authorise a departure from the IPPs (except IPPs 4 and 6) or an approved code of practice and may determine that an information handling practice is permitted for the purpose of an 'information handling provision' which is a provision of an act that permits handling of personal information as required or authorised by law or by or under an act. If an IUA did authorise an interference with privacy, such authorisation will be lawful and not arbitrary because: an IUA must be initiated by a Victorian government organisation and must set out practices for handling personal information to be undertaken in relation to one or more public purposes including the provision of services in the public interest; an IUA must be submitted for approval by the commissioner and relevant ministers; the information to be provided to the PDP commissioner and ministers in a IUA for consideration is extensive, including identification of any adverse actions that may be taken by organisations as a result of the operation of the IUA; the PDP commissioner must consider and certify that the acts and practices described in the IUA satisfy a net public interest test before any authorisation to depart from an IPP or approved code of practice or any permission for the purposes of an information handling provision is given; the PDP commissioner must report on a draft IUA to the responsible minister/s and the report may consider the appropriateness of any aspects of the IUA; the IUA must be approved by the responsible minister/s; and the IUA must be published on the PDP commissioner's website (redacted or summarised as necessary) and the lead party must report on the IUA to the commissioner at least annually. In addition, the PDP commissioner may issue compliance notices in respect of IUAs under part 3 division 9 if the terms of an IUA are not complied with by the organisations involved. Further, the responsible minister/s must revoke an IUA if the public interest tests are no longer met, or may revoke it if the reasons for application no longer apply. Certifications by the PDP commissioner The commissioner may also certify that a specified act or practice of an organisation is consistent with an IPP or an information handling provision or an approved code of practice. The certification process is not a means for authorising a departure from an IPP or information handling provision or an approved code of practice, but a means of providing an independent view that an act or practice is consistent with them. A person who acts in good faith in reliance on a current certificate does not contravene the relevant IPP or information handling provision or approved code of practice. Any person whose interests are affected by a certificate may seek review of the decision to issue the certificate in VCAT. VCAT or a court may set aside a certificate. Certificates must be published on the commissioner's website. In my opinion, the provision of a certificate of consistency by the commissioner, which is reviewable by a court or VCAT, does not limit the right to be free from arbitrary interferences with privacy. Robert Clark, MP Attorney-General