PRIVACY AND DATA PROTECTION BILL 2014
12 June 2014
Statement of Compatibility
CLARK
PRIVACY AND DATA PROTECTION BILL 2014

Statement of compatibility

Mr CLARK (Attorney-General) tabled following statement in accordance with Charter of Human Rights and Responsibilities Act 2006:

In accordance with section 28 of the Charter of Human Rights and Responsibilities Act 2006 (the 'charter act'), I make this statement of compatibility with respect to the Privacy and Data Protection Bill 2014 (the bill).

In my opinion, the Privacy and Data Protection Bill 2014, as introduced to the Legislative Assembly, is compatible with human rights as set out in the charter act. I base my opinion on the reasons outlined in this statement.

Overview

The key purposes of the bill are to:

combine the provisions of the Information Privacy Act 2000 (IP act) and the Commissioner for Law Enforcement Data Security Act 2005 (CLEDS act), modified as necessary to create the new office of the Privacy and Data Protection Commissioner;
introduce legislative provisions that fulfil the government's announced commitment to the implementation of a new Victorian protective data security regime; and
introduce two mechanisms (public interest determinations and information usage arrangements (IUAs)) to provide some limited flexibility in the application of certain of the existing information privacy principles (IPPs) and (in the case of IUAs) certain information handling provisions in other acts.

Human rights issues

Relevant charter act rights

Section 13 -- a person has the right not to have his or her privacy unlawfully or arbitrarily interfered with.

The explanatory memorandum to the charter act stated that it was that act's intention that the right to privacy it contained be interpreted consistently with the existing information privacy and health records framework in Victoria to the extent that it protects against arbitrary interference.

In WBM v. Chief Commissioner of Police [2012] VSCA 159 (WBM), the Victorian Court of Appeal considered but did not need to choose between two competing interpretations of 'arbitrary' for the purposes of this right. The first was the 'ordinary' or dictionary meaning: a decision or action, which is not based on any relevant identifiable criterion, but which stems from an act of caprice or whim (WBM, [99]).

The second interpretation of 'arbitrary' was broader and was described by Bell J in PJB v. Melbourne Health [2011] VSC 327 [84] as follows:

"['arbitrary'] ... extends to interferences which, in the particular circumstances applying to the individual, are capricious, unpredictable or unjust and also to interferences which, in those circumstances, are unreasonable in the sense of not being proportionate to a legitimate aim sought".

In WBM, the Court of Appeal did not decide which interpretation was correct, but the broader meaning was preferred in obiter dicta by Warren CJ ([104] and Hansen JA [133] and adopted by Bell AJA).

In my opinion, nothing in this bill creates an arbitrary interference with privacy on either interpretation of the word.

The right to privacy is enhanced by the bill's substantive provisions in relation to:

protective data security (in part 4);
law enforcement data security (in part 5) (based on the CLEDS act); and
the information privacy provisions (in part 3) which are unchanged from the IP act, including:
  its scope of application in respect of privacy to public sector organisations;
  the IPPs set out in schedule 1 of the bill; and
  the exemptions for certain organisations, such as courts and tribunals and law enforcement agencies in specified circumstances, from the application of some or all of the IPPs, on public interest grounds.

A table of re-enacted provisions is included in part 9 -- Consequential Amendments.

Part 3 of the bill introduces two new mechanisms not contained in the IP act:

public interest determinations;
information usage arrangements (IUAs);

which allow for dispensations from the IPPs or approved codes of practice and (in the case of IUAs) allow for specified practices to be treated as authorised by information handling provisions in other acts.

Public interest determinations

The PDP commissioner can make public interest determinations (and temporary public interest determinations) (PIDs and TPIDs), and in part 3 division 6 -- Information usage arrangements (IUAs), allow for any IPP (except for IPP4 on data security and IPP6 on access and correction) or an approved code of practice to be departed from in respect of relevant organisations' proposed handling of personal information.

The authorisation by a PID or TPID or an IUA or a certification of an act or practice which may contravene an IPP need not constitute an interference with privacy under the charter act.

If a PID or TPID did authorise an interference with the privacy of an individual, such authorisation will be lawful and not arbitrary because:

persons whose interests would be affected by a PID are afforded an opportunity to be heard before a PID is made;
the PDP commissioner may only make a PID or TPID if satisfied that the public interest in the organisation engaging in the act or practice substantially outweighs the public interest in complying with the relevant IPP;
for transparency, PIDs and TPIDs must be published on the PDP commissioner's website;
an organisation subject to a PID must report on it to the commissioner at least annually and the PDP commissioner must revoke a PID or TPID where the public interest grounds are no longer met, and may revoke it if the reasons set out in the application no longer apply;
a PID and TPID may be disallowed by Parliament.

Information usage arrangements

IUAs are designed to address many aspects of information handling between the parties, not just the IPPs. Subject to the commissioner's satisfaction that relevant public interest tests have been met and the approval of relevant ministers, an IUA may authorise a departure from the IPPs (except IPPs 4 and 6) or an approved code of practice and may determine that an information handling practice is permitted for the purpose of an 'information handling provision' which is a provision of an act that permits handling of personal information as required or authorised by law or by or under an act.

If an IUA did authorise an interference with privacy, such authorisation will be lawful and not arbitrary because:

an IUA must be initiated by a Victorian government organisation and must set out practices for handling personal information to be undertaken in relation to one or more public purposes including the provision of services in the public interest;
an IUA must be submitted for approval by the commissioner and relevant ministers;
the information to be provided to the PDP commissioner and ministers in an IUA for consideration is extensive, including identification of any adverse actions that may be taken by organisations as a result of the operation of the IUA;
the PDP commissioner must consider and certify that the acts and practices described in the IUA satisfy a net public interest test before any authorisation to depart from an IPP or approved code of practice or any permission for the purposes of an information handling provision is given;
the PDP commissioner must report on a draft IUA to the responsible minister/s and the report may consider the appropriateness of any aspects of the IUA;
the IUA must be approved by the responsible minister/s; and
the IUA must be published on the PDP commissioner's website (redacted or summarised as necessary) and the lead party must report on the IUA to the commissioner at least annually.

In addition, the PDP commissioner may issue compliance notices in respect of IUAs under part 3 division 9 if the terms of an IUA are not complied with by the organisations involved. Further, the responsible minister/s must revoke an IUA if the public interest tests are no longer met, or may revoke it if the reasons for application no longer apply.

Certifications by the PDP commissioner

The commissioner may also certify that a specified act or practice of an organisation is consistent with an IPP or an information handling provision or an approved code of practice. The certification process is not a means for authorising a departure from an IPP or information handling provision or an approved code of practice, but a means of providing an independent view that an act or practice is consistent with them. A person who acts in good faith in reliance on a current certificate does not contravene the relevant IPP or information handling provision or approved code of practice.

Any person whose interests are affected by a certificate may seek review of the decision to issue the certificate in VCAT. VCAT or a court may set aside a certificate. Certificates must be published on the commissioner's website.

In my opinion, the provision of a certificate of consistency by the commissioner, which is reviewable by a court or VCAT, does not limit the right to be free from arbitrary interferences with privacy.

Robert Clark, MP
Attorney-General