Hansard debates
Search Hansard|
Search help
|
|
|
|||||||
|
PRIVACY AND DATA PROTECTION BILL 2014
|
|||||||
|
|
|||||||
|
12 June 2014
Statement of Compatibility
CLARK
|
|||||||
|
|
|||||||
PRIVACY AND DATA PROTECTION BILL 2014
Statement of compatibility
Mr CLARK (Attorney-General) tabled following statement in accordance with
Charter of Human Rights and Responsibilities Act 2006:
In accordance with section 28 of the Charter of Human Rights and
Responsibilities Act 2006 (the 'charter act'), I make this statement of
compatibility with respect to the Privacy and Data Protection Bill 2014 (the
bill).
In my opinion, the Privacy and Data Protection Bill 2014, as introduced to the
Legislative Assembly, is compatible with human rights as set out in the
charter act. I base my opinion on the reasons outlined in this statement.
Overview
The key purposes of the bill are to:
combine the provisions of the Information Privacy Act 2000 (IP act) and the
Commissioner for Law Enforcement Data Security Act 2005 (CLEDS act),
modified as necessary to create the new office of the Privacy and Data
Protection Commissioner;
introduce legislative provisions that fulfil the government's announced
commitment to the implementation of a new Victorian protective data security
regime; and
introduce two mechanisms (public interest determinations and information
usage arrangements (IUAs) to provide some limited flexibility in the
application of certain of the existing information privacy principles (IPPs)
and (in the case of IUAs) certain information handling provisions in other
acts.
Human rights issues
Relevant charter act rights
Section 13 -- a person has the right not to have his or her privacy unlawfully
or arbitrarily interfered with.
The explanatory memorandum to the charter act stated that it was that act's
intention that the right to privacy it contained be interpreted consistently
with the existing information privacy and health records framework in Victoria
to the extent that it protects against arbitrary interference.
In WBM v. Chief Commissioner of Police [2012] VSCA 159 (WBM), the Victorian
Court of Appeal considered but did not need to choose between two competing
interpretations of 'arbitrary' for the purposes of this right. The first was
the 'ordinary' or dictionary meaning: a decision or action, which is not based
on any relevant identifiable criterion, but which stems from an act of caprice
or whim (WBM, [99]).
The second interpretation of 'arbitrary' was broader and was described by Bell
J in PJB v. Melbourne Health [2011] VSC 327 [84] as follows:
--[arbitrary']...extends to interferences which, in the particular
circumstances applying to the individual, are capricious, unpredictable or
unjust and also to interferences which, in those circumstances, are
unreasonable in the sense of not being proportionate to a legitimate aim
sought--.
In WBM, the Court of Appeal did not decide which interpretation was correct,
but the broader meaning was preferred in obiter dicta by Warren CJ ([104] and
Hansen JA [133] and adopted by Bell AJA).
In my opinion, nothing in this bill creates an arbitrary interference with
privacy on either interpretation of the word.
The right to privacy is enhanced by the bill's substantive provisions in
relation to:
protective data security (in part 4);
law enforcement data security (in part 5) (based on the CLEDS act); and
the information privacy provisions (in part 3) which are unchanged from the
IP act, including:
its scope of application in respect of privacy to public sector
organisations;
the IPPs set out in schedule 1 of the bill; and
the exemptions for certain organisations, such as courts and tribunals and
law enforcement agencies in specified circumstances, from the application
of some or all of the IPPs, on public interest grounds.
A table of re-enacted provisions is included in part 9 -- Consequential
Amendments.
Part 3 of the bill introduces two new mechanisms not contained in the IP act:
Page 2107
public interest determinations;
information usage arrangements (IUAs);
which allow for dispensations from the IPPs or approved codes of practice and
(in the case of IUAs) allow for specified practices to be treated as
authorised by information handling provisions in other acts.
Public interest determinations
The PDP commissioner can make public interest determinations (and temporary
public interest determinations) (PIDs and TPIDs), and in part 3 division 6 --
Information usage arrangements (IUAs), allow for any IPP (except for IPP4 on
data security and IPP6 on access and correction) or an approved code of
practice to be departed from in respect of relevant organisations' proposed
handling of personal information.
The authorisation by a PID or TPID or an IUA or a certification of an act or
practice which may contravene an IPP need not constitute an interference with
privacy under the charter act.
If a PID or TPID did authorise an interference with the privacy of an
individual, such authorisation will be lawful and not arbitrary because:
persons whose interests would be affected by a PID are afforded an
opportunity to be heard before a PID is made;
the PDP commissioner may only make a PID or TPID if satisfied that the
public interest in the organisation engaging in the act or practice
substantially outweighs the public interest in complying with the relevant
IPP;
for transparency, PIDs and TPIDs must be published on the PDP commissioner's
website;
an organisation subject to a PID must report on it to the commissioner at
least annually and the PDP commissioner must revoke a PID or TPID where the
public interest grounds are no longer met, and may revoke it if the reasons
set out in the application no longer apply;
a PID and TPID may be disallowed by Parliament.
Information usage arrangements
IUAs are designed to address many aspects of information handling between the
parties, not just the IPPs. Subject to commissioner's satisfaction that
relevant public interest tests have been met and the approval of relevant
ministers, an IUA may authorise a departure from the IPPs (except IPPs 4 and
6) or an approved code of practice and may determine that an information
handling practice is permitted for the purpose of an 'information handling
provision' which is a provision of an act that permits handling of personal
information as required or authorised by law or by or under an act.
If an IUA did authorise an interference with privacy, such authorisation will
be lawful and not arbitrary because:
an IUA must be initiated by a Victorian government organisation and must set
out practices for handling personal information to be undertaken in relation
to one or more public purposes including the provision of services in the
public interest;
an IUA must be submitted for approval by the commissioner and relevant
ministers;
the information to be provided to the PDP commissioner and ministers in a
IUA for consideration is extensive, including identification of any adverse
actions that may be taken by organisations as a result of the operation of
the IUA;
the PDP commissioner must consider and certify that the acts and practices
described in the IUA satisfy a net public interest test before any
authorisation to depart from an IPP or approved code of practice or any
permission for the purposes of an information handling provision is given;
the PDP commissioner must report on a draft IUA to the responsible
minister/s and the report may consider the appropriateness of any aspects of
the IUA;
the IUA must be approved by the responsible minister/s; and
the IUA must be published on the PDP commissioner's website (redacted or
summarised as necessary) and the lead party must report on the IUA to the
commissioner at least annually.
In addition, the PDP commissioner may issue compliance notices in respect of
IUAs under part 3 division 9 if the terms of an IUA are not complied with by
the organisations involved. Further, the responsible minister/s must revoke an
IUA if the public interest tests are no longer met, or may revoke it if the
reasons for application no longer apply.
Certifications by the PDP commissioner
The commissioner may also certify that a specified act or practice of an
organisation is consistent with an IPP or an information handling provision or
an approved code of practice. The certification process is not a means for
authorising a departure from an IPP or information handling provision or an
approved code of practice, but a means of providing an independent view that
an act or practice is consistent with them.
A person who acts in good faith in reliance on a current certificate does not
contravene the relevant IPP or information handling provision or approved code
of practice. Any person whose interests are affected by a certificate may seek
review of the decision to issue the certificate in VCAT. VCAT or a court may
set aside a certificate. Certificates must be published on the commissioner's
website. In my opinion, the provision of a certificate of consistency by the
commissioner, which is reviewable by a court or VCAT, does not limit the right
to be free from arbitrary interferences with privacy.
Robert Clark, MP
Attorney-General