12 March 1991 - Current
PRIVACY AND DATA PROTECTION BILL 2014 Second reading Mr CLARK (Attorney-General) -- I move: That this bill be now read a second time.
Speech as follows incorporated into Hansard in accordance with resolution of house: The reforms introduced by the Privacy and Data Protection Bill 2014 will strengthen the protection of citizens' private information that is held by the Victorian public sector. For the first time in Victoria, the bill requires the development of a protective data security framework for monitoring and assuring the security of data held by the public sector. The framework will address a number of the data security issues identified by the Victorian Auditor-General in his 2009 report on Maintaining the Integrity and Confidentiality of Personal Information. The framework will include protective data security standards, protective data security plans prepared by public sector bodies to implement the standards, and law enforcement data security standards relating specifically to law enforcement data and crime statistics. Alongside clear standards for ensuring the security of data, the bill will establish clear avenues for departments and agencies to seek a determination about whether a particular use of personal information that it holds is authorised or required by law. The bill will also allow public sector organisations to apply to enter into arrangements allowing them to handle or share personal information in ways that vary the application of certain information privacy principles, if that use of the information is clearly in the public interest. The bill also merges the existing roles of Privacy Commissioner and the Commissioner for Law Enforcement Data Security to create a single Privacy and Data Protection Commissioner with responsibility for the oversight of the privacy regime in Victoria. The bill otherwise re-enacts, or re-enacts with clearer wording, many key provisions of the Information Privacy Act, notably the information privacy principles. The 'organisations' to which that act applied remain subject to the privacy provisions of this bill. I will now outline the main provisions of the bill. Use of public sector information The bill provides two new avenues for a public sector agency to determine whether a particular use of personal information is authorised or required by law. [IUA as to handling provisions and certification] The bill also provides two avenues for a public sector agency to seek to vary the application of, or not comply with, an information privacy principle, except for principles 4 and 6 relating to the security of data and access to or correction of it respectively. [IUA as to IPPs and PIDs] PIDs and TPIDs empower the commissioner to determine that specified actions in respect of personal information that do or may contravene an IPP (other than IPPs 4 (data security) or 6 (access and correction)) or a code of conduct are not unlawful. They will not be regarded as interferences with privacy while the determination is in force. The key functions of an IUA are to facilitate: compliance with a law; the performance of the functions of any Australian government agency (federal, state, territory); or a provision of a service in the public interest to the public or a section of the public. Victorian public sector entities may seek approval of an IUA involving as parties other Victorian public sector entities or external organisations including contracted service providers, commonwealth, state or territory government sector bodies, or private sector bodies including non-government organisations and overseas entities. External organisations will remain bound by whatever privacy obligations they have under the laws of other jurisdictions. Significantly, an IUA is also permitted, subject to safeguards, in circumstances where: a provision in a statute or regulation other than this bill permits such collection, use or disclosure where it is 'required or authorised by law'. The public interest in the protection of personal privacy is carefully safeguarded in respect of PIDs, TPIDs and IUAs in various ways. Among these is the bill's specification of grounds on which PIDs and TPIDs may be revoked by the PDP commissioner. PIDs and TPIDs are also subject to being disallowed by Parliament. For IUAs, the bill specifies in detail the procedure to apply to the PDP commissioner, parties and content, together with notification where adverse actions may be taken in consequence of the IUA, and provides for review of IUAs' operation. The PDP commissioner may issue compliance notices in respect of an IUA, and the relevant minister or ministers must revoke the IUA on specified grounds. The most significant safeguard of the public interest is that both these mechanisms require a public interest test to be met -- that the public interest in the applicant doing the acts or engaging in the practices specified in the application substantially outweighs the public interest in adhering to IPPs 1, 2, 3, 5, 7, 8, 9 or 10. For example, if an IUA provides for an organisation to transfer personal information out of Victoria, the organisation must either comply with IPP 9 (transborder data flows) or seek dispensation from IPP 9 pursuant to the IUA. Dispensation requires the PDP commissioner to certify that any such dispensation is justified on the public interest test, and the relevant minister or ministers to approve the dispensation after considering the PDP commissioner's report. The third new mechanism is certification by the PDP commissioner that a particular act or practice is consistent with the provisions of the IP act, this bill or the IPPs. This mechanism is intended to provide certainty to organisations where there may be doubt as to the legality of a proposed action, and to afford statutory protection to persons who act in good faith in reliance on the PDP commissioner's certification while it remains in force. An individual or organisation whose interests are affected by the decision to issue the certificate may apply to the Victorian Civil and Administrative Tribunal (VCAT) for review of the decision.
The availability of these mechanisms is expected to significantly assist in the delivery of public services in the public interest, in particular in areas such as the implementation of child protection programs where multiple agencies hold information, the performance of various land management functions, and the control of organised crime. Protective data security Aggregating the responsibility for oversight of the Victorian privacy and law enforcement data security regimes, as well as for the implementation of a new Victorian protective data security regime, is expected to reap the benefits of consistency and coordination in this fast-moving sphere. Part 4, Protective Data Security, is applicable to the entities set out in division 1. While the intention is that the whole of government will be covered by this regime, there are exceptions. Notable among these is the health services within the meaning of the Health Services Act 1988 that are specified in division 1 and which are governed by separate legislation. The key protective data security provisions in the bill concern development by the PDP commissioner of the Victorian protective data security framework, and protective data security standards. These standards may be either general or customised, and must be approved by the Attorney-General and the minister responsible for whole-of-government ICT. Within two (2) years of the issue of the standards applying to an agency or body to which part 4 applies, it must ensure that: a security risk profile assessment is undertaken for the agency or body; and a protective data security plan is developed that addresses the standards applicable to that agency or body. These plans will not be subject to the Freedom of Information Act 1982. There is provision for review of a plan if an agency or body's circumstances change, or otherwise every two years. Because it is recognised that not all agencies or bodies subject to part 4 will have equal capacity or resources to meet their obligations under this part, the bill's regulations provision will enable differential application as required. Law enforcement data security The law enforcement data security provisions in part 4 apply to both Victoria Police and the new chief statistician. They are largely based on the provisions of the CLEDS act, and the bill provides for continuity between the two regimes, including the 'Standards for Victoria Police law enforcement data security' issued in 2007. It should be noted that if a law enforcement data security standard is inconsistent with a protective data security standard, the law enforcement security standard prevails to the extent of the inconsistency. The reforms embodied in this bill create a more streamlined system that will have broader and more comprehensive oversight of the privacy and information security regime for the Victorian public sector. The bill also introduces flexibility in relation to handling of personal information held by the public sector where appropriate in the public interest. At the same time, the Victorian government is responding to trends worldwide towards more open access to information, which the government has endorsed through its DataVic Access Policy. PDP commissioner's functions In light of the scope of the bill, the PDP commissioner will be responsible for a broad range of functions. In respect of privacy these include: promoting an understanding of and acceptance of the IPPs and of the objects of those principles; examining the practices of organisations with respect to personal information they maintain; receiving complaints about the acts or practices of organisations that do or may contravene IPPs or adversely affect individuals' privacy; conducting or commissioning audits of organisations in respect of their handling of personal information; issuing compliance notices to organisations; and issuing guidelines and other materials in relation to the IPPs. In respect of protective data security and law enforcement data security, the PDP commissioner's functions include: issuing protective data security standards and law enforcement data security standards; developing the Victorian protective data security framework and promoting the uptake of protective data security standards by the public sector; conducting monitoring and assurance activities, including audits, to ascertain compliance with data security standards, and referring findings; undertaking reviews of matters relating to data security and crime statistics data security; and making reports and recommendations. I commend the bill to the house. Debate adjourned on motion of Mr NOONAN (Williamstown). Debate adjourned until Thursday, 26 June.