Hansard debates
PRIVACY AND DATA PROTECTION BILL 2014
12 June 2014
Second Reading
CLARK
Mr CLARK (Attorney-General) -- I move:
That this bill be now read a second time.
Page 2108
Speech as follows incorporated into Hansard in accordance with resolution of
house:
The reforms introduced by the Privacy and Data Protection Bill 2014 will
strengthen the protection of citizens' private information that is held by the
Victorian public sector.
For the first time in Victoria, the bill requires the development of a
protective data security framework for monitoring and assuring the security of
data held by the public sector.
The framework will address a number of the data security issues identified by
the Victorian Auditor-General in his 2009 report on Maintaining the Integrity
and Confidentiality of Personal Information.
The framework will include protective data security standards, protective data
security plans prepared by public sector bodies to implement the standards,
and law enforcement data security standards relating specifically to law
enforcement data and crime statistics.
Alongside clear standards for ensuring the security of data, the bill will
establish clear avenues for departments and agencies to seek a determination
about whether a particular use of personal information that they hold is
authorised or required by law.
The bill will also allow public sector organisations to apply to enter into
arrangements allowing them to handle or share personal information in ways
that vary the application of certain information privacy principles, if that
use of the information is clearly in the public interest.
The bill also merges the existing roles of Privacy Commissioner and the
Commissioner for Law Enforcement Data Security to create a single Privacy and
Data Protection Commissioner with responsibility for the oversight of the
privacy regime in Victoria.
The bill otherwise re-enacts, or re-enacts with clearer wording, many key
provisions of the Information Privacy Act, notably the information privacy
principles. The 'organisations' to which that act applied remain subject to
the privacy provisions of this bill.
I will now outline the main provisions of the bill.
Use of public sector information
The bill provides two new avenues for a public sector agency to determine
whether a particular use of personal information is authorised or required by
law. [IUA as to handling provisions and certification]
The bill also provides two avenues for a public sector agency to seek to vary
the application of, or not comply with, an information privacy principle,
except for principles 4 and 6 relating to the security of data and access to
or correction of it respectively. [IUA as to IPPs and PIDs]
PIDs and TPIDs empower the commissioner to determine that specified actions in
respect of personal information that do or may contravene an IPP (other than
IPPs 4 (data security) or 6 (access and correction)) or a code of conduct are
not unlawful. They will not be regarded as interferences with privacy while
the determination is in force.
The key functions of an IUA are to facilitate:
- compliance with a law;
- the performance of the functions of any Australian government agency
  (federal, state, territory); or
- a provision of a service in the public interest to the public or a section
  of the public.
Victorian public sector entities may seek approval of an IUA involving as
parties other Victorian public sector entities or external organisations
including contracted service providers, commonwealth, state or territory
government sector bodies, or private sector bodies including non-government
organisations and overseas entities.
External organisations will remain bound by whatever privacy obligations they
have under the laws of other jurisdictions.
Significantly, an IUA is also permitted, subject to safeguards, in
circumstances where a provision in a statute or regulation other than this
bill permits such collection, use or disclosure where it is 'required or
authorised by law'.
The public interest in the protection of personal privacy is carefully
safeguarded in respect of PIDs, TPIDs and IUAs in various ways.
Among these is the bill's specification of grounds on which PIDs and TPIDs may
be revoked by the PDP commissioner. PIDs and TPIDs are also subject to being
disallowed by Parliament.
For IUAs, the bill specifies in detail the procedure to apply to the PDP
commissioner, parties and content, together with notification where adverse
actions may be taken in consequence of the IUA, and provides for review of
IUAs' operation. The PDP commissioner may issue compliance notices in respect
of an IUA, and the relevant minister or ministers must revoke the IUA on
specified grounds.
The most significant safeguard of the public interest is that both these
mechanisms require a public interest test to be met -- that the public
interest in the applicant doing the acts or engaging in the practices
specified in the application substantially outweighs the public interest in
adhering to IPPs 1, 2, 3, 5, 7, 8, 9 or 10.
For example, if an IUA provides for an organisation to transfer personal
information out of Victoria, the organisation must either comply with IPP 9
(transborder data flows) or seek dispensation from IPP 9 pursuant to the IUA.
Dispensation requires the PDP commissioner to certify that any such
dispensation is justified on the public interest test, and the relevant
minister or ministers to approve the dispensation after considering the PDP
commissioner's report.
The third new mechanism is certification by the PDP commissioner that a
particular act or practice is consistent with the provisions of the IP act,
this bill or the IPPs. This mechanism is intended to provide certainty to
organisations where there may be doubt as to the legality of a proposed
action, and to afford statutory protection to persons who act in good faith in
reliance on the PDP commissioner's certification while it remains in force.
An individual or organisation whose interests are affected by the decision to
issue the certificate may apply to the Victorian Civil and Administrative
Tribunal (VCAT) for review of the decision.
Page 2109
The availability of these mechanisms is expected to significantly assist in
the delivery of public services in the public interest, in particular in areas
such as the implementation of child protection programs where multiple
agencies hold information, the performance of various land management
functions, and the control of organised crime.
Protective data security
Aggregating the responsibility for oversight of the Victorian privacy and law
enforcement data security regimes, as well as for the implementation of a new
Victorian protective data security regime, is expected to reap the benefits of
consistency and coordination in this fast-moving sphere.
Part 4, Protective Data Security, is applicable to the entities set out in
division 1.
While the intention is that the whole of government will be covered by this
regime, there are exceptions. Notable among these are the health services
within the meaning of the Health Services Act 1988 that are specified in
division 1 and which are governed by separate legislation.
The key protective data security provisions in the bill concern development by
the PDP commissioner of the Victorian protective data security framework, and
protective data security standards. These standards may be either general or
customised, and must be approved by the Attorney-General and the minister
responsible for whole-of-government ICT.
Within two (2) years of the issue of the standards applying to an agency or
body to which part 4 applies, it must ensure that:
- a security risk profile assessment is undertaken for the agency or body; and
- a protective data security plan is developed that addresses the standards
  applicable to that agency or body.
These plans will not be subject to the Freedom of Information Act 1982.
There is provision for review of a plan if an agency or body's circumstances
change, or otherwise every two years.
Because it is recognised that not all agencies or bodies subject to part 4
will have equal capacity or resources to meet their obligations under this
part, the bill's regulations provision will enable differential application as
required.
Law enforcement data security
The law enforcement data security provisions in part 4 apply to both Victoria
Police and the new chief statistician. They are largely based on the
provisions of the CLEDS act, and the bill provides for continuity between the
two regimes, including the 'Standards for Victoria Police law enforcement data
security' issued in 2007. It should be noted that if a law enforcement data
security standard is inconsistent with a protective data security standard,
the law enforcement security standard prevails to the extent of the
inconsistency.
The reforms embodied in this bill create a more streamlined system that will
have broader and more comprehensive oversight of the privacy and information
security regime for the Victorian public sector. The bill also introduces
flexibility in relation to handling of personal information held by the public
sector where appropriate in the public interest.
At the same time, the Victorian government is responding to trends worldwide
towards more open access to information, which the government has endorsed
through its DataVic Access Policy.
PDP commissioner's functions
In light of the scope of the bill, the PDP commissioner will be responsible
for a broad range of functions. In respect of privacy these include:
- promoting an understanding of and acceptance of the IPPs and of the objects
  of those principles;
- examining the practices of organisations with respect to personal
  information they maintain;
- receiving complaints about the acts or practices of organisations that do or
  may contravene IPPs or adversely affect individuals' privacy;
- conducting or commissioning audits of organisations in respect of their
  handling of personal information;
- issuing compliance notices to organisations; and
- issuing guidelines and other materials in relation to the IPPs.
In respect of protective data security and law enforcement data security, the
PDP commissioner's functions include:
- issuing protective data security standards and law enforcement data security
  standards;
- developing the Victorian protective data security framework and promoting
  the uptake of protective data security standards by the public sector;
- conducting monitoring and assurance activities, including audits, to
  ascertain compliance with data security standards, and referring findings;
- undertaking reviews of matters relating to data security and crime
  statistics data security; and
- making reports and recommendations.
I commend the bill to the house.
Debate adjourned on motion of Mr NOONAN (Williamstown).
Debate adjourned until Thursday, 26 June.