Ce diaporama a bien été signalé.
Le téléchargement de votre SlideShare est en cours. ×

Privacy and Data Protection Act 2014 (VIC)

Chargement dans…3

Consultez-les par la suite

1 sur 27 Publicité

Privacy and Data Protection Act 2014 (VIC)

Télécharger pour lire hors ligne

An In House Counsel and Privacy Practitioners update on the changed regulatory landscape.

The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014.

The new legislation replaces the Information Privacy Act 2000, and the Commissioner for Law Enforcement Data Security Act 2005, with a unified scheme governing the handling of personal information and data by Victorian Public sector agencies.

An In House Counsel and Privacy Practitioners update on the changed regulatory landscape.

The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014.

The new legislation replaces the Information Privacy Act 2000, and the Commissioner for Law Enforcement Data Security Act 2005, with a unified scheme governing the handling of personal information and data by Victorian Public sector agencies.


Plus De Contenu Connexe

Diaporamas pour vous (20)

Les utilisateurs ont également aimé (20)


Similaire à Privacy and Data Protection Act 2014 (VIC) (20)

Plus par Russell_Kennedy (20)


Plus récents (20)

Privacy and Data Protection Act 2014 (VIC)

  1. 1. Privacy and Data Protection Act 2014 (Vic) 7 October 2014 David Littlejohn, Special Counsel Richard Laufer, Lawyer
  2. 2. What is “Privacy Law”? “...privacy is a middle class invention by people with nothing else to worry about. Normally they would have every right to live in their moral fog, but not when their confusion permeates the feeble minds of law-makers and puts the innocent at risk. The right to privacy is the adult equivalent of Santa Claus and unicorns. No one has yet been able to identify where the right to privacy comes from and why we need it.” Mirko Bagaric (2007), “Privacy Is The Last Thing We Need”, The Age 22 April 2007 Is an author and lawyer who writes on law and moral and political philosophy 2
  3. 3. Privacy protection - Commonwealth > Privacy Act 1988 (Cth) > Regulates the handling of personal information about individuals – includes the collection, use, storage and disclosure of personal information, and access to and correction of that information > Applies to some private sector organisations, and most Australian Government agencies > Recent amendments commenced March 2014 > Other Commonwealth legislation > Telecommunications Act 1997 > Aged Care Act 1997 > Personal Property and Securities Act 2009 > No express reference in Constitution 3
  4. 4. Privacy protection - Victoria > Privacy and Data Protection Act 2014 (Vic) > Health Records Act 2001 (Vic) > Surveillance Devices Act 1999 (Vic) > Freedom of Information Act 1982 (Vic) > Public Records Act 1973 (Vic) > Charter of Human Rights and Responsibilities Act 2006 (Vic) 4
  5. 5. Privacy and Data Protection Act 2014 > Received assent on 2 September 2014 and commenced 17 September 2014 (save for Division 2 of Part 9) > provides for responsible collection and handling of personal information in the Victorian public sector > provides remedies for interferences with the information privacy of an individual > establishes a protective data security regime for the Victorian public sector and a regime for monitoring and assuring public sector data security > Establishes new position – Commissioner for Privacy and Data Protection (David Watts) > Repeals the Information Privacy Act 2000 and the Commissioner for Law Enforcement Security Act 2005 5
  6. 6. What does it do? > Same application as s 9 of the Information Privacy Act > IPP’s re-enacted > Codes of practice > Complaints > New mechanisms > PID/TPID > IUA > Certificates 6
  7. 7. Modifying privacy obligations > Intended to strengthen the protection of personal information and other data held by the Victorian public sector. > Establishes three mechanisms by which acts or practices which would otherwise breach privacy requirements may be engaged in, provided it is in the public interest. 1) Public Interest Determinations (PID) and Temporary Public Interest Determinations (TPID) 2) Information Usage Arrangements (IUAs) 3) Certification 7
  8. 8. Who the Act applies to > Public sector: > Government > Council > Body established for a public purpose > Individuals holding certain positions > Court or Tribunal > Victoria Police > Contracted service provider > Any other body declared 8
  9. 9. Exempt from the Act > Courts and Tribunals – when exercising judicial and quasi-judicial functions > Parliamentary Committees > Specified types of information that is publicly available information 9
  10. 10. Public Interest Determinations > Similar to mechanisms in Privacy Act 1988 (Cth). > Determinations made where the public interest is outweighed by justification for compliance with privacy obligations. > Public interest determinations may be made on a temporary (up to 12 months) or ongoing basis. > Provide certainty regarding handling of personal information in areas which involve some legal risk eg inter-agency data sharing and matching. > Primary difference in applying for a temporary determination is urgency. 10
  11. 11. Information Usage Arrangements > Provides that an act or practice that is covered by the arrangement is required or authorised for the purposes of an information handling provision in another Act. > An organisation may apply to the Commissioner for approval of an IUA on its own behalf or in conjunction with one or more other organisations (including private sector bodies). > The Commissioner must consider whether the public interest in the applicant engaging in the specified acts or practices substantially outweighs the public interest in adhering to the applicable IPPs. 11
  12. 12. Certification > The Commissioner can certify that specified acts or practices are consistent with applicable privacy requirements. > The effect of certification is that a person who engages in the act or practice in good faith does not contravene the specified requirement. 12
  13. 13. Commissioner > Establishes the Commissioner for Privacy and Data Protection – amalgamated position > The Commissioner and this office will be responsible for overseeing privacy and data protection in Victoria. > Under the Act, the public sector will be able to ask the Commissioner for a determination about whether a particular use of personal information is consistent with their privacy obligations, as well as seek approval to depart from certain information privacy principles if it is in the public interest to do so. 13
  14. 14. Commissioner - Roles and functions > Broad > Functions split into separate categories > Information Privacy > Protective Data Security and Law Enforcement Data Security > Wide ranging powers 14
  15. 15. Enforcement > Issue compliance notices > Offence not to comply > Power to compel > Protection against self-incrimination > Application for review - VCAT 15
  16. 16. Information Privacy Complaints > Who can make them? > Threshold requirements for complaints > Process for dealing with complaints > Conciliation > Commissioner / Minister may refer to VCAT > Interim orders / Injunction > Costs? 16
  17. 17. Information Privacy Complaints cont… > What can VCAT decide? > Wide ranging options > Restraining certain acts > Enforce certain acts > Award damages > Costs > Correction of public register 17
  18. 18. Protective Data Security > Application > Most public sector agencies, but does not apply to some key bodies > Such bodies not obliged to comply with Data Security obligations, obligations in IPP 4 still apply! 18
  19. 19. Protective Data Security > Covers public sector data and public sector data systems > Commissioner’s functions > Victorian Protective Data Security Framework (VPSPF) 19
  20. 20. Protective Data Security > Gives the Commissioner power to issue standards for the security, confidentiality and integrity of, public sector data > Public sector agencies will be required to comply with applicable data security standards in respect of their data systems and all public sector data they collect and hold. > Current provisions relating to law enforcement data security are substantially continued under the new Act. 20
  21. 21. Law Enforcement Data > Applies to Victoria Police > Chief Statistician – new position > Employee or consultant employed or engaged under section 6 of the Crime Statistics Act 2014 21
  22. 22. Implications – public sector > Victorian public sector organisations continue to be bound by IPPs in respect of personal information. In addition, some will need to: > ensure data systems and practices comply with new data security standards; > assess data security risks and develop protective data security plans; and > consider differences between IPPs and APPs in dealings with Commonwealth agencies and private sector organisations. > Ensure compliance > Privacy assessments ~ audit > Mitigate risk 22
  23. 23. Implications – private sector > Private sector organisations dealing with Victorian government agencies may need to: > consider seeking protection of an IUA where accessing or handling personal information held by a government agency > consider whether their obligations under the APPs are consistent with privacy obligations they might assume as a contracted service provider to a Victorian government agency 23
  24. 24. > Privacy Assessment > What information is collected? > How is it collected, used, stored, destroyed? > How is it disclosed? > What privacy policies are currently in place? > What complaint procedures are currently in place? > Outcome – recommendations as to changes to comply with new legislation 24 What should you have done/do now?
  25. 25. > Privacy Amendment (Privacy Alerts) Bill 2013 > A tort of invasion of privacy? > ALRC Discussion Paper – Serious Invasions of Privacy in the Digital Era > A statutory cause of action for serious invasion of privacy should be contained in a new Commonwealth Act (the new Act). 25 Future Reform?
  26. 26. Questions? 26 David Littlejohn Special Counsel T: 03 8640 2300 E: dlittlejohn@rk.com.au Richard Laufer Lawyer T: 03 8602 7216 E: rlaufer@rk.com.au
  27. 27. Disclaimer The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly. 27

Notes de l'éditeur

  • Many (including me) would disagree with this statement, Bagaric is known to make provocative statements and is a co-author of an Australian Privacy law text book.

    There is some support for greater regulation through further reform –

    The general main concern of privacy practitioners is how “personal information” is collected, managed and disclosed.
  • In both Victoria and the Commonwealth, there is no statutory definition of privacy – but laws pertaining to privacy have multiple sources -

    Recent amendments to the Cth Privacy Act in March this year
    Of note, New laws –
    Replace the National Privacy Principles and Information Privacy Principles with the Australian Privacy Principles
    Privacy Act now includes enhanced powers for the Office of the Australian Information Commission which include:
    conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
    accepting enforceable undertakings
    seeking civil penalties in the case of serious or repeated breaches of privacy
  • Similar to the Commonwealth, the Victorian privacy regime has multiple sources

    There is no established general right to privacy, however – s 13 of the Charter of Human rights and responsibilities act

    A person has the right—
    (a) not to have his or her privacy, family, home
    or correspondence unlawfully or arbitrarily
    interfered with;…

    In the explanatory memorandum to the Act, it says that the IPP’s which have been reproduced in this act, must now be interpreted in light of section 13 of the Charter –

  • Provides for the responsible collection and handling of personal information in the Victorian public sector, and for the establishment of a protective data security regime for the Victorian public sector.
    Many of the Act’s privacy provisions mirror those of the former Information Privacy Act 2000, including preserving the Information Privacy Principles (IPPs).
    However, in common with other Australian privacy legislation, the Act introduces new mechanisms that will permit public sector agencies to depart from some IPPs where there is a substantial public interest in doing so.
    The Act empowers the Commissioner to develop, implement and oversee a comprehensive protective data security framework in Victoria. This includes issuing various data security standards for the confidentiality, integrity and availability of public sector data and law enforcement data security standards for the security and integrity of law enforcement data systems and crime statistics data systems.
    The Act repeals the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005.
    It merges the previous roles of Privacy Commissioner and the Commissioner for Law Enforcement Data Security to create a single Commissioner for Privacy and Data Protection (‘the Commissioner’). Prior to this role David Watts, was the acting privacy commissioner as well as the commissioner for Law Enforcement Data Security.
  • The Attorney-general Robert clark has been reported as saying that these these laws are an important step in fixing some of the problems identified by the Victorian Auditor general in his 2009 report, the changes will address the auditor-generals finding the personal information collected and used by public agencies had been easily compromised under the previous government.

    As defined in the act, PI - means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies;

    The definition is based on Cth Privacy act in the interests of supporting a nationally consistent approach to the protection of information privacy.

    Organisations can discharge their duty to comply with an IPP in respect of personal information collected, held, used or disclosed by it through complying with an approved code of practice. This gives organizations flexibility in the way that they can manage personal information by developing such codes.

    Approved codes of practice are to set the standards for information handling that differ from the default scheme, as long as the standards are at least as stringent as those proposed by any IPP. It is important to note, codes can cover every part of the information handling process, from collection to complaint handling.

    The Act sets out new procedures, and enforcement mechanisms available to the commissioner in relation to Complaints – this includes a right to go to VCAT, and the potential of the tribunal to award damages.
  • According to the second reading speech, the reforms will “strengthen the protection of citizens’ private information that is held by the Victorian public sector.”

    Along with clear standards for ensuring the security of data, the Act, establishes clear avenues for departments and agencies to seek a determination about whether a particular use of personal information that it holds is authorised or required by law.

    The Act establishes three mechanisms by which acts or practices which would otherwise breach privacy requirements may be engaged in, provided it is in the public interest.
    public interest determinations are similar to the mechanisms in the Commonwealth Privacy Act 1988. these are determinations that the public interest of engaging in an act or practice that may contravene a specified IPP (other than IPP 4 or 6) substantially outweighs the public interest in complying with that IPP. Engaging in an act or practice that is permitted by a public interest determination will not be an interference with privacy.

    An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:
    sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
    in respect of any of those acts or practices, i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act.

    The approval of relevant Ministers is required for an IUA

    In relation to certification – the process is similar to the Cth Privacy Act - Under the Cth Act, an APP entity (or a body or association representing them) can develop a written code of practice for the handling of personal information, called an APP code. An APP code sets out how one or more of the APPs are to be applied or complied with, and the APP entities that are bound by the code.

    Under the new Act– the Commissioner may certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. The Commissioner’s certification may be reviewed by VCAT, but organisations who act in good faith on the basis of a certification will be protected while it is in force.

    Mechanisms such as certification should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action

    Collectively such mechanisms will significantly assist in the delivery of public services in the public interests –and encourage Effective sharing of information across government agencies which can often be vital to the public interest, whether to save lives in bush fires or other emergencies, or to better protect potential victims in the context of family violence, child abuse, or other criminal activities
  • Act – conveniently broken up into parts – today we will mainly focus on Information privacy and Protective data security

    In relation to information privacy
    The organizations to which the former Information Privacy Act 2000 (Vic) applied remain subject to the privacy provisions of the PDPA. They include (but are not limited to) public sector agencies, councils, Ministers, special bodies, courts and tribunals, Victoria Police, contracted service providers and other bodies established under Victorian law.

    Protective data security
    Most public sector agencies are subject to the protective data security provisions under Part 4 of the Act, as well as other declared bodies, or bodies that are declared a special body within the meaning of the public administration act – these include bodies such as the Office of the ombudsman, electoral commission and health services commissioner . Bodies to which the provisions do not apply include:
    • councils
    • universities
    • certain health service providers under the Health Services Act 1988 and Ambulance Services Act 1986 – such as public hospitals, ambulance service, and public health services.
    However, while these bodies are not obliged comply with data security obligations set out in Part 4 of the PDPA, the data security obligations contained in IPP 4 still apply., which is in relation to storage and security.

    In relation to contracted service providers – the information privacy obligations remain unchanged.

    In relation to data security – the head of a public sector body must ensure that a contracted service provider of an agency does not contravene any protective data security standard applicable to the public sector body.
  • We have mentioned who the act applies to, but some important exemptions -
    Exemptions apply to Courts & Tribunals (judicial or quasi judicial functions) Parliamentary committees and Publicly available information which includes those kept in a library, exhibition, public record.

    Still applies to personal information collected for other functions such as staff records etc…