• Specific Year
    Any

From the Discussion Paper 'Information Privacy in Victoria' July 1998 Multimedia at p35 --- "Victoria's Data Protection Bill - An outline" [1998] PrivLawPRpr 41; (1998) 5(2) Privacy Law & Policy Reporter 25

Victoria’s Data Protection Bill - An outline

The following Outline is the full text of Appendix B ‘Outline of The Data Protection Bill’ from the Discussion Paper: Information Privacy in Victoria, Multimedia Victoria, July 1998 at p 35 — General Editor.

The Bill is currently being drafted, and its final form will be influenced by the response to this paper, but the following outline is presented as a means of providing the fullest possible explanation of how the data protection regime will operate.

Part 1 — Preliminary

Purpose

The purpose is to establish a regime for the protection of personal information in the public and private sectors in Victoria.

Commencement

The Act will come into effect when it receives Royal Assent but only the principles concerning data security, and access to and correction of records of personal information, will be fully enforceable from the outset.

The remaining principles will be fully enforceable twelve months after the Act comes into effect.

Voluntary codes will replace the legislative scheme for subscribers as soon as they are approved, and approval can occur any time after the Act comes into effect.

Definitions

These will be taken largely from the National Principles for the Fair Handling of Personal Information but will need to be modified as appropriate for a legal instrument and supplemented by definitions arising from the operation of the data protection regime.

A clause binding the Crown

The Act will bind the Crown in right of Victoria and, so far as the legislative power of the Parliament permits the Crown in all its other capacities.

Arrangement with the Commonwealth

The Governor in Council will be able to make an arrangement with the Common-wealth Governor General to facilitate the appointment of the federal Privacy Commiss-ioner as Victorian Privacy Commissioner.

Minimum standards

The Bill will set minimum standards that can be supplemented by additional measures or varied by approved codes.

Part 2 — Information Privacy Principles

This part of the Bill will contain a version of the National Principles for the Fair Handling of Personal Information. The language will need to be modified as appropriate for a legal instrument. In addition, changes to the principles as published in February 1998 (shown at Appendix A) are likely to be modified by the federal Privacy Commissioner as a result of current negotiations about their impact on law enforcement.

The principles will cover:

  • Data collection
  • Use and disclosure
  • Data quality
  • Data security
  • Openness
  • Access and correction
  • Identifiers
  • Anonymity
  • Transborder data flows
  • Sensitive information

Part 3 — Voluntary Codes

Voluntary codes will enable alternative means of compliance with the data protection regime, and may apply to information, organisations, activities or industries. Codes that have been approved will replace the legislative scheme for subscribers for as long as they continue to comply with their code.

To be approved, a code will be given to the Privacy Commissioner for certification that:

  • it is effective in substantially achieving the privacy objectives of the legislation; and
  • it is not contrary to the public interest.

In determining this, the Privacy Commissioner will need to consult business, consumers and other stakeholders. If there is a separate Victorian Privacy Commissioner, the federal Privacy Commissioner will need to be consulted as well.

The Privacy Commissioner will then recommend to the Governor in Council that the code be approved as part of the Victorian data protection regime. The approval will be notified in the Government Gazette. The date of effect of approval will be the date of gazettal.

Approval of a code will create a legal requirement for compliance, and failure to comply will be deemed to be a breach of an information privacy principle.

Submission to the Commissioner of a voluntary code will not be mandatory.

Part 4 — Investigations

This part will outline the default legislative scheme.

Division 1 — Complaints

An individual may complain to the Privacy Commissioner about conduct by an organisation that may have interfered with his/her privacy if the organisation does not subscribe to a voluntary code and it has been unable to resolve the complaint. An interference of privacy occurs when an organisation has not complied with an information privacy principle.

The complaint must be in writing and specify the respondent who allegedly engaged in the interference. Staff of the Privacy Commissioner will have a duty to provide assistance, as appropriate, to people who wish to make a complaint.

Complaints concerning an organisation that subscribes to an approved voluntary code, must be handled by mechanisms established under that code.

Division 2 — Investigations

The Privacy Commissioner will have a duty to investigate complaints about the interference of an individual’s privacy, except where the Commissioner believes that:

  • the complaint does not refer to a breach of an information privacy principle;
  • the complainant knew about the event more than twelve months before lodging a complaint about it;
  • it would more appropriately be handled by a code administering authority or another complaint handling body;
  • It has already been dealt with under another statute;
  • the complaint is frivolous, vexatious, misconceived or lacking in substance.

The Privacy Commissioner will have the discretion to cease investigating a complaint, or defer the investigation, if the respondent has dealt with the complaint, is dealing adequately with it, or has not had an adequate opportunity to do so.

The resolution of complaints should take place in private, but otherwise the Privacy Commissioner will determine the process. It will not be necessary for either the complainant or the respondent to appear before the Privacy Commissioner, but they will be given the opportunity if the process reaches a stage where a determination has to be issued.

The Privacy Commissioner will have powers to obtain information, call and examine witnesses under oath and call compulsory conferences of all parties.

Division 3 — Miscellaneous

This Division will provide for a fine to be imposed for refusing to give information, wilfully obstructing, hindering or resisting the Privacy Commissioner in the performance of his or her statutory functions, or providing false information.

The Privacy Commissioner will be able to call private compulsory conferences and failure to attend will attract a penalty.

There will be limits placed on the Privacy Commissioner’s ability to obtain personal information and documents. These will protect third parties who are not connected with a complaint. Certain documents will be exempt from disclosure if the Attorney-General certifies that disclosure would be contrary to the public interest. The grounds will primarily concern the confidentiality of Cabinet and inter-government deliberations and criminal investigations.

Division 4 — Determinations following investigation of complaints

If it is not conciliated, the Privacy Commissioner will be able to issue a determination either dismissing a complaint or finding it substantiated.

If the complaint is substantiated, the Privacy Commissioner will be able to issue a declaration that the act or practice be discontinued; loss or damage should be redressed; a specific amount of compensation be paid; or no further action need be taken. If the complaint concerned access to a record, there could be an order that it be corrected or otherwise altered. The Privacy Commissioner may also make a declaration that the complainant is entitled to be reimbursed for expenses reasonably incurred in making and pursuing the complaint.The determination will not be binding.

Division 5 — Referral, review of determinations

If the Privacy Commissioner refuses to make a determination, he or she may refer the complaint to the Victorian Civil and Administrative Tribunal. The people affected by a determination, or the failure to make one, will be able to apply to the Victorian Civil and Administrative Tribunal for it to be reviewed. This might require the prior approval of the Commissioner.

Part 5 — Privacy Commissioner

The Privacy Commissioner may be appointed pursuant to the Privacy Act 1988 (Cth), in arrangement with the Commonwealth Governor-General. The Bill will also provide for a Victorian Privacy Commissioner to be appointed if needed. The person would be appointed by the Governor in Council for a period of up to seven years.

This Part will contain terms and conditions of appointment, suspension, staff, reports and a detailed list of functions. The functions will probably include:

  • to promote an understanding and acceptance of the information privacy principles and of the objects of those principles;
  • to undertake educational programs for the purpose of promoting the protection of individual privacy;
  • to provide advice to an individual or organisation on any matter relevant to their obligations under the new Act;
  • to review any voluntary privacy code of conduct with a view to recommending it be approved by Governor in Council;
  • to investigate an act or practice that could breach an information privacy principle under the legislative scheme or have an adverse impact on the privacy of an individual and, where appropriate, to conciliate and resolve such matters;
  • to commission and direct audits for the purpose of ascertaining compliance with the information privacy principles
  • to assess and comment upon proposed legislation which may impact upon the privacy of individuals and to report to the Minister the results of such assessment;
  • to undertake research into, and to monitor developments in, privacy-intrusive uses of new technology, to ensure that any adverse effects of such developments on the privacy of individuals are minimised, and to report to the Minister the results of such research and monitoring;
  • to make public statements in relation to any matter affecting the privacy of individuals or any class of individuals;
  • to receive and invite representations from members of the public on any matter affecting the privacy of individuals;
  • issue reports and recommendations at any time which concern the privacy regime and/or privacy matters, and which are in the public interest;
  • prepare an annual report;

The Privacy Commissioner will be required to:

  • balance the public interest in the free flow of information against the interest in privacy of personal information;
  • have regard to national and international developments and obligations concerning privacy;
  • make recommendations that are capable of acceptance, adaptation and extension in Victoria and nationally; and
  • ensure that his or her directions and any approved codes of practice reflect the intentions of the Act.

Part 6 — General

This Part will include secrecy provisions for information handled within the Privacy Commissioner’s Office, penalties for obstructing the Privacy Commissioner, and a regulation-making power.

Part 7 — Consequential Amendments

This Part will amend the Public Sector Management and Employment Act 1998, the Freedom of Information Act 1982 and the Ombudsman Act 1973.

Download

No downloadable files available