Victoria rejigs privacy law

An important step forward on legislating for protective security standards but national harmonisation of privacy principles is drifting even further over the horizon.

Victorian Attorney General Robert Clark introduced the long awaited Privacy and Data Protection Bill in Parliament last week.

The Bill merges the existing roles of Privacy Commissioner and the Commissioner for Law Enforcement Data Security to create a single Commissioner for Privacy and Data Protection with responsibility for the oversight of the privacy and data protection regime in Victoria. The Privacy and Data Protection Bill 2014 also addresses a number of the data security issues identified by the Victorian Auditor-General in his 2009 Report on Maintaining the Integrity and Confidentiality of Personal Information, including measures to ensure that government handles personal information securely and consistently.
The Bill provides for the development of a new protective data security framework for the Victorian Government. The Commissioner for Privacy and Data Protection will be responsible for issuing protective security standards as part of the framework.
The Commissioner will also develop guidelines to assist Government agencies to develop plans and help ensure changes to current processes are implemented smoothly.
The framework will include protective data security standards, protective data security plans prepared by public sector bodies to implement the standards, and specific law enforcement data security standards.
The Bill provides for departments and agencies to seek a determination about whether a particular use of personal information that it holds is authorised or required by law.
The Bill will also allow public sector organisations to seek approval for arrangements allowing them to handle or share personal information in ways that vary the application of certain information privacy principles, if that use of the information is clearly in the public interest.
“These reforms enhance privacy protections for individuals while giving public sector agencies greater clarity about the appropriate use of personal information,” Mr Clark said.

The Bill also re-enacts key provisions of the Information Privacy Act, including the Information Privacy Principles. Those principles are based on what were the IPPs in the Commonwealth Privacy Act, substantially changed along with other provisions such as the definition of personal information with effect from 12 March 2014.

Six years ago the Australian Law Reform Commission recommended that the principles it put forward for new Federal legislation "also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information." 

In 2009 then minister Ludwig in announcing the Phase 1 Federal government response to the ALRC report undertook to

"work with the states and territories to harmonise privacy law across the nation. The first stage response will create a platform from which the Government can pursue national harmonisation through discussion with the states and territories. Ultimately, the aim will be a consistent set of privacy standards for the Commonwealth, state and territory public sectors, as well as the private sector. The Federal Government will be looking to the states and territories to repeal privacy laws including health privacy laws that apply to the private sector. Additional national consistency issues will be considered in the second stage response."

Harmonise? National consistency? Not in 2014 or anytime soon if Victoria is any indication.

Bruce Arnold has done the spadework on the provisions of the bill.