Privacy and Data Protection Act 2014 (VIC)

An in-house counsel and privacy practitioners' update on the changed regulatory landscape.

The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014.

The new legislation replaces the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005 with a unified scheme governing the handling of personal information and data by Victorian public sector agencies.

Published in: Law

  1. Privacy and Data Protection Act 2014 (Vic)
     • 7 October 2014
     • David Littlejohn, Special Counsel
     • Richard Laufer, Lawyer
  2. What is “Privacy Law”?
     • “...privacy is a middle class invention by people with nothing else to worry about. Normally they would have every right to live in their moral fog, but not when their confusion permeates the feeble minds of law-makers and puts the innocent at risk. The right to privacy is the adult equivalent of Santa Claus and unicorns. No one has yet been able to identify where the right to privacy comes from and why we need it.”
     • Mirko Bagaric (2007), “Privacy Is The Last Thing We Need”, The Age 22 April 2007
     • Is an author and lawyer who writes on law and moral and political philosophy
  3. Privacy protection - Commonwealth
     • Privacy Act 1988 (Cth)
     • Regulates the handling of personal information about individuals – includes the collection, use, storage and disclosure of personal information, and access to and correction of that information
     • Applies to some private sector organisations, and most Australian Government agencies
     • Recent amendments commenced March 2014
     • Other Commonwealth legislation
     • Telecommunications Act 1997
     • Aged Care Act 1997
     • Personal Property and Securities Act 2009
     • No express reference in Constitution
  4. Privacy protection - Victoria
     • Privacy and Data Protection Act 2014 (Vic)
     • Health Records Act 2001 (Vic)
     • Surveillance Devices Act 1999 (Vic)
     • Freedom of Information Act 1982 (Vic)
     • Public Records Act 1973 (Vic)
     • Charter of Human Rights and Responsibilities Act 2006 (Vic)
  5. Privacy and Data Protection Act 2014
     • Received assent on 2 September 2014 and commenced 17 September 2014 (save for Division 2 of Part 9)
     • provides for responsible collection and handling of personal information in the Victorian public sector
     • provides remedies for interferences with the information privacy of an individual
     • establishes a protective data security regime for the Victorian public sector and a regime for monitoring and assuring public sector data security
     • Establishes new position – Commissioner for Privacy and Data Protection (David Watts)
     • Repeals the Information Privacy Act 2000 and the Commissioner for Law Enforcement Security Act 2005
  6. What does it do?
     • Same application as s 9 of the Information Privacy Act
     • IPP’s re-enacted
     • Codes of practice
     • Complaints
     • New mechanisms
     • PID/TPID
     • IUA
     • Certificates
  7. Modifying privacy obligations
     • Intended to strengthen the protection of personal information and other data held by the Victorian public sector.
     • Establishes three mechanisms by which acts or practices which would otherwise breach privacy requirements may be engaged in, provided it is in the public interest.
       1) Public Interest Determinations (PID) and Temporary Public Interest Determinations (TPID)
       2) Information Usage Arrangements (IUAs)
       3) Certification
  8. Who the Act applies to
     • Public sector:
     • Government
     • Council
     • Body established for a public purpose
     • Individuals holding certain positions
     • Court or Tribunal
     • Victoria Police
     • Contracted service provider
     • Any other body declared
  9. Exempt from the Act
     • Courts and Tribunals – when exercising judicial and quasi-judicial functions
     • Parliamentary Committees
     • Specified types of information that is publicly available information
  10. Public Interest Determinations
     • Similar to mechanisms in Privacy Act 1988 (Cth).
     • Determinations made where the public interest is outweighed by justification for compliance with privacy obligations.
     • Public interest determinations may be made on a temporary (up to 12 months) or ongoing basis.
     • Provide certainty regarding handling of personal information in areas which involve some legal risk eg inter-agency data sharing and matching.
     • Primary difference in applying for a temporary determination is urgency.
  11. Information Usage Arrangements
     • Provides that an act or practice that is covered by the arrangement is required or authorised for the purposes of an information handling provision in another Act.
     • An organisation may apply to the Commissioner for approval of an IUA on its own behalf or in conjunction with one or more other organisations (including private sector bodies).
     • The Commissioner must consider whether the public interest in the applicant engaging in the specified acts or practices substantially outweighs the public interest in adhering to the applicable IPPs.
  12. Certification
     • The Commissioner can certify that specified acts or practices are consistent with applicable privacy requirements.
     • The effect of certification is that a person who engages in the act or practice in good faith does not contravene the specified requirement.
  13. Commissioner
     • Establishes the Commissioner for Privacy and Data Protection – amalgamated position
     • The Commissioner and this office will be responsible for overseeing privacy and data protection in Victoria.
     • Under the Act, the public sector will be able to ask the Commissioner for a determination about whether a particular use of personal information is consistent with their privacy obligations, as well as seek approval to depart from certain information privacy principles if it is in the public interest to do so.
  14. Commissioner - Roles and functions
     • Broad
     • Functions split into separate categories
     • Information Privacy
     • Protective Data Security and Law Enforcement Data Security
     • Wide ranging powers
  15. Enforcement
     • Issue compliance notices
     • Offence not to comply
     • Power to compel
     • Protection against self-incrimination
     • Application for review - VCAT
  16. Information Privacy Complaints
     • Who can make them?
     • Threshold requirements for complaints
     • Process for dealing with complaints
     • Conciliation
     • Commissioner / Minister may refer to VCAT
     • Interim orders / Injunction
     • Costs?
  17. Information Privacy Complaints cont…
     • What can VCAT decide?
     • Wide ranging options
     • Restraining certain acts
     • Enforce certain acts
     • Award damages
     • Costs
     • Correction of public register
  18. Protective Data Security
     • Application
     • Most public sector agencies, but does not apply to some key bodies
     • Such bodies not obliged to comply with Data Security obligations, obligations in IPP 4 still apply!
  19. Protective Data Security
     • Covers public sector data and public sector data systems
     • Commissioner’s functions
     • Victorian Protective Data Security Framework (VPSPF)
  20. Protective Data Security
     • Gives the Commissioner power to issue standards for the security, confidentiality and integrity of, public sector data
     • Public sector agencies will be required to comply with applicable data security standards in respect of their data systems and all public sector data they collect and hold.
     • Current provisions relating to law enforcement data security are substantially continued under the new Act.
  21. Law Enforcement Data
     • Applies to Victoria Police
     • Chief Statistician – new position
     • Employee or consultant employed or engaged under section 6 of the Crime Statistics Act 2014
  22. Implications – public sector
     • Victorian public sector organisations continue to be bound by IPPs in respect of personal information. In addition, some will need to:
     • ensure data systems and practices comply with new data security standards;
     • assess data security risks and develop protective data security plans; and
     • consider differences between IPPs and APPs in dealings with Commonwealth agencies and private sector organisations.
     • Ensure compliance
     • Privacy assessments ~ audit
     • Mitigate risk
  23. Implications – private sector
     • Private sector organisations dealing with Victorian government agencies may need to:
     • consider seeking protection of an IUA where accessing or handling personal information held by a government agency
     • consider whether their obligations under the APPs are consistent with privacy obligations they might assume as a contracted service provider to a Victorian government agency
  24. What should you have done/do now?
     • Privacy Assessment
     • What information is collected?
     • How is it collected, used, stored, destroyed?
     • How is it disclosed?
     • What privacy policies are currently in place?
     • What complaint procedures are currently in place?
     • Outcome – recommendations as to changes to comply with new legislation
  25. Future Reform?
     • Privacy Amendment (Privacy Alerts) Bill 2013
     • A tort of invasion of privacy?
     • ALRC Discussion Paper – Serious Invasions of Privacy in the Digital Era
     • A statutory cause of action for serious invasion of privacy should be contained in a new Commonwealth Act (the new Act).
  26. Questions?
     • David Littlejohn, Special Counsel, T: 03 8640 2300 E:
     • Richard Laufer, Lawyer, T: 03 8602 7216 E:
  27. Disclaimer
     • The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly.