Privacy Law and Policy Reporter
The following Outline is the full text of Appendix B ‘Outline of The Data Protection Bill’ from the Discussion Paper: Information Privacy in Victoria, Multimedia Victoria, July 1998 at p 35 — General Editor.
The Bill is currently being drafted, and its final form will be influenced by the response to this paper, but the following outline is presented as a means of providing the fullest possible explanation of how the data protection regime will operate.
The purpose is to establish a regime for the protection of personal information in the public and private sectors in Victoria.
The Act will come into effect when it receives Royal Assent but only the principles concerning data security, and access to and correction of records of personal information, will be fully enforceable from the outset.
The remaining principles will be fully enforceable twelve months after the Act comes into effect.
Voluntary codes will replace the legislative scheme for subscribers as soon as they are approved, and approval can occur any time after the Act comes into effect.
These will be taken largely from the National Principles for the Fair Handling of Personal Information but will need to be modified as appropriate for a legal instrument and supplemented by definitions arising from the operation of the data protection regime.
The Act will bind the Crown in right of Victoria and, so far as the legislative power of the Parliament permits the Crown in all its other capacities.
The Governor in Council will be able to make an arrangement with the Common-wealth Governor General to facilitate the appointment of the federal Privacy Commiss-ioner as Victorian Privacy Commissioner.
The Bill will set minimum standards that can be supplemented by additional measures or varied by approved codes.
This part of the Bill will contain a version of the National Principles for the Fair Handling of Personal Information. The language will need to be modified as appropriate for a legal instrument. In addition, changes to the principles as published in February 1998 (shown at Appendix A) are likely to be modified by the federal Privacy Commissioner as a result of current negotiations about their impact on law enforcement.
The principles will cover:
Voluntary codes will enable alternative means of compliance with the data protection regime, and may apply to information, organisations, activities or industries. Codes that have been approved will replace the legislative scheme for subscribers for as long as they continue to comply with their code.
To be approved, a code will be given to the Privacy Commissioner for certification that:
In determining this, the Privacy Commissioner will need to consult business, consumers and other stakeholders. If there is a separate Victorian Privacy Commissioner, the federal Privacy Commissioner will need to be consulted as well.
The Privacy Commissioner will then recommend to the Governor in Council that the code be approved as part of the Victorian data protection regime. The approval will be notified in the Government Gazette. The date of effect of approval will be the date of gazettal.
Approval of a code will create a legal requirement for compliance, and failure to comply will be deemed to be a breach of an information privacy principle.
Submission to the Commissioner of a voluntary code will not be mandatory.
This part will outline the default legislative scheme.
An individual may complain to the Privacy Commissioner about conduct by an organisation that may have interfered with his/her privacy if the organisation does not subscribe to a voluntary code and it has been unable to resolve the complaint. An interference of privacy occurs when an organisation has not complied with an information privacy principle.
The complaint must be in writing and specify the respondent who allegedly engaged in the interference. Staff of the Privacy Commissioner will have a duty to provide assistance, as appropriate, to people who wish to make a complaint.
Complaints concerning an organisation that subscribes to an approved voluntary code, must be handled by mechanisms established under that code.
The Privacy Commissioner will have a duty to investigate complaints about the interference of an individual’s privacy, except where the Commissioner believes that:
The Privacy Commissioner will have the discretion to cease investigating a complaint, or defer the investigation, if the respondent has dealt with the complaint, is dealing adequately with it, or has not had an adequate opportunity to do so.
The resolution of complaints should take place in private, but otherwise the Privacy Commissioner will determine the process. It will not be necessary for either the complainant or the respondent to appear before the Privacy Commissioner, but they will be given the opportunity if the process reaches a stage where a determination has to be issued.
The Privacy Commissioner will have powers to obtain information, call and examine witnesses under oath and call compulsory conferences of all parties.
This Division will provide for a fine to be imposed for refusing to give information, wilfully obstructing, hindering or resisting the Privacy Commissioner in the performance of his or her statutory functions, or providing false information.
The Privacy Commissioner will be able to call private compulsory conferences and failure to attend will attract a penalty.
There will be limits placed on the Privacy Commissioner’s ability to obtain personal information and documents. These will protect third parties who are not connected with a complaint. Certain documents will be exempt from disclosure if the Attorney-General certifies that disclosure would be contrary to the public interest. The grounds will primarily concern the confidentiality of Cabinet and inter-government deliberations and criminal investigations.
If it is not conciliated, the Privacy Commissioner will be able to issue a determination either dismissing a complaint or finding it substantiated.
If the complaint is substantiated, the Privacy Commissioner will be able to issue a declaration that the act or practice be discontinued; loss or damage should be redressed; a specific amount of compensation be paid; or no further action need be taken. If the complaint concerned access to a record, there could be an order that it be corrected or otherwise altered. The Privacy Commissioner may also make a declaration that the complainant is entitled to be reimbursed for expenses reasonably incurred in making and pursuing the complaint.The determination will not be binding.
If the Privacy Commissioner refuses to make a determination, he or she may refer the complaint to the Victorian Civil and Administrative Tribunal. The people affected by a determination, or the failure to make one, will be able to apply to the Victorian Civil and Administrative Tribunal for it to be reviewed. This might require the prior approval of the Commissioner.
The Privacy Commissioner may be appointed pursuant to the Privacy Act 1988 (Cth), in arrangement with the Commonwealth Governor-General. The Bill will also provide for a Victorian Privacy Commissioner to be appointed if needed. The person would be appointed by the Governor in Council for a period of up to seven years.
This Part will contain terms and conditions of appointment, suspension, staff, reports and a detailed list of functions. The functions will probably include:
The Privacy Commissioner will be required to:
This Part will include secrecy provisions for information handled within the Privacy Commissioner’s Office, penalties for obstructing the Privacy Commissioner, and a regulation-making power.
This Part will amend the Public Sector Management and Employment Act 1998, the Freedom of Information Act 1982 and the Ombudsman Act 1973.