The Victorian Commissioner for Privacy and Data Protection (“PDP Commissioner”) reports to the Victorian Parliament through the Attorney-General. The PDP Commissioner’s functions include:
•to promote an understanding and acceptance of the Information Privacy Principles (IPPs);
•to educate people about information privacy;
•to receive complaints and facilitate conciliation in accordance with the Privacy and Data Protection Act 2014 (Vic) (“PDP Act”) relating to alleged breaches of the IPPs by Victorian public sector organisations;
•to audit records of personal information to ensure they are kept in accordance with the IPPs or an approved Code of Practice;
•to conduct investigations and issue compliance notices if it appears a public sector organisation has committed a serious or flagrant breach of the IPPS, a Code of Practice, or an approved information usage arrangement; or if a breach has occurred five or more times in the last two years;
•to produce guidelines on developing Codes of Practice under the PDP Act and to assess codes submitted for approval;
•to advise government on legislation and policies affecting privacy;
•to monitor developments in data processing and computer technology.
The PDP Commissioner has the power to make a public interest determination (PID) or a temporary public interest determination (TPID) that permits an organisation to contravene a specified IPP (except IPP 4 or 6) or an approved Code of Practice if the public interest in doing so substantially outweighs the public interest in complying with the IPP or Code of Practice (pt 3 div 5 PDP Act). A PID and TPID can be disallowed by parliament.
If an organisation wishes to handle personal information in a way that does not comply with one of the IPPs (other than IPP 4 or 6), or with an approved Code of Practice – and the manner of handling the information is not expressly permitted under the PDP Act (or another Act) – the organisation can form an information usage agreement with the relevant parties. This agreement must be approved by the PDP Commissioner.
The parties to an information usage arrangement can be a Commonwealth agency, a state or territory, and/or a private sector organisation (whether or not located in Victoria).
The PDP Commissioner must issue a report about each information usage arrangement. If the commissioner decides that there is a substantial public interest in permitting an arrangement, the commissioner also issues a certificate. The report and certificate must be sent (for approval) to the government minister who is responsible for each organisation that is a party to the arrangement.
Information usage agreements can be revoked (see pt 3 div 6 PDP Act). Also, organisations that are party to the arrangements must report to the PDP Commissioner at least annually (see pt 3 div 6).
The PDP Commissioner can certify that an act or practice is consistent with the IPPs – or with an approved Code of Practice or information handling provision – and that a person who acts in good faith in accordance with that certificate does not contravene the PDP Act. An individual or organisation whose interests are affected by the certificate can apply to VCAT for a review (pt 3 div 7 PDP Act). For detailed information about public interest determinations, information usage arrangements and certifications, see Guidelines to Public Interest Determinations, Temporary Public Interest Determinations, Information Usage Arrangements and Certification at www.cpdp.vic.gov.au>privacy>guidelines>privacy>guidelines.
The PDP Commissioner also has a number of functions under the PDP Act in relation to protective data security and law enforcement data security. While data security obligations are incorporated into IPP 4, these are additional obligations that the PDP Act require of the Victorian public sector and law enforcement agencies. The type of information that is the subject of these functions includes, but is not limited to, personal information. For more information about these functions, see www.cpdp.vic.gov.au.
The Victorian Government has announced that the PDP Commissioner and the Office of the Freedom of Information Commissioner will be amalgamated into a new body: the Office of the Victorian Information Commissioner. This commissioner will have two deputies: the Public Access Deputy Commissioner and the Privacy and Data Protection Deputy Commissioner. At the time of writing (30 June 2016), the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Bill 2016 (Vic), which implements these changes, has been introduced into parliament and the second reading moved on 23 June 2016.