Office of the Victorian Privacy Commissioner Annual Report 2001/2002

  • The Hon. Rob Hulls, MP
    Attorney-General
    55 St Andrews Place
    Melbourne Victoria 3002

    Dear Attorney-General,

    I am pleased to present to you a report in accordance with Part Seven of the Financial Management Act 1994 and s. 62 of the Information Privacy Act 2000, for presentation to Parliament. This is the first Annual Report of the Office of the Victorian Privacy Commissioner. It covers the period 1 September 2001, from when the legislation took effect, to 30 June 2002.

    The majority of activity undertaken by the office during this period has been preparation for the period after 1 September 2002, when the legislation becomes enforceable.

    Yours sincerely,

    Paul Chadwick
    Privacy Commissioner
    October 2002

  • Contents

    Commissioner's Overview

    Report on the Operations of the Office

    Our Aims

    Our Functions

    Origins of the Act

    Organisations covered by the Information Privacy Act 2000

    Highlights 2001/2002

    Management Group

    Organisation Chart

    Administration

    Privacy Awareness

    Privacy Protection

    Technology

    The Year Ahead

    Privacy Victoria Founders

    Financials

    Appendices

    A Compliance Index

    B Major Outputs

    C Other Available Information

    D Information required under the Directions of the Commissioner for Public Employment

    E Legal Opinion on Powers, Independence and Accountability of the Office of the Victorian Privacy Commissioner

    F Privacy Victoria Guiding Values

    G A Brief History of Information Privacy

    H Speeches and Presentations

    I Victoria's Privacy Protection Landscape

    J The Functions of the Privacy Commissioner

    K Publications

    IPPs Summary

    Ordered to be printed
    Victorian Government Printer 2002
    No. 188 Session 1999–2002

  • Commissioner's Overview

    Like walking alone to the middle of a big paddock with a spade and starting to dig. That is how it feels to establish a new statutory office.

    Paul Chadwick, Privacy Commissioner

    My task over the five-year appointment as Victoria's first Privacy Commissioner is to lay the foundations. Others will build on them an organisation that, in time, should become a trusted contributor to Victorian public administration, like the offices of the Auditor-General (150 years) and Ombudsman (almost 30 years).

    The Office of the Victorian Privacy Commissioner, Privacy Victoria for short, has to be independent yet accountable. It must be sensitive to privacy instincts that everybody feels but few articulate. It has to be practical about workable compromise in an era of rapid change in information technologies. It must act according to law, leaving fundamental adjustment to the balance between privacy and disclosure under law to the appropriate accountable decision-makers in Parliament.

    Information, much of it personal information, is the fuel for public administration. It is used to plan and run the many services the community expects from state and local government. A law that applies new legal standards to the collection and handling of personal information will spread into every corner of public administration.

    The stated motivation for the Information Privacy Act 2000 (IPA) was similar to the impetus for similar laws in other jurisdictions. In the Second Reading Speech for the legislation, the Minister said:

    The protection afforded to privacy is a key aspect of the democratic balance between governments, business and individuals. Communities which compromise on privacy compromise on freedom. This creates an environment of mistrust and caution in which citizens are unwilling to volunteer information and the free flow of information is hindered.

    In addition, governments should not, on the one hand, champion the benefits of electronic commerce and develop an increasing range of online public services, and, on the other, offer no new protection in that environment. Similarly, governments should not urge consumers and businesses to embrace new technology and electronic commerce and ignore the dangers that also attend their use.

    Until a culture is established which recognises and responds to privacy concerns, Victorians will not take full advantage of the considerable benefits that new information and communication technologies have to offer. By the same token, those entities that need to collect and use information about people should be able to do so confidently and within a framework that facilitates the exchange of information in a transparent and responsible manner. [Legislative Assembly 26 May 2000.]

    The functions of the Privacy Commissioner are set out in full at Appendix J of this report. They can be summarised as:

    promote awareness of privacy;

    conciliate complaints;

    advise on practices and proposals affecting privacy; and

    investigate, audit and monitor.

    This report describes the early work of digging the foundations for Privacy Victoria. At the same time, all of state and local government was preparing for the Information Privacy Act to become enforceable on 1 September 2002.

    In raising awareness in the public sector, I have emphasised the following key messages:

    Privacy protection means balance, not absolutism. Societies have always balanced privacy with other good things like effective democracy (think electoral rolls), public order and safety (think licensing and police powers) and accountable public finances (think tax returns, welfare applications).

    Be open about the compromises. When privacy gets traded off for some other benefit, be open about it. Transparency is essential to the legitimacy of the inevitable compromises between competing rights. Without transparency, people react with suspicion, avoidance, intentionally inaccurate responses and other counter-productive measures.

    Privacy is not the same as confidentiality or secrecy. The flow of information remains an essential element of accountability. Privacy is for the natural person, not governments or corporations. The balance between openness and secrecy in relation to government information is struck primarily in freedom of information (FOI) law, not privacy law. Other legal rules, not privacy, deal with legitimate commercial confidentiality.

    The Information Privacy Act differs from FOI in three key ways:

    1 Put broadly, FOI compels openness; the IPA compels discretion.

    2 Under FOI, anyone can seek access. Under the IPA, only the subject of the personal information can seek access.

    3 FOI is fundamentally about disclosure and, less often, correction of information. The IPA is more sophisticated and deals also with collection, use, quality, security, transfer and matching of personal information.

    Adapt confidently. The new privacy laws imply some shift in control, but not a total shift in control, from the collectors and users of personal information to the sources and subjects of it. In today's world, many of us are in all four categories: collector, user, source and subject. The new privacy laws bring benefits to all, including those who must adapt to the new standards.

    Experience still counts. Protecting privacy may seem new and difficult, but it is actually old and we are all practised. We've been dealing with information privacy by other names for decades and all that experience still counts.

    Good privacy protection and good privacy decision-making depend on the particular information involved and the particular context. It is essential that the many different parts of state and local government examine the impact of the Information Privacy Principles (IPPs) on their particular work. Adapting to the Information Privacy Act is something that has to be done by state and local government, not to them or for them.

    Unless Privacy Victoria is independent of the parts of government it regulates, and is seen to be independent, it will not be able to build essential credibility and trust.

    But independence must be accompanied by accountability. Counsel's advice on the powers, independence and accountability of the Office of Privacy Commissioner is at Appendix E.

    The importance of the independence of this new statutory office was underscored by the recommendation of the Constitution Commission Victoria that the independence of certain Offices such as the Auditor-General, the Ombudsman, the Electoral Commissioner and the Privacy Commissioner should be entrenched in an amended Constitution.

    The Victorian Information Privacy Act became effective on 1 September 2001. On 11 September planes were flown into the World Trade Centre in New York and the Pentagon in Washington DC. Within a year the reverberations of those events began to be felt in the balance in Australian law between security and liberty. Privacy is part of liberty. As Victoria adjusts, four guides can be used to assess measures that would curtail privacy in security's name:

    Are the measures necessary, proportionate, and likely to be effective?

    Is due legislative process being followed without undue haste?

    Is there judicial oversight of the exercise of any new powers?

    Do sunset clauses cause any new powers to expire automatically so that they can be reconsidered in the light of changed circumstances?

    No one can establish a statutory office alone. I have been greatly assiste