The Victorian Information Commissioner (‘VI Commissioner’) has the same powers and functions as the previous Victorian Commissioner for Privacy and Data Protection.
The Victorian Privacy and Data Protection Deputy Commissioner (‘PDP Deputy Commissioner’) shares many of the functions of the VI Commissioner.
The VI Commissioner can delegate certain powers and functions to the PDP Deputy Commissioner, and authorise him or her to exercise functions reserved for the VI Commissioner, on a case-by-case basis.
The VI Commissioner reports to the Accountability and Oversight Committee and is not subject to the direction and control of the relevant minister when carrying out his or her regulatory duties under the PDP Act.
The VI Commissioner’s functions include:
- to promote an understanding and acceptance of the IPPs;
- to educate people about information privacy;
- to make public statements about any matter affecting personal privacy;
- to make reports and recommendations about information privacy;
- to receive complaints and facilitate conciliation of those complaints in accordance with the PDP Act relating to alleged breaches of the IPPs by Victorian public sector organisations;
- to audit records of personal information to ensure they are kept in accordance with the IPPs or an approved Code of Practice;
- to conduct investigations and issue compliance notices if it appears a public sector organisation has committed a serious or flagrant breach of the IPPs, a Code of Practice, or an approved information usage arrangement; or if a breach has occurred five or more times in the last two years;
- to produce guidelines on developing Codes of Practice under the PDP Act and to assess codes submitted for approval;
- to advise government on legislation and policies affecting privacy;
- to monitor developments in data processing and computer technology.
The VI Commissioner has the power to make a public interest determination (PID) or a temporary public interest determination (TPID) that permits an organisation to contravene a specified IPP (except IPP 4 or 6) or an approved Code of Practice if the public interest in doing so substantially outweighs the public interest in complying with the IPP or Code of Practice (pt 3 div 5 PDP Act). A PID and TPID can be disallowed by parliament.
If an organisation wishes to handle personal information in a way that does not comply with one of the IPPs (other than IPP 4 or 6), or with an approved Code of Practice – and the manner of handling the information is not expressly permitted under the PDP Act (or another Act) – the organisation can form an information usage agreement with the relevant parties. This agreement must be approved by the VI Commissioner.
The parties to an information usage arrangement can be a Commonwealth agency, a state or territory, and/or a private sector organisation (whether or not located in Victoria).
The VI Commissioner must issue a report about each information usage arrangement. If the commissioner decides that there is a substantial public interest in permitting an arrangement, the commissioner also issues a certificate. The report and certificate must be sent (for approval) to the government minister who is responsible for each organisation that is a party to the arrangement.
Information usage agreements can be revoked (see pt 3 div 6 PDP Act). Also, organisations that are party to the arrangements must report to the VI Commissioner at least annually (see pt 3 div 6).
The VI Commissioner can certify that an act or practice is consistent with the IPPs – or with an approved Code of Practice or information handling provision – and that a person who acts in good faith in accordance with that certificate does not contravene the PDP Act. An individual or organisation whose interests are affected by the certificate can apply to VCAT for a review (pt 3 div 7).
The VI Commissioner also has several functions under the PDP Act in relation to protective data security and law enforcement data security under Part 4 of the PDP Act. While data security obligations are incorporated into IPP 4, these are additional obligations that the PDP Act requires of the Victorian public sector and law enforcement agencies. Part 4 does not apply to local councils, universities, public hospitals and public health services. The type of information that is the subject of these functions includes, but is not limited to, personal information.
On 28 October 2019, the VI Commissioner revoked the Victorian Protective Data Security Standards (VPDSS) that had been issued in July 2016 and introduced the VPDSS (Version 2.0). In February 2020, the VI Commissioner published the Victorian Protective Data Security Framework (Version 2.0), which provides direction to the Victorian public sector on their data security obligations.
For more information about these functions, the standards and the framework, see the OAIC’s website.