The VI Commissioner has the same powers and functions as the previous Victorian Commissioner for Privacy and Data Protection.
The Victorian Privacy and Data Protection Deputy Commissioner (‘PDP Deputy Commissioner’) shares many of the functions of the VI Commissioner.
The VI Commissioner can delegate certain powers and functions to the PDP Deputy Commissioner, and authorise him or her to exercise functions reserved for the VI Commissioner, on a case-by-case basis.
The VI Commissioner reports to the Accountability and Oversight Committee and is not subject to the direction and control of the relevant minister when carrying out his or her regulatory duties under the PDP Act.
The VI Commissioner’s functions include:
- to promote an understanding and acceptance of the IPPs;
- to educate people about information privacy;
- to make public statements about any matter affecting personal privacy;
- to make reports and recommendations about information privacy;
- to receive complaints and facilitate conciliation of those complaints in accordance with the PDP Act relating to alleged breaches of the IPPs by Victorian public sector organisations;
- to audit records of personal information to ensure they are kept in accordance with the IPPs or an approved Code of Practice;
- to conduct investigations and issue compliance notices if it appears a public sector organisation has committed a serious or flagrant breach of the IPPs, a Code of Practice, or an approved information usage arrangement; or if a breach has occurred five or more times in the last two years;
- to produce guidelines on developing Codes of Practice under the PDP Act and to assess codes submitted for approval;
- to advise government on legislation and policies affecting privacy;
- to monitor developments in data processing and computer technology.
The VI Commissioner has the power to make a public interest determination (PID) or a temporary public interest determination (TPID) that permits an organisation to contravene a specified IPP (except IPP 4 or 6) or an approved Code of Practice if the public interest in doing so substantially outweighs the public interest in complying with the IPP or Code of Practice (pt 3 div 5 PDP Act). A PID and TPID can be disallowed by parliament.
If an organisation wishes to handle personal information in a way that does not comply with one of the IPPs (other than IPP 4 or 6), or with an approved Code of Practice – and the manner of handling the information is not expressly permitted under the PDP Act (or another Act) – the organisation can form an information usage agreement with the relevant parties. This agreement must be approved by the VI Commissioner.
The parties to an information usage arrangement can be a Commonwealth agency, a state or territory, and/or a private sector organisation (whether or not located in Victoria).
The VI Commissioner must issue a report about each information usage arrangement. If the commissioner decides that there is a substantial public interest in permitting an arrangement, the commissioner also issues a certificate. The report and certificate must be sent (for approval) to the government minister who is responsible for each organisation that is a party to the arrangement.
Information usage agreements can be revoked (see pt 3 div 6 PDP Act). Also, organisations that are party to the arrangements must report to the VI Commissioner at least annually (see pt 3 div 6).
The VI Commissioner can certify that an act or practice is consistent with the IPPs – or with an approved Code of Practice or information handling provision – and that a person who acts in good faith in accordance with that certificate does not contravene the PDP Act. An individual or organisation whose interests are affected by the certificate can apply to VCAT for a review (pt 3 div 7). For detailed information about public interest determinations, information usage arrangements and certifications, see Guidelines to Public Interest Determinations, Temporary Public Interest Determinations, Information Usage Arrangements and Certification at https://ovic.vic.gov.au.
The VI Commissioner also has a number of functions under the PDP Act in relation to protective data security and law enforcement data security under Part 4 of the PDP Act. While data security obligations are incorporated into IPP 4, these are additional obligations that the PDP Act requires of the Victorian public sector and law enforcement agencies. Part 4 does not apply to local councils, universities, public hospitals and public health services. The type of information that is the subject of these functions includes, but is not limited to, personal information.
On 28 October 2019, the VI Commissioner revoked the Victorian Protective Data Security Standards (VPDSS) that had been issued in July 2016 and introduced the VPDSS (Version 2.0). In February 2020, the VI Commissioner published the Victorian Protective Data Security Framework (Version 2.0), which provides direction to the Victorian public sector on their data security obligations. For more information about these functions, the standards and the framework, see https://ovic.vic.gov.au.