New Victorian Public Sector Data Sharing Legislation

This training brochure applies to all VIC public, University and Government subscribers.

Victorian Data Sharing Act 2017 No.60 (Vic)

The Victorian Data Sharing Act 2017 No.60 (Vic) (the new Act), which has amended the Privacy and Data Protection Act 2014 (Vic) (the Act), commenced on 6 December 2017. The new Act has introduced a new legal framework to facilitate the sharing of public sector data to improve policy-making whilst ensuring the privacy of the data.

Data requests by the Chief Data Officer

The new Act establishes the statutory role of Chief Data Officer, who is responsible for performing data integration and analytics for informing Government policy-making, service planning and design.

Section 8 of the new Act allows the Chief Data Officer to request the responsible officer of a data sharing body to provide specified data. A data sharing body is defined in section 3 of the new Act as a public service body within the meaning of the Public Administration Act 2004 (Vic), or a public entity within the meaning of the Public Administration Act 2004 (Vic), or Victoria Police; or any of the following prescribed by the regulations:

  • a body established or appointed for a public purpose by or under an Act;
  • a body established or appointed for a public purpose by the Governor in Council, or by a Minister, otherwise than under an Act;
  • a person holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person was appointed by the Governor in Council, or by a Minister, otherwise than under an Act.

In short, a responsible officer is defined as the head of the relevant body that is considered to be a data sharing body (i.e. the chief executive officer).

Organisations that are data sharing bodies under the new Act should be aware that a data sharing body is required to respond to a request from the Chief Data Officer under section 8 of the new Act within 10 business days (unless a longer period is agreed with the Chief Data Officer), either by providing the data or by providing reasons why it will not provide some or all of the requested data. Section 14 of the new Act sets out a non-exhaustive list of reasons for which a request from the Chief Data Officer can be refused. This includes where providing the data would breach legal professional privilege, a contract, an equitable obligation of confidence, a Court or Tribunal order or a law of the Commonwealth, State or a Territory.

It is important to note that section 15 of the new Act authorises the responsible officer of a data sharing body to disclose identifiable data to the Chief Data Officer in response to a request under section 8 and to a data analytics body for data integration.

Secrecy provisions and other privacy laws

Pursuant to section 20 of the new Act, disclosure of data by the responsible officer of a data sharing body to the Chief Data Officer in accordance with the new Act will not contravene an applicable secrecy provision. However, if a secrecy provision applies to the data, the responsible officer is required to inform the Chief Data Officer of that fact under section 21 of the new Act. A secrecy provision is a provision of an Act that restricts or prohibits the disclosure of information (whether that restriction or prohibition is absolute or subject to qualifications or exceptions), other than a provision prescribed in the regulations.

Compliance with policies and guidelines

It is important to note that the Chief Data Officer is empowered by section 33 of the new Act to issue policies and guidelines in relation to the administration of the new Act. Under section 33, data sharing bodies, designated bodies and data analytics bodies are required to have regard to any such policies or guidelines. The new Act defines a designated body as:

  • an exempt body; or
  • an exempt body official; or
  • a special body, other than Victoria Police; or
  • a special body Head, other than the Chief Commissioner of Victoria Police; or
  • a Board of Inquiry or a Formal Review; or
  • a member of a Board of Inquiry or a Formal Review; or
  • a Royal Commission; or
  • a commissioner of a Royal Commission.

A data analytics body is defined in the new Act as:

  • the Secretary to a Department; or
  • any of the following prescribed by the regulations for the purposes of this paragraph:
    • a body established or appointed for a public purpose by or under an Act;
    • a body established or appointed for a public purpose by the Governor in Council, or by a Minister, otherwise than under an Act;
    • a person holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person was appointed by the Governor in Council, or by a Minister, otherwise than under an Act;
    • any other data sharing body.

Collection of sensitive information under the Privacy and Data Protection Act 2014 (Vic)

Finally, it is important to note that the new Act has amended Information Privacy Principle (IPP) 10.1(b) in the Act to permit sensitive information to be collected when it is required or authorised by law. This is designed to achieve consistency with the collection practices throughout Victoria by organisations bound by the Australian Privacy Principles and/or the Health Privacy Principles.
