2009–10 annual report

The Hon. Rob Hulls, MP
Attorney-General
55 St Andrews Place 3002

Dear Attorney-General

I am pleased to present to you a report in accordance with the Financial Management Act 1994 and Section 62 of the Information Privacy Act 2000, for the year ending 30 June 2010, for presentation to Parliament.

Yours sincerely

HELEN VERSEY Privacy Commissioner August 2010

COVER IMAGES:
Top Left: Privacy Commissioner Helen Versey with Tjimba possum-Burns and Danny Ramzan from The Yung Warriors at the Watch this space conference, May 2010
Top Right: Noni Hazlehurst with members of Privacy Victoria’s Youth Advisory Group at the Watch this space conference
Bottom Left: Year 9 students from CBC St Kilda at the Watch this space conference
Bottom Right: The Privacy Victoria and Office of the Health Service Commissioner display at the 2009 Royal Melbourne show

Ordered to be printed
Victorian Government Printer 2010
PP 320, Session 2006-10

Editor David Taylor
Cover photography Heather Venn

contents

commissioner’s overview ...... 2

report on the operations of the office ...... 4

functions of the office ...... 5

Advise and Guide ...... 5

Audit and Monitor ...... 13

Handle Complaints ...... 13

Handle Enquiries ...... 21

Investigate and Enforce ...... 26

Liaise and Co-operate ...... 28

Promote Awareness ...... 32

Research and Report ...... 42

managing our office ...... 43

financial report ...... 50

Comprehensive Operating Statement ...... 50

Balance Sheet ...... 51

Statement of Changes in Equity ...... 52

Cash Flow Statement ...... 53

Notes to the Financial Statements ...... 54

Accountable Officer’s and Chief Financial and Accounting Officer’s Declaration ...... 68

Auditor-General’s Report ...... 69

appendices ...... 71

Appendix A Disclosure Index ...... 71

Appendix B Major Outputs ...... 73

Appendix C Additional Departmental Information Available on Request ...... 74

Appendix D Speeches and Presentations ...... 75

Appendix E Information Sheets ...... 76

Appendix F Case Notes ...... 86

Appendix G Privacy Victoria Publications at 30 June 2010 ...... 89

Appendix H Organisational Participation in Privacy Victoria’s Training and Awareness Activities during 2009-10 ...... 91

Appendix I Privacy Victoria Oration Melbourne, 1 September 2009 ...... 94

summary Victoria’s Information Privacy Principles (IPPs) ...... 97

commissioner’s overview

[Photo: Privacy Commissioner Helen Versey. Photo courtesy of The Border Mail]

On 1 September 2009 the Hon. Michael Kirby AC CMG gave the inaugural Privacy Victoria Oration to mark the 8th Anniversary of the Information Privacy Act 2000 (Vic) coming into force [1]. His oration was entitled ‘Privacy, MySpace, YouTube and Facebook: Can the law cope?’

Mr Kirby commenced by recounting how he had recently been stranded at JFK airport, and, to while away the time, had ‘googled’ his partner’s name. Up came a story from an Australian newspaper about a time 20 years before when his partner owned a newsagency business and some unnamed lawyer claimed he saw Mr Kirby delivering newspapers for his partner. As Mr Kirby said, “Endearing or not, the story is just false,” but, as he pointed out, “stories that once would have been wrapping the fish and chips and forgotten a few weeks or months later, are preserved forever.”

Mr Kirby used the story to illustrate how new technology has changed our lives and the challenges that privacy regulators face with ever-changing technology.

Governments – rightly – want to harness this new technology. They want to use it to provide better services, and to provide better security for the public. This has seen a move to ‘seamless’ or ‘joined up’ government through data sharing and data matching. Technology has made large-scale data matching between organisations quicker and easier. But depending on how it is conducted, data matching also poses privacy risks such as function creep, automated decision making based on poor quality data and profiling. To address these legitimate concerns Privacy Victoria published during this reporting period a guide for the Victorian public sector Data Matching in the Public Interest [2]. The title of the guide was intended to acknowledge that privacy is one of many public interests that are relevant to data matching activities. But those interests need to be balanced against the risks to privacy.

I am aware that public sector organisations sometimes refuse to share information even where permitted under the Information Privacy Act. In some cases, such as during emergencies, this can potentially cause harm. Privacy Victoria’s guidance Emergencies and Privacy is designed to assist organisations involved in responding to emergencies such as bushfires and disasters to plan ahead and to train staff about how personal information can be legitimately shared.

Technology has also impacted on how government and local government handle records and registers that they are required by legislation to make available to the public. In the past these records have been in paper form, available for inspection in a government office, usually for a fee. However, technology now enables organisations to publish these records online, readily available to anyone, and in bulk. While there is a legitimate public interest in making public records more available, organisations need to be conscious that by publishing information online it becomes more readily available to those who seek personal information for illegitimate purposes – and that once published online it is out there forever. Publication of planning information is an example where information, including individuals’ names, addresses and contact information, is being published online, often retrospectively and without notice.

Privacy Victoria’s submission to the exposure draft of the Planning and Environment Bill 2009 highlighted the privacy issues surrounding the publication of planning information online. It is important that new legislation dealing with public records addresses this new environment [3].

This reporting period has also seen both the Commonwealth and the Victorian Governments, through their ‘Government 2.0’ initiatives, seeking to make greater use of Web 2.0 technology for the sharing of government information with the public. While the use by government of Web 2.0 technology can give the public greater access to government information and processes, the challenge is how to do this and at the same time protect the personal information government collects, often compulsorily. At the Commonwealth level it has been proposed that personal information be de-identified. However de-identification is, in practice, difficult to achieve and resource intensive. Privacy Victoria will continue to engage with all levels of government to ensure privacy issues are recognised and effectively addressed.

The topic of Web 2.0 technology inevitably leads to a discussion about children and young people and their approach to privacy. Children and young people have grown up with social networking sites and mobile phones. It is often said (wrongly in my view) that young people don’t care about privacy, since they disclose so much information about themselves. One of the functions of this office is to promote personal privacy. How better to do this than with young people? This year Privacy Victoria set up a Youth Advisory Group made up of young people aged from 15 to 25 (see page 33). The group supported the Office in hosting a one-day conference in May 2010 Watch this space: Children, young people and privacy attended by almost 300 delegates (see page 34). In addition to members of the Youth Advisory Group, the conference was attended by over 50 secondary school students. What was clear from the conference was that young people do care about privacy and are receptive to being helped to protect themselves. Privacy Victoria will continue to work with our Youth Advisory Group in the coming year to engage with young people in developing ways to protect their personal information.

When reviewing the work of the office this year, there continues to be a significant increase in the number of consultations with this Office by the Victorian public sector. While it is very pleasing that organisations are more and more willing to engage with us to address privacy issues there is still a tendency for consultation to occur late, when it is much more difficult for privacy protections to be included, especially in large technology projects. In the area of legislative proposals it is often too late to effect change. It is particularly disappointing when there is no consultation at all on legislative proposals that clearly impact significantly on privacy. A notable example of this is the Summary Offences and Control of Weapons Act Amendments Bill 2009 and the Control of Weapons Amendment Bill 2010 [4]. In spite of the significant impact on privacy these Bills involved, there was no consultation before they were introduced into Parliament. Even – or perhaps especially – when proposed legislation is controversial and is going to severely impact on privacy, there is no reason not to consult. Consultation may produce a better outcome for Victorians in achieving an appropriate balance between privacy and other public interests.

In the forthcoming year we will continue to monitor technological advances. In particular, we will be examining the use or proposed use of cloud computing by the public sector and will provide guidance. We also propose conducting at least two audits or surveys examining public sector compliance with the Information Privacy Act. We will be focussing on how to more effectively raise awareness in the Culturally and Linguistically Diverse and Indigenous communities to ensure people in those communities understand their rights and can access our services. Our new updated website will be completed and launched. Our website is a vital part of how we raise awareness both within the Victorian public sector and the general public. During Privacy Awareness Week this year we launched an online quiz (see page 36, 38) designed to assist people check their risk for identity theft. This was a joint initiative of the Asia Pacific Privacy Authorities (see page 28-30), of which Privacy Victoria is a member. We will be further promoting this tool, in part to promote privacy with seniors.

My thanks to Privacy Victoria staff and contractors for their ongoing commitment to the work of this office. To quote the Hon. Michael Kirby again, “For a small agency, Privacy Victoria has achieved much. But its greatest challenges lie ahead.”

Helen Versey
Privacy Commissioner

[1] For full text of the oration see page 88
[2] Available at www.privacy.vic.gov.au
[3] See Office of the Victorian Privacy Commissioner – Submission to the Department of Planning and Community Development February 2010. See also Privacy Victoria Public registers and privacy – Guidelines for the Victorian public sector. Available www.privacy.vic.gov.au>publications
[4] See Office of the Victorian Privacy Commissioner Submissions to the Parliamentary Scrutiny of Acts and Regulations Committee November 2009 and June 2010 available at www.privacy.vic.gov.au>publications

report on the operations of the office

The Law

The Office of the Victorian Privacy Commissioner is an independent statutory Office created by the Information Privacy Act 2000. The Privacy Commissioner and staff, known as the Office of the Victorian Privacy Commissioner (also known as Privacy Victoria or OVPC) is the key body in a system regulating the way Victorian government agencies and local councils collect and handle personal information. The Privacy Commissioner reports to the Victorian Parliament through the Attorney General.

Objects and Functions

The objects of the Information Privacy Act 2000 are to:
• Balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information;
• Promote awareness of responsible personal information handling practices; and
• Promote the responsible and transparent handling of personal information.

The Privacy Commissioner
• Promotes understanding and acceptance of ten Information Privacy Principles (IPPs);
• Educates people in the public sector and the wider community about information privacy;
• Receives and deals with complaints of alleged breaches of privacy by public sector organisations;
• Advises government on privacy legislation and policies and advises organisations on developing codes of practice;
• Monitors developments in data processing and information technology;
• Assesses and approves codes of practice submitted by public sector agencies; and
• Makes public statements on any matter affecting personal privacy.

2007-2012 Strategic Framework

Privacy Victoria’s aims have been expressed in the strategic framework for 2007-2012 as objectives:
• Promote and encourage adherence to the Information Privacy Principles as common practice amongst the Victorian public sector.
• Continually improve understanding of privacy issues, rights and good privacy practice.
• Model fair and efficient procedures for the handling of enquiries and complaints under the Information Privacy Act 2000.
• Foster respectful and constructive relationships.
• Provide leadership in privacy issues.
• Operate a cohesive, well managed, accountable and independent Office.

Our Values

These values apply to all that we do, both internally and externally:
• Accessibility
• Accountability
• Discretion
• Impartiality
• Quality
• Recognition
• Respect

functions of the office

Advise and Guide

Privacy Victoria’s 2007-2012 Strategic Plan includes these three Objectives:
• Promote and encourage adherence to the Information Privacy Principles as common practice amongst the Victorian public sector;
• Continually improve understanding of privacy issues, rights and good privacy practice; and
• Provide leadership in privacy issues.

To meet these Objectives, Privacy Victoria provides a range of advice and guidance services and products. These include privacy advice and consultations with the public sector, advice on legislative proposals and submissions to public inquiries.

The total number of consultations under this umbrella for 2009-10 was 237. This is a significant increase from 2008-09, where 201 consultations were recorded, and the highest figure since the inception of the office. This is an increase of 17.91% (see Graph 1) and signals increased public sector engagement and consideration of privacy issues, and potentially reflects stronger awareness of the role and consultative function of Privacy Victoria.

[Graph 1: Consultations for Policy and Project Advice – Past Five Years]

Privacy advice and consultations

Privacy Victoria is regularly contacted by public sector organisations across government for advice and consultation on a wide variety of issues which relate to privacy. Some queries are handled by Policy and Compliance staff through the Office’s enquiry line (see ‘Handle Enquiries’) or via face to face meetings. Complex consultations requiring advice may require numerous meetings, provision and analysis of documents, and extensive research by Privacy Victoria staff.

The Privacy Commissioner strongly encourages early consultation to help facilitate a privacy-protective approach from the start to the end of a project or proposal. The general aim of consultations is to provide guidance, advice and to assist organisations understand Information Privacy Act obligations. Consultations with the Privacy Commissioner are treated with appropriate levels of confidentiality and secrecy.

The following are examples of proposals where advice has been given:

Department of Education and Early Childhood (DEECD) – Ultranet

During the reporting period Privacy Victoria was consulted by DEECD on a major project being developed called the Ultranet. The Ultranet aims to connect students, teachers and parents through an extranet with a broad range of applications and functions.

A Privacy Impact Assessment (PIA) was undertaken by an external consultant that raised a number of privacy concerns largely echoed by Privacy Victoria. After further consultation with Privacy Victoria, DEECD agreed to adopt most of the recommendations in the PIA. Privacy Victoria continues to work with DEECD to ensure that the privacy risks inherent in the project are minimised.

Efficient Technology Services (ETS) Program

The Victorian Government’s ETS Program aims to bring together common Information Communications Technology (ICT) services from across all 11 departments and four key agencies to produce one efficient ICT service by 2013. Apart from reduced costs and productivity gains, the main benefits are expected to include increased collaboration across these organisations. A significant step in the ETS Program occurred in July 2008, when CenITex (Centre for IT Excellence) was created.

Government Services Division (GSD) of the Department of Treasury and Finance is responsible for the development and implementation of the ETS. GSD has other responsibilities, including production of ICT standards for Victorian public sector agencies.

The Privacy Commissioner initiated a collective, ongoing consultation process with both GSD and CenITex. The key objectives of the process are to:
• Ensure that personal information is handled in accordance with the Information Privacy Act, regardless of who has stewardship at any one time (i.e. the client itself or CenITex as their agent);
• Ensure that CenITex’s role is clear throughout, with clear notice being available from CenITex and client websites;
• Promote enhanced ICT standards across all CenITex client organisations once transitional arrangements are complete; and
• Work with GSD to ensure privacy principles are always considered during the implementation of the various phases of the ETS Program.

Privacy Victoria will produce guidelines to assist departments and agencies to focus on privacy issues during their transitional arrangements.

[Image: Youth Advisory Group advertisement (refer page 33)]

Government 2.0

Privacy Victoria was consulted by both the Commonwealth and Victorian Governments over their respective Government 2.0 proposals.

On 22 June 2009 the Commonwealth Minister for Finance and Deregulation, the Hon. Lindsay Tanner MP and the Special Minister of State, Senator Joe Ludwig, announced the formation of a Taskforce to investigate how the Australian Government can use new Web 2.0 approaches to expand the uses of Commonwealth information and improve the way government consults and engages with citizens.

On 19 August 2009, the Deputy Commissioner, Dr Anthony Bendall, attended a roundtable discussion convened by the Taskforce to consult with Victorian Public Sector officials and regulators about the issues and opportunities presented by Government 2.0.

The Deputy Commissioner raised a number of concerns, which were also reiterated in the Privacy Commissioner’s submission on the Draft Taskforce report in December 2009 (see below). These concerns included the fact that, while the draft report addresses concerns over the privacy of personal information, it does so only in the area of the release of Public Sector Information (PSI), by suggesting that agencies release information in de-identified form.

This is a difficult task, given the increasing sophistication of data mashing, data matching and the risk of subsequent re-identification. It would also require a monumental amount of work and resources on the part of public sector agencies. These two factors could contribute to the task being done in a less than uniform or less than effective way, which would constitute a significant threat to personal privacy. Moreover, almost no attention was paid to the equally important ‘other end’ of the information cycle: the collection of personal information. The Taskforce’s final report was released on 22 December 2009 and is available at www.finance.gov.au/publications/gov20taskforcereport/index.html.

On 11 March 2010, the Deputy Commissioner also attended a Government 2.0 Action Plan Workshop hosted by the Victorian Department of Premier and Cabinet (DPC) to examine similar issues in the Victorian context. This was followed by further meetings between consultants engaged by DPC to develop an action plan to further Web 2.0 developments in the Victorian public sector.

Privacy Victoria will continue to consult all levels of government and the community on issues involving technology and privacy, including Web 2.0, in 2010-11.

VicRoads – Registration and Licensing (RandL) Project

During the reporting period, Privacy Victoria continued to be consulted on the RandL Foundation project, which is proposed to modernise delivery of licensing services, address the limitations and issues of the current systems used by VicRoads, the Department of Sustainability & Environment (DSE) and Marine Safety Victoria (MSV) and provide the platform to service the range of licences across Victorian Government.

Following further consultation with Privacy Victoria, the Project commissioned a PIA. Privacy Victoria will continue to be consulted as the recommendations of this PIA are implemented and the project is further developed.

Legislative Review

A function of the Privacy Commissioner under Section 58 of the Information Privacy Act involves assessing the potential privacy impacts of various policy or legislative proposals. This requires the Privacy Commissioner to identify and impartially comment on a proposal which may adversely impact on privacy and, where appropriate, make suggestions to ameliorate the impact.

Legislative review can occur in a variety of different ways: a verbal or written consultation with the relevant government department at a policy development stage (see ‘Privacy advice and consultations’); by commenting on draft Bills at a cabinet stage; or, once a Bill has been introduced into the Parliament, by making a written submission to the Scrutiny of Acts and Regulations Committee (SARC).

SARC is required to assess the impact of Bills on personal privacy rights specifically under the Information Privacy Act but also the wider right to privacy under Section 13 of the Charter of Human Rights and Responsibilities Act 2006. The Privacy Commissioner assists the Committee in this role by providing written submissions on issues of general or specific privacy concern and publishes submissions to SARC (see Table 2).

Table 1 sets out legislative proposals of the Victorian and Commonwealth Parliaments on which advice was provided during 2009-10 (see also ‘Submissions to public inquiries’).

Table 1 Advice and Consultation on Legislative Proposals

Session | Bill or Regulation | Description
July 2009 | Transport Legislation Amendment Bill 2009 | Extended powers to various transport regulators.
July 2009 | Racing Integrity Assurance Bill 2009 | Established Racing Integrity Commissioner with information collection and disclosure powers.
September 2009 | Education and Training Reform (International Student Safeguards) Amendment Bill 2009 | Bill allows details of suspended/cancelled educational providers to be published.
October 2009 | Taxation Administration Amendment (Feasibility Studies) Bill 2009 | Ability to conduct feasibility studies and require information.
October 2009 | Serious Sex Offenders (Detention and Supervision) Bill 2009 | Electronic monitoring of offenders, disclosure of information.
November 2009 | Education and Training Reform (Amendment) Bill 2009 | Extended ‘Register of Teachers’ to include suspended and cancelled teachers, expansion of Victorian Student Number (VSN) system.
December 2009 | Healthcare Identifiers Bill 2010 | Establishment of unique health identifier number for e-health proposals.
April 2010 | Electoral Amendment (Electoral Participation) Act 2010 | Permits automatic enrolment from Victorian Curriculum and Assessment Authority data by the Victorian Electoral Commission.
May 2010 | Working with Children Amendment Bill 2010 | Clarifies enquiries by Secretary about applications, removes references to charges for offences that have been finally dealt with, allows exchange of information with relevant bodies in other jurisdictions.
May 2010 | Primary Industries Legislation Amendment Bill 2010 | Amendments to the Catchment and Land Protection Act and the Livestock Disease Control Act, including information release to improve prevention of outbreak of livestock disease.
May 2010 | Personal Safety Intervention Orders Bill 2010 | Replaces existing stalking intervention order system; establishes protection of individuals from prohibited behaviour in non-family situations.

Privacy Victoria also engaged in a number of other legislative consultations with various departments which are not listed in Table 1. These legislative proposals and draft bills were not introduced into Parliament, or generally made public, during 2009-10. Privacy Victoria is unable to report on all consultations due to confidentiality requirements. Additionally, some consultations occur at the cabinet stage of the legislative process and as such are subject to strict cabinet-in-confidence requirements and cannot be disclosed.

Submissions to Public Inquiries

Privacy Victoria made 31 submissions (either written or oral appearances) to public inquiries in 2009-10 (See Table 2). This is a 182% increase on the previous year’s figure (11), and is the highest number of submissions made to public inquiries by Privacy Victoria since its inception.

Submissions generally relate to reviews of new or proposed legislation (including bills introduced into Parliament or exposure drafts of bills released for public comment) or inquiries into general law reform or issues which concern privacy. Larger submissions often require significant research and analysis by Privacy Victoria staff.

Privacy Victoria focuses on how the proposed legislation or issue impacts on the privacy rights of Victorians when making a submission. The Privacy Commissioner and Privacy Victoria staff also endeavour to make themselves available for public hearings, when requested, to provide further information or advice as required.

Copies of most written submissions are available at www.privacy.vic.gov.au.

Table 2 Submissions to Public Inquiries

Date of Submission | Inquiring Body | Inquiry | Type of Submission
July 2009 | Victorian Parliament – Law Reform Committee | Review of the Members of Parliament (Register of Interests) Act 1978 | Oral evidence by Privacy Commissioner to public hearing
July 2009 | Victorian Law Reform Commission | Surveillance in public places | Written submission
July 2009 | Commonwealth House of Representatives – Standing Committee on Communications | Inquiry into Cyber Crime | Written submission
July 2009 | National Registration and Accreditation Implementation Project | Exposure draft of the Health Practitioner Regulation National Law 2009 | Written submission
July 2009 | Senate Standing Committee on Legal and Constitutional Affairs | Personal Property Securities Bill 2009 | Written submission
August 2009 | Commonwealth Attorney-General’s Department | Telecommunications (Interception and Access) Amendment Bill 2009 – Network Protection | Written submission
August 2009 | Australian Health Ministers’ Advisory Council | Healthcare Identifiers and Privacy | Written submission
October 2009 | Department of Health | Public Health and Wellbeing Regulations 2009 | Written submission
October 2009 | House of Representatives – Standing Committee on Communications | Inquiry into Cyber Crime | Oral evidence by Deputy Commissioner to public hearing
November 2009 | Victorian Parliament – Scrutiny of Acts and Regulations Committee | Health Practitioner Regulation National Law (Victoria) Bill 2009 | Written submission
November 2009 | Senate Standing Committee on Legal and Constitutional Affairs | Personal Property Securities (Consequential Amendments) Bill 2009 | Written submission
November 2009 | Victorian Parliament – Scrutiny of Acts and Regulations Committee | Summary Offences and Control of Weapons Amendment Bill 2009 | Written submission
November 2009 | Victorian Equal Opportunity and Human Rights Commission | Report on the operation of the Charter of Human Rights and Responsibilities Act 2006. | Written submission
November 2009 | Commonwealth Attorney-General’s Department | Discussion paper – Personal Property Securities Regulations | Written submission
November 2009 | Victorian Parliament – Scrutiny of Acts and Regulations Committee | Serious Sex Offenders (Detention and Supervision) Bill 2009 | Written submission
December 2009 | Victorian Parliament – Law Reform Committee | Proposal for a Register of Power of Attorney documents | Oral evidence by Privacy Commissioner to public hearing
December 2009 | Government 2.0 Taskforce | Response to draft report | Written submission
December 2009 | Senate Standing Committee on Economics | Taxation Laws Amendment (Confidentiality of Taxpayer Information) Bill 2009 | Written submission
January 2010 | Commonwealth Attorney-General’s Department (Independent Review) | Part 1D of the Crimes Act 1914 (Cth) – Forensic Procedures | Written submission
January 2010 | Commonwealth Department of Health and Ageing | Healthcare Identifiers Bill 2010 | Written submission
January 2010 | Senate Standing Committee on Finance and Public Administration | Freedom of Information Reform Bill 2009 and Information Commissioner Bill 2009 | Written submission
February 2010 | Department of Planning and Community Development | Planning and Environment Amendment (General) Bill 2009 | Written submission
March 2010 | Senate Committee on Community Affairs | Healthcare Identifiers Bill 2010 and Healthcare Identifiers (Consequential Amendments) Bill 2010 | Written submission
April 2010 | Senate Standing Committee for the Scrutiny of Bills | Future direction and role of the Standing Committee | Written submission
April 2010 | Victorian Parliament – Scrutiny of Acts and Regulations Committee | Members of Parliament (Standards) Bill 2010 | Written submission
April 2010 | Victorian Parliament – Scrutiny of Acts and Regulations Committee | Education and Training Reform Act Amendment Bill 2010 | Written submission
May 2010 | Essential Services Commissioner | Inquiry into electricity smart meters. | Written submission
May 2010 | Commonwealth Attorney-General’s Department | Personal Property Securities Regulations 2010 | Written submission
June 2010 | Victorian Parliament – Scrutiny of Acts and Regulations Committee | Control of Weapons Amendment Bill 2010 | Written submission
June 2010 | Senate Joint Select Committee on Cyber Safety | Cyber safety issues affecting young people | Written submission
June 2010 | Victorian Parliament – Law Reform Committee | Inquiry into arrangements for security and security of information gathering for State Government constructions projects | Written submission

[Graph 2: Submissions made to Public Inquiries (Written & Oral)]

EXAMPLES OF SUBMISSIONS

1. Victorian Law Reform Commission (VLRC) – Inquiry into Surveillance in Public Places

The VLRC conducted an inquiry into how the current law deals with surveillance in public places and potential options for law reform. In its submission, Privacy Victoria discussed principles to guide public place surveillance (including transparency and proportionality), argued the need for a specific surveillance regulator, canvassed the idea of a licensing system for some invasive surveillance practices and called for clarification and strengthening of the existing Surveillance Devices Act and a statutory cause of action for serious privacy invasions.

2. House of Representatives Standing Committee on Communications (HRSCC) – Inquiry into Cyber Crime

The HRSCC commissioned an inquiry into the incidence of cyber-crime on consumers, the nature and prevalence of e-security risks including theft of personal information, and measures and future initiatives to mitigate such risks. Privacy Victoria submitted to the inquiry, explaining that many cyber-crime issues are caused by over collection and data-security risks, and that attention to risks of over collection, data-security (encryption, audit controls and automatic notification) and permitting anonymous interaction with organisations may aid in reducing cyber risks. The submission acknowledged that privacy law promotes such principles, but noted gaps within the existing privacy legislative framework which reduce its effectiveness. The inquiry requested the presence of a Privacy Victoria staff member at its public hearing. Deputy Commissioner Dr Anthony Bendall appeared in Sydney to explain the submission in more detail. The HRSCC produced its final report on 22 June 2010 and it is available at www.aph.gov.au/house/committee/coms/cybercrime/report.htm.

3. Health Practitioner Regulation National Law 2009 – National Registration and Accreditation Implementation Project (NRAIP)

Privacy Victoria submitted to NRAIP on the exposure draft of the Health Practitioner Regulation National Law Bill 2009. The Bill proposed to establish a national scheme for the regulation of health practitioners, and create national registration databases and parallel public registers relating to health practitioners. Privacy Victoria acknowledged the inherent public interest of a national practitioner scheme, but considered that some of the intrusions into the privacy of practitioners, which included identity checking, criminal history (accuracy issues), concerns relating to the proposed mandatory reporting scheme and material to be made public on the register, cannot be justified on the basis of that public interest. Privacy Victoria also submitted to the Victorian Scrutiny of Acts and Regulations Committee on the relevant Victorian legislation.

4. Personal Property Securities Reform Project – Various Submissions

The aim of the Personal Property Securities Reform Project is to improve the ability and ease by which business and individuals can use personal property they own (such as cars, boats, machinery etc.) as security to borrow money. Once complete, the reform will harmonise and streamline more than 70 existing pieces of Commonwealth, State and Territory legislation and establish a national personal property securities register (PPSR) with electronic registration and search processes that will replace more than 40 different registers of security interests. Privacy Victoria submitted to the Senate Standing Committee on Legal and Constitutional Affairs and the Commonwealth Attorney-General’s Department, not only that the amount of personal information publicly available needs to be strictly limited to that information necessary to fulfil the purpose of the PPSR, but also that access to date-of-birth details should be limited, and that there needs to be a clear ability for individuals to request suppression of their personal information for a relevant reason. The reform project is ongoing.

5. Healthcare Identifiers (‘E-Health’) Legislation – Various Submissions

Electronic health (or ‘e-health’) records are a feature of the existing health system, and their use is increasing. The challenge is to maximise the protection of privacy and positive health outcomes. Fundamental components of the scheme include the creation and linkage of e-health records and the implementation of a universal unique identifier for all patients. Privacy Victoria submitted to the National Registration and Accreditation Implementation Project (NRAIP) and the Commonwealth Department of Health and Ageing, arguing that the arrangements surrounding the healthcare identifier system are artificial and limited, and expressing concern that healthcare identifier information may be used for undefined functions, and that provisions for use and disclosure were expressed in too general a manner (such as ‘provision of healthcare’). Ultimately, Privacy Victoria considered the safeguards implemented in the project may prove insufficient. The e-health reform project is continuing.

6. Scrutiny of Acts and Regulations Committee (SARC) – Summary Offences and Control of Weapons Amendment Bill 2009 and Control of Weapons Amendment Bill 2010

The Summary Offences and Control of Weapons Amendment Bill proposed to amend the Control of Weapons Act to permit police to conduct arbitrary weapons searches of any individuals within a designated area following a police determination under the Act. Privacy Victoria submitted to the Committee, arguing that such arbitrary search powers were contrary to the right to privacy under the Charter of Human Rights and Responsibilities Act 2006 (Vic), that the discretion afforded to police was exceptionally wide and that the Bill contained insufficient provisions for oversight and review. Privacy Victoria also submitted to SARC in relation to the second round of amendments (Control of Weapons Amendment Bill 2010) which purported to further expand the scheme. The second bill is currently before the Victorian Parliament.

7. Review of Part 1D of the Crimes Act 1914 (Cth) (Forensic Procedures) – Commonwealth Attorney-General’s Independent Review

Part 1D of the Crimes Act 1914 (Cth) outlines how forensic information about individuals (such as DNA information) is collected, stored and used under the Commonwealth Crimes Act, and establishes the National Criminal Investigation DNA Database (NCIDD or National DNA Database). The National DNA Database allows matches of crime scene forensic information and information or profiles on the database. All Australian states and territories now participate in the NCIDD. Privacy Victoria provided an extensive written submission to the review and the Privacy Commissioner attended a roundtable discussion of the issues held in Melbourne. Privacy Victoria submitted that the informed consent procedures of the Act require review, discussed privacy issues surrounding mass-screening, buccal swabs, innocence testing, and the inadequacy of Crimes Act provisions for protecting genetic information. The submission called for increased auditing and reporting of the NCIDD, and covered general privacy issues arising from forensic procedures such as informal collection, familial testing, function creep in genetic testing and the use of force in collection, and suggested that the Commonwealth Crimes Act should provide a model template for state and territory jurisdictions to follow.

8. Scrutiny of Acts and Regulations Committee – Education and Training Reform Act Amendment Bill 2010

The Education and Training Reform Act Amendment Bill 2010 expanded the information to be published on the publicly available ‘Register of Teachers’, including information relating to cancellation and suspension. The Bill also expanded access, use and disclosure of the Victorian Student Number (VSN), a unique identifier assigned to all Victorian students to track their educational progress. Privacy Victoria submitted to the Committee, arguing that inclusion of status information may have an unfair prejudicial effect on teachers in other non-teaching areas of life (such as alternate employment) and may cause individuals accessing the Register to unfairly speculate on the reasons behind the cancellation. Privacy Victoria considered any publication should occur only after appeal mechanisms are exhausted and expressed concern that the Bill appeared to permit information to stay on the Register indefinitely. The Privacy Commissioner also raised concern at the continued expansion in access, use and disclosure of the VSN. SARC referred the Commissioner’s submission to the Minister for response.

[Image: Royal Melbourne Show poster (refer page 35)]

Voters’ Rolls – Public Interest Determination

Section 34 of the Electoral Act 2002 (Vic) requires the Victorian Electoral Commissioner to consult with the Privacy Commissioner regarding any requests for access to electoral roll information for a public interest purpose. In making a decision, the Electoral Commissioner must take into account the Privacy Commissioner’s advice on the public interest in protecting the privacy of the information requested. The Electoral Commissioner provides an annual report to Parliament on its Section 34 decisions.

Section 24C of the Local Government Act 1989 (Vic) requires application for access to local government voters’ rolls for public interest purposes to be approved by the Privacy Commissioner.

In 2009-10, the Privacy Commissioner received three requests for advice under the Electoral Act (five were received in 2008-09) and three requests under the Local Government Act (no requests were received in 2008-09) (See Table 3).

Table 3 Requests for Access to Voter Roll Information

Date of Advice | Act | Body seeking public interest disclosure of voter information | Outcome

September 2009 | Electoral Act | Department of Justice, Strategic Communications Branch | Supported access (subject to conditions)

October 2009 | Electoral Act | Victoria Police (Melbourne Crime Investigation Unit) | Supported access

October 2009 | Local Government Act | Member of Public | Not approved

December 2009 | Local Government Act | Country Fire Authority | Supported access (subject to conditions)

December 2009 | Local Government Act | Kennett River Association | Not approved

May 2010 | Electoral Act | Adoption and Family Records Service | Supported access

EXAMPLE OF ADVICE GIVEN UNDER SECTION 34

The Electoral Commissioner requested the Privacy Commissioner’s advice under Section 34 of the Electoral Act 2002 in relation to a request for access to the non-public electoral roll by the Strategic Communications Branch of the Department of Justice for the purpose of conducting a mail-out of information relating to bushfire preparedness to all Victorian households.

The Privacy Commissioner concluded that on balance the public interest in ensuring that as many Victorians as possible receive bushfire information sufficiently outweighed the public interest in protecting the privacy of personal information stored by the Victorian Electoral Commission (VEC). The Privacy Commissioner suggested that as an alternative to providing the Department of Justice with the electoral information a more privacy enhancing way would be for the VEC to conduct the mail-out through its own contracted mail-house.

The Electoral Commissioner decided to grant the request but with a number of strict conditions, including the requirement that the mail-out be conducted by VEC’s usual contracted mail house under the existing confidentiality agreement. Under that condition the electoral information did not leave the control of VEC. In addition the only personally addressed mail would be to addresses within the 52 high risk bushfire areas as identified by the Country Fire Authority with non-personalised letters being sent to the remaining addresses.

[Image: Cover of the Data Matching Guidelines]

Guidelines and Information Sheets

Guidelines

Data Matching in the Public Interest: A Guide for the Victorian Public Sector

In August 2009, Privacy Victoria published guidelines on Data Matching in the Public Interest. The guide, designed for use by Victorian public sector agencies, provides assistance on conducting data matching exercises for public interest purposes. The guide also aids organisations to understand and prevent potential privacy risks such as function creep, data quality problems and profiling, as well as explaining the privacy compliance environment.

Use of Portable Storage Devices – A Guide to Policy Development

In January 2009, Privacy Victoria published a report on findings of its survey into the Victorian Public Sector’s use of Portable Storage Devices (PSDs). The survey showed the public sector had generally handled PSDs poorly, posing security risks. In August 2009, Privacy Victoria developed a guide to assist public sector organisations develop policies for the use of PSDs, covering technical controls, governance issues and a checklist for development of a PSD policy.

Fitzroy Legal Service Law Handbook

In July 2009, as in previous years, Privacy Victoria contributed to the 2010 Law Handbook. The Law Handbook is a guide to the law in Victoria, published annually by the Fitzroy Legal Service. Privacy Victoria assisted the Fitzroy Legal Service in updating the section on Victorian privacy law. It is envisaged that this process will be repeated in 2010-11.

Guide for Respondents – Responding to a Privacy Complaint (Update) (November 2009)

This document updated existing advice designed to help organisations respond to privacy complaints under the Information Privacy Act.

Information Sheets

Privacy Victoria publishes Information Sheets to clarify commonly raised issues recognised by Privacy Victoria staff in enquiries, complaints or awareness functions.

Information Sheet 01.10 – Accessing and correcting your personal information (revised) (January 2010)

This Information Sheet provides guidance to help members of the public access and correct personal information held by Victorian Government agencies, contracted service providers, and other organisations. It provides a brief explanation of access and correction rights and processes under the Freedom of Information Act, Information Privacy Principle 6 – Access and Correction, and the Privacy Act 1988 (Cth). The document also provides some guidance as to which act is likely to apply to different types of organisations.

Information Sheet 02.10 – Emergencies and Privacy (revised) (January 2010)

The previous Information Sheet Bushfires and Privacy was revised and expanded to advise agencies on how to comply with the Information Privacy Act when facing requests for information relating to emergency situations (including bushfires), and on use and disclosure issues in emergency situations.

Information Sheet 05.09 – Public Records, Recordkeeping Systems and the Information Privacy Principles (July 2009)

This Information Sheet explains the interaction between the Information Privacy Act and public record requirements under the Public Record Act. It was developed in conjunction with the Public Record Office Victoria.

Codes of Practice

Part 4 of the Information Privacy Act allows an organisation regulated by the Act to discharge its duty to comply with any of the ten IPPs by complying with an approved code of practice. A code of practice may modify any one or more of the IPPs, or can prescribe how a particular IPP must be complied with. The code of practice must be at least as stringent as the IPPs. There were no consultations or proposals for codes of practice in 2009-10.

Audit and Monitor

Privacy Victoria’s 2007-2012 Strategic Plan includes this Objective:

• Promote and encourage adherence to the Information Privacy Principles as common practice amongst the Victorian public sector.

The Audit and Monitoring function assists Privacy Victoria meet this Objective.

Review of the response by Victoria Police to Compliance Notice 06/02 and by the Department of Justice to Compliance Notice 06/03

In July 2006 the former Privacy Commissioner served on Victoria Police and the Department of Justice Compliance Notices under Part 6 of the Information Privacy Act. The Notices were served following an investigation into an incident known as ‘Mr C’s Case’ [5].

The case involved the release by Victoria Police of a large amount of personal information, including criminal records from the Victoria Police database known as ‘LEAP’, to two employees of the Department of Justice. As a result of information ascertained in the course of the investigation the former Privacy Commissioner assessed the security of the E* Justice system which is the responsibility of the Department of Justice. The Compliance Notices required that Victoria Police and the Department of Justice facilitate audits of their responses to the Compliance Notices.

The Privacy Commissioner commissioned Deloitte Touche Tohmatsu to conduct the audits. In December 2009 the Privacy Commissioner’s report on the findings of those audits was delivered to the Deputy Premier [6].

The Report concluded that while Victoria Police had made some progress to meet the requirements of Compliance Notice 06/02, more work was required. In particular the Privacy Commissioner noted the continued failure of Victoria Police to have MoUs with all external users of LEAP and recommended this be addressed immediately. The Privacy Commissioner also supported key recommendations in the Report of the Commissioner for Law Enforcement and Data Security (CLEDS) Review of Information Governance within Victoria Police April 2009.

The Privacy Commissioner found that the Department of Justice had made considerable progress to address issues identified in Compliance Notice 06/03. There were some outstanding information security issues that needed to be addressed as a matter of priority, but overall the Privacy Commissioner was satisfied that the Department had met the requirements of the Compliance Notice.

Handle Complaints

Privacy Victoria’s 2007-2012 Strategic Plan includes these two Objectives relating to the handling of privacy enquiries and complaints:

• Model fair and efficient procedures for the handling of enquiries and complaints under the Information Privacy Act 2000; and

• Foster respectful and constructive relationships.

Procedures for Handling Complaints

Privacy Victoria receives a wide array of enquiries from the general public. (See ‘Handle Enquiries’ at pages 21-25) However, only those matters falling within the jurisdiction of the Information Privacy Act are deemed to be a formal complaint. Part 5 of the Act outlines the Privacy Commissioner’s complaint handling function. It provides an individual with the right to make a privacy complaint if he or she believes a Victorian government organisation has failed to comply with one or more of the ten Information Privacy Principles (IPPs).

In order for the Privacy Commissioner to investigate a complaint, three criteria must be met: the organisation in question must be subject to the Act; the organisation must have engaged or be engaging in an act or practice which raises an issue of compliance with an IPP; and the act or practice must relate to the handling of ‘personal information’ (meaning recorded information that identifies an individual). Complaints cannot be lodged with respect to misuse of information about a business or a corporation, as only living natural persons have privacy rights under the Information Privacy Act.

[5] See Office of the Victorian Privacy Commissioner Report 03.06 www.privacy.vic.gov.au

[6] See Office of the Victorian Privacy Commissioner Report 01.09 www.privacy.vic.gov.au

The Privacy Commissioner has no power to determine whether or not a breach of privacy has occurred in the circumstances giving rise to a complaint. This can be confusing for Complainants and Respondents, who sometimes request the Privacy Commissioner to make a ruling or decision. Rather, the Privacy Commissioner has the discretion to decline to entertain a complaint on the grounds set out under Section 29(1) of the Act, or she may refer a complaint to conciliation. The role of the Privacy Commissioner under the Act is primarily to conciliate complaints.

Whenever Privacy Victoria receives an enquiry that is ‘within jurisdiction’, potential Complainants are encouraged by staff to first make a complaint to the relevant organisation and to allow it appropriate time to respond. This is to encourage organisations to resolve privacy issues with individuals directly and to avoid the matter proceeding to a formal complaint. Privacy Victoria staff may facilitate contact between an organisation and an individual and, where appropriate, can provide contact details for privacy officers to members of the general public with legitimate privacy concerns.

Complainants are also encouraged to first complain to an organisation about a privacy issue because Section 29(1)(c) and (h)(ii) allow a complaint to be declined where an individual has not first complained to the organisation, or where the individual has complained to the organisation but the organisation has not had an adequate opportunity to respond. The Privacy Commissioner, however, is not required to refer a potential Complainant to an organisation first. All grounds for declination set out under Section 29(1) are at the absolute discretion of the Privacy Commissioner.

In 2009-10, Privacy Victoria identified 195 enquiries that could potentially be investigated as formal complaints. Of these, only 53 were converted into actual complaints.

Section 25(5) obliges the staff of Privacy Victoria to provide appropriate assistance to an individual who wishes to make a complaint where he or she requires help formulating the complaint.

Section 25(4) requires complaints to be lodged in writing in order for the Privacy Commissioner to investigate. Table 4 shows that, of the 53 new complaints received in this report period, 26 (49.06%) were received by post, 18 (34.00%) were submitted online using Privacy Victoria’s ‘e-complaint’ form, with the remaining nine complaints (16.98%) received by email, fax or delivered in person by a Complainant.

Privacy Victoria has a number of Information Sheets available on its website to assist the general public and the Victorian public sector to understand the Privacy Commissioner’s complaints functions and processes.

Formal Complaints Received

Table 5 shows the number of complaints investigated during the current period. A total of 78 complaints were handled in the period. Fifty three (53) new complaints were investigated with 25 being carried over from the previous financial year. As at 30 June 2010, 51 complaints have been finalised, with 27 continuing into the next financial year.

The number of new complaints (53) is slightly down on the previous reporting period (72) and is in line with the amount of new complaints received in the 2006-07 (54) and 2007-08 periods (51).

As can be seen from Table 5, there was a significant increase in new complaints in the 2005-06 (82) and 2008-09 (72) reporting periods. In 2005-06, this can be attributed to 21 complaints arising against one organisation as a result of a single human error (see Complainant AD & others v The Department V Prv Cmr [2006]). In 2008-09 this can be attributed to nine complaints being made in relation to the same issue by one individual on her own behalf, and on behalf of her partner and their seven children. Also in 2008-09, ten complaints were made by different individuals against the same organisation as a result of an employee’s ‘bulk’ release of their personal information.

Analysis of Complaints

Complaints by Respondent Organisation

Table 6 shows 23 complaints received against Government Departments in the current reporting period, accounting for 43.40% of the total new complaints received. Government Departments have been the most common Respondent over the last five reporting periods. Local Councils have been the Respondent to 11 new complaints in 2009-10, accounting for 20.80% of the total amount of new complaints received. Local Councils have usually been the second most common Respondent over the last five reporting periods.

Table 4 New Complaints by Source – Yearly Comparisons

Source 2006-07 % of total complaints 2007-08 % of total complaints 2008-09 % of total complaints 2009-10 % of total complaints

eComplaint 21 38.89% 11 21.57% 13 18.06% 18 33.96%

Email 2 3.70% 3 5.88% 7 9.72% 6 11.32%

Fax 2 3.70% 2 3.92% 1 1.39% 1 1.89%

In person 6 11.11% 9 17.65% 3 4.17% 2 3.77%

Post 23 42.59% 26 50.98% 48 66.67% 26 49.06%

Total 54 100.00% 51 100.00% 72 100.00% 53 100.00%

Table 5 Total Complaints Handled – Yearly Comparisons

2005-06 2006-07 2007-08 2008-09 2009-10

Complaints carried over from previous year 15 20* 20 16 25

New complaints 82 54 51 72 53

Total complaints handled 97 74 71 88 78

* The 2005-06 Annual Report reported in Table 6 ‘Outcome of complaints’ on page 25 that there were 18 complaints on-going as at 30 June 2006. This figure did not include 2 complaints which were locked from view due to the sensitivity of the subject matter. The correct figure is 20, which was correctly reported in the 2006-07 Annual Report, Table 4, page 18.

Table 6 Complaints by Respondent Organisation – Yearly Comparisons

Respondent Organisation 2005-06 % 2006-07 % 2007-08 % 2008-09 % 2009-10 %

Local Council 13 15.9% 11 20.4% 6 11.8% 12 16.7% 11 20.8%

Government Department 42 51.2% 18 33.3% 21 41.2% 42 58.3% 23 43.4%

Statutory Authority 10 12.2% 7 13.0% 9 17.6% 6 8.3% 5 9.4%

Public Health 0 0.0% 2 3.7% 1 2.0% 1 1.4% 2 3.8%

Tertiary Institution 2 2.4% 3 5.6% 3 5.9% 3 4.2% 2 3.8%

Contracted Service Provider 3 3.7% 2 3.7% 7 13.7% 1 1.4% 7 13.2%

Law Enforcement 12 14.6% 9 16.7% 3 5.9% 5 6.9% 3 5.7%

Court or Tribunal 0 0.0% 1 1.9% 1 2.0% 0 0.0% 0 0.0%

No organisation (Minister) 0 0.0% 1 1.9% 0 0.0% 2 2.8% 0 0.0%

Total 82 100% 54 100% 51 100% 72 100% 53 100%

Complaints by Subject Matter (IPPs)

A Complainant may allege that a Respondent organisation has breached a number of IPPs as a part of the one complaint. The majority of complaints alleged inappropriate disclosure of personal information under IPP 2.1 (Use and Disclosure) (43 complaints at 41.00%), narrowly followed by IPP 4.1 (Data Security) (36 complaints at 34.30%). This continues the trend seen in previous years where these two IPPs have been the most common areas of concern for the general public. During the reporting period, no complaints alleged a misuse of personal information under IPP 7 (Unique Identifiers) or IPP 8 (Anonymity). Since the 2005-06 reporting period, the Privacy Commissioner has investigated only one complaint that alleged non-compliance with IPP 7 (Unique Identifiers), as can be seen from Table 7.

EXAMPLE: IPP 2 (Use and Disclosure), 4 (Data Security) and 5 (Openness)

The Complainant alleged that his personal information had been inappropriately disclosed (IPPs 2 and 4) and that he hadn’t been provided with a copy of the Respondent’s privacy policy upon request (IPP 5).

The Complainant had requested a copy of one of the Respondent’s internal policies. In a letter he specified that he did not wish his request to be forwarded on to any other party. The Respondent wrote back to the Complainant, advising that the request fell to the responsibility of another Department, and that as a result, the request for the policy had been forwarded on. On receipt of the letter, the Complainant wrote back to the Respondent on two occasions, complaining about the forwarding of his request to the Department and also requesting a copy of the Respondent’s privacy policy.

The Complainant received a letter from the Department advising that the Respondent had transferred the request pursuant to the Freedom of Information Act 1982. The letter informed the Complainant that the initial policy he had requested was available on the Internet and provided a website reference. The Complainant had several telephone conversations with the Respondent’s staff. After a delay, these resulted in the Respondent also emailing the Complainant a copy of its privacy policy.

The Complainant wrote to the Respondent, reiterating his complaint about the disclosure of his initial request. He also complained that the privacy policy he had been provided with was out of date. The Respondent wrote back, advising again that it did not believe that it had breached the Complainant’s privacy.

The Privacy Commissioner considered that there was no other purpose for the Respondent’s transfer other than fulfilling the Complainant’s request for the initial policy. This was the primary purpose for collection of the Complainant’s personal information. As a result, this part of the complaint was declined as not being an interference with the Complainant’s privacy.

In relation to the Complainant’s request for a copy of the Respondent’s privacy policy, the Privacy Commissioner acknowledged that the two month delay between request and provision of the policy was regrettable. However, considering that: IPP 5 contains no requirement for a policy to be provided within a specific time period; that the Respondent eventually provided it; and the Respondent took steps to review the policy and place it on its website, the Privacy Commissioner found that there was no interference with the Complainant’s privacy. This part of the complaint was also declined.

Outcome of Complaints

Ongoing Complaints

At the end of the reporting period, 27 complaints were yet to be finalised (Table 8). Of these, 14 were subject to on-going investigation, eight were at the conciliation stage, and five the Privacy Commissioner had made a decision about, with the complaints having entered the 60-day period in which the Complainant may request the complaint be referred to the Victorian Civil and Administrative Tribunal (VCAT). Of the eight complaints at conciliation, four have been made by the same Complainant against the same organisation (three of which are made by the Complainant on behalf of the Complainant’s children).

Closed Complaints

A complaint is ‘closed’ if it has been successfully conciliated, if the complaint has been referred by the Complainant to VCAT, if the complaint has been ‘referred’ under Sections 29(3), 31 or 34A of the Information Privacy Act, if it has been withdrawn, or if the Privacy Commissioner has dismissed it.

The Privacy Commissioner must ‘dismiss’ a complaint under the Act where a complaint has been declined, conciliation is inappropriate or has failed and in each case where the Complainant does not then request referral of the complaint to VCAT. The Privacy Commissioner may also dismiss a complaint if it has gone ‘stale’, meaning where she has had no substantive response from a Complainant 90 days after a request for contact.

Of the 78 total complaints dealt with during the reporting period, 51 were finalised. Of those, 20 were conciliated successfully, 11 were referred to VCAT and 19 were dismissed as the Complainant did not request referral of the complaint to VCAT (see Table 9).

Withdrawn Complaints

A complaint may be withdrawn for a number of reasons. A Complainant may no longer wish to pursue the complaint, or the particular matter complained about may no longer be an issue because of the Respondent or Complainant’s changed circumstances or processes. Only one complaint was withdrawn during the 2009-10 reporting period.

Table 7 New Complaints by IPPs – Yearly Comparisons

IPP 2005-06 % 2006-07 % 2007-08 % 2008-09 % 2009-10 %

IPP 1 7 5.1% 10 10.0% 14 16.7% 10 7.0% 15 14.3%

IPP 2 69 50.7% 44 44.0% 29 34.5% 64 44.8% 43 41.0%

IPP 3 6 4.4% 7 7.0% 9 10.7% 8 5.6% 4 3.8%

IPP 4 45 33.1% 33 33.0% 31 36.9% 55 38.5% 36 34.3%

IPP 5 1 0.7% 1 1.0% 0 0.0% 2 1.4% 1 1.0%

IPP 6 4 2.9% 2 2.0% 0 0.0% 0 0.0% 4 3.8%

IPP 7 0 0.0% 0 0.0% 0 0.0% 1 0.7% 0 0.0%

IPP 8 0 0.0% 1 1.0% 1 1.2% 2 1.4% 0 0.0%

IPP 9 1 0.7% 0 0.0% 0 0.0% 1 0.7% 1 1.0%

IPP 10 3 2.2% 2 2.0% 0 0.0% 0 0.0% 1 1.0%

Total 136 100% 100 100% 84 100% 143 100% 105 100%

NOTE: NEW complaints means all complaints that are created/opened between 1 July – 30 June. The total of IPPs for NEW complaints will exceed the number of NEW complaints created due to some complaints sharing multiple IPPs.

Table 8 Status of On-going Complaints as at 30 June – Yearly Comparisons

As at 30-Jun-08 As at 30-Jun-09 As at 30-Jun-10

Total complaints ongoing 16 25 27

Status of ongoing complaints

New 0 0 0

Investigating 9 5 14

Conciliation meeting 4 13 8

Pending conciliation 0 0 0

Conciliated 0 1 0

Conciliation failed 1 1 1

Pending declined 0 0 0

Declined 2 3 4

Conciliation not possible 0 2 0

NOTE: Statistics based on complaints HANDLED between 1 July – 30 June. Ongoing complaints at 30 June are carried into the following reporting year and are recorded in the following year’s HANDLED complaints.

Declined Complaints

Under Section 29(1) the Privacy Commissioner may decline to entertain a complaint on a number of grounds. Each ground is discretionary, meaning, if one or more exists, the Privacy Commissioner is not required to decline a complaint on the basis of any. She may instead see benefit in referring a complaint to conciliation where parties can communicate their concerns directly and in a controlled environment.

The Privacy Commissioner has a 90-day investigation period after an enquiry becomes a formal complaint to decide whether or not to decline to entertain it. The Privacy Commissioner declined to entertain 16 of the 51 complaints finalised in 2009-10.

Of the 16 declined, nine were declined on the basis that there had not been an interference with the Complainant’s privacy. Five were declined because the Privacy Commissioner considered that the Respondent had dealt, or was dealing adequately, with the complaint (see Table 10).

When the Privacy Commissioner declines to entertain a complaint under Section 29(1), both parties are provided with reasons for the decision. A Complainant is also informed of his or her right to have the complaint referred to VCAT. Of the 16 complaints declined in the reporting period, only one Complainant requested that their complaint be referred to VCAT (see Table 11).

EXAMPLE: Declined complaint s.29(1)(f)

A Complainant noticed that certain emails and documents containing her personal information had been removed from the Respondent’s IT system. The missing documents included previous and current performance plans, HR documents and personal emails.

The Complainant alleged that by deleting the emails, her Respondent employer had misused the information under IPP 2.1 (Use and Disclosure) and had failed to secure the information in breach of IPP 4.1 (Data Security).

The Respondent provided documents that showed the complaint (the email and file deletion) was the subject of a complaint already made to another Regulator, and that the matter was scheduled for hearing at VCAT.

The Privacy Commissioner declined to entertain the complaint under Section 29(1)(f) as being the subject of a complaint under another enactment, and it being dealt with adequately under that enactment.

EXAMPLE: Declined complaint s.29(1)(h)

The Complainant applied to the Respondent for a permit to keep more than two small dogs at his rented property. The application form did not include information about whether the owner had given permission for this use of the property. The Respondent, without first notifying the Complainant, contacted the real estate agent for the owner of the property and notified them of the Complainant’s application. As a result, the agent attended the property and notified the Complainant that he would be evicted due to this application and the presence of the dogs. As a result, the Complainant had to relocate.

The Complainant alleged that the Respondent had not provided him with appropriate notice as to whom his personal information would usually be disclosed, as required by IPP 1.3 (Collection).

The Respondent admitted disclosing the information and not specifically telling the Complainant that it would be notifying the owner of the permit application. The Respondent did advise however, that the Complainant was told that the owners’ permission was required in order to process the permit. The Respondent also advised the Privacy Commissioner that it had amended its form to include a full privacy statement, had changed its processes and had organised refresher privacy training for its local laws officers. It has also refunded the $40 application fee to the Complainant and apologised in writing for any inconvenience.

Although the Complainant was also seeking compensation for his complaint, the Privacy Commissioner declined to entertain the complaint as she considered that the Respondent had dealt adequately with the complaint.

Table 9 Outcome of Closed Complaints – Yearly Comparisons

Outcome of complaint 2006-07 % 2007-08 % 2008-09 % 2009-10 %

Withdrawn 3 5.6% 7 12.7% 0 0.0% 1 2.0%

Referred under s.29(3) 1 1.9% 0 0.0% 1 1.6% 0 0.0%

Referred to VCAT 17 31.5% 4 7.3% 23 36.5% 11 21.6%

Stale complaints dismissed under s.30 3 5.6% 1 1.8% 1 1.6% 0 0.0%

Conciliation successful 20 37.0% 21 38.2% 23 36.5% 20 39.2%

Dismissed 10 18.5% 22 40.0% 14 22.2% 19 37.3%

Total complaints closed 54 100% 55 100% 62 100% 51 100%

NOTE: These statistics include any HANDLED complaint that has an OUTCOME date within the 1 July – 30 June period and that has one of the listed outcomes selected.

Table 10 Reasons for Complaint Declination under s.29 – Yearly Comparisons

Section Reason 2005-06 % 2006-07 % 2007-08 % 2008-09 % 2009-10 %

s.29(1)(a) No interference with privacy 18 58.1% 11 57.9% 6 50.0% 11 55.0% 9 56.3%

s.29(1)(d) Complaint to Privacy Commissioner made more than 45 days after complainant became aware of act or practice 0 0.0% 4 21.1% 1 8.3% 1 5.0% 0 0.0%

s.29(1)(e) Complaint is frivolous, vexatious, misconceived or lacking substance 7 22.6% 1 5.3% 2 16.7% 3 15.0% 1 6.3%

s.29(1)(f) Being adequately dealt with under another enactment 2 6.5% 0 0.0% 2 16.7% 0 0.0% 1 6.3%

s.29(1)(h) Respondent has dealt, or is dealing, adequately with the complaint 3 9.7% 2 10.5% 1 8.3% 4 20.0% 5 31.3%

s.29(3) Act or practice could be better dealt with under the Ombudsman Act 1973 1 3.2% 1 5.3% 0 0.0% 1 5.0% 0 0.0%

Total 31 100% 19 100% 12 100% 20 100% 16 100%

Table 11 Reasons for Complaints Referred to VCAT – Yearly Comparisons

Reason 2005-06 % 2006-07 % 2007-08 % 2008-09 % 2009-10 %

Declined under s.29 6 46.2% 10 58.8% 3 75.0% 7 30.4% 1 9.1%

Conciliation not possible 4 30.8% 0 0.0% 0 0.0% 9 39.1% 2 18.2%

Conciliation unsuccessful 3 23.1% 7 41.2% 1 25.0% 7 30.4% 8 72.7%

Total complaints referred to VCAT 13 100% 17 100% 4 100% 23 100% 11 100%

NOTE: These statistics include any HANDLED complaint that has a decision and that has been referred to VCAT with one of the selected REASONS.

Conciliate Complaints

Under Section 33 of the Act, if the Privacy Commissioner considers it reasonably possible that a complaint may be successfully conciliated she must make all reasonable endeavours to conciliate the complaint.

Of the 51 complaints finalised during the reporting period, 31 were referred to conciliation. Twenty of these 31 complaints were successfully conciliated – a 65% success rate.

Outcomes achieved for conciliated complaints include financial compensation, review of the respondent organisation’s policies or information handling practices, reimbursement of costs, staff training and apologies. In the current reporting period, the highest amount of compensation paid to settle a complaint was $6,780.00.

Conciliation usually involves a meeting facilitated by Privacy Victoria staff to allow direct communication between the parties. However, ‘face-to-face’ contact is not always necessary for a complaint to be successfully conciliated.

EXAMPLE: Conciliated complaint

The Complainant made a complaint about his neighbour to the Respondent. Subsequently, the neighbour paid a visit to the Complainant and said that ‘he had mates who work at (the Respondent) and that they had passed on the Complainant’s complaint and details to him’. The neighbour also made various threats against the Complainant.

The Complainant alleged the Respondent had disclosed his personal information in breach of IPP 2.1 (Use and Disclosure) and/or had failed to keep his personal information secure under IPP 4.1 (Data Security).

The Respondent advised the Privacy Commissioner that it had completed an investigation into the Complainant’s allegations, and could not find any evidence of any disclosure to the Complainant’s neighbour about his complaint. Privacy Victoria staff advised the Complainant of this response, and asked him what he was seeking as a resolution to the complaint. The Complainant advised that he wanted Council to review its access to their IT complaints system, and to remind staff about the importance of privacy. The Respondent agreed to conduct a review of its system and security to ensure that only appropriate staff had correct access permissions on the IT system. The Respondent also agreed to have an independent audit of the system, provide additional staff training on the Information Privacy Act and its core principles, and committed to on-going review of its privacy policy.

The matter was successfully conciliated.

EXAMPLE: Conciliation not possible

The Complainant alleged that the Respondent disclosed inaccurate information about his attendance at a court hearing to his ex-partner. The Complainant’s ex-partner then used this information against the Complainant in other proceedings.

The Respondent believed it was able to disclose the information under IPP 2.1(g) – which permits disclosure of personal information by law enforcement agencies for the prevention, detection, investigation, prosecution or punishment of criminal offences or of a law imposing a penalty or for the preparation for proceedings before any court or tribunal. As the Respondent showed a willingness to attend conciliation, the Privacy Commissioner referred the matter to conciliation.

Prior to the conciliation meeting, it became apparent to the Conciliator that the parties’ positions were polarised. The Complainant would only accept substantial monetary compensation as a resolution to the complaint and the Respondent was not prepared to offer anything as a resolution. After the Conciliator spoke at length with both parties, the Privacy Commissioner decided that conciliation was not possible.

Conciliation not Possible

In addition to declining to entertain a complaint under Section 29 or referring it to conciliation under Section 33, the Privacy Commissioner may also consider that it is not reasonably possible that a complaint may be conciliated under Section 32. The Privacy Commissioner may consider that conciliation is not possible where there is an irretrievable breakdown in the parties’ relationship or where one or more parties display repeated negative behaviours to the complaint and/or the conciliation process. The Privacy Commissioner may decide that conciliation is ‘not possible’ at either the investigation or the conciliation stage of a complaint.

In 2009-10, the Privacy Commissioner considered that conciliation was inappropriate in regard to four of the 51 closed complaints.

Case Notes

The Privacy Commissioner publishes Case Notes that summarise privacy complaints in a de-identified form. The purpose of Case Notes is to promote an understanding and awareness of the application of IPPs amongst both the Victorian public sector and the general public. A complaint is chosen to be published as a Case Note because it raises new, important or unique issues. In 2009-10, one Case Note was published. Case Notes are published on the Privacy Victoria website and on AustLII on the Australian Privacy and Surveillance Law Library.

Review of Complaints Process

In the upcoming 2010-11 reporting period, Privacy Victoria aims to review its current complaint and enquiries processes. It is hoped that this review will ensure greater consistency, transparency and procedural fairness in complaint handling for both the general public and the Victorian public sector.

Handle Enquiries

What is an enquiry?

Enquiries received by Privacy Victoria are contacts made by members of the public, organisations subject to the Information Privacy Act, and other private and community organisations seeking information or advice. A ‘contact’ enquiry is an enquiry that involves some form of interaction with a staff member of Privacy Victoria.

Each contact enquiry is recorded for statistical analysis regardless of whether the subject matter falls within the jurisdiction of the Information Privacy Act. Some enquiries may only involve one contact, while more complex enquiries may involve further research and communications. Most formal complaints under the Information Privacy Act originate as enquiries.

Statistical information on all enquiries is recorded by capturing the subject of the enquiry, keywords, the source, the organisation enquired about, whether the enquiry may potentially be a complaint under Part 5 of the Information Privacy Act and the relevant IPPs.

How do people contact Privacy Victoria?

Privacy Victoria received 2,454 enquiries during 2009-10 by telephone, e-mail, post, in person and by the Privacy Victoria website ‘e-Complaints’, which may or may not become formal complaints (see Chart 1).

Chart 1 Method of Receipt of Enquiries 2009-10

Over the past five years, the methods of contact with Privacy Victoria have not varied greatly in terms of ranking popularity. In the current period, telephone remains the most preferred method of contact, comprising 82.84% of enquiries, followed by e-mail (11.08%), e-Complaints (3.14%) and postal enquiries (1.96%). The 2009-10 period is the first time that the number of e-Complaints has exceeded the number of postal enquiries. In person (0.69%) and fax enquiries (0.29%) remain the least common method of contact. Privacy Victoria staff are available to assist enquirers visiting the office and can arrange set appointments and interpreters if required.

The overall number of enquiries rose from 2,223 in 2008-09 to 2,454 in 2009-10, an increase of 231 (10.39%) (see Chart 2). This suggests that members of the public are more familiar with Privacy Victoria’s role as a source of information and referral, as well as having an increased awareness of the Information Privacy Act. There has also been a greater reporting of privacy issues in the media, including publicity about Privacy Victoria’s conference Watch this space: Children young people and privacy, which may have raised the profile of the office and contributed to increased enquiry numbers.

Chart 2 Total Enquiries Received (IPA and Non-IPA) – Yearly Comparisons

Enquiries relating to surveillance (114, 4.65% of enquiries) increased in the 2009-10 reporting period.

Who is contacting Privacy Victoria? (Source of enquiries)

The source of each enquiry is categorised where possible. By default, calls are categorised as originating from members of the public unless the type of organisation is specifically identified by the enquirer. Members of the public accordingly comprised 1,804 (73.51%) of enquiries within the 2009-10 reporting period, followed by government organisations (248, 10.11%), local councils (144, 5.87%), private organisations (141, 5.75%), community organisations (57, 2.32%), contracted service providers (55, 2.24%), and Members of Parliament (5, 0.20%) (see Chart 3).

Generally, the distribution of enquirers remained statistically similar to previous years.

Chart 3 Source of Enquiries 2009-10

Example: Source – Government organisation – Information Privacy Act

The enquirer was calling from a state-funded university. The enquirer was preparing an update to the board of the university on the impact of privacy law reform and timelines, and sought information on whether or not the Information Privacy Act would be amended in light of the Australian Law Reform Commission’s report on privacy law.

Privacy Victoria staff informed the enquirer that legislation to amend the Commonwealth Privacy Act 1998 was expected to be introduced in late 2010 or early 2011 to implement the first tranche of reforms. This would include proposed ‘Unified Privacy Principles’, which would apply to the Commonwealth public sector and large private organisations. Following those amendments, the staff member noted there was likely to be a Standing Committee of Attorneys-General and Council of Australian Government process to seek agreement for State and Territory legislation to be enacted or amended to include the Unified Privacy Principles. These would then apply to State and Territory public sector organisations. The staff member noted that the timetable for this process had not been confirmed.

When is Privacy Victoria contacted? (Enquiries by month)

Enquiries were evenly distributed across the months of 2009-10. There was a noticeable reduction in enquiries over the summer holiday period, consistent with previous years (see Table 12).

With the exception of August and April, every month of the 2009-10 reporting period saw an increase in the number of enquiries. June (238, 9.70%), March (237, 9.66%), and September (234, 9.54%) were the busiest months of 2009-10, with June seeing the highest number of enquiries (238) in a single month since August 2007 (241) (see Chart 4).

February was also particularly busy, seeing a marked increase of 23.70% for the month compared to the same period in the previous year, with 214 enquiries received in 2009-10 compared to 173 in 2008-09.

Subject matter of enquiries

Enquiries relating to the Information Privacy Act accounted for 948 (38.63%) of all enquiries received within the 2009-10 reporting period. This is statistically similar to 2008-09 where 886 (39.86%) of all enquiries were related to the Act (see Table 13).

Matters relating to Commonwealth privacy law and health privacy accounted for 610 (24.86%) and 276 (11.25%) respectively. The remaining 620 (25.26%) enquiries received related to matters that fell outside Victorian, Commonwealth or health privacy laws.

Freedom of Information enquiries (60, 2.44%) have continued to rise steadily over the past three years, as have enquiries related to surveillance (114, 4.65%).

Enquiries within the jurisdiction of Privacy Victoria and related to the Information Privacy Act accounted for the single largest category of enquiries.

Privacy Victoria staff closely monitor the topics of all enquiries received as this assists in targeting awareness, training and promotional activities for the following year.

Table 12 Enquiries by Month – Yearly Comparisons

Month 2003-04 2004-05 2005-06 2006-07 2007-08 2008-09 2009-10 TOTAL % 7 Years

July 289 213 242 214 216 215 220 1,609 9.5%

August 283 218 260 223 241 210 207 1,642 9.7%

September 298 234 208 203 216 217 234 1,610 9.5%

October 284 205 225 201 204 198 202 1,519 9.0%

November 167 204 202 168 165 136 179 1,221 7.2%

December 203 188 136 141 112 141 161 1,082 6.4%

January 178 188 160 160 168 144 173 1,171 6.9%

February 239 188 206 150 187 173 214 1,357 8.0%

March 238 192 237 215 172 207 237 1,498 8.9%

April 201 186 156 173 152 175 172 1,215 7.2%

May 242 241 225 263 186 192 217 1,566 9.3%

June 211 190 209 155 168 215 238 1,386 8.2%

Total 2,833 2,447 2,466 2,266 2,187 2,223 2,454 16,876 100%

Table 13 Subject of Enquiries – Yearly Comparison

Subject 2003-04 2004-05 2005-06 2006-07 2007-08 2008-09 2009-10 TOTAL % 7 Years

Commonwealth 1,048 743 581 436 479 542 610 4,439 26.32%

Direct Marketing 54 76 54 26 31 14 21 276 1.64%

Freedom of Information 78 58 52 56 40 48 60 392 2.32%

Health 305 277 300 245 293 238 276 1,934 11.47%

Other 186 218 225 321 242 221 250 1,663 9.86%

Property 76 66 111 97 77 63 62 552 3.27%

Publications 0 0 0 23 78 53 76 230 1.36%

Surveillance 103 129 104 98 74 93 114 715 4.24%

Victorian Information Privacy Act 983 868 968 905 786 886 948 6,344 37.62%

Workplace 0 0 71 59 87 65 37 319 1.89%

Total 2,833 2,435 2,466 2,266 2,187 2,223 2,454 16,864 100%

Referrals from Privacy Victoria

Privacy Victoria maintains a strong commitment to assisting all enquirers where possible. Where an enquiry falls outside the jurisdiction of the Information Privacy Act, staff members aim to identify other organisations which may be able to assist the enquirer with their needs.

Out of 2,454 enquiries in 2009-10, 1,453 (59.21%) were referred to other agencies. The top five referral agencies made up 1,193 (82.11%) of the total referrals (see Table 14). The most common referrals were to the Australian Privacy Commissioner (683, 47.01% of total referrals) and the Health Services Commissioner (287, 19.75% of total referrals). Referrals to the Australian Privacy Commissioner are usually where the matter concerned private organisations, such as banks or insurance companies, or Commonwealth government agencies. Other commonly referred to agencies included Victoria Police (93, 6.40% of total referrals), and Consumer Affairs (41, 2.82% of total referrals).

Matters relating to the Surveillance Devices Act 1999 (Vic) comprised 89 (6.13% of total referrals), a 3.05% increase from the 38 (3.08% of total referrals) in 2008-09. The increase reflects growing public concern over the use, installation and maintenance of surveillance devices such as video cameras (including CCTV) and listening devices.

Chart 4 Enquiries by Month 2009-10

EXAMPLE: Subject matter of enquiries – Surveillance

The enquirer worked for a large, publicly listed corporation. The corporation proposed to install global positioning system (GPS) tracking in its vehicles as opposed to having timesheets. While the enquirer did not name the company, it was established that the corporation was not subject to the Information Privacy Act. The enquirer felt that the installation of a GPS in his (work) vehicle encroached on his personal privacy.

Privacy Victoria Staff explained that GPS devices may fall within the jurisdiction of the Surveillance Devices Act 1999 (Vic), which regulates the installation, use and maintenance of surveillance devices, including tracking devices (such as a GPS). The staff member explained that, while Privacy Victoria cannot provide legal advice, the installation of a GPS in a vehicle may be unlawful under that Act if the express or implied consent of the person who has control of that vehicle is not sought. The staff member explained that Victoria Police regulate the Act, and provided the appropriate contact details. The staff member suggested that the enquirer seek separate legal advice for advice on the Surveillance Devices Act.

The staff member also identified that the way in which the corporation collects information may also fall under the federal Privacy Act 1988 (Cth) and referred the enquirer to the Australian Privacy Commissioner.

Table 14 Top Five Referral Agencies 2009-10

Referral Agency 2009-10 % of total referrals % of total enquiries

Federal Privacy Commissioner 683 47.01% 27.83%

Health Services Commissioner 287 19.75% 11.70%

Victoria Police 93 6.40% 3.79%

Surveillance Devices Act 1999 (Vic) 89 6.13% 3.63%

Consumer Affairs 41 2.82% 1.67%

Total 1,193 82.11% 48.61%

* Total enquiries for 2009-10 were 2,454 of which 1,453 were referred to other agencies (59.21%)
* The top five referral agencies made up 1,193 or 82.11% of the total referrals (1,453)
* There were a total of 47 specified referral agencies accounting for 1,421 of the 1,453 referrals (97.80%)
* There were a total of 32 of the 1,453 referrals to agencies which were not specified (2.20%)

Enquiries relating to the Information Privacy Act

Privacy Victoria received 948 enquiries relating to the Information Privacy Act. Of those, 1,459 relevant IPPs were identified. The number of relevant IPPs exceeds the number of enquiries due to many enquiries involving more than one IPP. It should also be noted that numerous enquiries categorised as being under the Act may in fact not relate to any of the IPPs, but may be (for example) about what type of organisations are subject to the Act, the definition of personal information or the other functions or scope of the Act.

As has been the pattern in previous years, IPP 2 (Use and Disclosure) is the most often raised IPP, with 604 enquiries (41.40% of total IPPs). Enquiries relating to IPP 1 (Collection) and IPP 4 (Data Security) respectively accounted for 321 (22.00% of total IPPs) and 308 (21.11% of total IPPs) of all Information Privacy Act enquiries received (see Chart 5).

The proportion of relevant IPPs is similar to previous years. IPP 1 (Collection) saw its highest result (321 enquiries) since recording began. While IPP 9 (Transborder Data Flows) saw a reduction of 1.01% from the recorded 30 (2.24% of total IPPs) in 2008-09 compared to the 18 (1.23% of total IPPs) in 2009-10, taking into account the small sample size, this reduction is statistically insignificant.

Chart 5 Relevant IPPs Identified 2009-10

EXAMPLE: Referral – Federal Privacy Commissioner

The enquirer attended a nightclub in Melbourne. Upon entry, the nightclub seized and scanned his drivers’ licence. The enquirer did not realise this was going to occur, and stated he was happy to show his licence to prove his age, but did not want his information to be stored. As the nightclub did not indicate what it would do with the enquirer’s personal information or how it would be used, the enquirer was concerned that the information would be disclosed to others.

Privacy Victoria staff explained how privacy is regulated within Victoria. Whilst the Information Privacy Act applies to government organisations, as well as their contracted service providers, it does not apply to private organisations. Staff explained that a nightclub was likely to fall under the federal Privacy Act 1988 (Cth), which is regulated by the Australian Privacy Commissioner. However, the staff member noted that, depending on the annual turnover of the nightclub, it was possible that the nightclub fell within the ‘small business’ exception of the federal Act. The staff member provided the contact details of the Australian Privacy Commissioner and suggested that the enquirer seek more information from that office.

EXAMPLE: Enquiries relating to the Information Privacy Act

The enquirer was a casual teacher. A state school was seeking a casual teacher and requested the enquirer’s date of birth, tax file number and bank account details before they would consider the enquirer for a position. The enquirer stated that other schools she had worked for had not asked for this information until a position had been offered. The enquirer felt that it was possible she might be discriminated against if she provided her date of birth before she had secured a position.

Privacy Victoria staff discussed Information Privacy Principle (IPP) 1.1, which provides that an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities. The staff member explained that to comply with the Information Privacy Act, the school would need to show why it needed that information from the enquirer. In addition, IPP 1.3 requires an organisation, at or before the time it collects personal information about an individual, to take reasonable steps to ensure that the individual is aware of, among other things, the purposes for which the information is collected, to whom the organisation usually discloses information of that kind and the main consequences (if any) for the individual if all or part of the information is not provided. The enquirer stated that she had not been told for what purpose the school was collecting the information and what would happen if she did not provide it.

After explaining the relevant IPPs, the staff member referred the enquirer to the privacy officer at the Department and provided the appropriate contact details.

Investigate and Enforce

The 2007-2012 Strategic Framework Objectives relating to the Privacy Commissioner’s Investigation and Enforcement functions are:

• Promote and encourage adherence to the Information Privacy Principles as common practice amongst the Victorian public sector; and
• Continually improve understanding of privacy issues, rights and good privacy practice.

Section 58 of the Information Privacy Act sets out some of the Privacy Commissioner’s investigation and enforcement functions. Specifically, subsection (g) provides the Privacy Commissioner with the power to examine the practices of an organisation to ascertain whether personal information is maintained according to the IPPs; subsection (i) provides for the issuing of compliance notices under Part 6; subsection (s) provides for advice (with or without a request) to be given to any individual or organisation on any matter relevant to the Information Privacy Act; subsection (t) provides for the examination and assessment of any actual or proposed act or practices and its impact on personal privacy; and subsection (u) allows for suggestions to be made to an organisation or individual about any matter that concerns the need for, or desirability of, action in the interests of personal privacy.

Collection and Sharing of Law Enforcement Data

In December 2009, following media reports concerning a Memorandum of Understanding (MoU) for the exchange of law enforcement data between Victoria Police, the Department of Sustainability and Environment (DSE) and Aquasure Pty Ltd (Aquasure), a briefing on the MoU was held at Privacy Victoria. In attendance were representatives from Victoria Police, DSE, the Commissioner for Law Enforcement and Data Security (CLEDS), the Office of Police Integrity and the Victorian Human Rights and Equal Opportunity Commission. Victoria Police and DSE gave assurances that no information had been exchanged with Aquasure under the MoU and that the intention of the parties was that any information sharing would be in accordance with privacy laws. Subsequent enquiries by the Privacy Commissioner confirmed that the Desalination Project Deed provides for Aquasure to be bound by the Information Privacy Principles.

Following the meeting CLEDS received a reference from the Minister for Police and Emergency Services to examine the MoU. Part of the review will involve determining what, if any, information has been shared under the MoU. The Privacy Commissioner is awaiting the outcome of that review before determining whether further action is required under the Information Privacy Act. In the meantime the Privacy Commissioner has met with a group of protesters, the CEO of Aquasure, and has made further enquiries with DSE regarding the collection of protestor information in relation to the desalination project.

The Privacy Commissioner has also made a submission to the Victorian Parliament’s Law Reform Committee’s Inquiry into arrangements for security and security information gathering at the State Government’s desalination plant and other construction projects. The Law Reform Committee is to report on this Inquiry no later than 30 September 2010.

Ombudsman Victoria’s Own Motion Investigation – Department of Human Services

For a number of years, the Privacy Commissioner has been concerned about the manner in which the Department of Human Services – Child Protection has handled personal information. Between November 2005 and February 2007 for example, 12 formal complaints were investigated relating to inappropriate releases of personal information by Child Protection. The majority of these complaints involved the release of information which put the safety and wellbeing of individuals – both adults and children – at great risk. In 2009, the Victorian Ombudsman commenced an Own Motion investigation into the Child Protection Program. He invited the Privacy Commissioner to assist the investigation by seconding a member of staff from Privacy Victoria to examine the Department’s privacy compliance.

In November 2009, the Victorian Ombudsman’s Own Motion Investigation into the Department of Human Services Child Protection Program, November 2009 was released.

In relation to privacy issues, the investigation found that the Department’s current process for handling privacy complaints, including complaints about privacy in child protection, lacks transparency and accountability. The Department has not provided child protection workers with sufficient training, advice or resources to ensure an appropriate level of privacy compliance. The investigation also identified a high level of awareness amongst child protection employees about the need to comply with the Act but regional child protection managers were critical of how the Department approaches privacy training generally.

Mistaken beliefs are held by some child protection staff about their responsibilities under the Act, including that the Department should not release the identity of reporters to Victoria Police when issues of physical and sexual abuse against children were alleged. There was also a fundamental and widespread lack of understanding amongst departmental staff about their data security obligations under the Act.

Breach Notifications

In May 2008 Privacy Victoria published Responding to Privacy Breaches – Guide and Responding to Privacy Breaches – Checklist in order to assist organisations when responding to privacy breaches. Within the current reporting period, 13 breach notifications were received from organisations seeking the assistance of Privacy Victoria staff.

Although notifying the Privacy Commissioner of significant breaches is not mandatory under the Act, the Victorian Ombudsman’s Own Motion Investigation into the Department of Human Services Child Protection Program, November 2009 at Recommendation 29 stated that in future the Department ‘report all significant losses of Child Protection client information to the Victorian Privacy Commissioner.’

The Victorian Ombudsman made

13 recommendations in relation to PRIVACY BREACH Example 1 the privacy issues, including that the An organisation contacted Privacy Victoria in relation to one of its Contracted Service Providers 2009–10 Department: (CSP). A worker for the CSP had left a suitcase in their car overnight. Almost a week later, the worker noticed that the case had gone missing. The suitcase contained personal information • Establish arrangements for a relating to three children, including names and addresses, and more delicate information about annual report central privacy unit which has a the children’s behaviours and personal circumstances. In addition there was a diary with an complaint, educative and training unspecified amount of client information in it, and a list of client names and addresses. The car function; did not appear to have been broken into. • Establish a privacy officer position The CSP advised all relevant clients about the loss of their information, and offered to pay costs that is specific to the child incurred as a result (e.g. change of phone numbers, changing of locks etc). After consultation with the CEO, it was decided to send follow-up correspondence to the relevant individuals, protection program to provide providing a contact point within the CSP for anyone with safety or other concerns to contact specialist advice; and discuss them. The CSP filed a police report and several searches were conducted to • Establish arrangements for retrieve the information – without success. privacy network meetings After consulting directly with Privacy Victoria, the CSP was advised that the contact point between the privacy unit, child within the CSP should treat all individuals’ concerns seriously – particularly where there were protection staff and community safety issues – and that these issues should be addressed. 
The CSP advised that it would service organisations; be changing its processes – that bags containing hard copy client files would be replaced by password protected laptops with encryption capabilities. Paper files would no longer be used. • Review its policies and practice The CSP had developed a general privacy policy and had undergone privacy training. Privacy advice on removing child Victoria advised the CSP to develop a specific policy around security of client information while protection client files from its workers were in transit and how that information was to be stored and handled. The CSP was offices . This review should also encouraged to consult with Privacy Victoria in the drafting of this policy. examine the circumstances under which information may be removed from its offices . The PRIVACY BREACH Example 2 draft practice advice should be An organisation contacted Privacy Victoria to advise that a laptop was believed to have been submitted to the Victorian Privacy taken home by one of its staff members. The organisation did not know who had taken it, as no Commissioner for comment; and process was in place which required employees to obtain permission to take laptops outside of the office for work. The laptop was actually a ‘tablet’ which was used like a notepad on visits to • Review current arrangements clients to record information. That information would then be placed on file at the organisation’s for the management of privacy offices, and the information on the tablet would then be deleted. The organisation’s IT complaints and document formal department did not know whether the tablet had encryption capabilities. The Organisation was processes . not aware what, if any, personal information was contained on the tablet. The Organisation advised that a process had been put in place whereby the Manager was now required to Of the 13 recommendations approve the removal of these tablets and to be notified once they were returned. 
made, all were agreed to by Privacy Victoria discussed the need to address the situation systemically with the organisation’s the Department . The Privacy representative. It was inadequate for no systems to have ever been in place. The organisation Commissioner will continue was advised that it needed better privacy training and policies around its staff’s use of laptops to monitor the Department’s and portable storage devices in the workplace. The organisation agreed, and also flagged the compliance with these organisation’s need to address the issue of staff ‘sending’ client information via personal email recommendations . accounts (e.g. hotmail) in order to complete work at home. The organisation continues to consult with Privacy Victoria. 28

Liaise and Co-operate

Privacy Victoria’s liaison and co-operation activities address these Objectives from the 2007-2012 Strategic Framework:

• Promote and encourage adherence to the Information Privacy Principles as common practice amongst the Victorian public sector;
• Continually improve understanding of privacy issues, rights and good privacy practice;
• Foster respectful and constructive relationships; and
• Provide leadership in privacy issues.

Privacy Victoria operates in various Australian and international spheres to discuss privacy issues and ways to co-operate and share resources. Privacy Victoria regularly participates in the Asia Pacific Privacy Authorities (APPA) forum, the Privacy Authorities of Australia forum, and the International Conference of Privacy and Data Protection Authorities. Such forums allow cross-pollination of ideas, strategies and discussion of issues of mutual concern relating to privacy.

Asia Pacific Privacy Authorities

Victoria continues to be an active participant in the APPA group. APPA’s principal objectives are to:

• Facilitate the sharing of knowledge and resources between privacy authorities within the Asia Pacific;
• Foster co-operation in privacy and data protection;
• Promote best practice amongst privacy authorities; and
• Work continuously to improve performance of privacy authorities to achieve the important objectives set out in privacy laws.

APPA members are the Privacy/Information Commissioners of the Commonwealth, New South Wales, Northern Territory, Victoria, Canada, Hong Kong, South Korea, and New Zealand. APPA Forums are held twice yearly, with hosting duties being rotated around member authorities. The Forums include jurisdictional reports delivered by member authorities and sessions on privacy-related developments in various countries.

A key APPA initiative is the conduct of the annual Privacy Awareness Week (see pages 36-37). More information about APPA is available at: www.privacy.gov.au/aboutus/international/appa.

32nd APPA Forum, Adelaide

The Privacy Commissioner and Deputy Commissioner attended the 32nd APPA Forum which was held in Adelaide, Australia from 3-4 December 2009. The following Communiqué was published following the meeting.

Communiqué

The first day of the Forum was a closed session for APPA members. In attendance were the Privacy Commissioners or representatives of Australia, Korea, New South Wales, New Zealand, Northern Territory, and Victoria. The Privacy Commissioner of New Zealand and the Hong Kong Privacy Commissioner for Personal Data participated in the Forum by teleconference. Representatives from privacy-related authorities in other jurisdictions also attended as observers, including those from the USA’s Federal Trade Commission, and the Australian states of Queensland and South Australia.

Member authorities presented reports detailing recent privacy developments that have occurred within their jurisdiction. Matters raised included data matching, privacy risks associated with portable storage devices, privacy law reform in Australia, New South Wales and the Northern Territory, and the possible establishment of an informal, global network of privacy enforcement authorities.

Attendees discussed the APEC Privacy Framework and outcomes from the 31st International Conference of Data Protection and Privacy Commissioners, which was held in Madrid, Spain in November 2009. Members resolved to convene a working group to work towards the establishment of a day or week during which privacy is celebrated and promoted on a global basis. Members also resolved to convene a working group to review APPA’s membership criteria.

Members agreed to use an interactive online tool as a joint promotional product for Privacy Awareness Week (PAW) 2010. The tool, which allows users to self-test for their risk of ID theft, was originally developed by the Norwegian Data Inspectorate. Ideas were exchanged about the future of PAW, and members agreed to continue promoting PAW jointly and encourage further international participation. Members resolved to adopt the APPA Secondment Framework, which aims to promote greater mobility of staff between APPA offices and to increase regional collaboration.

Broader Session

The second day of the Forum was a broader session. Jurisdiction reports were presented and members gave updates on the implementation of data breach notifications in their region. This session also featured discussion of privacy law reform throughout the region and presentations about credit reporting developments and ID scanning.

Members also participated in a public forum on privacy, identity and e-crime. The public forum featured presentations from leading academics and public servants and representatives of the South Australia Police. This event gave APPA members the opportunity to consider the role of privacy authorities in identity crime awareness and prevention, and information and identity security in government.

[Photograph: The Hon. Michael Kirby. Refer page 35. Photograph courtesy of the High Court Australia.]

33rd APPA Forum, Darwin

The Privacy Commissioner and Director, Privacy Awareness, attended the 32nd APPA Forum which was held in Darwin, Australia from 3-4 June 2010. The following Communiqué was published following the meeting.

Communiqué

The 33rd Asia Pacific Privacy Authorities (APPA) Forum was hosted by the Office of the Information Commissioner, Northern Territory in Darwin, Australia on 3–4 June 2010.

In attendance were representatives from privacy authorities in Australia, Hong Kong, Korea, Northern Territory, New Zealand, and Victoria. Representatives from privacy-related authorities in other jurisdictions also attended as observers, including those from the USA’s Federal Trade Commission, Japan’s Consumer Affairs Agency, Korea’s Korean Communications Commission, Macau’s Office for Personal Data Protection, and the Australian states of Queensland, South Australia and the Australian Capital Territory.

Day 1

Attendees presented reports detailing recent privacy developments that have occurred within their jurisdiction including issues relating to privacy and technology. Matters raised included future privacy impacts of ubiquitous computing, cloud computing, the use of biometric data for entry into venues and ongoing investigations. This session allowed members to discuss and exchange ideas on the issues that jurisdictions are facing.

The meeting discussed Privacy Awareness Week 2010 and agreed to continue the Week in the future. Members agreed that an overarching slogan for use by jurisdiction should be considered on a year by year basis, and that each jurisdiction should continue to have the flexibility to develop their own theme.

Members agreed with the proposed Terms of Reference of the newly formed Technology Working Group to be led by the Office of the Privacy Commissioner for Personal Data Protection, Hong Kong. Membership of the working group will be open to all APPA members and observers.

Attendees discussed progress towards the Global Privacy Enforcement Network (GPEN), the APEC Privacy Framework, the OECD’s Working Party on Information Security and Privacy, the International Conference of Data Protection and Privacy Commissioners, and the establishment of a Global Privacy Standard.

APPA members discussed broadening membership with members agreeing with the recommendations made by the APPA Membership Working Group. Members agreed that APPA is to evolve into a regional meeting of data protection authorities and privacy enforcement authorities for the entire Asia Pacific region with members being eligible to join if they are accredited to the International Conference of Data Protection and Privacy Commissioners (ICDPPC); or a participant in the APEC Cooperation Arrangement for Cross-border Privacy Enforcement (APEC Arrangement). Members also discussed broadening membership to include authorities who perform functions that are substantially similar to APPA members.

Day 2

Members participated in a public forum on ‘Privacy and Society’ organised by the Office of the Information Commissioner, Northern Territory. Approximately 60 Privacy Contact Officers from across the Northern Territory Government attended. The following speakers addressed the forum:

• The Hon. Delia Lawrie, MLA, Deputy Chief Minister and Attorney-General
• The Hon. Austin Asche AC QC, retired Chief Justice
• Mr Michael Grant QC, Solicitor-General
• Dr Colin Bennett, Visiting Professor UNSW
• Ms Marie Shroff, Privacy Commissioner, New Zealand
• Mr Philip Piper, Director ICT Security, Northern Territory Government
• Ms Karen Curtis, Australian Privacy Commissioner

• Ms Helen Versey, Victorian Privacy Commissioner
• Mr Roderick Woo, Privacy Commissioner for Personal Data, Hong Kong
• Mr Mark Wood, Licensing Inspector, Department of Justice, Northern Territory.

The public forum featured presentations on privacy issues and Indigenous populations from Australia, New Zealand and Canada, as well as a panel discussion on a wide variety of issues including the use of biometrics, children and privacy, changes in the privacy landscape in Hong Kong and alcohol licensing issues in the Northern Territory. The 2nd day of the official APPA forum opened with an address on privacy advocacy by guest speaker Dr Colin Bennett from the University of Victoria, BC Canada.

Members discussed the use of social media platforms by privacy regulators as a communication tool, and members agreed to continue to update the meeting on progress in this area.

The privacy implications of smart infrastructure were also discussed with a variety of jurisdictions noting that this was an issue that would become more important as this type of technology continued to develop.

Office of the Information Commissioner, Queensland

In August 2009, the Director, Privacy Awareness, gave two presentations on lessons learnt from the introduction of the Information Privacy Act in Victoria to two Brisbane meetings arranged by the Office of the Information Commissioner, Queensland. These meetings followed the passage by the Queensland Parliament of the Information Privacy Act 2009 (Qld). The Office of the Information Commissioner, Queensland oversees this Act and the Right to Information Act 2009 (Qld).

31st International Data Protection Conference, Madrid, November 2009

The Privacy Commissioner attended the 31st International Conference, which took place in Madrid, Spain, from 4-6 November 2009. The theme of the Conference was Privacy: Today is Tomorrow. The event was organised by the Spanish Data Protection Agency. The Privacy Commissioner presented a paper and participated in a Workshop of sub-national Commissioners entitled ‘Experiences and Proactive Strategies for Raising Awareness’. Privacy Victoria also had an information display at the conference.

Consumer Affairs Victoria

During 2009-10, Privacy Victoria continued liaison with the Indigenous Consumers Unit at Consumer Affairs Victoria on the Koories Know Your Rights! Project (see 2007-08 Annual Report). In July 2009, Privacy Victoria participated in the Aboriginal Justice Forum held in Warrnambool.

Office of the Health Services Commissioner

During 2009-10, Privacy Victoria continued to work very closely with the Office of the Health Services Commissioner to ensure the provision of consistent, clear and accessible information and advice to the Victorian community. The two Commissioners both have jurisdiction over privacy matters, with the Health Services Commissioner dealing with privacy of health information under the Health Records Act 2001. See ‘Promote Awareness’ for more information.

People’s Republic of China

On 5 November 2009, Privacy Victoria was visited by a Delegation from the Guangxi Zhuang Autonomous Region, People’s Republic of China. The delegation was given an overview of Australian and Victorian privacy laws, as well as the work of the Office.

Public Sector Consultation and Liaison

As reported elsewhere in this Annual Report, ongoing consultation and liaison continued with key staff in the many organisations covered by the Information Privacy Act. A number of strategic communications initiatives were undertaken with Victorian government agencies to inform various target audiences about the role and functions of the Office, as well as privacy rights more generally.

Local Government

During 2009-10, Privacy Victoria held three meetings of the Privacy and Councils group. The meetings bring together Privacy Victoria staff and representatives from Local Councils to discuss local government privacy issues. The meetings are held following meetings of the Privacy Victoria Network.

During the year four Introduction to the Information Privacy Act training sessions were conducted for Victorian Local Council staff who handle personal information. While the sessions covered the same content as general introductory privacy session, all of the participants were from Local Councils to allow the discussion and questions to focus on the privacy issues common to that sector. Local Council specific sessions will continue to be regularly offered.

Privacy Victoria Network

The Privacy Victoria Network was established in 2002 to facilitate and encourage information exchange about the Information Privacy Act, and privacy issues more broadly, within the Victorian public sector. It continues as a valuable source of information and support for participants who include Privacy Managers, Privacy Officers/Contact Officers, or staff with equivalent responsibilities within State Government Departments and Agencies, Statutory Authorities and Local Councils.

The Network:

• Provides an opportunity for Privacy Officers to be informed about issues relating to the implementation of the Information Privacy Act;
• Facilitates information exchange about privacy issues between public sector agencies;
• Gives an opportunity for agencies to give feedback to Privacy Victoria; and
• Assists Privacy Victoria’s work in promoting compliance with the Information Privacy Act across the Victorian public sector.

To join the network email training@privacy.vic.gov.au or telephone Local Call 1300 666 444.

Supporting New Privacy Officers

In late June 2009, Privacy Victoria introduced morning teas for new Privacy Officers. These are generally held in the fortnight before each Privacy Victoria Network meeting. The social event is designed to introduce new Privacy Officers to key Privacy Victoria staff, help them to learn more about the resources and support offered by the Office and to hear from more experienced public sector Privacy Officers. Participant feedback from these events has been very positive.

Privacy Victoria Network eNews

The Privacy Victoria Network eNews is published monthly. ENews contains information on Privacy Victoria activities, privacy developments and a selected privacy news digest. Privacy Victoria Network members receive notification of each issue via an email alert.

2009-10 Network Meetings

Three well-attended meetings were held during 2009-10, providing valuable opportunities for Privacy Officers to hear about new developments and issues and to share problems and practical solutions. Presentation materials from each meeting are usually posted on Privacy Victoria’s website.

“This is the first meeting I have attended and I have found it very useful.”
“All the speakers were well prepared and kept my interest the whole time.”
Privacy Victoria Network meeting feedback

22nd meeting

The 22nd meeting of the Privacy Victoria Network was held on 15 July 2009 at the Treasury Theatre, Melbourne.

Presentations

• Information privacy and record keeping systems – Ricky Tuck, Public Record Office Victoria
• Data matching - the experience of Births, Deaths and Marriages – Helen Trihas, Registrar, Registry of Births, Deaths and Marriages Victoria
• Data matching for emergency response - the Victorian bushfires – Adam Todhunter, Chief Information Officer, Department of Education and Early Childhood Development

23rd meeting

The 23rd meeting of the Privacy Victoria Network was held on Wednesday 11 November 2009 at the Department of Transport Theatrette, 121 Exhibition Street, Melbourne. The meeting was sponsored by the Department of Transport.

Presentations

• Privacy and the New Ticketing Solution – Liana Fraser, Manager, Policy and Strategy, Ticketing Authority
• Service Providers and Privacy: Ten practical questions you should ask – Charlie Offer, Executive Director, Ernst and Young
• Panel discussion: Contracted Service Providers and Privacy Compliance - Issues and Solutions

24th meeting

The 24th meeting of the Privacy Victoria Network was held on Wednesday 10 March 2010 at the Telstra Theatrette, Melbourne.

Presentations

• Privacy and Access to Information - Lessons from the Canadian Approach – Dr Colin Bennett, University of Victoria, British Columbia, Canada
• Maintaining the Integrity and Confidentiality of Personal Information – Ellen Holland, Senior Director, Performance Audit, Victorian Auditor-General’s Office

Public Record Office of Victoria

During 2009-10, Privacy Victoria and the Public Record Office of Victoria conducted a number of information sessions on changes to the Evidence Act and the relationship between good record-keeping practices and the Information Privacy Act. Sessions were given in Mildura, Wangaratta, Sale and at the Public Record Office as part of Privacy Awareness Week 2010.

A joint Information Sheet on Recordkeeping Compliance, Recordkeeping Systems and the Information Privacy Principles was released at the July 2009 Privacy Victoria Network meeting.

Promote Awareness

Privacy Victoria’s 2007-2012 Strategic Plan includes these two Objectives:

• To promote and encourage adherence to the Information Privacy Principles as common practice amongst Victorian Public Sector staff; and
• To continually improve understanding of privacy issues, rights and good privacy practice throughout the Victorian Public Sector and general community

To meet these Objectives, Privacy Victoria undertakes a range of diverse awareness activities.

As privacy is often not an immediate ‘top-of-mind’ concern for most people, a degree of innovation and creativity is required to develop appropriate information strategies. In addition to this is the need to ensure people are able to access and use Privacy Victoria’s information, advice and complaint services relevant to their needs. Partnerships with key organisations and stakeholders are a key community engagement strategy. Given its resourcing level, the Office is relatively successful in engaging with the broader community, including specific target audiences.

Much of Privacy Victoria’s privacy awareness work involves informing Victorian public sector staff about their responsibilities under the Information Privacy Act and supporting them in Information Privacy Act compliance through activities such as the Privacy Victoria Network and the training program.

We encourage organisations directly affected by the Information Privacy Act and members of the Victorian community to contact us by telephone, fax, mail, email or in person for any advice and assistance they may require. (See ‘Advise and Guide’ and ‘Handle Enquiries’) Contact details appear on the back cover.

Communicating Privacy among Diverse Communities

Diverse Communities’ Engagement Project 2010–2011

Privacy Victoria’s engagement with Victoria’s multicultural communities, including Indigenous communities, is currently limited.

Over recent years, and as reported in this and previous Annual Reports, multicultural and Indigenous community engagement has predominantly been achieved through a small number of strategic partnerships designed to provide Victorian communities with knowledge of the Office’s existence and services, rights afforded under the Information Privacy Act and the broader need to protect personal information.

OVPC’s 2002 Report Privacy in Diverse Victoria found that: “Culturally appropriate mechanisms are needed to help people from different communities become aware of, and understand, their rights”.

In May 2003 Privacy Victoria, in partnership with the Office of the Health Services Commissioner, launched communication campaigns for ten of Victoria’s ethnic communities and Indigenous communities. These campaigns featured printed material, advertising and the assistance of community leaders to access community groups. Major activity for the campaigns was undertaken over a 12-month period.

Materials from these campaigns were updated in 2009, with the addition of material in six additional community languages including Hindi and Somali. The materials are available on the Privacy Victoria website and are distributed upon request.

While Privacy Victoria does not seek nor maintain statistical information about the ethnicity of enquirers and complainants, contact from members of Victoria’s diverse and Indigenous communities is currently minimal. This contact is evidenced through demand for interpreting services, requests for the range of information material in community languages and contact with diverse community and Indigenous organisations.

In recognition of this low level of engagement, during 2009-10 Privacy Victoria sought and received funding for an 18-month project to develop, implement and evaluate a structured, effective and potentially ongoing community engagement project to ensure an appropriate level of access to information and services from Victoria’s diverse and Indigenous communities. The project will commence early in 2010-11 following the recruitment of a Project Officer.

Indigenous Communities

The Privacy laws protect our communities campaign targeting Victoria’s Indigenous communities was launched in June 2003. This work primarily continued through participation in the Consumer Affairs Victoria’s Indigenous Consumer’s Unit Koories Know Your Rights! Project (see page 30).

Children and Young People

Privacy is one of the most important issues for children and young people today – and for teachers, parents and others working with them. Privacy issues including cyber-bullying, the safe and responsible use of information and communication technologies, and counselling, health and welfare are critical issues for schools and the wider community.

Accordingly, Privacy Victoria continues to focus on children and young people as a priority for our privacy awareness work and 2009-10 saw significant activity in this area. Much of the year was focussed on the establishment of the Privacy Victoria Youth Advisory Group and the Watch this space: Children, young people and privacy conference held on 21 May 2010 (see below).

Education Sector

During 2009-10, Privacy Victoria continued its engagement with the Department of Education and Early Childhood Development and the wider education sector to raise the awareness of Victorian children, young people, teachers and parents about privacy issues, especially through the Victorian education system.

Staff gave presentations at the Victorian Institute of Teaching and Yarram Secondary College in October 2009 and at the annual Conference of the Victorian Information Technology Teachers’ Association in November 2009.

Significant promotion of the establishment of the Youth Advisory Group was undertaken throughout the Victorian education sector. This was complemented by extensive national promotion of the 21 May national conference. This included print and electronic information distribution, advertising in the youth and education press, and broader editorial and media coverage. This has assisted in increasing awareness of privacy rights and the Office as evidenced by an increase in the number of enquiries received (see ‘Handle Enquiries’).

Youth Advisory Group

[Photograph: Youth Advisory Group, October 2009]

In October 2009, Privacy Victoria established a Youth Advisory Group. Applications to join the group were received from young people statewide and sixteen young people were selected. The aim of the group is to inform and support the Office’s privacy awareness and policy work with young people.

The education of children and young people about the need to protect the privacy of their personal information and the fact that, as Victorians, they have privacy rights is an important and challenging task. But education needs to be done in a way which is meaningful to children and young people, and which is effective. In this regard, having a group of young people directly inform and advise the Office about the privacy issues and challenges affecting them has already proven to be of enormous benefit.

Group meetings during 2009-10 focussed on how the Group might work, examining priority privacy issues for youth, and determining what the Group could do in a concrete way to get the privacy message out to children and young people.

Much activity centred on the 21 May conference, which included presentations from two Group members, Candice Jansz and Hugh Stephens. It is expected that during 2010-11 the Group will build on the outcomes of the conference to develop information materials for young Victorians and to contribute towards the Privacy Victoria website redevelopment.

The Privacy Commissioner acknowledges the significant contribution made by members of the Youth Advisory Group during 2009-10.

Watch this space: Children, young people and privacy Conference, 21 May 2010

On Friday 21 May, Privacy Victoria held the Watch this space: Children, young people and privacy national conference at Melbourne’s Crown Promenade Hotel. The conference was attended by over 280 delegates including 50 Victorian secondary school students. Held during Education Week and Law Week, the conference was sponsored by the Department of Education and Early Childhood Development and Microsoft.

Victorian Deputy Premier and Attorney-General, the Hon. Rob Hulls MP, opened the event which included presentations from leading cyber-safety experts, educators, members of Privacy Victoria’s Youth Advisory Group and those dealing with the privacy issues facing young people. The presentations addressed the protection of children, youth and their privacy in a rapidly changing physical and cyber-world.

At the start of the conference participants were treated to two rap songs performed by Tjimba and the Yung Warriors – the second one, ‘Privacy’ written specially for the occasion. The conference MC was renowned actor and children’s TV presenter Noni Hazlehurst.

Much of the discussion at the conference focused on online privacy issues such as use of social media. This included discussions on ‘sexting’ – the practice of sending nude or semi-nude photographs on mobile phones or on the internet, usually to current partners who then may misuse the photograph. These images are considered child pornography under existing laws and some young people have been charged with offences relating to the material received and distributed to others. Internet safety consultant Robyn Treyvaud presented the film ‘Photograph’, made by a group of Bendigo secondary school students, and discussed ways in which teachers could use the supporting teaching resources.

There were also presentations on ‘offline’ topics such as health, social research, the particular difficulties faced by gay youth and at-risk youth, and the development of resources for young people. During the day, members of Privacy Victoria’s Youth Advisory Group consulted with conference delegates to gauge their opinions on a range of privacy issues affecting children and young people. These consultations will inform the ongoing work of the Group. The conference also featured displays from the Australian Communications and Media Authority and Australian Federal Police.

The Commissioner would like to acknowledge the conference presenters and exhibitors for their contribution to the success of the conference. Conference papers can be accessed at www.privacy.vic.gov.au.

Sponsored Delegate Program

A feature of the conference was the Sponsored Delegate program sponsored by Microsoft, open to Victorian secondary school students. Five Sponsored Delegates received a ticket to the conference, travel costs and $500 for their school to develop and run a privacy awareness project in their school during 2010-11. Sponsored Delegates were selected from applications received from Victorian secondary schools. Schools represented in the program are:

• Christian Brothers’ College, St Kilda
• Rosebud Secondary College
• Star of the Sea College, Brighton
• MacRobertson Girls’ High School, Melbourne
• Thornbury High School

The outcomes from this project will be reported on in the 2010-11 Annual Report.

Microsoft’s John Galligan with sponsored delegates at the Watch this space conference.

“The speakers were all very knowledgeable and made the conference a great eye opener to privacy in a techno world”
“An excellent and informative conference”
Watch this space conference delegate feedback

Events

Inaugural Privacy Victoria Oration – Why Privacy Matters

On Tuesday 1 September 2009, the Hon. Michael Kirby AC CMG delivered the inaugural Privacy Victoria Oration to a full house at the Australian Centre for the Moving Image, at Melbourne’s Federation Square. In his speech on ‘Why privacy matters’, Mr Kirby drew attention to the international dimension of privacy and referring to recent privacy developments and issues. The full text of his speech is at Appendix I and is also available at www.privacy.vic.gov.au.

Michael Kirby was, until 2 February 2009, one of the seven Justices of Australia’s highest constitutional and appellate court, the High Court of Australia. He served there from his appointment on 6 February 1996. At the end of that service he was Australia’s longest serving judicial officer. In 2008 Michael Kirby was awarded the inaugural Australian Privacy Medal from the Office of the Federal Privacy Commissioner.

1 September 2009, the date of the Oration, marked the eighth anniversary of the Information Privacy Act coming into effect in Victoria.

Royal Melbourne Show 2009

Privacy Victoria continued its annual participation in the Victorian Government Pavilion at the Royal Melbourne Show (17-27 September) in partnership with the Office of the Health Services Commissioner.

The 2009 Show was attended by over 450,000 people. Of these, approximately 184,000 visited the Victorian Government Expo Pavilion which featured the theme Fast Forward. The combined display featured messages about identity theft, access rights and information about both Offices. The display and a free cardboard travel-card holder reminded Show goers to Stop. Think. Go. Protect your personal information. You never know how far it will travel. During the Show, the Privacy Commissioner and other Privacy Victoria staff gave five presentations on privacy laws and issues to visitors to the Government Expo Pavilion.

During 2009-10 Privacy Victoria and the Office of the Health Services Commissioner received a grant from Information Victoria to assist their participation in the 2009 and 2010 events. The funding will be primarily used to develop and implement an interactive game targeting children and young people at the 2010 Show. The Commissioner records her appreciation of the financial and in kind support given by Information Victoria to enable her office to reach so many Victorians with important privacy information.

Midsumma Festival 2010

The Midsumma Festival brings a diverse mix of artists and performers together under a single umbrella for an impassioned celebration and innovative presentation of queer art and culture. The festival program is made up of a wide range of events and activities including visual art, theatre, spoken word, cabaret, film, live music, sport, and social and political forums and debates. From 17 January to 7 February 2010, Melbourne played host to around 100 events.

As in recent years, Privacy Victoria and the Office of the Health Services Commissioner placed a full-colour advertisement in the Festival Guide. 40,000 copies of the Guide were produced, with an estimated readership of more than 120,000 nation-wide and a shelf life of two months.

Law Week 2010

Privacy Victoria again participated in the annual Law Week co-ordinated by the Victoria Law Foundation and Law Institute of Victoria. Law Week is held in the 3rd week of May each year to promote access and understanding of our law and justice system.

During Law Week a range of privacy information material was distributed to libraries throughout Victoria by the Victoria Law Foundation on behalf of the Office. This material included privacy brochures and compact discs which provide privacy information in an accessible way for Victorians with vision impairment.

The 2010 event had the theme of Law and Justice in the Community. During the week, 18 regional towns hosted events, and the Victorian Law Foundation launched Victoria Law, a new website containing easy-to-understand legal information – it can be found at www.victorialaw.org.au. Privacy Victoria’s Watch this space: Children, young people and privacy was a major Law Week event (see page 34).

Privacy Awareness Week 2010 VPS poster

Privacy Awareness Week 2010

Privacy Awareness Week (3-8 May) was first held in Victoria in 2002 to coincide with the anniversary of the commencement of the Information Privacy Act. The annual event aims to remind the public sector in particular, and the broader community more generally, of the importance of protecting privacy.

Privacy Awareness Week is now marked by the Asia Pacific Privacy Authorities. This includes all the Australian Commissioners and those from Canada, British Columbia, Hong Kong, New Zealand, and South Korea (see pages 28-30).

In the Public Sector

The slogan used to promote Privacy Awareness Week throughout the Victorian public sector in 2010 was Stop and think: Don’t leave a privacy risk behind. This recognises that many privacy breaches occur because of a lack of attention being paid to data security risks both in and external to workplaces. The poster and fridge magnets distributed to Victorian Government organisations for Privacy Awareness Week reminded staff to protect USB keys, clear faxes and printer trays, lock PCs and to secure files. The 2009 Privacy Awareness Week tagline Privacy: protecting not preventing slogan also featured on the poster.

An Identify and Improve — Privacy Checklist which helps staff take responsibility for the handling of information in the workplace was also distributed. Materials from this and previous Privacy Awareness Weeks are available at www.privacy.vic.gov.au.

The Privacy Awareness Week materials were developed jointly by Privacy Victoria, the Department of Justice and a number of other Departments and agencies.

In addition to the program of events organised by Privacy Victoria, many government organisations profile privacy issues and responsibilities by conducting their own internal promotions. These include intranet messages, information displays and events.

Official Launch

Privacy Awareness Week was officially launched on Monday 3 May by the Chief Commissioner Victoria Police, Simon Overland APM. The Victorian Privacy Commissioner, Helen Versey, and Julia Griffith, Executive Director Regional and Executive Services, Department of Justice also spoke at the event which was held at 121 Exhibition Street and hosted by the Department of Justice.

The event was also the Victorian launch of an online tool which allows people to assess their risk of ID theft (see page 37).

Information Security Seminar

On Monday 3 May, Worksafe Victoria hosted a seminar titled Information Security: Respect and Protect – It is your responsibility at 222 Exhibition Street, Melbourne. Over 140 people attended, mainly from WorkSafe and their key contracted service providers. There was also good cross-agency representation from a range of Victorian government agencies.

The Privacy Commissioner spoke at the seminar, which was hosted by Ian Forsyth, Deputy Chief Executive, Worksafe. Consultants from Ernst and Young presented on the topic of People are the weakest link... Seven lessons to learn from past privacy breaches. This presentation can be downloaded at www.privacy.vic.gov.au. WorkSafe’s Chief Executive, Greg Tweedly and other senior staff also attended the workshop.

Information Privacy and Record Keeping Systems

Good records management practice enhances organisational compliance with privacy legislation. On Tuesday 4 May the Public Record Office Victoria hosted an event at their North Melbourne offices to explore the relationship between the Information Privacy Act and record keeping systems. The presentation and discussion was followed by a tour of the Public Record Office.

The Changing Role of the Victorian Drivers’ Licence Seminar

In Australia, a driver’s licence is no longer considered just a permit to drive a vehicle. Most Victorian and federal government agencies rely on the driver licence as evidence of identity and would be unable to provide a range of critical services without it. The drivers’ licence is also the preferred or only acceptable form of identity for 80% of Australian businesses. VicRoads has not sought this wider identity function of the driver licence, but use beyond its statutory function is a reality.

VicRoads has some significant strength in managing identity as a core process in regulating access to the road network and supporting road safety through licensing. Nevertheless, the challenges of supporting wider identity management objectives are considerable. Identity crime is growing in volume and sophistication. The impact of identity crime involving the drivers’ licence across Australia runs into hundreds of millions of dollars. The opportunity exists to facilitate considerable social and economic benefits through improved identity management and road safety. This will require capability, agility and sensitivity in order to realise the benefits and enhance privacy.

The seminar, which was presented by Dr Dale Andrea, Manager Licensing & Identity Strategy, VicRoads:

• Examined the role of the drivers’ licence;
• Looked at identity management for the drivers’ licence;
• Explored recent initiatives; and
• Discussed challenges, including specific privacy issues.

The presentation can be downloaded at www.privacy.vic.gov.au. The event was followed by a tour of the VicRoads Traffic Management Centre.

Privacy Film Screening

The film Nineteen Eighty-Four was screened at the Treasury Theatre on Wednesday 5 May and introduced by the Privacy Commissioner. Nineteen Eighty-Four is a British film, released in 1984, based upon George Orwell’s novel about life under a fictional totalitarian government.

The screening was sponsored by Department of Innovation, Industry and Regional Development, and the Department of Justice.

Regional Events – Geelong

During Privacy Awareness Week 2010, the Privacy Commissioner and Director, Privacy Awareness, travelled to Geelong to give presentations on Victorian privacy laws and public sector compliance obligations to Victorian government organisations.

Thursday 6 May
• Presentations to staff of the Traffic Accident Commission and the City of Greater Geelong

Friday 7 May
• Presentation to staff from the Department of Human Services

For the Community

Privacy Commissioners provide help against identity theft

As part of Privacy Awareness Week, on behalf of the Asia Pacific Privacy Authorities, the Privacy Commissioner launched in Victoria a free online tool to help people protect themselves against identity theft. International privacy commissioners are increasingly pooling their resources and expertise to develop information like this to assist the public.

The Chief Commissioner, Victoria Police, also spoke at the launch which was a feature of the Victorian public sector launch of Privacy Awareness Week.

This excellent privacy tool is yet another example of how smart and effective it is to work collaboratively with international partners. While we live in different countries, in today’s globalised economy and with online communication becoming increasingly part of our everyday lives, we all face the same issues, especially when it comes to the threat of identity theft and the need for all of us to take active steps to protect our personal information.

Identity theft continues to rise but many people don’t know that they are at risk or what they can easily do to protect themselves. The interactive tool is like a multiple choice quiz. Users can work through a series of questions on eleven different topics: for instance how well they protect information in their wallet, their mailbox or on their computer. The test takes just a few minutes and includes questions such as:

• Do you leave your laptop in the car?
• Do you shred old mail with your name and details on?
• Do you keep your user names and passwords secret?
• Do you use a password on your mobile phone?
• Do you let bar or restaurant staff take away your credit card?

Users get a score indicating how open they are to the risk of identity theft and they can then check out the simple tips on each topic to help protect themselves better in the future.

The identity theft test was originally developed for the Norwegian data protection commissioner who shared it with the Asia Pacific Privacy Authorities. The Asia Pacific commissioners then worked together to adapt some of the questions for use in this region.

ID Theft tool poster

The identity theft self-test tool is available at www.privacy.vic.gov.au and www.privacyawarenessweek.org.

Information and Promotional Material

Providing Information to the Community

As in previous years, the Privacy Commissioner and Privacy Victoria staff gave presentations on privacy issues to a number of community groups as listed at Appendix D.

Community presentations and events (such as those described in this Report) provide the Office with valuable opportunities to directly provide members of the community and their service providers with information about Victoria’s privacy laws and the rights and responsibilities they confer. In keeping with the Privacy Commissioner’s functions to raise privacy awareness and make public statements on privacy issues (s. 58 (o), (p) Information Privacy Act), community presentations are often used to discuss broader privacy protection issues such as identity theft and cybersafety.

Privacy Victoria continued to respond to ad hoc requests for information and promotion materials. These materials, and copies of all Information Sheets and other documents, are provided free-of-charge to Victorian public sector organisations, schools and community groups upon request. Requests for information should be sent via enquiries@privacy.vic.gov.au, telephone to Local Call 1300 666 444 (from outside Australia +61 3 8619 8719) or Local Fax 1300 666 445 (+61 3 8619 8700).

Website Redevelopment

As reported in the 2008-09 Annual Report, a major external review of Privacy Victoria’s website was commissioned and completed by the end of June 2009. The review identified a need to improve the website’s design and navigation. Significant work to implement the review’s recommendations was undertaken during 2009-10. The new website will be launched during 2010-11.

Privacy Aware

Four editions of the quarterly newsletter, Privacy Aware, were published: Winter 2009, Spring 2009, Summer 2009-10 and Autumn 2010. Due to the small number of subscribers for the print edition, and after consultation with the Privacy Victoria Network, a decision was made to cease publication of Privacy Aware in hard copy. From the Autumn 2010 edition, Privacy Aware is only published electronically and made available on the Privacy Victoria website. To receive email notification of new editions, email [email protected] or telephone Local Call 1300 666 444.

A full list of our publications can be found at Appendix G.

Advertising

Paid advertising was placed in the Guide for the Midsumma Festival (see page 35). Advertising was also commissioned for the Privacy Victoria Oration (see page 35), the establishment of the Youth Advisory Group, Privacy Awareness Week and the 21 May national conference.

Media Relations

Privacy Victoria engages in a proactive media relations strategy to engage with the print and electronic media. Privacy Victoria also acts as a referral point for journalists. The Office engages the services of a media consultant on specific initiatives. This strategy has led to an increase in calls from the media seeking comment from the Commissioner and increased coverage in the state and national media.

“The exercises were relevant and useful. The trainer’s knowledge was thorough and she gave good examples”
Half-day Training Session Participant

The Privacy Commissioner issues media releases on matters of public interest and distribution channels are considered on a case-by-case basis. Media releases are issued to promote events and publications, and to comment on relevant issues; occasional articles are submitted for publication in stakeholder and education sector publications. As noted under ‘Children and Young People’, significant media activity was undertaken to promote the establishment of the Youth Advisory Group and the 21 May national conference.

Privacy Victoria issued eighteen media releases during 2009-10, an increase on the ten issued during 2008-09. These are available at www.privacy.vic.gov.au.

TABLE 15 Public Sector Privacy Awareness and Training Activities

Management session: facilitated discussion of privacy compliance issues by management and executive groups
Presentation: a privacy awareness activity where a Privacy Victoria staff member addresses public sector employees (excluding Privacy Victoria Network and Privacy and Councils meeting) on specific or general privacy issues
Refresher: targeted at staff who have previously attended training; includes privacy updates and includes facilitated discussion
Training: a formal, half-day structured interactive session which combines information provision with activities to explore specific issues and check understanding
2-hour session: condensed version of the half-day training session
Workshop: special topic workshop of half or full-day duration

Public Sector Awareness and Training Program

Privacy Victoria’s ongoing Victorian Public Sector Awareness and Training Program is designed to assist organisations inform and educate staff about the requirements of the Information Privacy Act and privacy compliance.

The program includes:

• generic privacy training materials made available online;
• training conducted at Privacy Victoria;
• training and presentations conducted on-site for organisations across Victoria;
• special topic workshops; and
• discussions and presentations to management groups.

Training Needs Assessment

Privacy Victoria works with organisations to make any privacy training program best meet their needs. However, Privacy Victoria’s training resources are limited and an effective program takes some time to plan. Privacy Victoria trainers can provide training on aspects such as the general privacy legislative environment and privacy guidelines and can discuss the privacy issues staff face. However, they do not know each organisation’s specific context, nor will they be familiar with its information handling policies and procedures. It is therefore important that any training for an organisation includes input from management and the privacy officer (or the person responsible for privacy matters). It is also important that training sessions have value and are as effective as possible in educating and motivating participants to become privacy aware and compliant.

To this end, during 2009-10 Privacy Victoria introduced a more rigorous training needs assessment process. This includes the completion of a brief privacy training needs assessment proforma and a training plan prior to the booking of any training session or other activity. The outcome is a more effective approach being taken to training, especially as it relates to the provision of support to management groups and in ensuring that training delivery more closely matches audience needs.

While it is preferable to have staff participate in a half-day training session, it is recognised that many organisations are unable to release staff for that length of time. Privacy Victoria’s approach to the provision of awareness and training services is therefore flexible in order to maximise the ability of staff to participate in privacy awareness or training activities.

Accordingly, and as a result of the varied range of awareness and training needs being identified through the revised Training Needs Assessment process, Privacy Victoria has expanded its public sector awareness and training program by conducting a more varied number of activities. These are summarised in Table 15. See Charts 6 and 7 for awareness and training activities conducted during 2009-10.

Privacy awareness and training services are provided free of charge to organisations subject to the Information Privacy Act. However training to metropolitan and regional areas is generally provided on a cost-recovery basis, if Privacy Victoria incurs costs such as room-hire or travel expenses.

Training Calendar

In January 2009, for the first time, Privacy Victoria released the full core training program for the forthcoming calendar year. The program outlined the sessions and specific topic workshops to be held at Privacy Victoria and in regional Victoria throughout the year. Additional sessions were scheduled on a needs/demand basis. Releasing the program in this way was designed to assist organisations plan staff development activities and this approach has been well received. It is expected that an annual training program will be released each January.

Special Topic Workshops

In line with recommendations from the 2008 Stakeholder Analysis and Climate Survey, Privacy Victoria continues to develop and introduce new workshops, as well as continuing to conduct the workshops introduced during 2008-09 (see 2008-09 Annual Report).

The Frontline Privacy: Privacy and Customer Service workshop was introduced in March 2010. Customer service areas, including public counters and call centres, can pose particular challenges for privacy compliance. The workshop combines introductory privacy training with discussion of risks associated with customer service and ways to mitigate those risks.

In 2010, a resource was introduced to assist facilitated discussion of privacy compliance issues by management and executive groups. The Revisiting privacy – A resource for managers and privacy committees document is proving a useful tool for organisational self-assessment and privacy training needs analysis. Eight sessions with various management groups were undertaken during 2009-10. Privacy Victoria encourages management and executive staff of all organisations affected by the Information Privacy Act to regularly self-assess organisational compliance with the Act and is available to assist organisations in this process.

Attendance and Participation

During 2009-10 Privacy Victoria delivered privacy awareness and training activities presentations to over 2,000 staff from approximately 113 organisations (see Appendix H). This number excludes staff attending events such as Privacy Victoria Network or Privacy and Councils meetings, Privacy Awareness Week events or the 21 May national conference. This is in line with the total for the previous year.

Total Number of Public Sector Privacy Awareness and Training Activities
2008-09: 113
2009-10: 113

The introduction of a more rigorous training needs assessment process impacted on the number of awareness and training activities delivered during the year, particularly in the first six months after implementation. However the ultimate outcome is a more effective approach being taken to training, especially as it relates to the provision of support to management groups and in ensuring that training delivery more closely matches audience needs.

Public Sector Awareness and Training Activity Locations

As can be seen from Chart 7, Privacy Victoria provides services to organisations affected by the Information Privacy Act in the Melbourne Central Business District (including at Privacy Victoria), throughout metropolitan Melbourne and in regional Victoria.

“The presentation was very good and well presented. It flowed easily and smoothly and the audience was kept interested. Excellent presentation skills”
Regional Presentation Attendee

Chart 6 Type of Privacy Awareness and Training Activities

Chart 7 Training Locations 2009-10

Public Sector and Community Presentations

Much of Privacy Victoria’s awareness work consists of presentations made to a variety of public sector and community audiences. Presentations are tailored to the audience and include discussion of current privacy issues as well as the relevance of the IPPs to the attendees’ professional and personal lives. They are often conducted in partnership with government departments and other agencies.

During 2009-10, the number of presentations given by Privacy Victoria staff remained steady compared to the previous year. Many of these presentations were given to community groups (See Appendix D) and attendance numbers for these events (e.g. at the Royal Melbourne Show) were not able to be obtained.

Total Number of Presentations
2008-09: 48
2009-10: 47

Graduate Recruitment Program

In May 2010, Privacy Victoria participated in the VPS Graduate Recruitment program co-ordinated by the State Services Authority, delivering seven information sessions to tertiary graduates undertaking internships at a variety of VPS organisations. It is expected that Privacy Victoria will continue to be involved in this important program.

Evaluation and Feedback

Privacy Victoria’s resources do not permit the formalised evaluation of awareness activities. However, evaluation is undertaken to inform the Quality component of Output Reporting and to ensure that the Office engages in continuous improvement processes and practices. Evaluation of Privacy Victoria’s awareness activities includes:

• participant feedback at training and events (e.g. PVN meetings);
• the delivery of major events (e.g. conferences);
• the timely production of information products such as Privacy Victoria Network eNews and Privacy Aware; and
• the informal assessment of responsiveness to requests for training and presentations, materials and speaking engagements.

As reported in previous Annual Reports, all training sessions delivered at Privacy Victoria, and many other training and awareness activities, are evaluated through a participant feedback process. Surveyed participants consistently report an increase in knowledge and understanding resulting directly from the training. This process provides Privacy Victoria with valuable data about content issues, the relevance of training material and trainer performance.

Training sessions are often an opportunity for an organisation to commence review processes; they also serve as opportunities for Privacy Victoria to learn more about day-to-day privacy implementation and compliance issues. This in turn can lead to further consultation with Policy and Compliance staff, the development of new information material or the continued revision of training material to ensure currency and relevance. During 2009-10, the sessions conducted with management groups were particularly valuable for both parties.

Training Materials

During 2009-10, organisations continued to use Privacy Victoria’s free generic training materials to assist them in informing staff of the requirements of the Information Privacy Act and to comply with the Act. These are available at www.privacy.vic.gov.au.

Watch this space conference advertisement (refer page 34)

Research and Report

Research and reporting assists Privacy Victoria meet the following Objectives from the 2007-2012 Strategic Framework:
• Continually improve understanding of privacy issues, rights and good privacy practice; and
• Provide leadership in privacy issues.

All of the work contained in the section of this report entitled ‘Advise and Guide’, particularly the reference to consultations and submissions, involves extensive research work. Some research work is involved with the handling of complaints and enquiries. In addition, staff continually research and monitor other jurisdictions, including overseas, keeping the work of Privacy Victoria staff up to date with developments in technology, privacy, and related law.

No reports have been published under Section 63(3) of the Information Privacy Act.

Managing our Office

Privacy Victoria’s 2007-2012 Strategic Framework contains the following Objective:
• Operate a cohesive, well managed, accountable and independent Office.

Chart 8 Organisational Structure at 30 June 2010
• Privacy Commissioner: Helen Versey
• Deputy Commissioner: Anthony Bendall
• Operations Manager: Alex Blake
• Executive Assistant to Privacy Commissioner: Dinah Bridson
• Director Technology: Jon Armstrong
• Director Awareness: David Taylor
• Other positions shown: Manager Compliance; Policy and Compliance Officers; Training and Communications Officer; Training Officer; Enquiries Officer; Administrative Officer; Administrative Support Officer
• External Services Provided: Financial (mandatory under the Financial Management Act 1994 and Minister of Finance Directions), Graham Lindsay; Internal Audit, Neil Manthorpe; Information Technology, Chris Bekas; Library Services, Julie Bransden

Output Reporting

In line with the guidelines issued by the Department of Treasury and Finance, we have continued to work within an accrual output management framework. Targets for the Privacy Regulation Output identified in the 2009-10 Budget Papers produced the outcomes outlined in Appendix B.

Governance and Organisational Structure

Management Team

Privacy Commissioner

Helen Versey was appointed as Victoria’s second Privacy Commissioner by the Governor in Council on 13 March 2007. Helen joined Privacy Victoria in December 2001. A qualified lawyer, Helen has worked in private practice in the United Kingdom, Darwin and Perth specialising in criminal law, family law and personal injuries litigation. Prior to commencing with Privacy Victoria, Helen worked for 13 years at the Western Australian Equal Opportunity Commission as their Senior Lawyer.

Deputy Privacy Commissioner

Dr Anthony Bendall was appointed Deputy Privacy Commissioner on 4 June 2007. Prior to his appointment, Anthony was Manager FOI and Privacy at the NSW Department of Education. He has also worked at the Office of the NSW Privacy Commissioner and at the Office of the Federal Privacy Commissioner. Anthony is responsible for the Policy and Compliance functions of the Office, and deputises for the Commissioner as appropriate.

Director, Privacy Awareness

David Taylor joined Privacy Victoria in December 2001. David’s career in public administration includes significant experience in communications and public affairs, as well as adult education and training.

Director, Technology

Jon Armstrong joined Privacy Victoria in January 2002. Jon’s extensive experience in the public sector has been mainly in the information technology field, with a particular emphasis on data security, electronic commerce and service delivery.

TABLE 16 Privacy Commissioner Functions

Policy & Compliance
• Manage the investigation, complaints, conciliation and audit work of the Office.
• Interpret and provide advice on the Information Privacy Act and related laws.
• Undertake research on privacy and related issues.
• Examine legislative and policy proposals and provide advice and guidance on privacy implications.
• Develop guidelines to assist in compliance with the Information Privacy Act.
• Consult with public, private and community sector organisations on proposals and issues with privacy implications.

Awareness
• Provide education and training services to organisations, with an emphasis on the prevention of breaches of the Information Privacy Principles.
• Devise, implement and continuously assess strategies to raise privacy awareness and understanding among all Victorians.
• Co-ordinate the consultation and co-ordination between Privacy Victoria, relevant public, private and community sector organisations, including other privacy and data protection agencies.

Technology
• Provide expert advice on the technology aspects of the Office’s compliance functions.
• Monitor developments in data processing and computer technology with a view to minimising any adverse effects on personal privacy.
• Provide advice on the technology aspects of projects and policy documents within the Victorian public sector.
• Manage and maintain Privacy Victoria’s information technology environment, both in-house and online.

Administration
• Manage and continually enhance the corporate services functions of the Office, with particular emphasis on the need for appropriate independence
• Liaise with public sector management, to broaden the knowledge base of the Office, in particular to ensure that a practical understanding of issues facing managers in public administration in Victoria properly informs the work of the Office.

TABLE 17 Privacy Victoria Staffing

All figures are EFT. M = male, F = female.

| Classification | Ongoing 30-Jun-09 M | Ongoing 30-Jun-09 F | Ongoing 30-Jun-10 M | Ongoing 30-Jun-10 F | Fixed Term 30-Jun-09 M | Fixed Term 30-Jun-09 F | Fixed Term 30-Jun-10 M | Fixed Term 30-Jun-10 F | Total 30-Jun-09 | Total 30-Jun-10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Statutory Office Holder | 0 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 1 |
| VPSG 6 | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 3 | 3 |
| VPSG 5 | 1 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 1 | 2 |
| VPSG 4 | 1 | 3.2 | 3 | 0.4 | 1 | 0.6 | 0 | 0.6 | 5.8 | 4 |
| VPSG 3 | 0 | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 3 | 3 |
| VPSG 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
| VPSG 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 5 | 7.2 | 6 | 6.4 | 1 | 0.6 | 0 | 0.6 | 13.8 | 14 |

Human Resource Management

Privacy Victoria had a core staff of 14 as at 30 June 2010.

Contractors are engaged to assist management of our information technology infrastructure as well as to perform the duties of the Chief Financial and Accounting Officer and Internal Auditor.

Our staffing and work practices are determined and guided by:
• The Public Administration Act 2004; and
• The 2009 Extended and Varied Version Victorian Public Service (Non-Executive Staff) Agreement 2006.

The Privacy Commissioner is a separate employer (Section 16 of the Public Administration Act 2004) and Privacy Victoria staff are not employees of the Department of Justice.

Selecting on Merit

The Privacy Commissioner is committed to applying merit and equity principles when appointing staff. The selection processes ensure that applicants are assessed and evaluated fairly and equitably on the basis of the key selection criteria and other accountabilities without discrimination. During 2009-10 two on-going full-time roles and one fixed-term part-time role were filled.

Occupational Health and Safety

The Privacy Commissioner is committed to the prevention of occupational injuries. Privacy Victoria monitors incidents and has recorded no lost-time injuries during 2009-10.

Workplace Relations

The Privacy Commissioner is a signatory to the 2009 Extended and Varied Version Victorian Public Service (Non-Executive Staff) Agreement 2006 as a separate employer within the Victorian Public Sector.

Public Administration Values and Employment Principles

The Public Administration Act 2004 abolished the Office of Commissioner for Public Employment and established the State Services Authority.

Privacy Victoria maintains a suite of detailed employment policies, including policies with respect to grievance resolution, managing diversity, performance management and discipline.

The importance of discretion and security in a Privacy Commissioner’s office imposes on all staff a high level of obligation. Proper standards of behaviour and ethical conduct at work are of the utmost importance to the Office and are supported by Section 67 of the Information Privacy Act 2000 (Vic), which makes unauthorised disclosure an offence. The Code of Conduct for Victorian Public Sector Employees of Special Bodies issued by the Public Sector Standards Commissioner applies within the Office of the Victorian Privacy Commissioner.

Handling Grievances

In the 2009-10 year, no grievances were received by the Privacy Commissioner in her capacity as Agency Head.

Performance Monitoring

Risk Management

During 2009-10 Privacy Victoria reviewed its Fraud Control, Risk Management and Disaster Recovery and Business Continuity Plans. The content of the plans are known to staff and are regularly monitored and reviewed by the Management Committee, Internal Audit and the Audit and Finance Committee.

Financial Management

The Privacy Commissioner is separately accountable under the Financial Management Act 1994 (Vic) for the management of Privacy Victoria’s financial resources.

Audit and Finance Committee members during 2009-10 were:
• Professor David Boymal (Chair), former National Director, Accounting and Auditing Standards, Ernst & Young;
• Graeme Greaves, Chartered Accountant formerly employed as a Senior Finance Executive with the State Electricity Commission; and
• David Gibbs, BCom, FCA, Director – Family Office, Mutual Trust Pty Ltd.

The Audit and Finance Committee’s main role is to consult, advise and warn the Privacy Commissioner about responsibilities for financial reporting, maintaining systems of internal control and governance. Sound financial management links the budget allocation process with strong financial and management reporting systems to ensure that the financial resources of the Office are used to the optimum.

Internal Audit

The internal audit function is a key assurance mechanism available to Privacy Victoria to support the discharge of its governance and oversight responsibilities. As part of the internal audit plan, the Internal Auditor independently reviews Privacy Victoria’s controls required under the Financial Management and Compliance Framework, including Risk Management controls. For the 2009-10 financial year, Privacy Victoria’s Internal Auditor was Neil Manthorpe.

Managing and Valuing Diversity

In light of the small number of employees, broad-based initiatives in this area are neither necessary nor viable. A flexible and supportive workplace is provided through flexible working hours, leave arrangements and home-based work.

Other Disclosures

Victorian Industry Participation

In October 2003, the Victorian Parliament passed the Victorian Industry Participation Policy Act 2003 (Vic) which requires public bodies and Departments to report on the implementation of the Victorian Industry Participation Policy (VIPP). Departments and public bodies are required to apply VIPP in all tenders over $3 million in metropolitan Melbourne and $1 million in regional Victoria. Privacy Victoria did not engage in any applicable tenders during the reporting period.

Consultancies

| Total Number of Consultancies in the year ended 30 June 2010 with values of less than $100,000 (excluding GST) | Total Cost (excluding GST) |
|---|---|
| 0 | $Nil |

Privacy Victoria did not engage any consultants with a contract value greater than $100,000 (excluding GST).

Freedom of Information

The Freedom of Information Act 1982 (Vic) allows the public a right of access to documents held by Privacy Victoria. For the 12 months ending 30 June 2010, Privacy Victoria received one application. The information requested was released in full.

Making a Request

Access to documents may be obtained through written request to the Freedom of Information Manager, as detailed in Section 17 of the Freedom of Information Act. In summary, the requirements for making a request are:
• It should be in writing;
• It should identify as clearly as possible what document is being requested; and
• It should be accompanied by the appropriate application fee (the fee may be waived in certain circumstances).

Requests for documents in the possession of Privacy Victoria should be addressed to:

Freedom of Information Manager
Office of the Victorian Privacy Commissioner
GPO Box 5057
MELBOURNE Victoria 3001

Requests can also be lodged online at www.foi.vic.gov.au. Access charges may also apply once documents have been processed and a decision on access made (for example, photocopying and search and retrieval charges). Further information regarding Freedom of Information can be found on FOI Online, www.foi.vic.gov.au.

Compliance with the Building Act 1993

Privacy Victoria does not own or control any government buildings and consequently is exempt from notifying its compliance with the building and maintenance provisions of the Building Act 1993.

Compliance with Whistleblowers Protection Act 2001

The Whistleblowers Protection Act 2001 (Vic) encourages and assists people in making disclosures of improper conduct by public officers and public bodies. The Act provides protection to people who make disclosures in accordance with the Act and establishes a system for the matters disclosed to be investigated and for rectifying action to be taken.

The Privacy Commissioner does not tolerate improper conduct by employees, nor the taking of reprisals against those who come forward to disclose such conduct. She is committed to ensuring transparency and accountability in the Office’s administrative and management practices and supports the making of disclosures that reveal corrupt conduct, conduct involving a substantial mismanagement of public resources, or conduct involving a substantial risk to public health and safety or the environment.

The Privacy Commissioner will take all reasonable steps to protect people who make such disclosures from any detrimental action in reprisal for making the disclosure and afford natural justice to the person who is the subject of the disclosure.

Reporting Procedures

Disclosures of improper conduct or detrimental action by Privacy Victoria staff or contractors may be made, in the first instance to the Privacy Commissioner:

Ms Helen Versey
Privacy Commissioner
Office of the Victorian Privacy Commissioner
GPO Box 5057
MELBOURNE Victoria 3001
Phone: (03) 8619 8721
Local Call 1300 666 444

Alternatively, disclosures of improper conduct or detrimental action by the Privacy Commissioner or her employees may be made directly to the Ombudsman:

The Ombudsman Victoria
Level 9, 459 Collins Street (North Tower)
Melbourne VIC 3000
Telephone: (03) 9613 6222
Toll free: 1800 806 314
Internet: www.ombudsman.vic.gov.au
Email: [email protected]

Further Information

Written guidelines outlining the system for reporting disclosures of improper conduct or detrimental action by the Office of the Victorian Privacy Commissioner or her employees are available for public perusal.

Disclosures under the Whistleblowers Protection Act

The current procedures established by Privacy Victoria under Part 6 are available upon request.

TABLE 18 Disclosures under the Whistleblowers Protection Act

| | 2009-10 Number | 2008-09 Number |
|---|---|---|
| The number and types of disclosures made to public bodies during the year: Public interest disclosures | 0 | 0 |
| The number and types of disclosures made to public bodies during the year: Protected disclosures | 0 | 0 |
| The number of disclosures referred during the year by the public body to the Ombudsman for determination as to whether they are public interest disclosures | 0 | 0 |
| The number and types of disclosed matters referred to the public body by the Ombudsman for investigation | 0 | 0 |
| The number and types of disclosures referred by the public body to the Ombudsman for investigation | 0 | 0 |
| The number and types of investigations taken over from the public body by the Ombudsman | 0 | 0 |
| The number of requests made by a whistleblower to the Ombudsman to take over an investigation by the public body | 0 | 0 |
| The number and types of disclosed matters that the public body has declined to investigate | 0 | 0 |
| The number and types of disclosed matters that were substantiated upon investigation and the action taken on completion of the investigation | 0 | 0 |
| Any recommendations made by the Ombudsman that relate to the public body: Recommendation regarding file security and management | n/a | n/a |

TABLE 19 Office-based Environmental Impacts

| Environmental Aspect | Description | Unit of Measure | 2009-10 | 2008-09 |
|---|---|---|---|---|
| Energy | Use per FTE | kWh per FTE | 4,273 | 4,664 |
| Energy | Use per square meter of office space | kWh/m2 | 115 | 124 |
| Energy | Total use – Electricity | kWh | 59,816 | 64,363 |
| Energy | Total use – Natural Gas | kWh | N/A | N/A |
| Energy | Total use – LPG | kWh | N/A | N/A |
| Energy | Total use | kWh | 59,816 | N/A |
| Energy | Total associated greenhouse gas emissions | Tonnes of CO2 Equivalent | 80.15 | N/A |
| Energy | Total GreenPower | kWh | N/A | N/A |
| Energy | Total cost of GreenPower | Dollars | N/A | N/A |
| Paper | Use per FTE | Reams per FTE | 21 | 16 |
| Paper | Total use | Reams | 294 | 224 |
| Transportation | Total energy consumption | Giga joules | 11.74 | N/A |
| Transportation | Energy consumption per FTE | Giga joules per FTE | 0.84 | N/A |
| Transportation | Total associated greenhouse gas emissions | Tonnes of CO2 Equivalent | 1.1 | N/A |
| Transportation | Associated greenhouse gas emissions per FTE | Tonnes of CO2 Equivalent per FTE | 0.08 | N/A |
| Transportation | Total Travel associated with departmental operations 1 | Kilometres | 6,009 | 3,281 |
| Transportation | Travel associated with departmental operations per FTE | Kilometres per FTE | 429 | 238 |
| Transportation | Employees regularly (>75 per cent of time) using public transport, cycling or walking to and from work | per cent | 100% | 87% |
| Waste | Generated per FTE | Kilograms per FTE | N/A | N/A |
| Waste | Total recycled (Approx.) | Kilograms | Approx. 300 | Approx. 270 |
| Water | Consumption per FTE | Litres per FTE | N/A | N/A |
| Water | Total consumption | Litres | N/A | N/A |

1 Kilometres travelled using hire cars.

Disability Action Plans

A disability action plan is a strategic plan which helps an organisation to remove barriers that prevent people with a disability from using the organisation’s goods, services and facilities, and from gaining and keeping employment. Disability action planning strives to remove barriers for people with a disability from taking part in the organisation’s activities and in changing practices that may result in discrimination.

Currently Privacy Victoria provides access to its publications in the following formats:
• In Braille, available at libraries and upon request;
• On the internet in standard and large print text;
• On information CDs also available at libraries and upon request;
• In audio files in MP3 format available at libraries and upon request; and
• Hard copy standard print

Privacy Victoria is accessible by wheelchair and most other mobility aides. Any person concerned about physical access to Privacy Victoria’s office or services should contact us.

Disclosure Index

An index identifying the Office’s compliance with statutory disclosure requirements is contained in Appendix A.

Additional Information

Additional Privacy Victoria information available upon request is listed in Appendix C.

Attestation on compliance with the Australian/New Zealand Risk Management Standard

I, Helen Versey, certify that the Office of the Victorian Privacy Commissioner has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The Audit & Finance Committee verifies this assurance and that the risk profile of the Office of the Victorian Privacy Commissioner has been critically reviewed within the last 12 months.

Helen Versey
Privacy Commissioner
Office of the Victorian Privacy Commissioner
23 August 2010

Financial Report

The following pages provide the Financial Report for the Office of the Victorian Privacy Commissioner for the period 1 July 2009 to 30 June 2010.

Comprehensive Operating Statement for the financial year ended 30 June 2010

| | Notes | 2010 $ | 2009 $ |
|---|---|---|---|
| Income from transactions | | | |
| Grant from the Department of Justice | 1(c), 1(e), 2 | 2,042,034 | 2,007,392 |
| Other income | 1(e), 2 | 99,743 | 34,634 |
| Total income from transactions | | 2,141,777 | 2,042,026 |
| Expenses from transactions | | | |
| Employee expenses | 1(f), 3(a) | 1,360,815 | 1,295,493 |
| Supplies and services | 1(f), 3(b) | 584,068 | 564,793 |
| Depreciation | 1(f), 3(c) | 6,866 | 9,949 |
| Other operating expenses | 1(f), 3(d) | 173,696 | 176,370 |
| Total Expenses from transactions | | 2,125,445 | 2,046,605 |
| Net result from transactions (net operating balance) | | 16,332 | (4,578) |
| Total other economic flows included in net result | 1(g), 4 | (410) | (7,318) |
| Net result | | 15,922 | (11,896) |
| Total other economic flows - other non-owner changes in equity | | 0 | 0 |
| Comprehensive result | | 15,922 | (11,896) |

The comprehensive operating statement should be read in conjunction with the accompanying notes.

Balance Sheet as at 30 June 2010

| | Notes | 2010 $ | 2009 $ |
|---|---|---|---|
| ASSETS | | | |
| Financial assets | | | |
| Cash | 14 (a) | 500 | 500 |
| Receivables | 5 | 348,516 | 171,736 |
| Total financial assets | | 349,016 | 172,236 |
| Non-financial assets | | | |
| Prepayments | 6 | 13,756 | 15,752 |
| Plant and equipment | 7 | 8,598 | 15,464 |
| Total non-financial assets | | 22,354 | 31,216 |
| Total Assets | | 371,370 | 203,452 |
| LIABILITIES | | | |
| Payables | 8 | 87,633 | 128,469 |
| Provisions | 1 (j), 9 | 235,528 | 232,696 |
| Total liabilities | | 323,161 | 361,165 |
| Net assets | | 48,209 | (157,713) |
| EQUITY | | | |
| Accumulated surplus/(deficit) | | (593,442) | (609,364) |
| Contributed capital | | 641,651 | 451,651 |
| Net worth | 15 | 48,209 | (157,713) |
| - Commitments for expenditure | 11 | | |
| - Contingent liabilities and contingent assets | 12 | | |

The balance sheet should be read in conjunction with the accompanying notes.

Statement of Changes in Equity for the financial year ended 30 June 2010

| 2010 | Equity at 1 July 2009 | Changes due to total comprehensive result | Changes due to transaction with owners in its capacity as owner | Equity at 30 June 2010 |
|---|---|---|---|---|
| (a) Accumulated surplus/(deficit) | (609,364) | 15,922 | 0 | (593,442) |
| (b) Contributions by owners | 451,651 | 0 | 0 | 451,651 |
| Capital contribution by DoJ | 0 | 0 | 190,000 | 190,000 |
| | 451,651 | 0 | 190,000 | 641,651 |
| Total equity at end of the financial year | (157,713) | 15,922 | 190,000 | 48,209 |

| 2009 | Equity at 1 July 2008 | Changes due to total comprehensive result | Changes due to transaction with owners in its capacity as owner | Equity at 30 June 2009 |
|---|---|---|---|---|
| (a) Accumulated surplus/(deficit) | (597,467) | (11,897) | 0 | (609,364) |
| (b) Contributions by owners | 453,376 | 0 | 0 | 453,376 |
| Transactions with the State in its capacity as owner - loss on disposal of fixed assets | 0 | 0 | (1,725) | (1,725) |
| | 453,376 | 0 | (1,725) | 451,651 |
| Total equity at end of the financial year | (144,091) | (11,897) | (1,725) | (157,713) |

The statement of changes in equity should be read in conjunction with the accompanying notes.

Cash Flow Statement for the financial year ended 30 June 2010

| | Notes | 2010 $ | 2009 $ |
|---|---|---|---|
| Cash flows from operating activities | | | |
| Receipts: | | | |
| Receipts - Government and Sec. 29 revenue | | 1,964,998 | 2,022,975 |
| Total receipts | | 1,964,998 | 2,022,975 |
| Payments: | | | |
| Payments to employees | | (1,358,393) | (1,285,888) |
| Payments to suppliers | | (796,605) | (731,746) |
| Total payments | | (2,154,998) | (2,017,634) |
| Net cash flows from / (used in) operating activities | 14 (b) | (190,000) | 5,341 |
| Cash flows from investing activities | | | |
| Payments for purchase of non-financial assets | 7 | 0 | (5,341) |
| Net cash flows from / (used in) investment activities | | 0 | (5,341) |
| Cash flows from financing activities | | | |
| Government funding provided for capital expenditure | | 0 | 0 |
| Capital contribution by DoJ | 15 | 190,000 | 0 |
| Net cash flows from / (used in) financing activities | | 190,000 | 0 |
| Net increase / (decrease) in cash and cash equivalents | | 0 | 0 |
| Cash and cash equivalents at beginning of the financial year | | 500 | 500 |
| Cash and cash equivalents at end of the financial year | 14 (a) | 500 | 500 |

The cash flow statement should be read in conjunction with the accompanying notes.

Notes to the Financial Statements for the financial year ended 30 June 2010

Note Number and Contents

1. SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES
2. INCOME FROM TRANSACTIONS
3. EXPENSES FROM TRANSACTIONS
4. OTHER ECONOMIC FLOWS INCLUDED IN NET RESULT
5. RECEIVABLES
6. PREPAYMENTS
7. PLANT AND EQUIPMENT
8. PAYABLES
9. PROVISIONS
10. SUPERANNUATION FUNDS
11. COMMITMENTS FOR EXPENDITURE
12. CONTINGENT LIABILITIES AND CONTINGENT ASSETS
13. FINANCIAL INSTRUMENTS
14. NOTES TO THE CASH FLOW STATEMENT
15. NET WORTH
16. RESPONSIBLE PERSONS
17. REMUNERATION OF AUDITORS
18. SUBSEQUENT EVENTS
19. GLOSSARY OF TERMS

1. SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES

The annual financial statements represent the audited general purpose financial statements for the Office of the Victorian Privacy Commissioner (OVPC).

To gain a better understanding of the terminology used in this report, a glossary of terms can be found in Note 19.

(a) Statement of compliance

These financial statements have been prepared in accordance with the Financial Management Act 1994 (Vic) and applicable Australian Accounting Standards, including interpretations (AASs). AASs include Australian equivalents to International Financial Reporting Standards.

Where applicable, those paragraphs of the AASs applicable to not for profit entities have been applied.

The annual financial statements were authorised for issue by the Accountable Officer on 23 August 2010.

(b) Basis of accounting preparation and measurement

The accrual basis of accounting has been applied in the preparation of these financial statements whereby assets, liabilities, equity, income and expenses are recognised in the reporting period to which they relate, regardless of when cash is received or paid.

These financial statements are presented in Australian dollars, the functional and presentation currency of the OVPC.

In the application of AASs management is required to make judgments, estimates and assumptions about carrying values of assets and liabilities that are not readily apparent from other sources. The estimates and associated assumptions are based on historical experience and various other factors that are believed to be reasonable under the circumstance, the results of which form the basis of making the judgments. Actual results may differ from these estimates.

The estimates and underlying assumptions are reviewed on an ongoing basis. Revisions to accounting estimates are recognised in the period in which the estimate is revised if the revision affects only that period or in the period of the revision, and future periods if the revision affects both current and future periods. Judgements made by management in the application of AASs that have significant effects on the financial statements and estimates, with a risk of material adjustments in the subsequent reporting period, are disclosed throughout the notes to the financial statements.

The report has been prepared in accordance with the historical cost convention, except for:
• Non-current physical assets which, subsequent to acquisition, are measured at a revalued amount being their fair value at the date of the revaluation less any subsequent accumulated depreciation and subsequent impairment losses. Revaluations are made with sufficient regularity to ensure that the carrying amounts do not materially differ from their fair value; and
• The fair value of an asset other than land is generally based on its depreciated replacement value.

Historical cost is based on the fair values of the consideration given in exchange for assets.

Accounting policies are selected and applied in a manner which ensures that the resulting financial information satisfies the concepts of relevance and reliability, thereby ensuring that the substance of the underlying transactions or other events is reported.

The accounting policies set out below have been applied in preparing the financial statements for the year ended 30 June 2010 and the comparative information presented for the year ended 30 June 2009.

(c) Reporting entity

The financial statements cover OVPC as an individual reporting entity. The OVPC is a government agency of the State of Victoria, established under the Information Privacy Act 2000 (Vic) (the Act), which was proclaimed on 1 September 2001 and is headed by the Privacy Commissioner whose functions and powers are detailed in sections 58 and 59 of the Act. Its principal address is:

The Office of the Victorian Privacy Commissioner
Level 11
10-16 Queen Street, Melbourne VIC 3000

OVPC is an administrative agency acting on behalf of the Crown.

A description of the nature of the OVPC’s operations and its principal activities is included in the report of operations on page 4, which does not form part of these financial statements.

Objectives and funding

The OVPC is the key body in a system regulating the way Victorian government, its agencies and local councils collect and handle personal information. OVPC’s objectives are:
(i) to balance the public interest in the free flow of information with the public interest in respecting privacy and protecting personal information in the public sector,
(ii) to promote the responsible and transparent handling of personal information in the public sector; and
(iii) to promote awareness of the same practices.

OVPC is funded for the provision of outputs consistent with its statutory functions. Funds are predominantly from accrual-based grants derived from monies appropriated annually by Parliament through the Department of Justice (DoJ).

Going concern

In prior years, OVPC was totally dependent on the support of the Victorian State Government to ensure it was able to meet the shortfall between its assets and its liabilities. Accordingly, accounts had been prepared on a going concern basis despite the fact that in those previous years, annual grant revenue was not sufficient to meet total expenses incurred by it.

In the current financial year, DoJ made a capital contribution of an amount sufficient so that OVPC is in a position to pay its obligations as and when they fall due. As a result, the liabilities of OVPC no longer exceed its assets as they have done in prior years.

notes to the financial statements

1. SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES continued

(d) Scope and presentation of financial statements

Comprehensive operating statement

Income and expenses in the comprehensive operating statement are classified according to whether or not they arise from ‘transactions’ or ‘other economic flows’. This classification is consistent with the whole of government reporting format and is allowed under AASB 101 Presentation of financial statements.

‘Transactions’ and ‘other economic flows’ are defined by the Australian system of government finance statistics: concepts, sources and methods 2005 Cat. No. 5514.0 published by the Australian Bureau of Statistics (see Note 19).

‘Transactions’ are those economic flows that are considered to arise as a result of policy decisions, usually interactions between two entities by mutual agreement. Transactions also include flows within an entity, such as depreciation where the owner is simultaneously acting as the owner of the depreciating asset and as the consumer of the service provided by the asset. Taxation is regarded as mutually agreed interactions between the Government and taxpayers. Transactions can be in kind (e.g. assets provided/given free of charge or for nominal consideration) or where the final consideration is cash.

‘Other economic flows’ are changes arising from market re-measurements. They include gains and losses from disposals, revaluations and impairments of non-current physical and intangible assets; actuarial gains and losses arising from defined benefit superannuation plans; fair value changes of financial instruments and agricultural assets; and depletion of natural assets (non-produced) from their use or removal.

The net result is equivalent to profit or loss derived in accordance with AASs.

Balance sheet

Assets and liabilities are presented in liquidity order with assets aggregated into financial assets and non-financial assets.

Current and non-current assets and liabilities (those expected to be recovered or settled beyond 12 months) are disclosed in the notes, where relevant.

Statement of changes in equity

The statement of changes in equity presents reconciliations of each non-owner and owner equity opening balance at the beginning of the reporting period to the closing balance at the end of the reporting period. It also shows separately changes due to amounts recognised in the comprehensive result and amounts recognised in other comprehensive income related to other non-owner changes in equity.

Cash flow statement

Cash flows are classified according to whether or not they arise from operating activities, investing activities, or financing activities. This classification is consistent with requirements under AASB 107 Statement of cash flows.

(e) Income from transactions

Income is recognised to the extent that it is probable that the economic benefits will flow to the entity and the income can be reliably measured.

Other income

The OVPC is permitted under Section 29 of the Financial Management Act 1994 to have certain income annotated to the annual grant. The income which forms part of a Section 29 agreement is recognised by the OVPC and the receipts paid into the Consolidated Fund as an administered item. At the point of revenue recognition, Section 29 provides for an equivalent amount to be added to the annual grant.
Examples of receipts which can form part of a Section 29 agreement are Departmental special purpose grants and the proceeds from the provision of training packages and services. Where applicable, amounts disclosed as income are net of returns, allowances, duties and taxes.

(f) Expenses from transactions

Expenses are recognised as they are incurred and reported in the financial year to which they relate.

Employee expenses

Employee expenses include superannuation expenses which are reported differently depending upon whether employees are members of defined benefit or defined contribution plans.

In relation to defined contribution (i.e. accumulation) superannuation plans, the associated expense is simply the employer contributions that are paid or payable in respect of employees who are members of these plans during the reporting period. Employer superannuation expenses in relation to employees who are members of defined benefit superannuation plans are described below.

Superannuation – State superannuation defined benefit plans

The amount recognised in the comprehensive operating statement in relation to employer contributions for members of defined benefit superannuation plans is simply the employer contributions that are paid or payable to these plans during the reporting period. The level of these contributions will vary depending upon the relevant rules of each plan, and is based upon actuarial advice.

The Department of Treasury and Finance (DTF) in their Annual Financial Statements, recognise on behalf of the State as the sponsoring employer, the net defined benefit cost related to the members of these plans. Refer to DTF’s Annual Financial Statements for more detailed disclosures in relation to these plans.

Supplies and services

Supplies and services expenses are recognised as an expense in the reporting period in which they are incurred.
Depreciation and amortisation

All plant and equipment and other non-current physical assets (excluding items under operating leases, assets held-for-sale and investment properties) that have a limited useful life are depreciated. Depreciation is generally calculated on a straight line basis, at rates that allocate the asset’s value, less any estimated residual value, over its estimated useful life. Leasehold improvements are depreciated over the period of the lease or estimated useful life, whichever is the shorter, using the straight-line method. The estimated useful lives, residual values and depreciation method are reviewed at the end of each annual reporting period. At this balance date, all leasehold improvements have been fully amortised to $Nil value (2009 - $Nil).

The following estimated useful lives are used in the calculation of depreciation:

Computer Equipment    3 years
Plant and Equipment    10 years
Leasehold Improvements    Amortised over the unexpired period of the lease

Other operating expenses

Other operating expenses generally represent the day to day running costs incurred in normal operations.

(g) Other economic flows included in net result

Other economic flows measure the change in volume or value of assets or liabilities that do not result from transactions. These include:

Net gain/(loss) on non-financial assets

Net gain/(loss) on non-financial assets and liabilities includes realised and unrealised gains and losses as follows:

Revaluation gains/(losses) of non-current physical assets

Refer to accounting policy on property, plant and equipment provided in Note 1(i) Non-Financial Assets.

Disposal of non-financial assets

Any gain or loss on the sale of non-financial assets is recognised at the date that control of the asset is passed to the buyer and is determined after deducting from the proceeds the carrying value of the asset at that time.

Impairment of non-financial assets

Non-financial assets with indefinite useful lives are tested annually for impairment (i.e. as to whether their carrying value exceeds their recoverable amount and so require write downs), and whenever there is an indication that the asset may be impaired.

All other assets are assessed annually for indications of impairment, except for:
• financial assets
• non-current physical assets held for sale

If there is an indication of impairment, the assets concerned are tested as to whether their carrying value exceeds their possible recoverable amount. Where an asset’s carrying value exceeds its recoverable amount, the difference is written off as an other economic flow, except to the extent that the write-down can be debited to an asset revaluation reserve amount applicable to that class of asset.

It is deemed that, in the event of the loss of an asset, the future economic benefits arising from the use of the asset will be replaced unless a specific decision to the contrary has been made. The recoverable amount for most assets is measured at the higher of depreciated replacement cost and fair value less costs to sell. Recoverable amount for assets held primarily to generate net cash inflows is measured at the higher of the present value of future cash flows expected to be obtained from the asset and fair value less costs to sell.
Other gains/(losses) from other economic flows

Other gains/(losses) from other economic flows include the gains or losses from:
• transfer of amounts from the reserves and/or accumulated surplus to net result due to disposal or derecognition or reclassification; and
• the revaluation of the present value of the long service leave liability due to changes in the bond interest rates.

(h) Financial assets

Cash and deposits

Cash and deposits, including cash equivalents, comprise cash on hand and cash at bank, deposits at call and those highly liquid investments with an original maturity of three months or less, which are held for the purpose of meeting short term cash commitments rather than for investment purposes, and which are readily convertible to known amounts of cash and are subject to an insignificant risk of changes in value.

Receivables

Receivables consist predominantly of amounts owing from the Victorian Government and debtors in relation to goods and services. Amounts owing from the Victorian Government and other statutory receivables are not classified as financial instruments. All debtors are recognised at the amounts receivable as they are due for settlement at no more than 30 days from the date of recognition, except for amounts receivable from government that relate to the extinguishment of long term liabilities, which are classified as Non-current assets.

(i) Non-Financial Assets

Property, plant and equipment

All non-current physical assets are measured initially at cost and subsequently revalued at fair value less accumulated depreciation and impairment. OVPC applies an individual asset capitalisation threshold of $5,000. Individual acquisitions below this value are expensed.

Leasehold improvements

The cost of leasehold improvements is capitalised as an asset and depreciated over the remaining term of the lease or the estimated useful life of the improvements, whichever is the shorter.

Revaluations of non-current physical assets

Non-current physical assets are measured at fair value in accordance with FRD 103D issued by the Minister for Finance. A full revaluation normally occurs every five years, based on the asset’s government purpose classification, but may occur more frequently if fair value assessments indicate material changes in values.

Revaluation increases or decreases arise from differences between an asset’s carrying value and fair value.

Net revaluation increases (where the carrying amount of a class of assets is increased as a result of a revaluation) are recognised in other comprehensive income and accumulated in equity under the revaluation surplus, except that the net revaluation increase shall be recognised in the net result to the extent that it reverses a net revaluation decrease in respect of the same class of property, plant and equipment previously recognised as an expense (other economic flows) in the net result.

Net revaluation decreases are recognised immediately as expenses (other economic flows) in the net result, except that the net revaluation decrease shall be recognised in other comprehensive income to the extent that a credit balance exists in the revaluation surplus in respect of the same class of property, plant and equipment. The net revaluation decrease recognised in other comprehensive income reduces the amount accumulated in equity under revaluation surplus.

Revaluation increases and decreases relating to individual assets within a class of property, plant and equipment, are offset against one another within that class but are not offset in respect of assets in different classes. Any revaluation surplus is not normally transferred to accumulated funds on de-recognition of the relevant asset.

Other non-financial assets

Prepayments

Other non-financial assets include prepayments which represent payments in advance of receipt of goods or services or that part of expenditure made in one accounting period covering a term extending beyond that period.

Impairment of non-financial assets

Refer to Note 1(g) Other economic flows included in net result.

(j) Liabilities

Payables

Payables consist predominantly of accounts payable and other sundry liabilities. Accounts payable represent liabilities for goods and services provided to the OVPC prior to the end of the financial year that are unpaid, and arise when the OVPC becomes obliged to make future payments in respect of the purchase of those goods and services.

Payables are initially measured at fair value, being the cost of the goods and services, and subsequently measured at amortised cost.

Provisions

Provisions are recognised when the OVPC has a present obligation, the future sacrifice of economic benefits is probable, and the amount of the provision can be measured reliably.
The amount recognised as a provision is the best estimate of the consideration required to settle the present obligation at the end of the reporting period, taking into account the risks and uncertainties surrounding the obligation. Where a provision is measured using the cashflows estimated to settle the present obligation, its carrying amount is the present value of those cashflows.

Employee benefits

Provision is made for benefits accruing to employees in respect of wages and salaries, annual leave and long service leave for services rendered to the reporting date.

(i) Wages and salaries, annual leave and sick leave

Liabilities for wages and salaries, including non-monetary benefits, annual leave and accumulating sick leave which are expected to be settled within 12 months of the reporting period are recognised in the provision for employee benefits. These liabilities are classified as current liabilities and measured at their nominal values.

Those liabilities that are not expected to be settled within 12 months are recognised in the provision for employee benefits as current liabilities, measured at present value of the amounts expected to be paid when the liabilities are settled using the remuneration rate expected to apply at the time of settlement.

(ii) Long service leave

Liability for long service leave (LSL) is recognised in the provision for employee benefits.

Current liability – unconditional LSL is disclosed in the notes to the financial statements as a current liability even where the OVPC does not expect to settle the liability within 12 months because it will not have the unconditional right to defer the settlement of the entitlement should an employee take leave within 12 months.

The components of this current LSL liability are measured at:
• nominal value—component that the OVPC expects to settle within 12 months; and
• present value—component that the OVPC does not expect to settle within 12 months.

Non current liability – conditional LSL is disclosed as a non-current liability. There is an unconditional right to defer the settlement of the entitlement until the employee has completed the requisite years of service.

This non current LSL liability is measured at present value. Any gain or loss following revaluation of the present value of non-current LSL liability is recognised as a transaction, except to the extent that a gain or loss arises due to changes in bond interest rates for which it is then recognised as an other economic flow (refer to Note 1(g) Other economic flows included in net result).

Employee benefits on-costs

Employee benefits on-costs such as payroll tax, workers compensation and superannuation are recognised separately from the provision for employee benefits.

(k) Leases

A lease is a right to use an asset for an agreed period of time in exchange for payment.

Leases are classified at their inception as either operating or finance leases based on the economic substance of the agreement so as to reflect the risks and rewards incidental to ownership. Leases of property, plant and equipment are classified as finance infrastructure leases whenever the terms of the lease transfer substantially all the risks and rewards of ownership from the lessor to the lessee. All other leases are classified as operating leases.

Operating leases

OVPC as lessee

Operating lease payments, including any contingent rentals, are recognised as an expense in the comprehensive operating statement on a straight-line basis over the lease term, except where another systematic basis is more representative of the time pattern of the benefits derived from the use of the leased asset. The leased asset is not recognised in the balance sheet.

All incentives for the agreement of a new or renewed operating lease are recognised as an integral part of the net consideration agreed for the use of the leased asset, irrespective of the incentive’s nature or form or the timing of payments.

In the event that lease incentives are received to enter into operating leases, the aggregate cost of incentives are recognised as a reduction of rental expense over the lease term on a straight-line basis, unless another systematic basis is more representative of the time pattern in which economic benefits from the leased asset are consumed.

(l) Equity

Contributions by owners

Additions to net assets which have been designated as contributions by owners are recognised as contributed capital. Other transfers that are in the nature of contributions or distributions have also been designated as contributions by owners.

Transfers of net assets arising from administrative restructurings are treated as distributions to or contributions by owners.

(m) Commitments

Commitments are disclosed at their nominal value and inclusive of the Goods and Services Tax (GST) payable.

(n) Contingent assets and contingent liabilities

Contingent assets and contingent liabilities are not recognised in the balance sheet, but are disclosed by way of a note and, if quantifiable, are measured at nominal value. Contingent assets and liabilities are presented inclusive of GST receivable or payable respectively.

(o) Accounting for the Goods and Services Tax (GST)

Income, expenses and assets are recognised net of the amount of associated GST, unless the GST incurred is not recoverable from the taxation authority. In this case it is recognised as part of the cost of acquisition of the asset or as part of the expense.

DoJ manages the GST transactions on behalf of OVPC and the net amount of GST recoverable from or payable to the Australian Taxation Office is recognised in the DoJ financial statements.

(p) Events after reporting date

Assets, liabilities, income or expenses arise from past transactions or other past events. Where the transactions result from an agreement between the OVPC and other parties, the transactions are only recognised when the agreement is irrevocable at or before the end of the reporting period. Adjustments are made to amounts recognised in the financial statements for events which occur after the reporting period and before the date the financial statements are authorised for issue, where those events provide information about conditions which existed in the reporting period. Note disclosure is made about events between the end of the reporting period and the date the financial statements are authorised for issue where the events relate to conditions which arose after the end of the reporting period and which may have a material impact on the results of subsequent reporting periods.

(q) Rounding of amounts

Amounts in the financial statements have been rounded to the nearest dollar, unless otherwise stated. Figures in the financial statements may not equate due to rounding.

(r) AASs issued that are not yet effective

Certain new accounting standards and interpretations have been published that are not mandatory for the 30 June 2010 reporting period. DTF assesses the impact of these new standards and advises entities of their applicability and early adoption where applicable.

As at 30 June 2010, the following standards and interpretations had been issued but were not mandatory for financial year ending 30 June 2010. The OVPC has not, and does not intend to, adopt these standards early.

Standard / Interpretation: AASB 2009-5 Further Amendments to Australian Accounting Standards arising from the Annual Improvements Project. [AASB 5, 8, 101, 107, 117, 118, 136 & 139]
Summary: Some amendments will result in accounting changes for presentation, recognition or measurement purposes, while other amendments will relate to terminology and editorial changes.
Applicable for annual reporting periods beginning or ending on: Beginning 1 Jan 2010
Impact on financial statements: Terminology and editorial changes. Impact minor.

Standard / Interpretation: Erratum General Terminology changes.
Summary: Editorial amendments to a range of Australian Accounting Standards and Interpretations
Applicable for annual reporting periods beginning or ending on: Beginning 1 Jan 2010
Impact on financial statements: Terminology and editorial changes. Impact minor.

Standard / Interpretation: AASB 124 Related party disclosures (Dec 2009)
Summary: Government related entities have been granted partial exemption with certain disclosure requirements.
Applicable for annual reporting periods beginning or ending on: Beginning 1 Jan 2011
Impact on financial statements: Preliminary assessment suggests that impact is insignificant. However, OVPC is still assessing the detailed impact and whether to early adopt.

Standard / Interpretation: AASB 2009-14 Amendments to Australian Interpretation – Prepayments of a minimum funding requirement [AASB Interpretation 14]
Summary: Amendment to Interpretation 14 arising from the issuance of Prepayments of a minimum funding requirement.
Applicable for annual reporting periods beginning or ending on: Beginning 1 Jan 2011
Impact on financial statements: Expected to have no significant impact

Standard / Interpretation: AASB 9 Financial Instruments
Summary: This standard simplifies requirements for the classification and measurement of financial assets resulting from Phase 1 of the IASB’s project to replace IAS 39 Financial Instruments: Recognition and Measurement (AASB 139 Financial Instruments: Recognition and Measurement).
Applicable for annual reporting periods beginning or ending on: Beginning 1 Jan 2013
Impact on financial statements: Detail of impact is still being assessed.

Standard / Interpretation: AASB 2009-11 Amendments to Australian Accounting Standards arising from AASB 9 [AASB 1, 3, 4, 5, 7, 101, 102, 108, 112, 118, 121, 127, 128, 131, 132, 136, 139, 1023 & 1038 and Interpretations 10 & 12]
Summary: This gives effect to consequential changes arising from the issuance of AASB 9.
Applicable for annual reporting periods beginning or ending on: Beginning 1 Jan 2013
Impact on financial statements: Detail of impact is still being assessed.

2. INCOME FROM TRANSACTIONS    2010 $    2009 $

Annual grant revenue provided to OVPC by the Department of Justice during the period    2,048,900    2,012,000
Reduction of annual grant revenue arising from depreciation adjustment    6,866    4,608
Net grant revenue received during the year    2,042,034    2,007,392

Other income
Section 29 revenues - training and conference activities    99,743    34,634

Funding for depreciation for the financial year amounting to $6,900 (2009 - $9,800) was provided; however, at the end of the financial year it is adjusted to the amount required to match capital expenditure made during the year, which in the year to 30 June 2010 amounted to $Nil (2009 - $5,341). The actual depreciation charge for the year was $6,866 (2009 - $9,949). While depreciation is not fully funded, the funding of other expenditure allows OVPC to meet its statutory functions.

3. EXPENSES FROM TRANSACTIONS    2010 $    2009 $

(a) Employee expenses
Salaries    1,167,413    1,121,110
Superannuation contributions (Note 10)    104,858    98,178
Payroll tax    66,040    60,809
Annual leave expense    14,318    (22,042)
Long service leave expense    455    29,129
Workers compensation    7,428    6,450
Fringe benefits tax    303    1,859
Total employee expenses    1,360,815    1,295,493

(b) Supplies and services
Computer requisites    47,642    50,725
Other supplies and services    179,811    168,309
Systems development and maintenance    100,510    84,223
Advertising, printing and subscriptions    86,766    79,115
Professional services    148,799    159,773
Telephones, facsimile    20,540    22,648
Total supplies and services    584,068    564,793

(c) Depreciation and amortisation
Computer and communication equipment    5,789    8,240
Plant and equipment    1,077    1,709
Total Depreciation and amortisation    6,866    9,949

(d) Other operating expenses
Rental expense relating to operating leases    162,054    165,650
Other    11,642    10,720
    173,696    176,370

4. OTHER ECONOMIC FLOWS INCLUDED IN NET RESULT

Net gain/(loss) arising from revaluation of long service leave liability    (410)    (7,318)
    (410)    (7,318)

5. RECEIVABLES

Current receivables - statutory
Amount owing from the Department of Justice    326,884    156,113
Total current receivables    326,884    156,113

Non-current receivables - statutory
Amount owing from the Department of Justice    21,632    15,624
Total non-current receivables    21,632    15,624

Total receivables    348,516    171,736

6. PREPAYMENTS

By expense activity:
Privacy law compliance    2,620    2,278
Privacy education and training    600    1,305
Information technology responsibilities    8,819    9,077
Administration    1,717    3,092
Total prepayments    13,756    15,752

7. PLANT AND EQUIPMENT    2010 $    2009 $

Government purpose group - Public administration

Computer and communication equipment - at cost    60,417    70,620
Less: Accumulated depreciation    56,037    60,451
    4,380    10,169

Plant and equipment - at cost    10,763    10,763
Less: Accumulated depreciation    6,545    5,468
    4,218    5,295

Leasehold improvements - at cost    188,965    188,965
Less: Accumulated depreciation    188,965    188,965
    0    0

Total Plant and equipment    8,598    15,464

Leasehold improvements had been fully amortised by the end of the initial lease term which ended on 31 March 2007. All OVPC’s Plant & Equipment are classified into the Public Administration Purpose Group.

Reconciliations

Reconciliations of the carrying amounts of each class of plant and equipment at the beginning and end of the current and previous financial year are set out below.

Carrying amount    Computer & Communication Equipment    Plant & Equipment    Leasehold Improvements    Total

Balance at 1 July 2008    13,068    8,729    0    21,797
Additions    5,341    0    0    5,341
Disposals    0    (1,725)    0    (1,725)
Depreciation/amortisation expense (Note 3 (c))    (8,240)    (1,709)    0    (9,949)
Balance at 1 July 2009    10,169    5,295    0    15,464
Additions    0    0    0    0
Disposals    0    0    0    0
Depreciation/amortisation expense (Note 3 (c))    (5,789)    (1,077)    0    (6,866)
Balance at 30 June 2010    4,380    4,218    0    8,598

8. PAYABLES    2010 $    2009 $

Current payables
Contractual
Supplies and services    87,469    127,944
Statutory
Taxes payable    164    525
Total current payables    87,633    128,469

(i) The average credit period is 30 days.

(a) Maturity analysis of payables - Please refer to table (c) in Note 13 for the ageing analysis of payables.

(b) Nature and extent of risk arising from payables - Please refer to Note 13 for the nature and extent of risks arising from payables.

9. PROVISIONS    2010 $    2009 $

CURRENT
Employee benefits (Note 9(a)) - Annual leave:
Unconditional and expected to be settled within 12 months    31,937    20,265
Unconditional and expected to be settled after 12 months    2,012    1,581
Employee benefits (Note 9(a)) - Long service leave:
Unconditional and expected to be settled within 12 months    70,778    89,952
Unconditional and expected to be settled after 12 months    78,820    74,667
Total employee benefits provisions    183,547    186,465
Provisions related to employee benefit on-costs
Unconditional and expected to be settled within 12 months    18,072    19,290
Unconditional and expected to be settled after 12 months    12,277    11,317
Total current provisions    213,896    217,072

NON-CURRENT
Employee benefits (Note 9(a))    18,877    13,645
Employee benefit on-costs    2,755    1,979
Total non-current provisions    21,632    15,624

Total provisions    235,528    232,696

(a) Employee benefits and related on-costs

Current employee benefits
Annual leave entitlements    33,948    21,846
Long service leave entitlements    149,598    164,618
Non-current employee benefits
Long service leave entitlements    18,877    13,645
Total employee benefits    202,423    200,109
Current on-costs    30,350    30,608
Non-current on-costs    2,755    1,979
Total on-costs    33,105    32,587
Total employee benefits and related on-costs    235,528    232,696

MOVEMENTS IN PROVISIONS    On-costs    Total

Opening balance    32,587    32,010
Additional provisions recognised    26,721    21,150
Reductions arising from payments/other sacrifices of economic benefits    (26,203)    (20,573)
Closing balance    33,105    32,587
Current    30,350    30,608
Non-current    2,755    1,979
    33,105    32,587

10. SUPERANNUATION FUNDS

Employees of the OVPC are entitled to receive superannuation benefits and the OVPC contributes to both defined benefit and defined contribution plans. The defined benefit plan provides benefits based on years of service and final average salary.

OVPC does not recognise any defined benefit liability in respect of the plan(s) because the OVPC has no legal or constructive obligation to pay future benefits relating to its employees; its only obligation is to pay superannuation contributions as they fall due. The Department of Treasury and Finance recognises and discloses the State’s defined benefit liabilities in its financial statements.

However, superannuation contributions paid or payable for the reporting period are included as part of employee benefits in the Comprehensive Operating Statement for OVPC.
The name and details of the major employee superannuation funds and paid contributions made by OVPC are as follows:

    2010 $    2009 $
State Superannuation Schemes (Defined benefit scheme)    15,522    16,063
VicSuper (Accumulation scheme)    84,906    77,709
Other    4,429    4,406
Total superannuation    104,858    98,178

11. COMMITMENTS FOR EXPENDITURE    2010 $    2009 $

The following commitments have not been recognised as liabilities in the financial statements:

Operating leases

Commitments under a non-cancellable operating lease at the reporting date are as follows:

Not longer than 1 year    124,785    166,380
Longer than one year and not later than 5 years    0    124,785
Longer than 5 years    0    0
    124,785    291,165

Leasing arrangements

The operating lease relates to office facilities with a lease term of 2 years, terminating as at 31 March 2011 without an option to extend. OVPC does not have an option to purchase the leased asset at the expiry of the lease period.

Commitments for capital expenditure are not recognised as liabilities in the financial statements. Commitments for capital expenditure at the end of the financial year were $Nil (2009 $Nil).

12. CONTINGENT LIABILITIES AND CONTINGENT ASSETS

There were no contingent liabilities or contingent assets as at 30 June 2010 (2009: Nil).

13. FINANCIAL INSTRUMENTS

(a) Financial risk management and objectives and policies

The OVPC’s financial instruments comprise:
• Cash
• Payables (excluding statutory payables)

Details of significant accounting policies and methods adopted, including the criteria for recognition, the basis of measurement and the basis on which income and expenses are recognised, in respect of each class of financial asset, financial liability and equity instrument are disclosed in Note 1 to the financial statements.

Table 13.1 Categorisation of financial instruments

    Note    Category    Carrying amount 2010 $    Carrying amount 2009 $
Financial assets
Cash and cash equivalents    14 (a)    Cash    500    500
Financial liabilities
Payables    8    Financial liabilities measured at amortised cost    87,633    128,469

(b) Credit risk

Credit risk arises from the financial assets of OVPC. OVPC’s exposure to credit risk arises from the potential default of counter parties on their contractual obligations resulting in financial loss to OVPC. Credit risk is measured at fair value and is monitored on a regular basis.

Credit risk associated with OVPC’s financial assets is minimal because the only debtor is the Department of Justice.

Provision of impairment for financial assets is calculated based on past experience and current and expected changes in client credit ratings.

The carrying amount of financial assets recorded in the financial statements net of any allowances for losses, represents OVPC’s maximum exposure to credit risk without taking account of the value of collateral obtained.

Currently, OVPC does not hold any collateral as security nor credit enhancements relating to any of its financial assets.

As at the reporting date, there is no evidence to indicate that any of the financial assets were impaired.

(c) Liquidity risk

Liquidity risk is the risk that the OVPC would be unable to meet its financial obligations as they fall due.
OVPC operates under the Government fair payments policy of settling financial obligations within 30 days and in the event of a dispute, make payments within 30 days from the date of resolution . The OVPC’s exposure to liquidity risk is deemed insignificant based on prior periods’ data and current assessment of risk . Maximum exposure to liquidity risk is the carrying amounts of financial liabilities in the financial report . The following table discloses the contractual maturity analysis for OVPC’s financial liabilities:

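| | Carrying amount | Nominal amount | Maturity: less than 1 month | Maturity: 1 - 3 months | Maturity: 3 months - 1 year | Maturity: 1 - 5 years |
|---|---|---|---|---|---|---|
| 2010 | | | | | | |
| Payables | 87,633 | 87,633 | 76,919 | 10,714 | - | - |
| Total | 87,633 | 87,633 | 76,919 | 10,714 | - | - |
| 2009 | | | | | | |
| Payables | 128,469 | 128,469 | 122,944 | 5,525 | - | - |
| Total | 128,469 | 128,469 | 122,944 | 5,525 | - | - |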

(d) Market risk

OVPC is not exposed to market risk.

(e) Fair value

Management consider that the carrying amount of financial assets and liabilities recorded in the financial report approximate their fair values because of the short term nature of the financial instruments and the expectation they will be paid in full.

14. NOTES TO THE CASH FLOW STATEMENT

(a) Reconciliation of cash

For purposes of the Cash Flow Statement, cash includes cash on hand. Cash at the end of the reporting period as shown in the Cash Flow Statement is reconciled to the related items in the Balance Sheet as follows:

| | 2010 $ | 2009 $ |
|---|---|---|
| Cash | 500 | 500 |
| Total | 500 | 500 |

(b) Reconciliation of net result for the reporting period to net cash inflow from operating activities

| | 2010 $ | 2009 $ |
|---|---|---|
| Net result for the period | 15,922 | (11,897) |
| Non-cash movements: | | |
| Depreciation | 6,866 | 9,949 |
| Movements in assets and liabilities: | | |
| (Increase)/Decrease in receivables | (176,780) | (19,052) |
| (Increase)/Decrease in prepayments | 1,996 | (11,348) |
| (Decrease)/Increase in creditors and accruals | (40,836) | 20,766 |
| (Decrease)/Increase in provision for employee entitlements | 2,832 | 16,923 |
| | (205,922) | 17,238 |
| Net cash flows from (used in) operating activities | 190,000 | 5,341 |

15. NET WORTH

At the end of the prior financial year, the Net Worth of OVPC was negative - $157,713. However, in the current financial year, DoJ made a capital contribution of $190,000 so that at the end of the financial year, Net Worth is positive - $48,209.

16. RESPONSIBLE PERSONS

In accordance with the Ministerial Directions issued by the Minister for Finance under the Financial Management Act 1994, the following disclosures are made regarding responsible persons for the reporting period.

The names of persons who were Responsible Persons during the financial year are as follows:

Minister:
Rob Hulls - Attorney-General 1 July 2009 to 30 June 2010

Acting Minister during Attorney-General’s leave periods:
The Hon. Tony Robinson, MP 1 July 2009 to 11 July 2009
The Hon. , MP 11 January 2010 to 15 January 2010
The Hon. , MLC 16 January 2010 to 31 January 2010

Privacy Commissioner:
Helen Versey 1 July 2009 to 30 June 2010

Remuneration

Remuneration received or receivable by the accountable officer in connection with the management of the OVPC during the reporting period was in the range: $180,000 – $190,000 ($180,000 – $190,000 in 2008-09).

Amounts relating to Ministers are reported in the financial report of the Department of Premier and Cabinet.

There are no other executive officers other than the above.

Other transactions

Other related transactions and loans requiring disclosure under the Directions of the Minister for Finance have been considered and there are no matters to report.

There were no related-party transactions for the year ended 30 June 2010 (2009: Nil).

17. REMUNERATION OF AUDITORS

| | 2010 $ | 2009 $ |
|---|---|---|
| Audit fees paid or payable to the Victorian Auditor-General’s Office for the audit of OVPC’s financial report | | |
| Total cost as at 30 June 2010 (2009) | 11,650 | 10,692 |
| Total | 11,650 | 10,692 |

18. SUBSEQUENT EVENTS

OVPC has no material or significant events occurring after the reporting date (2009 $Nil).

19. GLOSSARY OF TERMS

Comprehensive result
Total comprehensive result is the change in equity for the period other than changes arising from transactions with owners. It is the aggregate of net result and other non-owner changes in equity.

Commitments
Commitments include those operating, capital and other outsourcing commitments arising from non-cancellable contractual or statutory sources.

Employee benefits expenses
Employee benefits expenses include all costs related to employment including wages and salaries, leave entitlements, redundancy payments, defined benefits superannuation plans, and defined contribution superannuation plans.

Financial asset
A financial asset is any asset that is:
(a) cash;
(b) an equity instrument of another entity;
(c) a contractual or statutory right:
  • to receive cash or another financial asset from another entity; or
  • to exchange financial assets or financial liabilities with another entity under conditions that are potentially favourable to the entity; or
(d) a contract that will or may be settled in the entity’s own equity instruments and is:
  • a non-derivative for which the entity is or may be obliged to receive a variable number of the entity’s own equity instruments; or
  • a derivative that will or may be settled other than by the exchange of a fixed amount of cash or another financial asset for a fixed number of the entity’s own equity instruments.

Financial instrument
A financial instrument is any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument of another entity. Financial assets or liabilities that are not contractual (such as statutory receivables or payables that arise as a result of statutory requirements imposed by governments) are not financial instruments.

Financial liability
A financial liability is any liability that is:
(a) A contractual or statutory obligation:
  (i) To deliver cash or another financial asset to another entity; or
  (ii) To exchange financial assets or financial liabilities with another entity under conditions that are potentially unfavourable to the entity; or
(b) A contract that will or may be settled in the entity’s own equity instruments and is:
  (i) A non-derivative for which the entity is or may be obliged to deliver a variable number of the entity’s own equity instruments; or
  (ii) A derivative that will or may be settled other than by the exchange of a fixed amount of cash or another financial asset for a fixed number of the entity’s own equity instruments. For this purpose the entity’s own equity instruments do not include instruments that are themselves contracts for the future receipt or delivery of the entity’s own equity instruments.

Financial statements
Depending on the context of the sentence where the term ‘financial statements’ is used, it may include only the main financial statements (i.e. comprehensive operating statement, balance sheet, cash flow statements, and statement of changes in equity); or it may also be used to replace the old term ‘financial report’ under the revised AASB 101 (September 2007), which means it may include the main financial statements and the notes.

Grants and other transfers
Transactions in which one unit provides goods, services, assets (or extinguishes a liability) or labour to another unit without receiving approximately equal value in return. Grants can either be operating or capital in nature. While grants to governments may result in the provision of some goods or services to the transferor, they do not give the transferor a claim to receive directly benefits of approximately equal value. For this reason, grants are referred to by the AASB as involuntary transfers and are termed non-reciprocal transfers. Receipt and sacrifice of approximately equal value may occur, but only by coincidence. For example, governments are not obliged to provide commensurate benefits, in the form of goods or services, to particular taxpayers in return for their taxes. Grants can be paid as general purpose grants which refer to grants that are not subject to conditions regarding their use. Alternatively, they may be paid as specific purpose grants which are paid for a particular purpose and/or have conditions attached regarding their use.

Net result
Net result is a measure of financial performance of the operations for the period. It is the net result of items of income, gains and expenses (including losses) recognised for the period, excluding those that are classified as other non-owner changes in equity.

Net result from transactions/net operating balance
Net result from transactions or net operating balance is a key fiscal aggregate and is income from transactions minus expenses from transactions. It is a summary measure of the ongoing sustainability of operations. It excludes gains and losses resulting from changes in price levels and other changes in the volume of assets. It is the component of the change in net worth that is due to transactions and can be attributed directly to government policies.

Non-financial assets
Non-financial assets are all assets that are not ‘financial assets’.

Other economic flows
Other economic flows are changes in the volume or value of an asset or liability that do not result from transactions. It includes gains and losses from disposals, revaluations and impairments of non-current physical and intangible assets; actuarial gains and losses arising from defined benefit superannuation plans; fair value changes of financial instruments and agricultural assets; and depletion of natural assets (non-produced) from their use or removal. In simple terms, other economic flows are changes arising from market remeasurements.

Payables
Includes short and long term trade debt and accounts payable, grants, taxes and interest payable.

Receivables
Includes amounts owing from government through appropriation receivable, short and long term trade credit and accounts receivable, accrued investment income, grants, taxes and interest receivable.

Supplies and services
Supplies and services generally represent the day-to-day running costs, including maintenance costs, incurred in the normal operations of OVPC.

Transactions
Transactions are those economic flows that are considered to arise as a result of policy decisions, usually an interaction between two entities by mutual agreement. They also include flows within an entity such as depreciation where the owner is simultaneously acting as the owner of the depreciating asset and as the consumer of the service provided by the asset. Taxation is regarded as mutually agreed interactions between the government and taxpayers. Transactions can be in kind (e.g. assets provided/given free of charge or for nominal consideration) or where the final consideration is cash. In simple terms, transactions arise from the policy decisions of the government.

Accountable officer’s and chief financial and accounting officer’s declaration

Auditor-General’s report to the Members of Parliament of Victoria, the responsible Ministers and the Victorian Privacy Commissioner


Appendix A
Disclosure Index

The Annual Report of the Office of the Victorian Privacy Commissioner is prepared in accordance with all relevant Victorian legislation. This index has been prepared to facilitate identification of the Department’s compliance with statutory disclosure requirements.

Legislation Requirement Page reference

Ministerial Directions

Report of operations – FRD Guidance

Charter and purpose

FRD 22B Manner of establishment and the relevant Ministers Page 4

FRD 22B Objectives, functions, powers and duties Page 4

FRD 22B Nature and range of services provided Pages 2-42

Management and structure

FRD 22B Organisational structure Page 43

Financial and other information

FRD 8B Budget portfolio outcomes Page 73

FRD 10 Disclosure index Pages 71-72

FRD 12A Disclosure of major contracts Page 46

FRD 15B Executive officer disclosures Page 65

FRD 22B, SD 4.2(k) Operational and budgetary objectives and performance against objectives Pages 5-42

FRD 22B Employment and conduct principles Pages 45-47

FRD 22B Occupational health and safety policy Page 45

FRD 22B Summary of the financial results for the year Pages 50-53

FRD 22B Significant changes in financial position during the year Pages 50-53

FRD 22B Major changes or factors affecting performance Pages 5-42

FRD 22B Subsequent events Page 65

FRD 22B Application and operation of Freedom of Information Act 1982 Page 46

FRD 22B Compliance with building and maintenance provisions of Building Act 1993 Page 46

FRD 22B Statement on National Competition Policy n/a

FRD 22B Application and operation of the Whistleblowers Protection Act 2001 Page 46

FRD 22B Details of consultancies over $100,000 Page 46

FRD 22B Details of consultancies under $100,000 Page 46

FRD 22B Statement of availability of other information Page 74

FRD 24C Reporting of office-based environmental impacts Page 48

FRD 25 Victorian Industry Participation Policy disclosures Page 46

FRD 29 Workforce Data disclosures Pages 43-44

SD 4.5.5 Risk management compliance attestation Page 49

SD 4.2(g) General information requirements Inside Cover

SD 4.2(j) Sign-off requirements Inside Cover

Financial statements

Financial statements required under Part 7 of the FMA

SD4.2(a) Statement of changes in equity Page 52

SD4.2(b) Operating statement Page 50

SD4.2(b) Balance sheet Page 51

SD4.2(b) Cash flow statement Page 53

Other requirements under Standing Direction 4.2

SD4.2(a) Compliance with Australian accounting standards and other authoritative pronouncements Page 55

SD4.2(a) Statement of Compliance Page 55

SD4.2(d) Rounding of amounts Page 59

SD4.2(c) Accountable officer’s declaration Page 68

Other disclosures as required by FRDs in notes to the financial statements

FRD 9A Departmental disclosure of administered assets and liabilities n/a

FRD 11 Disclosure of ex-gratia payments n/a

FRD 13 Disclosure of parliamentary appropriations n/a

FRD 21A Responsible person and executive officer disclosures Page 65

FRD 102 Inventories n/a

FRD 103D Non-current physical assets Page 62

FRD 104 Foreign currency n/a

FRD 106 Impairment of assets Page 58

FRD 109 Intangible assets n/a

FRD 107 Investment properties n/a

FRD 110 Cash flow statements Page 53

FRD 112A Defined benefit superannuation obligations Pages 56, 65

FRD 113 Investments in subsidiaries, jointly controlled entities and associates n/a

FRD 114A Financial Instruments – General government entities and public non-financial corporations Page 66

FRD 119 Contributions by owners Page 52

Legislation

Freedom of Information Act 1982 Page 46

Building Act 1983 Page 46

Whistleblowers Protection Act 2001 Pages 46-47

Victorian Industry Participation Policy Act 2003 Page 46

Financial Management Act 1994 Page 56

Multicultural Victoria Act 2004 Pages 28-42

Appendix B
Major Outputs

Budget Paper 3 for 2009-10 (p.150) describes the outputs for the Office of the Victorian Privacy Commissioner. The results for 2009-10 are as follows:

Privacy Regulation

The Office of the Victorian Privacy Commissioner administers the Information Privacy Act 2000, which includes complaints handling, investigation and audit, advice and guidance, and education and training for state and local government and the general public 1.

| Performance Measures | Unit | 2009-10 Target | 2009-10 Actual |
|---|---|---|---|
| Quantity | | | |
| Compliance activities conducted (a) | number | 2,640 | 2,756 |
| Privacy awareness activities conducted (b) | number | 190 | 205 |
| Quality | | | |
| Client satisfaction with services provided | percent | High | High |
| Timeliness | | | |
| Statutory or agreed timelines met | percent | 90 | 90 |
| Cost | | | |
| Total Output Cost | $ million | 2.4 | 2.1 (c) |

(a) Compliance activities include complaints, enquiries, consultations, guidance, audits, investigations and codes of practice.
(b) Privacy awareness activities include public sector training, and awareness raising activities for the general public and the public sector.
(c) Audited cost of outputs controlled by Privacy Commissioner.

Appendix C
Additional Departmental Information Available on Request

In compliance with the requirements of the Standing Directions of the Minister for Finance, details in respect of the items listed below have been retained by the Department and are available to the relevant Ministers, Members of Parliament and the public on request (subject to the freedom of information requirements, if applicable):

(a) a statement that declarations of pecuniary interests have been duly completed by all relevant officers of the Department;
(b) details of shares held by senior officers as nominee or held beneficially in a statutory authority or subsidiary;
(c) details of publications produced by the Department about the activities of the Department and where they can be obtained;
(d) details of changes in prices, fees, charges, rates and levies charged by the Department for its services, including services that are administered;
(e) details of any major external reviews carried out in respect of the operation of the Department;
(f) details of any other research and development activities undertaken by the Department that are not otherwise covered either in the report of operations or in a document which contains the financial statement and report of operations;
(g) details of overseas visits undertaken including a summary of the objectives and outcomes of each visit;
(h) details of major promotional, public relations and marketing activities undertaken by the Department to develop community awareness of the services provided by the Department;
(i) details of assessments and measures undertaken to improve the occupational health and safety of employees, not otherwise detailed in the report of operations;
(j) a general statement on industrial relations within the Department and details of time lost through industrial accidents and disputes, which are not otherwise detailed in the report of operations; and
(k) a list of major committees sponsored by the Department, the purposes of each committee and the extent to which the purposes have been achieved.

The information is available on request from:
The Victorian Privacy Commissioner
Phone: 03 8619 8719
Email: [email protected]

Appendix D
Speeches and Presentations

Staff of the Office of the December 2009 Helen Versey, Victorian Privacy Commissioner Privacy Commissioner Victorian Privacy Commissioner 8 Port of Melbourne Authority, Melbourne July 2009 July 2009 10 Victorian Commission for Gambling 17 Glenroy Community Information 30 Springvale Botanical Cemetery Regulation, Melbourne Annual General Meeting August 2009 22 Victorian Commission for Gambling August 2009 11 Victorian Local Government Regulation, Melbourne 26 Victorian Managed Insurance Multicultural Information Network, January 2010 Authority, Melbourne Melbourne 15 Ombudsman Victoria, Melbourne September 2009 20 Australian Catholic University, East

Melbourne February 2010 21 Royal Melbourne Show,Flemington 9 Victorian Commission for Gambling 2009–10 September 2009 October 2009 Regulation, Melbourne 21 Chartered Secretaries Australia 7 Australian Law Librarians Association, 17 Wyndham City Council, Werribee (Victoria), Melbourne annual report Melbourne 22 Royal Melbourne Show, Flemington March 2010 14 International Association of Privacy Professionals, Australia and New 23 Royal Melbourne Show, Flemington 3 City of Port Phillip, St Kilda Zealand Chapter Annual Conference, 24 Royal Melbourne Show, Flemington 12 Monash University, Advancement, Melbourne Caulfield 25 Royal Melbourne Show, Flemington November 2009 19 Windermere Child and Family 4 31st International Conference 29 Vietnamese Community Workers, Services, Narre Warren Flemington of Data Protection and Privacy 24 Moyne Shire Council, Port Fairy Commissioners, Madrid, Spain October 2009 24 Hume City Council, Broadmeadows 26 Department of Justice, Melbourne 1 Royal Melbourne Institute of Technology, Melbourne April 2010 May 2010 23 Maribyrnong City Council, Footscray 3 Launch of Privacy Awareness Week 7 Western Water, Sunbury 2010, Melbourne 9 Western Water, Sunbury 27 Chartered Secretaries Australia (Victoria), Melbourne 6 Transport Accident Commission, 15 Loddon Shire Council, Wedderburn Geelong 30 City of Port Phillip, St Kilda 22 Mildura Rural City Council 6 City of Greater Geelong May 2010 26 Victorian Institute of Teaching, 7 Department of Human Services, Melbourne 4 VPS Graduate Program, Melbourne Geelong 29 Yarram Secondary College 5 VPS Graduate Program, Melbourne 21 Watch this space conference, 12 VPS Graduate Program, Melbourne Melbourne 30 Tarwin Lower Community Health Centre, Friday Friendship Group 12 City of Casey, Narre Warren November 2009 13 VPS Graduate Program, Melbourne 5 Delegation from Guangxi Zhuang 13 Office of the Child Safety Autonomous Region, Peoples’ Commissioner, Melbourne Republic of China, Melbourne 14 VPS Graduate 
Program, Melbourne 16 Victorian Institute of Teaching, Melbourne 14 Building Commission, Melbourne 17 Rural City of Wangaratta 17 Building Commission, Melbourne 19 Barwon Water, Geelong 26 Wyndham City Council, Werribee 25 Wyndham City Council, Werribee 27 Warrnambool City Council 25 Victorian Information Technology 31 Victoria Police, Melbourne Teachers’ Association Annual Conference, Flemington June 2010 1 Hume City Council, Broadmeadows 27 Wellington Shire Council, Sale 3 Independence Australia, Melbourne 30 Victorian Bushfire Reconstruction and Recovery Authority, Melbourne 17 Wodonga City Council 17 East Gippsland Shire, Bairnsdale

Appendix E
Info Sheet 05.09 July 2009

Recordkeeping compliance, recordkeeping systems and the Information Privacy Principles

This Fact Sheet outlines the relationships between the functions of a recordkeeping system and the Information Privacy Act’s ten Information Privacy Principles (IPPs). It has been published jointly by the Office of the Victorian Privacy Commissioner and the Public Record Office of Victoria.

Legislative context

Both the Information Privacy Act 2000 and the Public Records Act 1973 regulate how Victorian state and local government agencies create, collect, use and manage recorded information. “Public records,” as defined in the Public Records Act, include any records made or received by a person employed in a public office in the course of his or her duties, or by a court or person acting judicially in Victoria. The Information Privacy Act is concerned only with “personal information” – information about an individual from which the person’s identity is apparent or can be reasonably ascertained. Both Acts apply to recorded information in any format, for example paper, film, tapes, discs, computer drives and portable storage devices such as USB keys.

Information Privacy Principles (IPPs)

The 10 Information Privacy Principles (IPPs) refer to, respectively:
1. Collection
2. Use and disclosure
3. Data quality
4. Data security
5. Openness
6. Access and correction
7. Unique identifiers
8. Anonymity
9. Transborder data flows
10. Sensitive information

The full text of the IPPs is available at www.privacy.vic.gov.au.

Recordkeeping systems and the IPPs

It is much easier to implement the IPPs when information and records are kept (managed) in a recordkeeping system. Recordkeeping systems include software and hardware, but they are more than that. They are whole frameworks that include: software and hardware; policies and procedures and people trained in them; the records themselves; and specialised information and records systems used to control the records [1]. A recordkeeping system protects records and makes them accessible according to authorised destruction and security standards, including relevant IPPs. Because recordkeeping systems have common features in handling records, it is easy to identify their benefits for assisting compliance with the IPPs.

How recordkeeping systems support implementation of the IPPs

Recordkeeping systems capture not only the records’ content, but also information about how they are created and used.

Rules concerning the capture of records and information support are:
• collecting personal information that is necessary for the performance of functions
• non-capture of unnecessary inappropriate information
• updating information as a transaction or relationship proceeds

Recordkeeping systems usually register captured records – i.e. provide evidence of capture by assigning a sequential number or other unique identifier at the time of capture.

Registration:
• supports data quality by identifying when and how a record was captured
• indicates whether information in a record needs to be updated
• supports anonymous transactions, e.g. by assigning a case number to an enquiry or report so it can be actioned, but not capturing a person’s name
• supports identification of data to be moved to another organisation or jurisdiction

Classification is the assignment of records to categories of business activities, so as to facilitate description, control, links, and determination of disposal and access status.

Classifying records:
• enables appropriate access and disclosure rules to be applied to all records in a category
• enables appropriate security arrangements to be applied to all records in a category
• supports anonymous transactions (where appropriate) while still providing for statistical and other analysis of activity
• supports identification of data to be moved to another organisation or jurisdiction

Recordkeeping systems manage access to, and security of, records. They implement system policies and procedures to routinely grant or restrict access based on:
• the categories the records belong to
• access permissions that individuals, groups of individuals or organisations have

Recordkeeping systems identify records’ disposal status, based on the categories the records belong to and information about their capture and registration.

[1] Adapted from ICA: Principles and Functional Requirements for Records in Electronic Office Environments, Module 2, page 64.

Mapping Recordkeeping Characteristics to the Information Privacy Principles (IPPs)

Records Management function IPP1 IPP2 IPP3 IPP4 IPP5 IPP6 IPP7 IPP8 IPP9 IPP10

Capture

Registration

Classification

Access and Security

Disposal

Storage

Location and event tracking

By facilitating timely records disposal, recordkeeping systems:
• help prevent inappropriate retention of out of date information
• help prevent inappropriate re-use of information
• help prevent inappropriate data matching based on unique identifiers

Recordkeeping systems maintain and store records, securing them against unauthorised access, alteration or destruction.

Keeping records secure:
• means the correct information is available to the right users for the right reasons – and to no one else
• means that information captured in accordance with system rules has integrity
• prevents loss or misuse of information

Finally, recordkeeping systems track the location of records, the usage of records and other events affecting records.

Tracking and auditing record movements and other events:
• helps prevent loss or misuse of records, and helps identify the immediate cause should loss or misuse occur
• identifies instances where records have been amended, or released in whole or in part, under freedom of information or another scheme
• identifies records that have been transferred to another organisation or jurisdiction

This Information Sheet is designed to give general guidance only. It should not be relied on as legal advice.

Appendix E Info Sheet 06.09 (Updates Info Sheet 06.08) Privacy regulation across Australia (at 5 November 2009) Office of the

Privacy is a personal right that attaches This Information Sheet deals only with NSW: The New South Wales Privacy and Victorian Privacy Commissioner itself to various concepts including laws that regulate information and Personal Information Protection Act privacy of the home, bodily privacy, health privacy in Australia across the 1998 (NSW) commenced in stages information privacy and communications Commonwealth, States and Territories . from 1 February 1999 and took full privacy . In Australia, aspects of privacy References are also included to human effect from 1 July 2000, applying are protected by laws of trespass, rights laws establishing a general right to to state and local government nuisance, breach of confidence and privacy . agencies . It was amended in 2009 copyright . The courts are also beginning to include access to and correction (For more information, and links to to recognise an emerging tort of invasion of personal information . The Health privacy-related developments across of privacy and the Australian Law Reform Records and Information Privacy Australia, see the interactive privacy map Commission, in its 2008 report ALRC Act 2002 (NSW) commenced on at www.privacy.vic.gov.au > Relevant 108 – For Your Information, Australian 1 September 2004 and applies to Laws > Privacy Laws .) Privacy Law and Practice, recommended NSW state and local governments 2009–10 the implementation of a statutory cause Existing Australian privacy laws as well as private sector persons of action for serious invasions of privacy . and organisations in NSW . The Laws limiting the use of surveillance In summary, information privacy laws NSW Privacy Commissioner annual report devices or the interception and recording apply in the Commonwealth (CTH) and administers both of these Acts . 
of telephone conversations also have the Australian Capital Territory (ACT), New NT: The Northern Territory Information the effect of protecting privacy, as do South Wales (NSW), the Northern Territory Act 2002 commenced on 1 July confidentiality provisions that are often (NT), Queensland (QLD), Tasmania 2003 and became enforceable found in laws regulating sensitive matters (TAS) and Victoria (VIC) . Specific laws on 1 July 2004 in relation to state such as adoption, infectious disease or protecting health information exist in the public sector organisations, and the handling of criminal records . ACT, NSW and VIC . A general right to privacy is recognised under human rights on 1 July 2005 in relation to local Most Australian jurisdictions, except laws enacted in the ACT and VIC . authorities . The Northern Territory Western Australia and South Australia1, Information Commissioner is have enacted specific information privacy ACT: The Human Rights Act 2004 (ACT) responsible for overseeing the legislation which regulates how certain (as amended) took effect on 2 information and privacy provisions public and private sector organisations January 2007 and establishes of this Act . collect, store and handle personal the right to privacy for individuals . QLD: The Information Privacy Act 2009 information and provide a mechanism The Health Records (Privacy and (IP Act) commenced on 1 July for individuals to make a complaint to Access) Act 1997 (as amended) 2009 and applies to all Queensland an independent Commissioner about commenced on 18 November public sector organisations . The IP a breach of the relevant legislation . In 2006 and applies to health services Act contains a set of Information some jurisdictions, privacy legislation providers in the ACT . The Human Privacy Principles (Qld IPPs), which now provides rights for individuals Rights Commission administers bind all public sector organisations to access and correct their personal both of these Acts . 
except Queensland Health . information while in other jurisdictions CTH: The Commonwealth Privacy Act Queensland Health is also subject these rights remain in complementary 1988 (Cth) applies to the federal to the IP Act but instead of the legislation (freedom of information laws) . (Commonwealth) public sector Qld IPPs, it is subject to ‘National Health information is often given specific from 1 January 1989 and was Privacy Principles’ (NPPs) which legislative protection (health privacy extended to cover parts of the are included in Schedule 4 of the laws) and in Victoria and the Australian private sector from 21 December Act and correspond to the National Capital Territory, human rights legislation 2001 . The Privacy Act 1988 (Cth) Privacy Principles in the Privacy Act recognise a broader right to privacy and also applies to public sector 1988 (Cth) . The IP Act establishes oblige public sector organisations to act agencies in the ACT . The Australian the office of Privacy Commissioner, in a way that is compatible with this and Office of the Privacy Commissioner who is appointed by Governor in other protected rights . administers this Act . Council but acts at the direction of Most privacy laws in Australia and the Information Commissioner . overseas are based on internationally TAS: The Tasmanian Personal accepted standards set down by the Information Protection Act 2004 Organisation for Economic Co-operation commenced on 5 September and Development (OECD) in 1980 and 2005 and applies to state public more recently by the European Union in sector bodies and local councils . 1995 . The Tasmanian Ombudsman administers this Act .

VIC: The Information Privacy Act 2000 (Vic), applying to state and local government agencies in Victoria, commenced on 1 September 2001 and became enforceable on 1 September 2002. The Health Records Act 2001 (Vic) became fully operational on 1 July 2002 and applies to all identifying personal information collected by health service providers as well as health or disability identifying personal information collected by non-health service providers in Victoria. These Acts are administered, respectively, by the Victorian Privacy Commissioner and the Victorian Health Services Commissioner. The Charter of Human Rights and Responsibilities Act 2006 commenced on 1 January 2007 and became fully operative on 1 January 2008. The Charter establishes a general right to privacy for individuals in addition to other rights and is administered by the Victorian Equal Opportunity and Human Rights Commission.

Administrative directions

South Australia has opted to use administrative privacy standards in lieu of privacy legislation. It implemented a set of state Information Privacy Principles by means of a Cabinet Administrative Instruction introduced in July 1989 and re-issued on 30 July 1992. This Instruction applies to state, but not local, government in South Australia. South Australia also has a Code of Fair Information Practice which is based on the National Privacy Principles and regulates the South Australian Department of Health, its funded service providers and others with access to personal information held by the Department of Health.

You can find the source documents for the underlined text above by going to the interactive privacy map at www.privacy.vic.gov.au under Relevant Laws > Privacy Laws.

[1] South Australia has administrative guidelines that are largely based on privacy laws

This Information Sheet is designed to give general guidance only. It should not be relied on as legal advice.

Appendix E Info Sheet 01.10 (Replaces 02.04) January 2010

Accessing and correcting your personal information

What is access and correction?

Access and correction refers to the right of individuals to view and obtain copies of their personal information and to correct personal information held about them. This right forms part of many data protection principles across the world.

Victoria has had legislation relating to access and correction for over 25 years, under the Freedom of Information Act 1982 (Vic) (FOI Act).

The Information Privacy Act 2000 (Vic) (IPA) also provides for rights of access and correction, under Information Privacy Principle 6 (IPP 6).

However, IPP 6 is designed to supplement existing FOI rights, rather than duplicate or replace them. This Information Sheet will explain how access and correction rights operate in Victoria.

My information is held by a Victorian government department – does the IPA apply?

No. This is because most Victorian government organisations are subject to the FOI Act.

If an individual seeks access or correction to documents that can be requested under the FOI Act, they must apply under FOI. This is because the IPA specifically excludes operation of IPP 6, where the FOI Act would otherwise apply. [1]

When will the Information Privacy Act Access and Correction (IPP 6) provisions apply?

Victorian public sector organisations and local councils routinely outsource services to private businesses. These businesses are known as ‘contracted service providers’. The contracted service provider (CSP) may be bound to comply with the IPA as a result of entering into an outsourcing contract.

Usually, CSPs are not bound by the FOI Act. [2]

Where an organisation is acting under a state contract but is not bound by the FOI Act, IPA Access and Correction rights (IPP 6) will apply.

Some examples of contracted service providers are:

• Public transport operators;
• Insurance investigators;
• Non-profit organisations that receive funding to deliver government welfare services to the public; and
• Contractors to government agencies responsible for the collection and processing of fines.

Why have two separate systems of access and correction?

In the past, Government provided the majority of services to the public directly. Access and correction of personal information was established under the FOI Act, and procedures and precedent regulating the government sector have built up over the last 25 years.

During recent years ‘outsourcing’ (government functions contracted out to the private sector) has increased. In order to provide outsourced services, businesses may need to hold personal information about members of the public.

Because these businesses were not covered by FOI laws, individuals had no right of access and correction to information held by these businesses and a ‘gap’ existed. Access and Correction (IPP 6) remedies this ‘gap’ and complements the FOI Act by providing access and correction rights where the FOI Act does not or cannot apply.

How can I exercise my rights of access and correction?

The method of access and correction will depend on what type of organisation holds the information:

1. Victorian government ministers and agencies/departments

Access and correction is to be exercised under the current FOI Act, by application directly to the applicable agency/department holding the information.

What if the agency/department refuses my application?

The FOI Act sets out procedures of rights of review of an agency’s decision regarding access and/or correction.

A number of exemptions apply to the provision of access under the FOI Act. For example, if providing access would involve an unreasonable disclosure of the personal affairs of another person, access may be withheld.

However, if an agency or department withholds a document, they must give reasons for the decision and you can challenge the decision if you believe it to be incorrect.

Who to Contact:
• The FOI officer of the relevant minister/agency/department.
• See: www.foi.vic.gov.au

Persons or organisations contracted by the Victorian government to provide services to the public

a) Contractually bound to comply with the IPA

These organisations must comply with IPP 6. Individuals seeking access and correction may make this request informally and contracted service providers should respond to such requests.

What if the contracted service provider refuses my application?

Where a contracted service provider refuses an application for access or correction, it must provide reasons for the refusal, or reasons for a delay in responding, within 45 days of receiving the request (IPP 6.8).

Privacy Victoria can receive complaints about access or correction regarding contracted service providers.

Who to Contact:
• The FOI officer/Privacy officer of the relevant contracted service provider
• Privacy Victoria: 1300 666 444 or www.privacy.vic.gov.au
• Information Privacy Principle (IPP 6) – See Page 4.

b) Not contractually bound to comply with the IPA

Such bodies are not required to comply with IPP 6. However, the government organisation that has outsourced the service may remain responsible for responding to requests for access and correction, under the FOI Act.

Who to Contact:
• The FOI officer of the relevant minister/agency/department.
• See: www.foi.vic.gov.au

2. A private sector organisation without any contract/funding/relationship with a Victorian government organisation

Neither the Victorian FOI Act, nor the Information Privacy Act, will apply in this circumstance. However, the Commonwealth Privacy Act 1998 may apply. This Act contains National Privacy Principle (NPP 6), similar to IPP 6 which provides for rights of access and correction.

Who to Contact:
• The relevant organisation directly.
• Office of the Federal Privacy Commissioner: 1300 363 992 or www.privacy.gov.au

[1] See s 12 Information Privacy Act 2000 (Vic)
[2] See s 3 Freedom of Information Act 1982 (Vic)

Extract from Schedule 1 of the Information Privacy Act 2000 (Vic)

Information Privacy Principle 6 – Access and Correction

6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that—
  (a) providing access would pose a serious and imminent threat to the life or health of any individual; or
  (b) providing access would have an unreasonable impact on the privacy of other individuals; or
  (c) the request for access is frivolous or vexatious; or
  (d) the information relates to existing legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or
  (e) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  (f) providing access would be unlawful; or
  (g) denying access is required or authorised by or under law; or
  (h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
  (i) providing access would be likely to prejudice—
    (i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; or
    (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
    (iii) the protection of public revenue; or
    (iv) the prevention, detection, investigation or remedying of seriously improper conduct; or
    (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders—
    by or on behalf of a law enforcement agency; or
  (j) ASIO, ASIS or a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (j) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4 If an organisation charges for providing access to personal information, the organisation—
  (a) must advise an individual who requests access to personal information that the organisation will provide access on the payment of the prescribed fee; and
  (b) may refuse access to the personal information until the fee is paid.

6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date.

6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation must take reasonable steps to do so.

6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

6.8 If an individual requests access to, or the correction of, personal information held by an organisation, the organisation must—
  (a) provide access, or reasons for the denial of access; or
  (b) correct the personal information, or provide reasons for the refusal to correct the personal information; or
  (c) provide reasons for the delay in responding to the request for access to or for the correction of personal information—
  as soon as practicable, but no later than 45 days after receiving the request.

This Information Sheet is designed to give general guidance only. It should not be relied on as legal advice.

Appendix E Info Sheet 02.10 (Replaces 11.02) January 2010

Emergencies and Privacy (Replaces Info Sheet 11.02 – ‘Bushfires and Privacy’)

Organisations hold a wide variety of personal information relating to individuals and may collect information for a wide variety of purposes. Such information can be of significant use and benefit for other organisations that must deal with emergency situations.

When developing the Information Privacy Act 2000, the Victorian Parliament recognised that in an emergency situation, the public interest in safety will override the privacy requirements of the Act – even where emergency response was not the primary reason for collection. Privacy law does not stand in the way of responding to legitimate emergencies.

The purpose of this Information Sheet is to aid organisations to respond in the most effective and privacy-enhancing way when facing a request for information in an emergency. The check-list at Appendix A is specifically designed to assist organisations to deal with emergency situations.

What is the law relating to disclosures of information in emergencies?

In an emergency context, the Information Privacy Act contains four main provisions permitting disclosure of personal information:

1. IPP 2 – Primary Purpose of Collection

Usually, an organisation should only use information for the purpose it is collected (IPP 2).

However, if new personal information is collected in order to respond to an emergency, sharing that information where necessary with other organisations involved in the disaster response or recovery may be considered to be disclosure for the primary purpose of collection.

Example: Providing next-of-kin/emergency details
Travellers who provide agencies with contact details for their next of kin do so in order for contact to be made when an emergency occurs. During an emergency situation, it would be in line with the primary purpose of collecting these details for the information to be disclosed to emergency authorities for emergency functions, such as to inform families (when required), victim identification and other relevant disaster response work.

2. IPP 2.1(d) – Disclosures necessary to prevent imminent threats to life/health/safety of an individual or public safety, public health or public welfare.

IPP 2.1(d) allows the use or disclosure of personal information for a purpose not related to the purpose of collection where an organisation reasonably believes that the disclosure is necessary to lessen or prevent either:

• a serious and imminent threat to an individual’s life, health, safety or welfare; or
• a serious threat to public health, public safety, or public welfare.

The first category relates only to an imminent threat posed to an individual. It is important to note that an ‘imminent threat’ may be a continuing one, for example in the aftermath of a disaster. While individual threats may be relevant, a serious threat to the public is more likely to be relevant in large scale emergencies.

Under this ground, the disclosing organisation should make it clear to the recipient emergency services organisation that the data is being provided for the sole purpose of ensuring public safety, not just any purpose. Emergency services may themselves breach the Information Privacy Act if they use or disclose the information for non-safety purposes such as fundraising or membership drives.

IPP 2.1(d) may also be relevant to information uses and disclosures after a disaster or accident has occurred where it is necessary for public welfare. ‘Public welfare’ in this context includes offering assistance to victims and to assist the community more generally to overcome the effects of disasters and other trauma.

Where information is shared in order to respond to an emergency but the particular individual involved indicates that they do not require further assistance, then his or her personal information should not be retained (IPP 4).

3. IPP 2.1(f) – Use/disclosure required/authorised under law

IPP 2.1(f) permits disclosures that are authorised or required by law. When emergency services seek personal information on this basis, it is appropriate that the disclosing organisation ask that the particular law relied upon be cited.

Example: A declared state of emergency
S.23 of the Emergency Management Act 1968 allows the Premier to declare a state of disaster to exist wholly or in part of Victoria for a defined period of time. Following a declaration, the Minister for Police and Emergency Services (and under that Act, Coordinator-in-Chief of Emergency Management) may declare that the operation of the whole or any part of an Act (including the Information Privacy Act) is suspended, where necessary to respond to, or recover from, a disaster (s.24(2)(b)). Where such a declaration exists, any use or disclosure will be authorised by law.

4. IPP 2.1(a) – A reasonably expected secondary related purpose

IPP 2.1(a) allows for disclosure by an organisation for secondary purposes that are related to the primary purpose of collection and would be reasonably expected.

This ground requires two separate considerations:

i) That the secondary purpose is related to the primary purpose – Requiring a connection or association between the secondary purpose of use and disclosure to the primary purpose of collection; and
ii) That an individual would reasonably expect the organisation to use or disclose the information – What an ordinary person aware of the circumstances would consider reasonable.

Example: Local Council use for fire and flood protection
Local Councils may collect information from ratepayers in relation to owners’ properties, information such as the amenities, value, uses and upkeep of those properties. Particularly in rural and outer-suburban areas, a related secondary purpose is the extent to which the property is a fire or flood hazard. Councils may employ fire protection and safety officers who inspect, monitor risk, prepare prevention plans and enforce bylaws (such as those regulating burning-off in the open).
Disclosure of this information to a relevant authority for the secondary purpose of safety against bushfire, flood or extreme weather is likely to be reasonably expected in this circumstance.

Data-Sharing under IPP 2.1(a) following an emergency

After an emergency, data sharing between organisations and emergency services may also be permitted under IPP 2.1(a).

Example: Information-sharing after an accident or disaster
Where a large-scale emergency or disaster occurs, IPP 2.1(a) would allow information to be disclosed to relevant organisations involved in emergency response and recovery efforts, including Commonwealth agencies such as Centrelink.
Bodies may have to be identified quickly, missing or incapacitated persons assisted and relatives contacted to identify and assist victims. In order to respond, this may require prompt access by emergency authorities to personal information about those affected. Individuals involved in such a disaster would reasonably expect their information to be matched in order to locate, identify and both assist them and those close to them.

Establishing Emergency Policies and Protocols

When a serious threat to public health or safety occurs, disclosure may be necessary and the organisation may need to respond in a fast and effective manner to a request for information. The following measures can assist an organisation in being prepared for this eventuality:

i) Implement an ‘emergency data policy’ and set of protocols

It is advisable for organisations to develop an ‘emergency data policy’ and put a set of protocols in place before such a request occurs. This way, the organisation and its staff can quickly and confidently handle requests for information in emergency situations. Policies and protocols should include both an ‘escalation process’ for dealing with such disclosures, and guidance for determining who will disclose the information, what information should be released, and to which organisations.

ii) Take steps to ensure that the data held is accurate and secure

IPP 2 may allow information to be used or disclosed, but other IPPs (such as IPP 3: Data Quality and IPP 4: Data Security) must continue to be complied with. One benefit is that the data disclosed by the organisation is likely to be of a higher quality and therefore more useful in an emergency situation. Organisations should take steps to ensure data quality and security, such as:

• Keeping the data used or disclosed for the emergency response quarantined from other datasets;
• Not allowing the data to be used for other purposes; and
• Making arrangements for the return or disposal of the information once the emergency has been responded to (in line with the Public Records Act 1973).

A suggested set of matters for inclusion in a protocols document is provided at Appendix B.

Planning checklist

Advance planning and training of staff in anticipation of emergencies should include the way in which personal information will be handled and shared. The following checklist may be useful:

• What will the information be used for? The requesting emergency authority should state with reasonable precision its reasons for seeking the data. This allows the disclosing organisation to apply IPP 2 properly and to be confident about the basis for disclosure.

• Will the information meet the purpose for which it is requested? Excess disclosure can be as unhelpful as insufficient disclosure, so clarifying how much information is necessary, and tailoring the disclosure to the actual purpose, assists both the disclosing organisation and the recipient organisation.

Example: Disclosure of ineffective data
If an emergency authority requests information about residents from a Local Council, ratepayer information may be ineffective. Ratepayer information contains personal information of those who own property but not who reside in it. In areas with a high proportion of non-resident owner/ratepayers (such as inner-Melbourne), the information may not be helpful.

• Can the aim be achieved without the data proliferating? An analysis of ‘why’ the recipient organisation requests the data may be helpful.

Example: Intended use of information is to conduct a mail-out
An emergency organisation may wish to contact residents to provide important emergency information. However, the aim can be satisfied without a transfer of data. The source organisation could make arrangements with the emergency authority to mail the information out on its behalf. The aim (provision of the emergency information) can be satisfied without transfer of personal information.

Clear policies – staff and public confidence

Development of policies and procedures for an emergency context will allow staff to readily assess and respond to requests in a high-pressure emergency situation.

Most people will accept the use and disclosure, without consent, of their personal information to serve the public interest in dealing with an emergency. But misuse of the information for other purposes, or lack of care in protecting personal information, will in the long run harm the reputations of organisations that engage in such misuse or sloppiness. Worse, it may sap public confidence in services that rely on people to co-operate with them readily and quickly when public safety is threatened.

Emergencies and Privacy: Appendix A

Steps an organisation can take to better deal with an emergency situation

A) Before an emergency – preparatory steps

1. Draft a policy and set of procedures to help staff know what they need to do when confronted with a request from an emergency body, or during an emergency itself.
2. Provide training to staff members in privacy generally, but also specifically in how to deal with emergencies.
3. Provide support to staff, in the form of a structure which allows front-line staff access to managers with the ability and authority to authorise a disclosure, in line with the emergency policy.
4. Ensure data quality – Take steps to ensure personal information held by the organisation is accurate, complete and up to date – so it will be of maximum assistance during an emergency.

B) During an emergency – when using/disclosing the information

1. Follow the policy and procedures that were drafted in the preparatory stage above.
2. Make clear to recipients why information is being transferred and what the purpose of the transfer is.
3. Ensure data security – Take steps to ensure that the personal information is shared and stored in such a way as to protect it from misuse, loss, unauthorised access, modification or disclosure.
4. Make a record of the disclosure – What information was transferred, when, to whom, who authorised the transfer and under which section of IPP 2?

C) After an emergency situation has passed

1. Request return or destruction of the information disclosed (where possible).
2. Conduct an audit of the information and ensure it was disclosed correctly, in accordance with the Information Privacy Act and with the relevant organisational policies.
3. Review the policies and procedures, analyse how effective they were and whether there is any scope for improvement.

Emergencies and Privacy: Appendix B

Draft Protocols for data sharing in an emergency

The following areas for inclusion in a set of protocols are suggestions only and should be considered as indicating the minimum requirements for such a document.

1. Commencement and expiry dates – It is important to be clear about the period during which the data sharing arrangements will be in place and to set a clear end date, after which the data sharing will cease.
2. Parties to the protocol – This will define and limit which other organisations information is to be shared with.
3. Authorisation/escalation process – This should set out the process by which the protocols are activated, the information that will be disclosed and who must authorise activation.
4. Purpose of sharing information – This should be defined and limit the purpose that the receiving organisation can use the information for, which is in this context, the use of the information to combat a threat to public safety, health or welfare.
5. Data storage and quarantine – Protocols should outline that the information should be kept separately from the receiving organisation’s existing systems. Data should not simply be imported into the organisation’s existing databases and lost or mixed into other information. This will allow it to be securely archived and/or disposed of when no longer needed to respond to, or recover from, the emergency.
6. Data security – This will outline the steps to be implemented to secure the information while in transit and to ensure secure storage once received (e.g. encryption, technical and administrative access controls).
7. Data quality – Before re-using information obtained from another party, the information should be checked to ensure that it is accurate, up to date and complete.
8. Destruction/disposal – Protocols should clearly set out the process for disposal of information once it is no longer needed. This should be considered on collection of the information and involve consideration of the Public Records Act and early consultation with the Public Records Office of Victoria (PROV).
9. Access and correction – Protocols should detail procedures for allowing individuals to access and, where necessary, correct their own information with a central point to deal with queries. Simple reliance on the Freedom of Information Act may be insufficient, as it may not apply to all organisations involved.
10. Complaints – Protocols should set out actual policies and procedures to handle complaints and the process by which individuals and the Privacy Commissioner will be notified if there is a privacy breach.

This Information Sheet is designed to give general guidance only. It should not be relied on as legal advice.

Appendix F Case Notes

Complainants AO v Organisation

[2009] VPrivCmr 4

IPP 1 – Collection – Allegation that the organisation collected personal information which was not necessary for one or more of its functions or activities (IPP 1.1).

IPP 2 – Use and Disclosure – Allegation that the organisation allowed personal information to be used and disclosed for a purpose unrelated to the primary, or permitted secondary purpose of collection.

IPP 4 – Data Security – Allegation that the organisation failed to take reasonable steps to protect personal information from misuse and loss, unauthorised access, modification or disclosure.

Complaint

The Complainant was an employee of the Respondent (Complainant A). Due to resourcing issues in 2004, Complainant A often used her own lap-top computer which she would work on during the day, and at home after hours. In 2004 Complainant A became seriously ill and left the workplace, not returning for some time. The Respondent asked Complainant A if specific work files could be copied from her lap-top to the Respondent’s system to which she agreed.

Complainant A became aware that the Respondent had not only copied work related files from the lap-top, but that it had also copied the entire contents of the computer including personal information of both herself and her husband – Complainant B.

The Complainants wrote to the Respondent in 2004 complaining about the collection of personal information. The Respondent replied expressing regret that the personal information had been collected, but assured the Complainants that their personal information had since been deleted from the Respondent’s files.

In April 2007 the Complainants became aware that their personal information had in fact not been deleted from all of the Respondent’s files, and was available to view by those who had access to a particular stand-alone computer. Following contact again with the Respondent, all personal information was then deleted from that remaining computer.

The Complainants subsequently complained to the Victorian Privacy Commissioner as the Respondent initially failed to adequately delete their personal information, and they were dissatisfied with the Respondent’s handling of their complaint.

IPP 1

The Complainants alleged that the transfer of their personal information stored within their lap-top to the Respondent’s system (in 2004) was a collection of personal information that was not necessary for the Respondent’s functions or activities.

IPP 2

The Complainants also alleged that by storing their personal information on a (password protected) computer that was readily accessible to a number of its staff, the Respondent allowed the Complainants’ personal information to be used and disclosed for a purpose unrelated to the primary purpose of collection or a permitted secondary purpose.

IPP 4

The Complainants further alleged that by storing their personal information on its computer, the Respondent failed to secure their personal information from unauthorised access, modification or disclosure by other staff that had access to it.

Response to the complaint

The Respondent sought to have the complaints declined on the basis that it had been more than 45 days after the Complainants became aware of the act or practice (29(1)(d)) and / or that the complaint had been the subject of an investigation by the Ombudsman in 2008 which they believed had adequately dealt with the matter under that other enactment (29(1)(f)). Further, the Respondent was of the view that because “there was no intent to breach the privacy” of the Complainants, the complaints should not be entertained.

Privacy Commissioner’s Decision

The Privacy Commissioner decided not to decline to entertain the complaint under section 29(1)(f) because the investigation conducted by the Victorian Ombudsman concerned the administrative actions of the Respondent following the complaint, rather than the alleged breaches of the Complainants’ privacy.

In considering whether to decline to entertain the complaints on the basis that it was more than 45 days after the Complainants became aware of the act or practice (29(1)(d)), the Privacy Commissioner considered whether the Complainants would be satisfied with this decision, or whether it was likely they would refer the matter to the Victorian Civil and Administrative Tribunal (VCAT). Given the Victorian Privacy Commissioner’s primary function in relation to complaints is to try to resolve them, and the protracted period of time in which the Complainants and Respondent had been in dispute, it was decided to attempt conciliation in order to assist the parties to resolve their longstanding dispute and avoid further litigation.

In regard to the Respondent’s position that the complaints should be declined on the basis that there was no intent to breach the Complainants’ privacy, it was explained to the Respondents that intent was not a relevant factor in deciding whether or not a complaint should be declined.

As a result, the complaint was referred to conciliation.

Outcome

Both the Complainants and Respondent representatives attended the conciliation in a positive and enthusiastic manner. Thanks largely to the constructive, empathetic and sensitive attitude of the Respondent’s representatives, and the flexible and amenable attitude of the Complainants, an outcome was reached to the satisfaction of both parties.

Case Notes

Complainant AP v Organisation B

[2010] VPrivCmr 1

IPP 2 – Use and Disclosure – Allegation that the Organisation allowed personal information to be used and disclosed for a purpose unrelated to the primary or permitted secondary purpose of collection.

IPP 4 – Data Security – Allegation that the Organisation failed to take reasonable steps to protect personal information from misuse and loss, unauthorised access, modification or disclosure.

Background information

The Complainant was an employee of a Victorian Public Sector organisation and was required to handle telephone enquiries from the public which were often recorded by the employer. The Complainant received a call from a member of the public who clearly identified himself throughout the conversation. The caller was extremely abusive towards the Complainant and made threats against members of Organisation B.

As a result, a senior member of the employer organisation sent an email to a senior member of Organisation B notifying Organisation B of the threats. The email included personal information about the member of the public as well as an electronic audio file containing the recording of the telephone call handled by the Complainant. The electronic audio file was labelled with a misspelled version of the Complainant’s name.

Subsequently, the Complainant’s employer became aware that the email and electronic audio file were circulating in the public domain and that the recorded call had been placed on YouTube and another website with links through Google. The Complainant’s employer, whose staff member had sent the email to Organisation B for the purpose of notifying it of the threats, made a complaint to Organisation B about the unauthorised disclosure of the email and electronic audio file.

The employer took steps to have the electronic audio file removed from the internet, however it was subsequently re-uploaded.

The Complainant made a complaint to his employer about unauthorised disclosure of his personal information and breach of data security. The Complainant also alleged that his employer had failed to provide him with a copy of its privacy policy on request. The Complainant was dissatisfied with how the complaint was handled by the employer and subsequently made a formal complaint to the Office of the Victorian Privacy Commissioner about the employer.

Audit information provided by the employer in response to the privacy complaint indicated that it was likely that the unauthorised disclosure of personal information had occurred through the actions of Organisation B. Consequently, the Complainant lodged a separate complaint about Organisation B. This Case Note focuses on the complaint about Organisation B.

The initial response from Organisation B

In its initial response, Organisation B sought to have the complaint declined for the following reasons:

1. It had not had adequate opportunity to deal with the matter (Section 29(1)(h)(ii) of the Information Privacy Act 2000 (Vic) (‘IPA’));
2. As it was taking disciplinary action under another Act against its staff for the unauthorised disclosure, the complaint should be declined on the basis that the act or practice complained about could be made the subject of an application under another Act and it was being adequately dealt with under that Act (Section 29(1)(f)); and
3. That the relevant provision of the Act was inconsistent with the IPA so, due to Section 6 of the IPA, the IPA did not apply to the complaint.

The Privacy Commissioner’s response

The Commissioner rejected Organisation B’s arguments for the following reasons:

1. As Organisation B had been aware of the complaint for 18 months, it could not be said that it had not had an adequate opportunity to deal with the complaint;
2. Investigating the actions of its staff under another Act did not mean that the subject matter of the complaint was being adequately dealt with under the other Act because that Act provided no means of redress for loss or damage suffered by the Complainant due to the interference with privacy; and
3. The other Act was not inconsistent with the IPA because it provided for action to be taken against individual staff of Organisation B who may have breached secrecy provisions. The IPA places obligations on organisations and provides redress for individuals where an organisation fails to comply with its obligations.

Subsequent response from Organisation B

In a subsequent response, Organisation B provided advice that its email audit had revealed that the electronic audio recording had been accessed in excess of 2000 times by Organisation B employees for entertainment purposes. It established that an employee of Organisation B was not responsible for the actual upload of the file to YouTube. However, given that the email had been circulated so widely amongst employees of Organisation B for entertainment purposes that were completely unrelated to the primary purpose of collection, Organisation B acknowledged that this “may have contributed” to the disclosure on YouTube.

Result

The information provided by the employer organisation and Organisation B revealed that the original email to Organisation B containing the electronic audio file had been circulated widely within Organisation B. The Commissioner’s view was, therefore, that this had exposed the Complainant’s personal information to the risk of unauthorised disclosure. It was not determined who was responsible for releasing the email to the public.

However, from the evidence provided by the Complainant’s employer and Organisation B, it appeared that the senior member of the employer organisation had only sent the email with the audio file to the senior member of Organisation B. Therefore, it was highly probable that one or more of the 2000 or so employees of Organisation B who had received the email had sent the email outside of Organisation B and into the public domain. Consequently, the Commissioner did not consider that there were any grounds to exercise her discretion to decline the complaint against Organisation B and determined to refer it to conciliation. Conciliation with Organisation B failed. The Complainant required the Commissioner to refer the complaint to the Victorian Civil and Administrative Tribunal and agreement was reached at a compulsory conference with the Complainant and both Organisation B and the employer.

Appendix G

Privacy Victoria Publications at 30 June 2010

Copies of publications produced by Privacy Victoria are available through the Office or from our website at www.privacy.vic.gov.au. Requests for copies of any publication, or for inclusion on the Privacy Aware newsletter email distribution list, may be made to [email protected] or by telephoning 1300 666 444.

Audits
• 01.03: Victorian Public Sector Websites, September 2003
• 01.05: Victorian Public Sector Data Matching, February 2005
• 03.05: Victorian Public Sector Websites, October 2005
• 01.06: Victorian Taxi and Tow Truck Directorate - Surveillance cameras in taxis, March 2006
• 02.06: Deakin University - Electronic Mail Policies, June 2006

Brochures
• Community information brochure, 2007
• Protecting Information Privacy in the Victorian Public Sector
• Privacy laws protect our communities Brochure for indigenous communities, 2009
• Privacy laws protect you Brochure, May 2009 Also available in 16 other languages
• Private Lives: Your Guide to Privacy Law in Victoria booklet

Case Notes
• Complainant A v Local Council [2003] VPrivCmr 1
• Complainant B v Statutory Entity [2003] VPrivCmr 2
• Complainant C v Department [2003] VPrivCmr 3
• Complainant D v Minister [2003] VPrivCmr 4
• Complainant E v Statutory Entity [2003] VPrivCmr 5
• Complainant F v Tertiary Institution [2003] VPrivCmr 6
• Complainant G v Department [2004] VPrivCmr 1
• Complainant H v Local Council [2004] VPrivCmr 2
• Complainant I v Department [2004] VPrivCmr 3
• Complainant J v Statutory Entity [2004] VPrivCmr 4
• Complainant K v Local Council VPrivCmr [2004] 5
• Complainant L v Tertiary Institution VPrivCmr [2004] 6
• Complainant M v Tertiary Institution VPrivCmr [2004] 7
• Complainant N v Local Council VPrivCmr [2004] 8
• Complainant O v Health Services Commissioner VPrivCmr [2005] 1
• Complainant P v Local Council VPrivCmr [2005] 2
• Complainant Q v Contracted Service Provider to Department VPrivCmr [2005] 3
• Complainants R, S, T, U and V v Local Council VPrivCmr [2005] 4
• Complainant W v Public Library VPrivCmr [2005] 5
• Complainant X v Contracted Service Provider to a Department VPrivCmr [2005] 6
• Complainant Y v The Department VPrivCmr [2005] 7
• Complainant Z v Local Council VPrivCmr [2006] 1
• Complainant AA v The Department VPrivCmr [2006] 2
• Complainant AB v Victoria Police VPrivCmr [2006] 3
• Complainant AC v Public Sector Body VPrivCmr [2006] 4
• Complainant AD & Others v The Department VPrivCmr [2006] 5
• Complainant AE v Contracted Service Provider to a Statutory Authority VPrivCmr [2006] 6
• Complainant AF v Local Council VPrivCmr [2007] 1
• Complainant AG v Local Council VPrivCmr [2007] 2
• Complainant AH v The Department [2007] VPrivCmr 3
• Complainants AI v Local Council [2008] VPrivCmr 1
• Complainant AJ v The Department [2008] VPrivCmr 2
• Complainant AK v Statutory Authority [2008] VPrivCmr 3
• Complainant AL v Local Council [2009] VPrivCmr 1
• Complainant AM v Local Council [2009] VPrivCmr 2
• Complainants AN v Statutory Authority [2009] VPrivCmr 3
• Complainants AO v Organisation [2009] VPrivCmr 4
• Complainant AP v Organisation B [2010] VPrivCmr 1

Guidelines
• How to prepare for the Information Privacy Act 2000, May 2002
• Privacy Audit Manual – Edition 01, November 2003
• Privacy Impact Assessments – a Guide, August 2004
• Public Registers and Privacy – Guidance for the Victorian Public Sector, August 2004
• Website Privacy – Guidelines for the Victorian Public Sector, May 2004
• Guide for Councils on handling applications for access to the voters’ roll for public interest purposes, March 2005
• Guidelines for developing a Code of Practice under Part 4, Information Privacy Act 2000, July 2006
• Guidelines to the Information Privacy Principles, Edition 2, September 2006. The Guidelines are supported by a separate Index and Table of Cases
• Short Guide to the Information Privacy Principles, December 2006
• Privacy Audit Manual – Edition 02 November 2007
• Guide for Councils on handling applications for access to the voters’ roll for public interest purposes, Version 2, June 2008
• Responding to Privacy Breaches – Guide, Edition 01, May 2008
• Responding to Privacy Breaches – Guide, Checklist, May 2008
• Privacy Impact Assessments Guide – Edition 02, Supporting documents: Privacy Impact Assessment Report template and Accompanying Guide to the template, May 2009

Guides to Complaint Handling
• Guide for Complainants under the Information Privacy Act 2000
• Guide for Respondents under the Information Privacy Act 2000
• Conciliation under the Information Privacy Act 2000 – Revised May 2008
• Complaint handling under the Information Privacy Act 2000
• Guide to the Handling of Complaints under the Information Privacy Act 2000 by VCAT
• Guide for Complainants under the Information Privacy Act 2000 (Chinese)
• Guide to the handling of complaints by the Victorian Civil and Administrative Tribunal (Chinese)

Handy Tips
• Smartcard Privacy Checklist
• HT01 Identity Theft and You
• HT02 Importance of Data Quality
• HT03 Improving Data Security

Information Sheets
• 01.02 Regulation of Online Content – Child Porn
• 02.02 Privacy and School Reports
• 03.02 Frequently Asked Questions – Public Sector
• 04.02 Victoria’s Privacy Protection Landscape (revised)
• 05.02 Complaint Handling Under the Information Privacy Act
• 06.02 Email Disclaimers and Privacy
• 07.02 A Brief History of Information Privacy
• 08.02 Dogs, Cats and their Owner’s Privacy
• 09.02 Comparative Table of Organisations’ Responsibilities Under Australian Privacy Legislation
• 01.03 Images and Privacy
• 02.03 Property Sales, Valuers and Privacy
• 04.03 International Privacy Standards
• 05.03 Mobile Phones with Cameras
• 01.05 Guide for Councils on handling applications for access to the voters’ roll for public interest purposes
• 02.05 Privacy, Property, and Mining
• 03.05 Personal Information in Complaint Handling
• 06.05 Local Councils and the 2006 Commonwealth Games
• 01.06 Who’s covered by the Information Privacy Act?
• 02.06 Exemptions from the Information Privacy Act
• 01.08 Frequently Asked Questions – General Public
• 02.08 Privacy and global Positioning System Technology
• 03.08 Privacy and the Charter of Human Rights and Responsibilities
• 04.08 Fences and Privacy (Revised)
• 05.08 Freedom of Information and the Information Privacy Act
• 07.08 Confirming Identity and Privacy: A Guide for Organisations
• 08.08 Establishing Your Identity and Privacy: A Guide for Individuals
• 01.09 Councillors, Councils and the Information Privacy Act
• 02.09 Job Applications, Referee Checks and Privacy
• 03.09 Handling Criminal Records in the Public Sector (Revised)
• 04.09 Children and Privacy complaints: A Guide for Parents and Guardians
• 05.09 Recordkeeping compliance, recordkeeping systems and the Information Privacy Principles
• 06.09 Privacy Regulation across Australia (as at 5 November 2009)
• 01.10 Accessing and Correcting Your Personal Information
• 02.10 Emergencies and Privacy

Issue Papers
• 01.02 Public Registers and Privacy: Building Permit Data, January 2002
• Joint Issues Paper - Personal Information Card (prepared with the Victorian Registry of Births Deaths and Marriages), March 2006

Newsletters
• Privacy Aware is published quarterly and made available by email or at www.privacy.vic.gov.au.
• Privacy Victoria Network eNews is published online monthly.

Postcards and Posters
• Privacy Victoria’s range of privacy awareness postcards and posters can be viewed at www.privacy.vic.gov.au.

Procedures
• Procedure for Service of Compliance Notices – under section 44 of the Information Privacy Act, July 2003

Reports
• 01.02 Public Registers and Privacy: Building Permit Data - a report to the Minister for Local Government, August 2002
• 02.02 Privacy in Diverse Victoria - attitudes towards information privacy among selected Non-English speaking background and Indigenous groups in Victoria, October 2002
• 01.06 Jenny’s case: Report of an investigation into the Office of Police Integrity pursuant to Part 6 of the Information Privacy Act 2000, February 2006
• 02.06 Controlled disclosure of criminal record data: Report to the Attorney-General pursuant to section 63(3) of the Information Privacy Act 2000, June 2006
• 03.06 Mr C’s Case: Report of an investigation pursuant to Part 6 of the Information Privacy Act 2000 into Victoria Police and Department of Justice in relation to the security of personal information in the Law Enforcement Assistance Program (LEAP) and E*Justice databases, July 2006

Submissions
• Privacy Victoria’s submissions to various enquiries and parliamentary committees can be viewed at www.privacy.vic.gov.au.

Surveys
• Use of Portable Storage Devices, Privacy Survey, January 2009

Thinking through the IPPs
• 01.04 Privacy and Sexuality

Appendix H

Organisational Participation in Privacy Victoria’s Training and Awareness Activities during 2009-10

Organisations listed include Victorian public sector organisations, government agencies, private sector organisations and community groups.

Organisation Name Work Unit

Aboriginal Justice Forum Ambulance Victoria Australian Catholic University Ballarat Regional Multicultural Council Banyule City Council Barwon Prison Barwon Water Authority Bass Coast Shire Council Berry Street General, Home Based Care, Southern, Managers, Team Leaders Box Hill Institute Brimbank City Council Cardinia Shire Council CenITex Chartered Secretaries Australia City of Boroondara City of Casey General, Maternal and Child Health Nurses, Early Childhood Workers and Family Support Workers City of Greater Dandenong City of Stonnington City of Whitehorse Common Equity Housing Ltd Council of Legal Education Country Fire Authority Darebin City Council Delegation from Guangxi Zhuang Autonomous Region, People’s Republic of China Department of Education and Early Childhood Development General, Eastern Region, Audit and Review, Children’s Services, Student Wellbeing Department of Human Services General, Business Intelligence, Disability Client Services (Bendigo), Barwon South Western Department of Innovation, Industry and Regional Development General Department of Justice General, Board of Examiners, Consumer Affairs Victoria, Business Licensing Victoria, Licensing Branch, Dispute Settlement Centre of Victoria, Morwell Justice Service Centre, Knowledge Information and Technology Services, Office of Correctional Services Review, Office of the Public Advocate, Corrections Victoria Department of Premier and Cabinet General Department of Primary Industry General Department of Sustainability and Environment Public Land Services Department of Transport General, Point to Point Transport Regulation, Strategy and Planning, Bus and Regional Services, Victorian Taxi Directorate, Transport Ticketing Authority, Surveys Team Department of Treasury and Finance General East Gippsland Shire Council Energy Safe Victoria Film Victoria Gippsland Water Glen Eira City Council Glenroy Community Information AGM Greater Shepparton Council Holmesglen Institute of TAFE HomeGround Services Hume City Council Independence Australia Jewish Care (Victoria) Inc. Kindergarten Parents Victoria Kyabram Health Service La Trobe Uni Loddon Shire Council Maribyrnong City Council Melbourne Water Monash University Alumni Service Managers Moorabool Shire Council Moreland City Council Mornington Peninsula Shire Mornington Peninsula Shire Moyne Shire Council Murrindindi Shire Council Museum Victoria Nillumbik Shire Council North East Water Northern Grampians Shire Council Office of Correctional Services Review Office of Public Prosecutions Office of the Child Safety Commissioner Ombudsman Victoria Orana Family Services Plumbing Industry Commission Port of Melbourne Corporation Port Phillip and Westernport Catchment Management Authority Port Phillip City Council Royal Botanic Gardens Royal Melbourne Institute of Technology General, Academic Registrars Royal Society for the Prevention of Cruelty to Animals (Victoria) Sarina Russo Somali and Indian Communities South Gippsland Shire Council Southern Grampians Shire Council Springvale Botanical Cemetery State Revenue Office Surf Coast Shire Council South West TAFE Skills Stores Tarwin Lower Gippsland Community Health Centre Friday Friendship Group Transport Accident Commission University of Ballarat University of Melbourne General, Commerce Student Centre, Victoria College of Arts and Music Victoria Police General, Privacy Unit, Intelligence and Covert Surveillance Unit, Warrnambool Victorian Building Commission General, Managers Victorian Bushfire Reconstruction and Recovery Authority Victorian College of Optometry Clinical Services Victorian Commission for Gambling Regulation Victorian Curriculum and Assessment Authority General, Managers Victorian Electoral Commission Victorian Information Technology Teachers’ Association Victorian Institute of Teaching Victorian Legal Aid Victorian Local Government Multicultural Information Network Victorian Managed Insurance Authority Victorian Public Service Graduates Program VicUrban Vietnamese Community Workers Warrnambool Council West Wimmera Shire Council Western Water William Angliss Institute Windermere Child and Family Services Incorporated Wodonga City Council Women’s Liberation Halfway House Domestic Violence Service WorkSafe General, Call Centre Staff Wyndham City Council Yarra Ranges Shire Council Yarram Secondary College YMCA Victoria

Appendix I Privacy Victoria Oration Melbourne, 1 September 2009

The Hon. Michael Kirby AC CMG

PRIVACY, MYSPACE, YOUTUBE AND FACEBOOK: CAN THE LAW COPE?

CAUGHT IN A HURRICANE

Last week I went to Halifax in Canada to speak at a conference on Family Law. I arrived at New York’s airport on time and waited for the plane to Halifax. Unfortunately, Hurricane Bill had disrupted plane timetables. My flight was cancelled. Wondering how I would get in and out of Halifax, I spent time as the airline searched for the solution. Only computers, containing a huge amount of personal data and weather information could sort things out.

To while away the anxious moments, I logged on to the free internet available in the airport lounge. Given that New York was founded by the Dutch, I thought I would see what the profile of my partner, Johan van Vloten was. So I googled his name. Half way across the world, up it came with a story in an Australian newspaper. The coverage, in a gossip column, projected an image of an intelligent, prudent and admirable Australian citizen. That was, frankly, false.

The story appeared in a gossip column. It attributed to an unnamed lawyer the remarkable information that, twenty years ago, when Johan ran a newsagency business on the North Shore of Sydney, a lawyer in Mosman had seen an aged driver throwing newspapers for him and recognised me to be the ‘delivery boy’. His astonishment that the then President of the NSW Court of Appeal was caught ‘moonlighting’ to help his domestic partner, was recorded in all of its salacious detail. Over the past decade or so, we have seen this story repeated both in the popular and the gay press.

It would certainly be irregular for a senior judge to be delivering newspapers in the early hours of the morning, even to help a domestic partner. Maybe in an emergency such a thing might happen. People have come up to us and told us that they found the tale endearing. A kind of early-morning affirmation of love that one sees in television soap operas. Anyone who would roll out of bed at 4am to deliver newspapers deserves sympathy.

The only problem with this story is that it has not a skerrick of truth to it:

• I have never learned to drive. Odd though that may be, it is the truth. When I was young my parents had no money for a car and I never learned. Still can’t do it.
• My partner’s shop was not in Mosman but in Willoughby, many kilometres away. He would have been happy to have a Tammany Hall paper run that stretched over seven kilometres. But it just didn’t happen.
• The job I held down was a high-pressured judicial post leaving no time for delivery boy duties.

Endearing or not, the story is just false. But like other stories, it has got into the media and it is impossible to dig it out. People will chuckle or tut-tut, as they are inclined. But there is nothing we can do to correct the record. We can jump up and down, make a fuss, complain, demand correction. Nothing happens. I will go to my State Funeral, and it will probably be in my official obituaries.

But does this capacity of the new technology to spread and repeat false facts of a personal kind really matter. Certainly, there is no doubt that the story was published as trivial gossip in a newspaper and one cannot erase the record. In that respect, it is like the false accusations made against me by a federal senator in the national parliament. Despite their demonstrable falsity, the withdrawal, the apology and the demotion of the accuser, my name will always be linked with those false claims. Can’t get away from them. Damage done. A nasty association. But should I care? Should my partner and my family care? Well, they do. You see, people still value their privacy, their reputation and the way other people perceive them.

In the age of the internet, stories that once would have been wrapping the fish and chips and forgotten a few weeks or months or years later, are preserved forever. Anyone wanting to relive them can just google a name at JFK airport, and there it is, once again. Immortal, invisible, a new God to project personal details worldwide.

JUSTICE SCALIA’S ENCOUNTER

One of the most famous judges of the US Supreme Court is Justice Antonin Scalia. He tends to be on the conservative side of things. But he is a robust character and gives as good as he takes. Early this year he was very dismissive about privacy protection. He tends to be gung-ho about everything. He does not much like government interfering in the private. Early in 2009, he made public comments that appeared to question the need for more protection for private information. This got under the skin of a law professor at Fordham University in the United States. Joel Reidenberg set his students the task to see how much private information was available on the internet about Justice Scalia. The class turned in a fifteen page dossier. It not only included Scalia’s home address that was supposed to be private for security reasons. (In the United States, following a decision that Scalia has always supported, many people carry guns.) The dossier also carried home telephone numbers, the value of his home, details on his food and movie preferences, his wife’s personal email address, photos of his grandchildren and much else besides.

Professor Reidenberg justified his class project on the basis that it was intended to spark discussion about the need for better protections for privacy in American law. Justice Scalia responded admitting that the project was “perfectly legal” but claiming that it showed “abominably poor judgment”. I just hope that the dossier did not contain demeaning and false data alleging that the judge was moonlighting in some unusual way. Because if it does, I can tell, he will never get it out of the record. People believe that the internet is infallible. They tend to believe everything they find there is gospel. We are losing control over the projection of our persona. Reidenberg responded to Scalia:

“Where there are so few privacy protections for secondary use of personal information, that information can be used in many troubling ways. A class assignment that illustrates this point is not one of them. Indeed, the very fact that Justice Scalia found it objectionable and felt compelled to comment underscores the value and legitimacy of the exercise.” (AVA Journal, 29 April 2009).

MYSPACE, YOUTUBE AND FACEBOOK

Media reports constantly bombard us with stories of privacy issues in the new social networking outlets of the internet. For many of the problems that are presented, the law offers no, or no effective, solution.

• In Missouri, in July 2009, it emerged that a troubled 13 year old, Megan Meier, had engaged in an online dialogue with a purported boyfriend who was actually a neighbour of one of Megan’s school friends. From a happy correspondent, the exchanges turned to calumny and Megan hanged herself in her bedroom wardrobe. A jury found the neighbour guilty of telecom offences, but the verdict was placated. Now a Megan Meier Cyber-bullying Prevention Act is pending in the US Congress, but it is too late for the young girl.
• Every day 65,000 videos are uploaded onto YouTube. These contain a lot of harmless material. But sometimes people lose out. An ambitious 23 year old student at Yale University, Aleksey, applied to UBS Bank for a job using a weird and arrogant video as his CV. It showed every reason why he should be rejected. But then the video turned up on YouTube. One media website in the United Kingdom declared that his video was “the greatest CV ever filmed”. It was a “six minute ego-mercial”. Aleksey became the laughing stock of America and the world. There are many such stories. How the video was leaked from UBS was not disclosed. Aleksey’s remedies were limited.
• In mid-July 2009, the Canadian Privacy Commissioner took Facebook to task alleging “serious privacy gaps” in his huge service, which is the world’s largest social network with 250,000,000 users. Essentially, the Canadian Commissioner told Facebook to introduce changes to increase user’s privacy by (a) alerting users to third party access to their personal data, (b) controlling the retention of user information after an account had been de-activated, (c) terminating the retention of email addresses of non-users who were invited to join the site but declined and generally enhancing privacy controls in favour of users. American commentators criticised the “staggering silence in the US on emerging privacy issues” affecting these new sites. In fairness, Facebook declared that it was working with the Canadian Privacy Commissioner’s office because it shared “the common goal of making the internet more privacy friendly for Canadian and users across the world”. (Financial Times, 17 July 2009).

The media is full of stories of this kind and those experts who have examined them agree that there is a need to enhance user awareness (often in inexperienced, young and immature persons) of the decisions they make that may affect them seriously, down the track. Quite clearly, the new facilities in cyberspace are fulfilling a huge need that old media and earlier networks did not adequately serve. But somehow the new facilities must be promoted under conditions that assure respect for individual control over personal data and an entitlement, where appropriate, to retrieve information that is false, damaging or presented in a wrong light. Captured images have a measure of permanency which is something that fleeting memories lack. Video voyeurism may simply be a generational shift, but it may be necessary to protect immature users against irrevocable decisions that haunt them for the rest of their lives. Until now, the usual answer given to such complaints is an appeal to the “binary” distinction between public and private space. If it gets into the public space, it is said to be beyond control. Once there, it has become public property. If you put it there, you cannot really complain. Even if you did not put it there, but were in public when the information was captured, you are said to have no legitimate complaint.

Writers on this subject point to the capacity of search engines like Google to explore the epidermis of the web and to discover lots of content that has previously been unknown. The search engines are improving all the time. More and more information is uploaded. One respected commentator in a book The Future of Reputation, Daniel Solove has declared that the developments in cyberspace make him “giddy with excitement . . but also a bit frightened”. He concludes (p.205):

“Although the internet poses new and difficult issues, they are variations on some timeless problems: the tension between privacy and free speech, the nature of privacy, the virtues and vices of gossip and shaming, the effect of new technologies on the spread of information, and the ways in which law, technology and norms interact. New technologies do not just enhance freedom, but also alter the matrix of freedom and control in new and challenging ways. The questions are immensely complex, and there are no easy answers. Just when we think we are smoothing problems out, new technology adds another wrinkle. But we can take steps to protect privacy if we make an effort. We must. After all, it is just the beginning.”

THE VICTORIAN COMMISSIONER’S OFFICE

It is here that we must be glad that in Australia we have federal and state privacy guardians to take up the challenges of privacy invasions of the modern age. In Victoria, the Privacy Commissioner has special responsibilities over what in Europe is called data protection. Helen Versey heads a dedicated office that scrutinises particular privacy concerns that arise in this State.

These concerns include issues such as the following:

• Ultranet: A proposed major information, technology and data access project designed to connect students, teachers and parents, and to allow remote electronic access to curriculum assessment, progress, attendance and administrative information. A tender to develop the project is being developed in the Victorian Department of Education. Fortunately, that Department continues to provide information to the Privacy Commissioner on the project and to seek advice on the way in which ultranet should be developed.
• The Victorian Student Number (VSN): Legislation was enacted by the Victorian parliament early in 2008 to provide for a VSN. This is a unique student identifier to be used on first enrolment in any Victorian school, public and private. It will follow the student through school and any TAFE career, up to the age of 24. Again, there have been ongoing consultations between the Department of Education and Privacy Victoria designed to incorporate privacy safeguards into the final form of the VSN. Ensuring that students and their families know the use that it is being made of the VSN and have access to the information collected, so far as possible, to understand the way in which they are being projected to the world and users is the key to the application of privacy principles in this new administrative tool.

• Myki – the new electronic ticketing system for Melbourne public transport: This new system is designed to provide a durable, reusable smart card that stores money, travel days or both. Following consultation and input from Privacy Victoria, most people using myki will have the choice of purchasing and using an anonymous myki, limited and publicly declared information will be provided concerning the usage to which the information will be put. The transport authorities continue to consult on the privacy issue. And this is the consequence of having in place legislation establishing a privacy guardian propounding privacy principles and ensuring that developments conform to those principles or, if they do not, that the exceptions are known and explanations are afforded.

• Electronic health records and a universal health identifier appears to be coming following the agreement of the Council of Australian Governments to implement and operate a system of individual and health care provider identifiers. Privacy Victoria has been participating in the consultations over this development and the Australian Health Ministers Conference has promised robust and effective legislative protection for the privacy of personal information whilst achieving the health care benefits that can be gained through better sharing of health information. Privacy protection is never absolute. It always involves a balance against other fundamental rights and benefits.

• Surveillance: There has been extensive consultation between the Victorian Law Reform Commission and Privacy Victoria over an enquiry into surveillance in public places. In a sense, this development, and the use of CCTVs in public spaces, is a counter-part of the development of facilities on the internet. Everyone knows of the cases where CCTV records have been used in the apprehension and identification of serious criminals and the London terrorists. The Victorian Law Reform Commission has supported most of the proposals for reform advanced by Privacy Victoria. Both in police surveillance and implementation of anti-terrorist laws, it is necessary to ensure that fundamental protections are preserved. Otherwise, in the name of combating crime and terrorism, we unravel the very democratic features of our society that the criminals and terrorists attack.

• Social networking and cyber-bullying: The case of Megan Meier in the United States has many parallels in Australia. In mid-July 2009, a 14 year old girl in Victoria named Chantelle, took her own life in circumstances that have focused attention on the dangers of social networking sites and the risks of cyber-bullying. Chantelle’s mother blamed the suicide on the internet. The case involved the fourth suicide in six months among students at the same school. It has highlighted the severe impact that cyber-bullying can sometimes have on young people. Bullying is a significant factor in mental health problems for children and adolescents. Mobile phones, instant messaging software, chat rooms and social networking sites can all be used for bullying. The internet has made it easier for free communication and harmless association to occur. But it has also promoted the opportunity for mass audience outreach and great impact on individuals. Bullying has now left from the playground and the technology is seamless and makes it possible to extend a bullying culture into a wider community. We need to confront this “dark side” of human behaviour. This has led to new explorations by Privacy Victoria into what privacy means to young people; what privacy issues affect young people; and how best they can be informed of their privacy rights and of how to protect them.

I do not pretend that it is easy to safeguard privacy in the current age. But surrendering the endeavour as just too difficult to achieve is not an option. The internet is exciting and overwhelmingly beneficial. It leaps the orders of this world. It binds our species together as never before. It provides an outlet for freedom fighters everywhere. We have seen these features recently in Burma, Iran and many other places. We should be positive and optimistic about the value of the new technology. In any case, the new technology is expanding every day. And in its regulation, Australia is a small player.

I applaud the work of Privacy Victoria. I honour the Privacy Commissioner, Helen Versey, and the Deputy Commissioner, Anthony Bendall. I honour those who work with them to safeguard the privacy of Victorians. I applaud the role that the Victorian Charter of Rights & Responsibilities plays in also safeguarding privacy and ensuring that law-makers and officials build privacy concerns into the laws and policies of this State. In this respect, Victoria is certainly a leader in Australia. Good citizens know that privacy is an attribute of fundamental human rights and freedoms. It is an assertion that, within limits that are set by law, individuals have an entitlement to protect their personal being, their immediate family and relationships, their individual space and their information penumbra. For a small agency, Privacy Victoria has achieved much. But its greatest challenges lie ahead.

******

SUMMARY

The full text of the Information Privacy Principles forms schedule 1 of the Information Privacy Act 2000 (Vic). To determine legal rights and responsibilities, use the full version, not this summary.

Victoria’s Information Privacy Principles (IPPs)

1. Collection
Collect only personal information that is necessary for performance of functions. Advise individuals that they can gain access to their personal information.

2. Use and disclosure
Use and disclose personal information only for the primary purpose for which it was collected or a secondary purpose the person would reasonably expect. Uses for secondary purposes should have the consent of the person.

3. Data Quality
Make sure personal information is accurate, complete and up to date.

4. Data Security
Take reasonable steps to protect personal information from misuse, unauthorised access, modification or disclosure.

5. Openness
Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.

6. Access and correction
Individuals have a right to seek access to their personal information and seek corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.

7. Unique identifiers
A unique identifier is usually a number assigned to an individual in order to identify the person for the purposes of an organisation’s operations. Tax File Numbers and Driver’s Licence Numbers are examples. Unique identifiers can facilitate data matching. Data matching can diminish privacy. IPP 7 limits the adoption and sharing of unique identifiers.

8. Anonymity
Give individuals the option of not identifying themselves when entering transactions with organisations, if this would be lawful and feasible.

9. Transborder data flows
Basically, if your personal information travels, privacy protection should travel with it. Transfer of personal information outside Victoria is restricted. Personal information may be transferred only if the recipient protects privacy under standards similar to Victoria’s IPPs.

10. Sensitive information
The law restricts collection of sensitive information like an individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.

The Information Privacy Principles are simply… the right information, to the right people, for the right reason, in the right way, at the right time.

Office of the Victorian Privacy Commissioner

GPO Box 5057
Melbourne Victoria 3001 Australia
DX 210643 Melbourne

Level 11
10-16 Queen Street
Melbourne Victoria 3000 Australia

Local Call 1300 666 444
Local Fax 1300 666 445
www.privacy.vic.gov.au
enquiries@privacy.vic.gov.au

An independent statutory office established by the Victorian Parliament under the Information Privacy Act 2000.