Privacy Roundtable Meeting
Date: Thursday 19 September 2019
Time: 10 am – 12 pm AEST
Location: OVIC Training Room, Level 34, 121 Exhibition Street
- Office of the Victorian Information Commissioner
- Annan Boag – Assistant Commissioner, Privacy and Assurance
- Dermot Dignam – Manager, Privacy Guidance
- Caitlin Galpin – Senior Privacy Guidance Officer
- Tricia Asibal – Policy Officer
- Department of Transport
- Department of Education
- Department of Health and Human Services
- Department of Justice and Community Safety
- Department of Premier and Cabinet
Welcome and introduction
- The Assistant Commissioner, Privacy and Assurance, welcomed the members of the Privacy Roundtable.
- OVIC tabled proposed Terms of Reference, noted that these incorporated changes to promote open and frank discussion amongst attendees.
- It was noted that principal changes included the provision for OVIC to publish both the Terms and minutes produced following Roundtable events on the OVIC public website. This publication would allow other agencies who are not members of the group to benefit from the discussions held.
The Manager, Privacy Guidance discussed:
- OVIC’s updated Breach Guidance which aims to assist organisations that are subject to the Privacy and Data Protection Act 2014 (Vic) (PDP Act) to prepare for and respond to the privacy implications of data breaches involving personal information.
- OVIC’s Regulatory Action Policy which details how OVIC will use its powers of regulatory action, including making informal preliminary enquiries, audits and examinations, investigations, issuing compliance notices and associated penalties as well as public reports.
- The recent release of OVIC’s Closer to the Machine: Technical, social and legal aspects of AI e-book, available on its public website.
- The Information Privacy Principles (IPP) Updated Guidelines project, which is ongoing. The final tranche of draft updates to the four chapters of the Guidelines had been published, with feedback required by 20 September.
- The Assistant Commissioner discussed feedback received on chapters to date, noting that feedback on IPP 9 suggested this as an area of focus.
Global Privacy Enforcement Network (GPEN) Sweep
- The Manager, Privacy Guidance, noted that, as in past years, OVIC is participating in the GPEN annual ‘Sweep’, a coordinated global analysis of organisations’ privacy practices. This year’s theme is data breach notifications and how agencies understand their obligations internally and externally.
- OVIC noted that it is in the process of randomly selecting the organisations that will participate and respond to the issued surveys.
Recent OVIC Myki Report/Compliance Notice
- OVIC discussed its publication of a report in August 2019, relating to its investigation into the release of Myki data. OVIC noted that the report includes recommendations that call for stronger privacy protections for open data releases.
- OVIC noted that it has also published a recent blog piece detailing lessons for agencies arising from this report, focussing on re-identification of de-identified data, privacy impact assessments and overarching effective data governance.
- An attendee noted that the report clarified the interpretation of what is, and what has the potential to become, personal information.
- The Assistant Commissioner advised that context is crucial in determining whether information is ‘personal information’ and discussed that the addition of information security could reduce the likelihood that de-identified information would be determined to be personal information.
Review of OVIC complaints process
- The Manager, Privacy Guidance noted that OVIC is currently reviewing its approach to complaints handling and conciliation. Attendees provided feedback to the review.
- Some attendees noted they would benefit from greater clarity regarding OVIC’s intent and purpose in the conciliation process, greater consideration to early resolution where practicable, and direction where OVIC diverges from its usual process, such as not directing individuals to the organisation in the first instance.
- A member queried how the process is managed when the scope of a complaint and its required response changes during the process, noting that this may occur in a face-to-face setting. The Manager, Privacy Guidance advised that it would be appropriate for agencies to state their preference for providing a response, such as taking this on notice. The Assistant Commissioner discussed the specificity of the PDP Act regarding what can be considered before the Victorian Civil and Administrative Tribunal (VCAT) and noted VCAT’s process for considering new elements. OVIC noted that it would consider developing guidance on this matter.
- A member queried the manner in which OVIC provides guidance to complainants on requested outcomes. The Manager, Privacy Guidance advised that requests for particular outcomes elicit reality testing and guidance from OVIC, though the complainant may refute OVIC’s advice. The Assistant Commissioner discussed compensation in relation to loss and harm, and it was noted that OVIC provides specific fact sheet guidance and general verbal advice on this matter throughout conciliation.
Agency representative updates
- Group members discussed key challenges, trends and initiatives in their relevant areas.
Common themes arising from this discussion included:
- Resourcing constraints and the impact of structural change at organisations.
- A significant uplift in the number of Privacy Impact Assessments received across departments this year.
- The value of regulator-provided guidance and templates, particularly for privacy impact assessments and the risks associated with de-identification of personal information. A member queried whether there was scope for OVIC to collaborate on guidance documents with the Health Complaints Commissioner. The Assistant Commissioner advised that joint guidance had been released in the past and that OVIC would consider the group’s request for closer collaboration.
Examination of Local Government Privacy Policies Report
- OVIC’s Privacy Guidance Team spoke to the recent publication of a report outlining the findings of an examination of all 79 local government authorities’ privacy policies.
- OVIC noted that while privacy policies may be made available as required by the PDP Act, areas for improvement include how a policy is written and presented, and the inclusion of information about making a privacy complaint.
- OVIC noted that the key areas to consider in reviewing organisational privacy policies are:
  - Findability and accessibility
  - Policy control
  - Policy content
  - Privacy complaints
- OVIC noted that it has developed and published an IPP 5 Self-Assessment Tool to assist with such reviews.
Model Terms for Transborder Data Flows
- OVIC’s Policy Team spoke to the recently published Model Terms for Transborder Data Flows, noting that this work was completed following updates to the IPP Guidelines. OVIC noted that this guidance had last been published in 2006.
- OVIC noted that the Model Terms are issued under s 8C of the PDP Act and are not prescriptive, rather they are a tool to assist organisations in complying with IPP 9.
- OVIC noted that the Model Terms may be appropriate where a higher standard of privacy protection is required.
- OVIC noted that the Model Terms may also be appropriate where the recipient organisation is unfamiliar with the IPPs.
- OVIC reminded attendees of the upcoming Privacy Network Event, to be hosted on Wednesday 9 October at 9.30am. OVIC encouraged privacy professionals, and those with a general interest in privacy and information management, to attend.
Meeting closed 11.40am