Privacy Roundtable Meeting
Date: Thursday 6 February 2020
Time: 10 am – 12 pm AEDT
Location: OVIC Training Room, Level 34, 121 Exhibition Street
- Office of the Victorian Information Commissioner
- Annan Boag – Assistant Commissioner, Privacy and Assurance
- Dermot Dignam – Manager, Privacy Guidance
- Caitlin Galpin – Senior Privacy Guidance Officer
- Anita Mugo – Senior Policy Officer
- Department of Education
- Department of Health and Human Services
- Department of Jobs, Precincts and Regions
- Department of Justice and Community Safety
- Department of Premier and Cabinet
- Department of Treasury and Finance
- Victoria Police
Welcome and introduction
- The Assistant Commissioner, Privacy and Assurance, welcomed the members of the Privacy Roundtable.
The Manager, Privacy Guidance discussed:
- The publication of the Australian Dispute Resolution Advisory Council’s (ADRAC) conciliation discussion paper which proposes a definition of ‘conciliation’. OVIC is supportive of this definition.
- OVIC’s recently published case notes relating to privacy matters as determined by the Victorian Civil and Administrative Tribunal (VCAT) or the Supreme Court of Victoria:
  - Kaliszewski v Department of Justice and Community Safety (Human Rights)  VCAT 27
  - Tucker v State Revenue Office (Human Rights)  VCAT 53
  - McLean v Racing Victoria Ltd  VSC 690
- Review of OVIC complaints process
- Manager, Privacy Guidance noted changes to OVIC’s privacy complaint processes over the past 18 months. This included greater direction from OVIC in identifying the preferred method to conciliate complaints; revised templates for notification and decision letters; and greater provision of guidance to complainants and organisations on the application of the Privacy and Data Protection Act 2014.
- Manager, Privacy Guidance discussed how these changes have decreased the number of privacy complaints referred by OVIC to the Victorian Civil and Administrative Tribunal.
- Identified trends in enquiries or complaints being made to OVIC, including queries relating to information required to be published in a public register.
The Policy Team discussed:
- OVIC’s Victorian Privacy Network meeting scheduled for 12 March 2020, including notable presentations from the ACCC discussing the Final Report on Digital Platforms Inquiry; from the Victorian Centre for Data Insight on data building capacity; and a panel discussion on the privacy implications of new technology.
- OVIC’s scheduled activities for Privacy Awareness Week (PAW), to be held from 4 – 8 May 2020. The team noted that this year’s PAW theme is ‘Privacy – Protect Yours, Respect Others’.
- The introduction of OVIC’s Privacy Management Framework which is intended to provide organisations with guidance on the policies and procedures that promote good privacy practices within an organisation. The Framework will shortly be available for consultation and is intended to be published during PAW.
Agency representative updates
- Group members discussed key challenges, trends and initiatives in their relevant areas.
Common themes arising from this discussion included:
- Trends reporting a significant uplift in the number of Privacy Impact Assessments (PIAs) received across departments and agencies. This was generally attributed to an increased awareness as a result of targeted training amongst departmental staff; others noted the increase may be a result of mandates for PIA completion on particular projects. It was noted that any outsourcing of the completion of PIAs should not be conflated with outsourcing responsibility for complying with privacy obligations for that project.
- PAW and other privacy awareness initiatives such as the introduction of eLearning modules, the development of privacy and risk management training and other accountability measures. Many departments and agencies noted that training was being developed in collaboration with other areas of the business, such as IT, Procurement and Records teams.
OVIC’s Information Security Incident Notification Scheme
- OVIC’s Information Security Team spoke to the introduction of the Information Security Incident Notification Scheme (ISINS). It was noted that the ISINS is in effect for incidents discovered/identified from October 2019 onwards.
- OVIC noted that the ISINS is a notification scheme introduced under Element 9.010 of the Victorian Protective Data Security Standards (VPDSS). The team noted that applicable organisations are also required to report Protective Data Security Plans (PDSPs) every two years, with the next PDSP due 21 August 2020.
- OVIC discussed the threshold for reporting incidents: incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level of 2 (limited) or higher.
- OVIC’s Information Security team accepts notifications but does not provide an assistance capability. The Privacy Guidance team is available to provide guidance in relation to personal information which may be involved in the reported incident.
- A member noted the requirement for increased efforts to harmonise their work with other departmental teams, to make sure teams are coordinating their response and sharing awareness of incidents.
- A member queried whether notifications made under the ISINS may lead to an OVIC-initiated audit or investigation of the reporting organisation. The Assistant Commissioner, Privacy and Assurance noted that although this is possible, the scheme is being set up to provide assurance and gain insight into the state of information security across the VPS, rather than primarily to inform regulatory action.
Meeting closed 11.50am