Victorian Attorney-General Robert Clark yesterday introduced a new privacy and security bill into the state’s legislative assembly that will seek to enshrine common government data security standards into law.
The Victorian Privacy Data and Protection Bill 2014, if passed, will replace the state’s current privacy and law enforcement data security acts.
It will merge the positions of Victorian Privacy Commissioner and Victorian Commissioner for law enforcement data security, both of which are currently held by David Watts.
In their place, the government will appoint a Commissioner for privacy and data protection, whose responsibility will be to promote the state’s privacy principles, guide agencies, investigate privacy complaints and audit agency compliance with state-wide data protection standards.
A spokesman for the Attorney-General has yet to confirm whether Watts will be transitioned to the new role.
One of the new Commissioner’s first jobs will be to establish a Victorian protective data security framework “for monitoring and assuring the security of public sector data,” according to the bill.
The framework “must be as consistent as possible with standards relating to information security (including international standards)”, the draft legislation states.
The bill also gives the Commissioner discretion to allow agencies to apply for some flexibility in terms of the state’s privacy principles, in cases where they seek to handle or share personal information they deem to be in the public interest.
“These reforms enhance privacy protections for individuals while giving public sector agencies greater clarity about the appropriate use of personal information,” Clark said in a statement.
The standards will apply across the Victorian public sector, which has in the past struggled to coordinate and deliver consistent protection of the personal information it holds.
In November last year Victorian Auditor-General John Doyle found the state government was worryingly underprepared for a cyber attack, and that it lacked any central coordinating authority that could monitor incursions taking place across multiple agencies at the same time.
The audit was released just days after Technology Minister Gordon Rich-Phillips promised a whole-of-government cyber security strategy for the state.
This followed a 2009 report which uncovered evidence that the confidentiality of private information held by the Victorian Government had been compromised, and that agency databases were widely vulnerable to penetration.
The new laws will apply only to state government agencies in Victoria. The Australian Privacy Principles, adopted by the Commonwealth in March this year, apply to Commonwealth agencies and all private organisations with an annual turnover exceeding $3 million.