Victorian Numbered Acts Victorian Numbered ActsAfter Part 1 of the Privacy and Data Protection Act 2014 insert —
(1) The Information Commissioner has the following functions—
(a) functions relating to information privacy set out in section 8C;
(b) functions relating to protective data security and law enforcement data security set out in section 8D;
(c) functions conferred on the Information Commissioner by or under this Act;
(d) functions conferred on the Information Commissioner by or under any other Act.
(2) The Information Commissioner must have regard to the objects of this Act in the performance of the Commissioner's functions and the exercise of the Commissioner's powers under this Act.
(3) Except where expressly provided in this Act, the Information Commissioner is not subject to the direction or control of the Minister in respect of the performance of the Information Commissioner's duties and functions and the exercise of the Information Commissioner's powers.
(1) The Privacy and Data Protection Deputy Commissioner has the following functions—
(a) functions relating to information privacy set out in section 8C(2);
(b) functions relating to protective data security and law enforcement data security set out in section 8D(2);
(c) any function conferred by the Information Commissioner on the Deputy Commissioner by authorisation under section 8F;
(d) any other function conferred on the Information Commissioner by or under this Act, except —
(i) a function of the Information Commissioner referred to in section 8A(1)(d); or
(ii) a function of the Information Commissioner referred to in section 8C(1) or 8D(1); or
(iii) a function of the Information Commissioner referred to in section 8F; or
(iv) a function of the Information Commissioner referred to in section 8O; or
(v) issuing directions under section 8P; or
(vi) making reports under section 116.
(2) The Privacy and Data Protection Deputy Commissioner must have regard to the objects of this Act in the performance of the Deputy Commissioner's functions and the exercise of the Deputy Commissioner's powers under this Act.
(3) Except where expressly provided in this Act, the Privacy and Data Protection Deputy Commissioner is not subject to the direction or control of the Minister in respect of the performance of the Deputy Commissioner's duties and functions and the exercise of the Deputy Commissioner's powers.
(1) The Information Commissioner has the following functions in relation to information privacy—
(a) in accordance with Division 3 of Part 3, to undertake activities relating to the development and approval of codes of practice;
(b) to develop and publish model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;
(c) to make public interest determinations and temporary public interest determinations in accordance with Division 5 of Part 3;
(d) to approve information usage arrangements in accordance with Division 6 of Part 3;
(e) to examine and assess any proposed legislation that would require or authorise acts or practices of an organisation that may, in the absence of the legislation, be interferences with the privacy of an individual or that may otherwise have an adverse effect on the privacy of an individual, and to report to the Minister the results of the examination and assessment;
(f) to make public statements in relation to any matter affecting personal privacy or the privacy of any class of individual;
(g) to issue guidelines and other materials in relation to the Information Privacy Principles and information usage arrangements;
(h) to undertake reviews of any matters relating to information privacy, as requested by the Minister;
(i) to make reports or recommendations in relation to information privacy as provided for by section 111.
(2) The Information Commissioner and the Privacy and Data Protection Deputy Commissioner each have the following functions in relation to information privacy—
(a) to promote understanding and acceptance of the Information Privacy Principles and of the objects of those Principles;
(b) to examine the practice of an organisation with respect to personal information maintained by that organisation for the purpose of ascertaining whether or not the information is maintained according to the Information Privacy Principles or any applicable code of practice;
(c) to issue certificates under Division 7 of Part 3;
(d) subject to this Act—
(i) to receive complaints about an act or practice of an organisation; and
(ii) if appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the complaint;
(e) to issue compliance notices under Division 9 of Part 3 and to carry out an investigation for that purpose;
(f) to conduct or commission audits of records of personal information maintained by an organisation for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles or any applicable code of practice;
(g) to consult and cooperate with persons and bodies concerned with information privacy;
(h) to undertake research in relation to matters relating to information privacy.
(1) The Information Commissioner has the following functions in relation to protective data security and law enforcement data security—
(a) to issue protective data security standards and law enforcement data security standards;
(b) to develop the Victorian protective data security framework;
(c) to issue guidelines and other materials in relation to protective data security standards;
(d) to undertake reviews of any matters relating to protective data security, as requested by the Minister;
(e) to undertake reviews of any matters relating to law enforcement data security and crime statistics data security, as requested by the Minister;
(f) to make reports or recommendations in relation to data security as provided for by section 111.
(2) The Information Commissioner and the Privacy and Data Protection Deputy Commissioner each have the following functions in relation to protective data security and law enforcement data security—
(a) to promote the uptake of protective data security standards by the public sector;
(b) to conduct monitoring and assurance activities, including audits, to ascertain compliance with data security standards;
(c) to refer findings of monitoring and assurance activities, including audits, to an appropriate person or body for further action;
(d) to undertake research in relation to matters relating to protective data security and law enforcement data security relevant to the public sector, particularly relating to information and communications technology;
(e) to retain copies of protective data security plans.
If a function may be performed by the Information Commissioner and the Privacy and Data Protection Deputy Commissioner, that function may be performed by—
(a) the Information Commissioner; or
(b) the Privacy and Data Protection Deputy Commissioner; or
(c) the Information Commissioner and the Privacy and Data Protection Deputy Commissioner.
(1) The Information Commissioner may in writing authorise the Privacy and Data Protection Deputy Commissioner to perform any of the following functions of the Information Commissioner, as specified in the authorisation—
(a) to undertake activities in relation to the development or approval of a specified code of practice;
(b) to develop and publish specified model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;
(c) to make a specified public interest determination or a specified temporary public interest determination in accordance with Division 5 of Part 3;
(d) to approve a specified information usage arrangement;
(e) to issue a specified protective data security standard or a specified law enforcement data standard;
(f) to review or amend the Victorian protective data security framework, as specified;
(g) to issue guidelines and other materials in relation to a specified protective data security standard.
(2) The Information Commissioner may at any time in writing revoke an authorisation under this section, and on that revocation may continue and complete any action commenced under the authorisation by the Privacy and Data Protection Deputy Commissioner.
(1) The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Information Commissioner's functions.
(2) The Privacy and Data Protection Deputy Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Deputy Commissioner's functions.
(1) The Governor in Council may appoint an eligible person as the Privacy and Data Protection Deputy Commissioner.
(2) A person is not eligible for appointment as the Privacy and Data Protection Deputy Commissioner if the person is—
(a) a member of the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or
(b) a member of a council.
(3) A person may hold office as Privacy and Data Protection Deputy Commissioner for not more than 2 terms (whether consecutive terms or otherwise).
(1) The appointment of the Privacy and Data Protection Deputy Commissioner is to be for the period, not exceeding 5 years, set out in the instrument of appointment.
(2) Subject to this Part, the Privacy and Data Protection Deputy Commissioner holds office on the terms and conditions determined by the Governor in Council.
(3) Subject to section 8H(3), the Privacy and Data Protection Deputy Commissioner may be reappointed.
(4) The Privacy and Data Protection Deputy Commissioner is entitled to leave of absence as determined by the Governor in Council.
(5) The Privacy and Data Protection Deputy Commissioner must not directly or indirectly engage in paid employment outside the duties of the relevant office.
The Privacy and Data Protection Deputy Commissioner is entitled to be paid the remuneration and allowances that are determined by the Governor in Council.
(1) The Privacy and Data Protection Deputy Commissioner ceases to hold office if the office holder—
(a) resigns by notice in writing delivered to the Minister; or
(b) becomes an insolvent under administration; or
(c) is convicted of an indictable offence or an offence that, if committed in Victoria, would be an indictable offence; or
(d) nominates for election for the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or
(e) nominates for election as a member of a council; or
(f) is removed from office under section 8L.
(2) The Privacy and Data Protection Deputy Commissioner's resignation under subsection (1)(a) takes effect on—
(a) the day on which it is received by the Minister; or
(b) if a later day is specified in the notice, on that day.
(1) The Governor in Council, on the recommendation of the Minister, may suspend or remove the Privacy and Data Protection Deputy Commissioner from office on any of the following grounds—
(a) misconduct;
(b) neglect of duty;
(c) inability to perform the duties of the office;
(d) any other ground on which the Governor in Council is satisfied that the Privacy and Data Protection Deputy Commissioner should not hold office.
(2) If the Privacy and Data Protection Deputy Commissioner is removed from office, the Minister must cause a full statement of the grounds for removal to be presented to each House of Parliament within 10 sitting days of that House after the removal.
(1) The Governor in Council, on the recommendation of the Minister, may appoint an eligible person to act as the Privacy and Data Protection Deputy Commissioner—
(a) during a vacancy in the office of the Deputy Commissioner; or
(b) during any period, or all periods, when the Deputy Commissioner is absent from duty or from the State or, for another reason, cannot perform the functions of the office.
(2) A person is not eligible for appointment to act as the Privacy and Data Protection Deputy Commissioner if the person is—
(a) a member of the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or
(b) a member of a council.
(3) An appointment under subsection (1) is for the period, not exceeding 12 months, set out in the instrument of appointment.
(4) The Governor in Council, on the recommendation of the Minister, may at any time remove the acting Privacy and Data Protection Deputy Commissioner from office.
(5) While a person is acting in the office of the Privacy and Data Protection Deputy Commissioner, the person—
(a) has, and may exercise, all the powers and must perform all the duties of that office under this Act and any other Act; and
(b) is entitled to be paid the remuneration and allowances that the Privacy and Data Protection Deputy Commissioner would have been entitled to for performing those duties.
An act or decision of the Privacy and Data Protection Deputy Commissioner or acting Privacy and Data Protection Deputy Commissioner is not invalid only because—
(a) of a defect or irregularity in or in connection with the appointment of the Privacy and Data Protection Deputy Commissioner or acting Privacy and Data Protection Deputy Commissioner; or
(b) in the case of an acting Privacy and Data Protection Deputy Commissioner, the occasion for so acting had not arisen or had ceased.
(1) The Information Commissioner may by instrument delegate to the Privacy and Data Protection Deputy Commissioner or a member of staff of the Office of the Victorian Information Commissioner any of the Information Commissioner's functions and powers under this Act except this power of delegation.
(2) The Information Commissioner may by instrument delegate to the Privacy and Data Protection Deputy Commissioner or any member of staff of the Office of the Victorian Information Commissioner a function or power relating to information privacy, protective data security or law enforcement data security conferred on the Information Commissioner by or under any other Act.
(3) With the written consent of the Information Commissioner, the Privacy and Data Protection Deputy Commissioner may by instrument delegate to a member of staff any of the Deputy Commissioner's functions and powers (including any function or power delegated under subsection (1)) except this power of delegation.
The Information Commissioner may issue directions to the Privacy and Data Protection Deputy Commissioner or to any member of staff of the Office of the Victorian Information Commissioner for the purposes of this Act in relation to the performance of functions under this Act other than in relation to the following—
(a) certifying consistency of an act or practice under section 55; or
(b) the conciliation of a complaint under Subdivision 3 of Division 8 of Part 3.".