Victoria’s privacy watchdog has issued a blistering critique of “dysfunctional” changes to the state’s freedom of information and privacy and data protection system currently being considered by parliament.
Privacy and data protection commissioner David Watts argues the government’s proposed changes will import a governance structure that has caused “dysfunction” elsewhere and may lead to conflicts of interest. He believes FOI reforms will not be “substantive”, representing a “missed opportunity”, accusing the government of failure to consult.
Watts rejected reports, however, that he was threatening to quit.
“I have not petulantly said I’d resign,” he told The Mandarin.
“Far from it, but I’ve indicated very clearly I would not be willing to run or participate in a governance structure that’s so flawed and has no evidence base for it.”
Consultation on the changes only took place after the key decisions about the new structure had already been taken, Watts argues, suggesting the government had ignored normal policy development processes. In a statement to The Mandarin, a government spokesperson said:
“The Commission for Privacy and Data Protection was consulted on the proposed reforms and invited to provide feedback ahead of the drafting of the Bill. The government has offered further opportunities for the commission to give feedback and to date we have not received any formal feedback on the Bill.”
Update, August 19: Watts disputes this claim, publishing an account on his website on Friday.
The government wants to institute a system similar to New South Wales and the Commonwealth. But Watts isn’t convinced its use in other places is a good enough reason to reproduce it here:
“What I’m calling for is some debate about this, and for the community to look at what the key issues are, rather than saying NSW and the Commonwealth have done this, so we should too,” he argues.
He’s concerned changing the system now will jeopardise the work the office is doing to change the culture of the public service with regard to privacy and data protection — work that is important, even if not always welcome.
“We understand it can be uncomfortable, but you do have to drive change. Security in Victoria has been identified as being really bad over and over again. We’re addressing it,” he states.
Under the changes, the Office of the Freedom of Information Commissioner and the Commissioner for Privacy and Data Protection would be merged.
The new body, known as the Office of the Victorian Information Commissioner, would be led by the Victorian information commissioner — who will still be a statutory officer — with two deputies subject to lower protections: the public access deputy commissioner and a privacy and data protection deputy commissioner.
Watts argues in a paper published by his office that the reforms will lead to a “significant weakening” of the independence of commissioner roles.
The new regime would effectively enable the minister to dismiss the two new deputy commissioners — who are currently statutory officers only sackable by both houses of parliament — at will.
This creates the situation where the two deputies, who will carry the bulk of the often controversial workload, will have fewer workplace protections than their own staff.
“They’re really hard jobs, you need to attract the best people,” Watts told The Mandarin. “Who would want to do that job? How would you manage your staff?”
And while the Bill explicitly provides that the minister may not direct the deputy commissioners, the fact that they could now be dismissed by a meeting of the executive, which would only need to inform parliament, means it would be hard for the deputy commissioners to maintain independence in the face of a determined minister.
A government spokesperson noted that the information commissioner, in charge of the new agency, would still be protected from dismissal by the requirement for a majority of both houses of parliament, but didn’t dispute that the deputies would be subject to weaker requirements.
The information commissioner and deputy commissioners will be appointed following a competitive recruitment process, the government says.
The changes may “embed a conflict of interest into the administrative structure” by combining privacy and data protection with FOI functions, the commission’s paper argues.
Watts believes “there does not appear to have been any substantial policy basis for the introduction of the structure” in other jurisdictions, and it has caused problems:
“Experience in a number of jurisdictions indicates that the model does not work. … The experience in NSW is that the structure has led to conflict. This dysfunction has led to persistent and intractable disputes between commissioners. In Queensland, the privacy commissioner position was not permanently filled for years. Similar issues with the Commonwealth legislation have led to significant turnover in the roles, with two of the three not currently filled and the senior role currently the subject of an acting appointment.
“In short, the evidence base that has emerged following implementation of the information commissioner model elsewhere in Australia suggests that structural dysfunction will be the outcome of passing the Bill.”
The government argues there is value in having a single regulator, however. A spokesperson said:
“These changes ensure the Victorian community has a single regulator to oversee Victoria’s FOI, public sector privacy and data protection laws, and provide independent advice to government across those closely-related fields. The new body will also help improve the way government manages information.”
The commissioner says he is at a loss as to why the government would want to get rid of the office he leads — which has been in place only since 2014 — suggesting it may have something to do with “discomfort” about its efficacy:
“Replacement of the governance regime for privacy and data protection appears premature. In this short period it is inconceivable that government could have tested the existing governance arrangements, found them wanting and developed a more effective model.
“Since 2014 significant progress has been made in developing privacy and data protection policy and frameworks and in encouraging sensible operational responses to adverse incidents involving privacy and data protection. Despite this progress, the developments are still at an early stage and need to be consolidated. A governance change at this stage can be expected to damage and at least to some degree reverse this process. It is tempting to conclude that the proposed changes are a reaction to discomfort caused by the existing governance structure and the effectiveness of developments. This is not a positive conclusion.
“… There is more than a passing appearance that the proposals for change to governance in the Bill are intended to further inhibit the change process commenced by the PDPA [Privacy and Data Protection Act].”
FOI reforms not ‘substantive’
Watts also thinks the proposed changes to the FOI regime would not be “substantive”, as the community expects:
“The first of these issues is that the FOI changes are minor compared to community expectations for the future of FOI. The government has indicated that a root and branch review of FOI is to occur at some unspecified future time. In this context, the Bill is an opportunity lost. The changes proposed by the Bill to FOI are largely process changes rather than substantive. The regime could be significantly more effective if supported by improvements in the substantive requirements for disclosure.”
He noted that while the bill proposes to lower the permissible amount of time for agencies to answer FOI requests from 30 to 45 days, real change “will be meaningless unless accompanied by either the significantly greater human resources support or a fundamental rethink of FOI systems and processes.”