Sven Bluemmel: what agencies can expect from Vic privacy and FOI reforms

By The Mandarin

Wednesday January 24, 2018

The Office of the Victorian Information Commissioner has combined oversight of FOI, privacy, and data protection. It combines the functions of the previous Office of the Privacy and Data Protection Commissioner and the Office of the Freedom of Information Commissioner.

The establishment of OVIC signals a new direction for engagement with public sector agencies and entities to assist them in information management issues and to help drive systemic and cultural change, particularly in FOI. To quote from the second reading speech of the FOI Act amending bill:

“The creation of this new office will provide more proactive and integrated FOI, privacy and data protection leadership in Victoria, particularly by driving the cultural shifts necessary to improve the way government manages and provides access to information.”

It also means we can build a consistent regulatory approach across all three areas. I have been spending a significant amount of my time engaging with stakeholders to promote and drive cultural change in the administration of the Freedom of Information and Privacy and Data Protection acts, through which I have gained valuable insights into the current issues facing agencies. These include:

  • increasing pressures in responding to FOI requests in a reduced timeframe;
  • delivering better services using insights from data while respecting privacy; and
  • preparing for the implementation of the Victorian Protective Data Security Standards.

My vision for FOI, privacy and data protection

In summary, through government agencies working with OVIC, there will be improved outcomes for applicants under the FOI Act in timeliness, convenience and informality.

More information will be proactively released, other information will be released upon informal request and the FOI process will only be needed as a last resort.

Professional standards developed by OVIC will provide clear guidance for agencies. OVIC will provide the highest quality of training and guidance to agencies, as well as assistance to members of the public. This will be done without charge.

In short, a culture will develop where it gets easier and easier to do the right thing under FOI. Or, looking at it from another angle, it will get harder and harder to do the wrong thing.

And, if one does choose to do the wrong thing, it will be just about impossible to defend that choice. That is the vision.

Encouraging proactive release

Let me dig a bit deeper.

The ability for individuals to access information held by government is a core pillar of democracy. OVIC is working to ensure that the process is as easy to navigate as possible for individuals and agencies.

My impression is that while the majority of agencies are approaching the FOI Act with a view to releasing as much information as possible, some agencies are still devoting considerable effort to finding loopholes and adopting technical approaches to avoid their obligations under the FOI Act or delay reviews by my Office.

I encourage agencies to adopt a more flexible, less technical approach to the FOI Act.

There are significant gains to be made by agencies proactively identifying opportunities for ‘routine’ or ‘administrative’ release regimes. Nothing in the FOI Act intends to discourage agencies from publishing or giving access to documents outside of the FOI Act. In fact s.16 provides for making the maximum amount of information available to the public promptly and inexpensively.

Part II statements also have a role to play here — we’ve observed that there is scope for agencies to provide more comprehensive and detailed information about their information holdings, and to encourage applicants to seek access without making a formal FOI request, where it is appropriate to do so.

My experience has been that this will improve outcomes for the community, as intended by the FOI Act and the parliament, and enable agencies to better focus their FOI resources.

Expanded training and resources

Looking next at training and resources.

We see OVIC as having a major role in providing continuing general and tailored face-to-face training to agency officers on FOI and privacy administration, exemptions and administrative decision making.

OVIC currently has a range of regular forums, training and education and agency guidance materials to assist agencies to improve their practice at an agency level.

However, we are working on enhancing our suite of online training, including webinars and e-modules and information resources, such as fact sheets and e-bulletins, and to make them available free of charge.

Development of Professional Standards

Another of my key priorities will be the development of and consultation on new professional standards under Part IB of the FOI Act.

The purpose of professional standards is to ensure greater public access to government held information, by providing agencies with clarity, and making them accountable for acting consistently with the pro-disclosure object of the FOI Act.

Principal officers will be directly responsible for ensuring that all of their staff, not just FOI officers and units, are aware of and comply with the professional standards. This significant amendment recognises that access to information held by Victorian agencies is a shared responsibility.

I consider the professional standards will be a useful tool to improve administrative FOI practices by giving agencies clarity and guidance on the following matters:

  1. Assisting applicants in making FOI requests.
  2. Identifying relevant documents.
  3. Communicating and consulting with applicants and third parties.
  4. Ensuring timely decision-making, including the use of extensions of time when making decisions.
  5. Assisting my office in conducting FOI reviews and dealing with complaints.

Exactly what the Standards will cover, and their content, will be determined over time and will be informed by consultation with agencies.

If you haven’t done so already, be sure to subscribe to information updates on our website.

With the proliferation of digital records, it is timely for OVIC to work with the Public Records Office of Victoria and agencies to ensure that agencies embed FOI requirements into their digital information management systems to ensure that they are able to respond in a timely and efficient manner to requests for documents.

Assisting agencies in this way will ensure agencies are planning ahead to give effect to their obligations under the FOI Act. Digitally-held data must be accessible, searchable and capable of being edited to allow for partial access of information, where necessary.

OVIC too needs to work smarter to meet increasing demands on our office. OVIC has seen a 40% increase in the number of applications for review and complaints to our office in 2016-17 on the three previous years (which has continued into 2017-18).

Our office is implementing a range of measures to improve the timeliness and efficacy of our external review and complaints process.

These measures include a greater focus on informal resolution and early finalisation of review and complaint matters through direct and prompt engagement between OVIC, applicants and agencies. To date, this has resulted in a 50% reduction in the number of files progressing through to a formal review or complaint. Where applications proceed to a formal review, we are also finding that the number of documents subject to review is often reduced by sending a schedule of documents to the applicant and early identification of an applicant’s critical concerns about an agency’s decision.

We are also rolling out a simplified notice of decision for review matters that proceed to a formal decision, where appropriate. This has involved reducing the length and complexity of our notices of decision, wherever possible, so that applicants and agencies receive a decision and access to information or their review rights without undue delay.

Information privacy and information sharing

I now move to information privacy which OVIC regulates under the Privacy and Data Protection Act 2014. The privacy provisions and the Information Privacy Principles under the Privacy and Data Protection Act remain the same under Victoria’s new information access and management regime.

However, agencies’ obligations under the Privacy and Data Protection Act need to be considered in light of the immense value of personal information to government and the private sector alike.

Much of the most valuable data that government has access to contains personal information of individuals. Used appropriately, this information enables government agencies to make informed decisions and provide better policy and service responses to the issues of the day.

The Productivity Commission’s Report on Data Availability and Use, which was released in March this year, highlighted that the majority of the data held by Australian government agencies is not being fully utilised.

But there is another side to the coin – it can’t just be about what we as government agencies can get from the information.

Upholding the privacy of an individual’s personal information is paramount for a number of important reasons.

  1. Privacy is recognised as a human right, including in Victoria under the Victorian Charter of Human Rights and Responsibilities.
  2. There are significant economic and social benefits in establishing strong relationships based on trust and transparency with the public.
  3. People need to feel secure in the knowledge that we are handling their information appropriately. That confidence, in turn, builds the social licence given to government to undertake these activities as the public has trust in the public sector’s stewardship of their personal information.
  4. The Information Privacy Principles, while based on privacy, are in effect just good and respectful information management practices, which when in place assist a more structured approach to information management.

A challenge for any organisation, whether public or private, is knowing how to reap the social and economic benefits of all of this information while establishing strong privacy and security protections.

Technology further enhances this challenge. It creates new uncertainties around how personal information is to be handled in accordance with privacy law. This is evident through big data, internet of things devices, artificial intelligence and blockchain technology.

Alongside the technological issues, experience tells us that organisations are also grappling with more traditional privacy challenges that transcend technology, such as information sharing, de-identification, and understanding the privacy obligations that carry through to outsourced service providers.

My office has a major role in working with agencies on privacy and projects. My office is not interested in hampering projects ‘because of privacy’.

We are working towards facilitating closer working relationships with agencies to assist them in meeting their privacy obligations and assisting them to achieve their information sharing objectives in a privacy-enhancing way.

We want agencies to utilise us in planning their projects and building in privacy protections, and to seek our advice and assistance where required.

OVIC will facilitate more robust advice for agencies, and cement an integrated approach to information management across the public sector. When agencies seek privacy advice from OVIC, our response will not only be guided by privacy but will also be provided through a data protection and public access lens.

Data protection

The third OVIC function that I would like to discuss is data protection.

The Victorian government has committed to effectively manage protective data security risks within the Victorian public sector. OVIC is unique in that it is the first of its kind in Australia to integrate data security and protection. Our objective is to foster a more risk-based approach to protective data security.

As you will no doubt be aware, the Victorian Protective Data Security Framework is the overall scheme for managing protective data security risks in Victoria’s public sector.

The framework seeks to introduce cultural change so that protective data security practices are reflected in everyday business operations, and all agency personnel take a shared responsibility. The framework consists of:

  1. The Victorian Protective Data Security Standards endorsed by the Special Minister of State.
  2. The associated assurance model.
  3. Supplementary security guides and supporting resources developed by OVIC.

The framework has been developed to help public-sector organisations manage protective data security risks by:

  1. Identifying information assets.
  2. Assessing the value of information.
  3. Identifying and managing protective data security risks.
  4. Applying security measures.
  5. Enhancing their protective data security capability.
  6. Creating a positive security culture.

While OVIC aims to establish data security as an integral and natural element within an agency’s information management culture, I recognise that a partnership approach to the roll out of the framework and the standards is critical to their success.

Through consultations with a number of agencies, I am aware that a number are already devoting considerable resources towards the implementation of the standards. These consultations have also identified for my office the need to develop a new governance model that will inform and steer the next phase of the implementation of the framework and standards to ensure that improved data security capability adds value to agencies’ operations and services.

For this reason, OVIC is currently refocusing its work in this area to develop a robust and consultative governance model to ensure we fully understand the sector’s perspective as we implement the framework and the standards. My office’s guidance material and reporting requirements placed on agencies will only lead to meaningful and positive change if those materials are respected as having been built on a solid foundation of recognising agency business realities.

To ensure that this is the case, we need to talk to agencies. At all levels of their business. My OVIC colleagues in the data protection team have been doing exactly that. As a result of what we have heard, OVIC has adapted or suspended certain activities. These include:

  1. Cessation of OVIC’s procurement process for a monitoring and assurance software solution to support the VPDSF Assurance Model.
  2. The removal of the requirement (from the framework) for organisations to provide me with a copy of their security risk profile assessment and self-assessment against the standards.
  3. Revisiting the framing of the attestation template and instead focusing on capturing compliance status at a high level and making it clear that the detailed assessment against each Standard does not need to be provided to my office.

Except where advised, in all other respects the framework and standards remain operative and the VPDSF five step action plan provides the appropriate guidance for organisations implementing the Standards. Organisations are still required to submit a high-level protective data security plan and revised attestation to my office in 2018.

In other words, the substantive requirements placed upon agencies by the Privacy and Data Protection Act and the standards have not changed. What has changed is how, and in what level of detail, agencies are required to tell OVIC about them.

OVIC has also commenced a new project titled Insight and Innovation, Security Behaviours in the VPS, and is currently working alongside a diverse range of departments and agencies in order to understand how to drive positive changes to the culture of security and data protection across the public sector.

One of the outcomes of this project will be a co-designed Insight and Innovation paper to support future engagement opportunities for the framework and help inform targeted training and awareness material made available by OVIC to agencies.

At an agency level, the desired indicator is that there is a sense of assurance that they are making the right calls as they balance up the competing interests that bear upon critical information management issues.

OVIC as regulator

I would now like to turn to how OVIC will go about its work and what agencies can expect from our approach.

My vision for OVIC is to be a regulator that engages constructively with agencies to achieve the legislative outcomes that have been entrusted to us by parliament – while also maintaining our independence and impartiality.

I want to ensure that agency practices in privacy, data protection and information access are consistently improving, ensuring that Victoria’s approach to handling information is as robust as possible.

The way I foresee doing this is to make it as easy as possible for agencies to do the right thing. Key to us being able to achieve this will be continuing the conversation. I need to understand the environment that agencies operate in, the challenges they face, and the areas where more guidance is needed.

While a regulatory body has an important statutory role to play, it’s my intention that our engagement with agencies is focused on support, guidance, and constructive feedback. During OVIC’s short three months, agencies are seeking our views on early drafts of new legislation regarding privacy impacts, and agencies are self-reporting suspected data breaches to the office to seek advice on how to respond.

OVIC welcomes the opportunity to work with Victorian agencies in a positive and collaborative manner and it has been great to see the agencies that we have worked with regard us as an enabler for their objectives, rather than as a regulator who wants to catch them out ‘doing something wrong’.

I also intend to work closely with other bodies who issue standards and guidelines — such as PROV and WOVG CISO. OVIC will be supporting an oversight approach which is consistent, predictable, and efficient, and the more we can ensure our messages are aligned, the better this will be.

However, to work, this kind of regulatory approach does place some demands on you and your agencies about how you deal with us.

We will be as collaborative a regulator as your agency allows us to be. If you are open about your issues, we will work with you to help find a solution. If you are responsive to our needs we will make allowance for the challenges you may face from time to time.

However, if we encounter concealment, delaying tactics, and the use of technical arguments to defend the indefensible, I will use my statutory powers to call out these practices for what they are.

The approach we want to take is about collaboration and capability development. So it is up to your organisation which version of this regulator it will be working with. And if you are unsure how we may respond to how your organisation plans to deal with a certain issue – don’t send us a letter in a month’s time. Ring us up today and work it through with us.

So my clear message to you is that our doors are open to agencies so that we can support them as they go about their day to day business processes. OVIC has a lot to do, but I know that my colleagues and I are up for the challenge. We want to do our bit to shape the best possible future for FOI, privacy and data protection in Victoria.

I look forward to working with agencies to achieve the important legislative reform across the Victorian public sector that was envisaged at the inception of OVIC.
