ACT Numbered Regulations - Explanatory Statements ACT Numbered Regulations - Explanatory Statements[Index] [Search] [Download] [Related Items] [Help]
INFORMATION PRIVACY AMENDMENT REGULATION 2015 (NO 1) (NO 6 OF 2015)
2015
THE LEGISLATIVE
ASSEMBLY
FOR THE AUSTRALIAN CAPITAL
TERRITORY
INFORMATION PRIVACY
AMENDMENT
REGULATION 2015 (No
1)
SL2015-6
EXPLANATORY
STATEMENT
Presented by
Simon Corbell
MLA
Attorney-General
Information Privacy Amendment
Regulation 2015
(No 1)
Outline
This regulation amends the Information Privacy Amendment Regulation 2014.
This regulation is made under section 25(1)(h) of the Act which provides that the Act does not apply to acts or practices for an agency prescribed by regulation.
The regulation prescribes the administrative unit responsible for the administration of ACT Courts and Tribunal, exempting it from the operation of the Information Privacy Act 2014 (the Act) when that unit discloses or uses personal information for the purposes of implementing the new case management system project known as the Integrated Case Management System (ICMS).
Disclosure and use under this exemption can only be made to the West Australian Department of the Attorney-General (WADAG), as the provider of the infrastructure supporting the new ICMS.
The 2014-15 Budget contained an appropriation of $3.825 million over four years for the upgrade of the ACT Courts and Tribunal ICT systems. As part of the transition from the old MAX system to the new ICMS, live test data is required to be transferred to WADAG to support the testing, implementation and maintenance of the new system.
The scope of the exemption for the ICMS case management system project is limited to the disclosure or use of personal information held by ACT Courts and Tribunal to the WADAG for the development, testing and installation of an information management system for cases heard, or to be heard by ACT Courts and Tribunal, and the ongoing maintenance and upgrading of the system.
The exemption will permit disclosure of personal information from MAX to WADAG for the purposes of testing software used in ICMS to migrate data from MAX to ICMS. It will also permit disclosure of personal information to WADAG for the future ongoing support and improvements of ICMS.
The risk of any privacy breach as a result of the disclosure to WADAG is low. There is a standard privacy protection clause in the procurement contract with WADAG. WADAG has confirmed that access to all data will be restricted to those who have gone through a proper vetting process and that the data hosted in WA will be protected and secured in a Tier 4 Data Centre (highest security). This provides a similar level of protection to that which currently exists in the ACT Government computer network.
The Office of the Australian Information Commissioner was consulted in the development of this regulation and did not object.
Human rights implications
This regulation provides a limited exemption for specific acts of use and disclosure of personal information by the ACT Courts and Tribunal. This exemption engages the right to privacy (s 12, Human Rights Act 2004) and may limit that right.
The limitation on the right is justifiable given consideration of the following factors:
a) the nature of the right affected: the right to privacy is a fundamental right, but is not absolute and can be limited by clear legislative provision. In this case the legislative provision is in the Information Privacy Regulation, rather than listed as a specific exemption under section 25 of the Act. The highly specific nature of the exemption, which is constrained to a particular named project, for which an exemption may not always be required, or which may change according to revisions to the procurement agreement is properly suited to inclusion in a regulation.
b) the purpose of the limitation: the purpose of providing an exemption is to provide clear and explicit authority for the use and disclosure of personal information collected and held by the ACT Courts and Tribunal, for the purposes of testing, developing and maintaining the ICMS system. Arguably, even without the exemption in this regulation, the ACT Courts and Tribunal would be able to use and disclose this information to allow for the upgrade of the existing case management system within the terms of the Territory Privacy Principles as part of normal business practice. However, given the risks to the successful implementation of the ICMS if data migration is unsuccessful or delayed and the sensitive nature of the data, a specific exemption for use of the personal information or disclosure to the WADAG will allow the ACT Courts and Tribunal to confidently share live data with WADAG for ICMS testing as well as for ongoing support and maintenance for the ICMS system.
Further, there is a public interest in ensuring that the data migrated from MAX to ICMS is accurately and securely migrated in order to avoid inaccuracies or errors in the data as a result of having to scramble data to avoid disclosing or using personal information for migration and testing of the new ICMS software.
c) the nature and extent of the limitation: The risk of any privacy breach as a result of the disclosure to WADAG, or use as part of the case management system project is low. There is a standard privacy protection clause in the procurement contract with WADAG. WADAG has confirmed that access to all data will be restricted to those who have gone through a proper vetting process and that the data hosted in WA will be protected and secured in a Tier 4 Data Centre (highest security). This provides a similar level of protection to that which currently exists in the ACT Government computer network.
The Act will continue to apply to storage, access to and correction of the migrated personal information in the ICMS system that will ultimately be hosted within the ACT. This means that protections and the ability to make a privacy complaint about alleged breaches of those protections to the independent Privacy Commissioner remain in place.
d) the relationship between the limitation and its purpose: the disclosure and use of personal information for the development, testing and installation of an information management system for cases heard, or to be heard by ACT Courts and Tribunal, and the ongoing maintenance and upgrading of the system has been drafted to be as targeted in application as is possible, while still allowing flexibility in the delivery of a stable, secure and functional case management system.
The enhanced case management system will improve the experience of those
dealing with the ACT Courts and Tribunal system by improving allocation and
follow through on matters and reducing hearing wait times. It is anticipated
that the new case management system will ultimately support the rights to trial
without delay (Human Rights Act – s 18(6) and s 22(2)(c)).
e) any
less restrictive means reasonably available to achieve the purpose the
limitation seeks to achieve: the use of scrambled or fictitious data
instead of personal information held by the ACT Courts and Tribunal was
considered as an option for the migration and testing of the new ICMS system.
This option would be possible but would add substantially to the cost, time and
complexity of the system upgrade and would increase the likelihood of
‘go-live errors’ and ‘system failures’ on its rollout
The importance of the implementation of the new case management system, and the
substantial risks to the development and rollout of the system arising from the
use of scrambled data has been assessed as warranting a limited exemption to
clearly provide for the use and disclosure of unscrambled personal information
for the upgrade project.
Notes on clauses
Clause 1 Name
of regulation
This is a formal provision that sets out the name of
the regulation.
Clause 2 Commencement
This is a formal
provision that provides for the commencement of the regulation. This regulation
will commence on the day after it is notified.
Clause 3 Legislation
amended
This clause lists the legislation to be amended by the
regulation. This regulation will amend the Information Privacy Amendment
Regulation 2014.
Clause 4 Section 6 heading
This
clause is a technical amendment that amends the heading of section 6 of the
regulation to allow for the inclusion of a second exemption (for the use and
disclosure of personal information for the case management project) inserted by
this Regulation.
Clause 5 Section 6 (2)
This clause is a
technical amendment required to indicate that there will be two prescribed
public sector agencies under the amended regulation.
Clause
6 New section 7
This clause inserts a new section 7 to the regulation
which creates an exemption for the administrative unit responsible for the
administration of ACT Courts when it:
a) discloses personal information held
by the Courts and Tribunal to the administrative unit of the Department of the
Attorney General of Western Australia for the case management system; or
b) uses personal information for the case management system
project.
The clause also inserts a note explaining that personal
information also includes sensitive personal information (defined in s 14 of the
Act).
The clause sets out the scope of the case management system project
defining that project as:
a) the development, testing and installation of an
information management system for cases heard, or to be heard, by ACT courts
(which includes the Tribunal); and
b) the ongoing maintenance and upgrading
of the system.
This clause provides that the ACT Courts and Tribunal can
use personal information, or disclose personal information to the WADAG for the
purposes of developing, testing, installing, maintaining and upgrading the
information technology system used to allocate, manage and finalise cases
without having to obtain the consent of the individuals whom the information is
about. The information which can be used or disclosed includes sensitive
personal information including information about an individual’s criminal
record.
Clause 7 Dictionary, note 3
This clause is a
technical court that inserts ‘ACT court’ into note 3 of the
dictionary to the Regulation to indicate that the term ACT court has the same
meaning that it has in the Information Privacy Act 2014, and includes the
Tribunal..