Service Victoria Bill 2017 - Victorian Legislation and … · 2018-01-18


Service Victoria Bill 2017

Introduction Print

EXPLANATORY MEMORANDUM

General

The purpose of the Bill is to provide for the delivery of Government services to the public by Service Victoria and for other purposes.

Clause Notes

Part 1—Preliminary

Part 1 of the Bill outlines the purposes of the Bill and contains the commencement provisions and definitions.

Clause 1 provides that the main purposes of this Bill are—

(a) to provide for the delivery of Government services to the public by Service Victoria; and

(b) to provide for a regulatory framework for the provision of identity verification functions by the Service Victoria CEO.

Clause 2 sets out the commencement of the Bill. It will come into operation on the day or days that it is proclaimed or, if a provision of this Bill does not come into operation before 1 March 2018, it comes into operation on that day.

Clause 3 provides definitions for the key terms used in the Bill.

Clause 4 subclause (1) defines a service agency as any of the following—

(a) a public service body;

(b) a public entity;

(c) Victoria Police;

581275 BILL LA INTRODUCTION 31/10/2017


(d) a Council;

(e) a person holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person was appointed by the Governor in Council, or by a Minister, otherwise than under an Act. For example, this could include the Registrar of Births, Deaths and Marriages employed under section 5 of the Births, Deaths and Marriages Registration Act 1996.

Subclause (2) provides that a service agency does not include a special body (other than Victoria Police).

Part 2—Transfer of customer service functions to Service Victoria

Part 2 of the Bill outlines how customer service functions may be transferred from a service agency to the Service Victoria CEO and, if necessary, transferred back to the service agency.

Division 1—Ministerial agreements

Clause 5 subclause (1) provides that subject to subclause (3), the Minister and the service agency Minister may agree that the Service Victoria CEO is to perform a customer service function that is to be prescribed as a transferred customer service function.

Subclause (2) provides that an agreement under subclause (1) must be in writing and a copy of it must be given to the service agency head and the Service Victoria CEO.

Subclause (3) provides that if the Minister is the service agency Minister, the Minister may publish a notice in the Government Gazette that—

(a) the function is to be prescribed as a transferred customer service function; and

(b) as a result of that prescription, the Service Victoria CEO is to perform the function.

Subclause (4) provides that a copy of a notice under subclause (3) must be given to the service agency head and the Service Victoria CEO.


Subclause (5) provides that, despite anything to the contrary in the enactment that confers a customer service function on a service agency, on the commencement of a regulation that prescribes the customer service function as a transferred customer service function—

(a) the customer service function is to be performed by the Service Victoria CEO; and

(b) the service agency cannot perform the customer service function, unless it is delegated to the service agency head under section 8.

Clause 6 provides that the Service Victoria CEO and service agency head must use best endeavours to give effect to an agreement or a notice under clause 5 that applies to them.

Division 2—Transferred customer service functions

Clause 7 provides that the Minister and the service agency Minister may agree for the transfer back to a service agency of any transferred customer service function and sets out the requirements of this transfer.

Clause 8 enables the Service Victoria CEO to delegate any transferred customer service function back to the service agency head.

Subclause (2) provides a power of sub-delegation, which will allow service agency heads to further delegate the powers to assist the Service Victoria CEO.

Division 3—Other matters

Clause 9 authorises a service agency to disclose regulated information that the agency holds to the Service Victoria CEO or a delegate for the purpose of enabling transferred customer service functions or ancillary functions. Clause 9 ensures service agencies and Service Victoria are able to disclose the necessary information to facilitate the delivery of customer service functions. To ensure appropriate protection of this information, any disclosure of information obtained under this Bill is subject to the offences contained in clauses 50 and 51 of the Bill. Clause 55 outlines how a disclosure can be made when the regulated information is subject to a secrecy provision.


Part 3—Transfer of identity verification functions to Service Victoria

Part 3 of the Bill outlines how identity verification functions may be transferred from a service agency to the Service Victoria CEO and, if necessary, transferred back to the service agency.

Division 1—Ministerial agreements

Clause 10 subclause (1) provides that subject to subclause (3), the Minister and the service agency Minister may agree that the Service Victoria CEO is to perform an identity verification function that is to be prescribed as a transferred identity verification function.

Subclause (2) provides that an agreement under subclause (1) must be in writing and a copy of it must be given to the service agency head and the Service Victoria CEO.

Subclause (3) provides that if the Minister is the service agency Minister, the Minister may publish a notice in the Government Gazette that—

(a) the function is to be prescribed as a transferred identity verification function; and

(b) as a result of that prescription, the Service Victoria CEO is to perform the function.

Subclause (4) provides that a copy of a notice under subclause (3) must be given to the service agency head and the Service Victoria CEO.

Subclause (5) provides that, despite anything to the contrary in the enactment that confers an identity verification function on a service agency, on the commencement of a regulation that prescribes the identity verification function to be a transferred identity verification function—

(a) the identity verification function is to be performed by the Service Victoria CEO; and

(b) the service agency cannot perform the identity verification function, unless it is delegated to the service agency head under section 13.


Clause 11 provides that the Service Victoria CEO and a service agency head must use best endeavours to give effect to an agreement under clause 10(1) or a notice under clause 10(3) that applies to them.

Division 2—Transferred identity verification functions

Clause 12 provides that the Minister and the service agency Minister may agree for the transfer back to a service agency of any transferred identity verification function, and sets out the requirements of this transfer.

Clause 13 enables the Service Victoria CEO to delegate any transferred identity verification function back to the service agency head.

Subclause (2) provides a power of sub-delegation, which will allow service agencies to further delegate the powers to assist the Service Victoria CEO.

Division 3—Other matters

Clause 14 authorises a service agency to disclose regulated information that the agency holds to the Service Victoria CEO or a delegate for the purpose of enabling transferred identity verification functions or an ancillary function to be performed. Clause 14 ensures service agencies and Service Victoria are able to disclose the necessary information to facilitate the delivery of customer service functions. To ensure appropriate protection of this information, any disclosure of information obtained under this Bill is subject to the offences contained in clauses 50 and 51 of the Bill. Clause 55 outlines how a disclosure can be made when the regulated information is subject to a secrecy provision.

Part 4—Role of Service Victoria

Part 4 of the Bill sets out the role of the Service Victoria CEO and requires the establishment of the Service Victoria database.

Clause 15 sets out the functions of the Service Victoria CEO, who has the following functions—

(a) to perform transferred customer service functions;


(b) to develop customer service standards to improve the delivery of Government services to individuals;

(c) to verify identity and to perform transferred identity verification functions;

(d) to assist the Minister to develop identity verification standards to achieve a consistent and secure process to verify identity;

(e) to issue electronic identity credentials;

(f) to provide advice and information on matters relating to customer service functions and identity verification functions;

(g) to perform functions ancillary to a function referred to in paragraphs (a) to (c);

(h) to perform any other functions conferred by or under this Bill or an enactment.

Clause 16 subclause (1) provides that the Service Victoria CEO has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Service Victoria CEO's functions.

Subclause (2) provides that, for the purposes of performing a transferred customer service function, the Service Victoria CEO may exercise any power (whether express or implied) under the enactment that confers the customer service function on the service agency that is necessary or convenient to be exercised to perform that transferred customer service function.

Clause 17 requires that the Service Victoria CEO establish and maintain a database for the purposes of recording information required for the performance of the functions of Service Victoria and the Service Victoria CEO.

The Service Victoria database—

(a) must be kept electronically; and

(b) may include the following information relating to individuals who use Service Victoria services—

(i) customer service information;

(ii) account information;


(iii) identity information;

(iv) electronic identity credentials;

(v) credential usage history;

(c) may be comprised of multiple databases.

Clause 18 subclause (1) provides that this clause applies if the Service Victoria CEO does not give an application or request for an authority or official information document that the Service Victoria CEO has received to the appropriate service agency for determination because the application or request does not meet the requirements under the relevant enactment.

Subclause (2) provides that the exercise of that power is not to be taken to be a decision of the service agency to reject or refuse the application or request. Clause 18 ensures that the Service Victoria CEO is able to refuse to pass through an incomplete application (e.g. the application requires, but the applicant does not provide, any contact details) in the same manner as service agencies without creating any administrative appeal rights.

Part 5—Customer service functions

Division 1—Performance of customer service functions

Part 5 of the Bill sets out how the Service Victoria CEO is to perform customer service functions, including the minimum standards that apply to handling certain types of information.

Clause 19 requires that the Service Victoria CEO complies with customer service standards when performing—

(a) transferred customer service functions; or

(b) a function that is ancillary to a transferred customer service function.

The clause includes an example of a function that is ancillary to a transferred customer service function, which is refunding a payment that was collected as part of exercising a transferred customer service function.


Division 2—Customer service standards

Clause 20 requires that the Service Victoria CEO develops standards that relate to one or more of the following—

(a) the customer experience with the provision of services;

(b) the development and design of processes for the provision of services;

(c) the handling of customer complaints, including response times for handling customer complaints;

(d) the monitoring of and reporting on compliance with the customer service standards;

(e) any other matter related to the exercise of customer service functions.

Customer service standards must be published on the Internet.

Division 3—Minimum standards for customer service information and account information

Division 3 of Part 5 of the Bill creates a set of minimum standards for handling certain types of information. The purpose of the minimum standards is to provide strong safeguards for the handling of information, which are in many instances more stringent than the requirements of the Privacy and Data Protection Act 2014 and the Health Records Act 2001.

The minimum standards distinguish between the following types of information collected by the Service Victoria CEO in the exercise of customer service functions under the Bill—

• customer service information, which is defined in clause 3 as regulated information which relates to—

  • authorities or official information documents; or

  • applications for the issue or grant of an authority or official information document, such as an authority or official information document, or a copy of, or application for, such an authority or document; and

• account information, which is defined in clause 3 as regulated information which relates to an individual's Service Victoria account, such as—

  • details of account usage; and

  • details of current authorities issued to the individual to whom the account relates, whether or not obtained through Service Victoria; and

  • expired or cancelled authorities issued to the individual to whom the account relates obtained through Service Victoria.

This distinction is necessary because different minimum standards apply to each type of information. For example, as customer service information relates to a specific transaction, the Service Victoria CEO must not retain this information once the transaction is complete, unless required by law. In contrast, account information can relate to any number of transactions which the individual has consented to the Service Victoria CEO collecting and so the Service Victoria CEO must not retain this information after the expiry of the relevant account, unless required by law.

Clause 21 requires that the Service Victoria CEO complies with the minimum standards set out in Division 3 of Part 5 of the Bill for the collection, use, disclosure and retention of customer service information and account information.

Subclause (2) provides that for the purposes of Division 8 of Part 3 of the Privacy and Data Protection Act 2014, a contravention of the minimum standards set out in Division 3 of Part 5 of this Bill involving personal information is taken to be an interference with the privacy of an individual. Subclause (2) ensures that an individual is able to make a complaint to the Information Commissioner in relation to a contravention of the minimum standards.

Subclause (3) provides that, for the purposes of Division 9 of Part 3 of the Privacy and Data Protection Act 2014, a contravention of the minimum standards set out in Division 3 of Part 5 of this Bill involving personal information is taken to be a contravention of an Information Privacy Principle of the Privacy and Data Protection Act 2014. Subclause (3) ensures that the Information Commissioner is able to exercise its enforcement powers, such as serving a compliance notice, in relation to a contravention of the minimum standards.

Subclause (4) provides that, for the purposes of Part 6 of the Health Records Act 2001, a contravention of the minimum standards set out in Division 3 of Part 5 of this Bill involving health information is taken to be an interference with the privacy of an individual. Subclause (4) ensures that an individual is able to make a complaint to the Health Complaints Commissioner in relation to a contravention of the minimum standards.

Subclause (5) provides that, for the purposes of section 66 of the Health Records Act 2001, a contravention of the minimum standards set out in Division 3 of Part 5 of this Bill involving health information is taken to be a contravention of that Act. Subclause (5) ensures that the Health Complaints Commissioner may serve a compliance notice in response to a contravention of the minimum standards.

Clause 22 subclause (1) provides that the Service Victoria CEO must not collect customer service information unless the collection is necessary to perform any functions under this Bill for an individual to whom that information relates.

Subclause (2) provides that the Service Victoria CEO must not collect account information unless—

(a) the collection is necessary to perform any functions under this Bill for an individual to whom that information relates; and

(b) the individual has consented.

Clause 23 subclause (1) provides that the Service Victoria CEO must not use or disclose customer service information unless the use or disclosure is necessary—

(a) to perform any functions under this Bill for an individual to whom that information relates; or

(b) for a person authorised by the Service Victoria CEO to carry out administrative, technical or other functions relating to the management, maintenance or auditing of the Service Victoria database.

Subclause (2) provides that the Service Victoria CEO must not use or disclose account information unless the use or disclosure is necessary—

(a) to perform any functions under this Bill for an individual to whom that information relates and the individual has consented; or


(b) for a person authorised by the Service Victoria CEO to carry out administrative, technical or other functions relating to the management, maintenance or auditing of the Service Victoria database.

Subclause (3) provides that, despite subclauses (1) and (2), the Service Victoria CEO may use or disclose customer service information or account information if—

(a) the information is personal information and it is used or disclosed in accordance with Information Privacy Principle 2.1(d), 2.1(e), 2.1(g) or 2.1(h) of the Privacy and Data Protection Act 2014; or

(b) the information is health information and it is used or disclosed in accordance with Health Privacy Principle 2.2(h), 2.2(i) or 2.2(j) of the Health Records Act 2001.

Clause 24 subclause (1) provides that the Service Victoria CEO must not retain any incomplete application for an authority or official information document for longer than the earlier of—

(a) 90 days after the creation of the application; or

(b) any other period required by law.

Subclause (2) provides that, subject to subclause (1), the Service Victoria CEO must not retain customer service information relating to an individual after the earlier of:

(a) notification being received from the service agency that the transaction to which the information relates is complete; or

(b) any other period required by law.

This subclause ensures that the Service Victoria CEO does not retain a completed application for, or details of, an authority or official information document after the individual's transaction is complete, unless required by law.

Subclause (3) provides that the Service Victoria CEO must not retain account information after the earlier of—

(a) the closure or expiry of the account to which the information relates; or

(b) any period required by law.


Subclause (4) provides that the Service Victoria CEO must not retain any authority or official information document, or copy of an authority or official information document, once it has been delivered to the individual to whom it relates, unless required by law.

Part 6—Identity verification and electronic identity credentials

Part 6 of the Bill establishes a new regulatory scheme for identity verification. The scheme allows the Service Victoria CEO to issue temporary electronic identity credentials and for individuals to provide consent for the credential to continue as an ongoing electronic identity credential.

Division 1—Performance of identity verification functions

Clause 25 requires that the Service Victoria CEO complies with the identity verification standards when—

(a) verifying identity under Part 6; or

(b) performing a function that is ancillary to identity verifications under Part 6.

Division 2—Identity verification and electronic identity credentials

Clause 26 subclause (1) provides that the Service Victoria CEO may determine the form and manner in which an individual may apply for the issue of a temporary electronic identity credential to the individual.

Subclause (2) provides that an application for a temporary electronic identity credential must be made in a form and manner consistent with, and be accompanied by any identity information required by, the determination made by the Service Victoria CEO.

Clause 27 subclause (1) provides that if an individual makes an application under clause 26, the Service Victoria CEO must—

(a) issue a temporary electronic identity credential to the individual; or

(b) issue an interim refusal notice to the individual in accordance with clause 28.


Subclause (2) provides that a temporary identity credential or interim refusal notice under subclause (1) must be issued—

(a) in the case of an individual who is a member of a prescribed class of individual—within the period prescribed for that class; or

(b) in any other case—within 10 days after receiving the application under clause 26.

The intention of subclause (2) is to provide a default decision-making time of 10 days, unless the individual is a member of a prescribed class of individual. A prescribed class of individual may include individuals whose identity cannot be readily verified (e.g. someone who has lost all identity documents in a fire). The exceptions process for verifying identity for these classes of individual will be contained in the identity standards issued under clause 41 of the Bill.

Subclause (3) provides that the Service Victoria CEO must issue a temporary electronic identity credential to an individual unless—

(a) any or all of the identity information accompanying the application under clause 26 cannot be verified using the procedure set out in the identity verification standards; or

(b) the Service Victoria CEO issued an electronic identity credential to the individual and that credential was suspended under clause 36; or

(c) the individual, before making the application, made the same, or a substantially similar, application that—

(i) was refused under clause 28; and

(ii) was accompanied by the same or substantially similar information.

Subclause (4) requires that, before a temporary electronic identity credential issued to an individual expires under subclause (5), the Service Victoria CEO must determine whether the individual, other than an individual to whom an ongoing electronic identity credential is issued, consents to the continuation of the temporary electronic identity credential as an ongoing electronic identity credential. The consent provision ensures user choice as to whether an ongoing electronic identity credential is created.

Subclause (5) provides that if an individual does not consent to the continuation of a temporary electronic identity credential, the temporary electronic identity credential expires—

(a) if the individual uses the credential for the purposes of a transaction, on the day on which that transaction is finally determined or the day on which the Service Victoria CEO has determined that the individual does not consent to the continuation of the credential, whichever is the later; or

(b) in any other case—10 days after the credential is issued.

Subclause (5) ensures that if an individual does not perform a transaction, the temporary electronic identity credential has a defined expiry date.

Subclause (6) provides that if an individual consents to the continuation of a temporary electronic identity credential, the Service Victoria CEO must issue an ongoing electronic identity credential to the individual.

Subclause (7) provides that unless it is renewed under clause 30, an ongoing electronic identity credential issued under subclause (6) expires on the earlier of the following—

(a) the expiry of a period of 10 years after the day on which the credential is issued; or

(b) the expiry of any shorter period prescribed for the purposes of this clause.

Clause 28 outlines the process for issuing an interim refusal notice for a temporary electronic identity credential.

Subclause (1) provides that an interim refusal notice issued to an individual under clause 27 must—

(a) specify the reasons that the notice was issued; and

(b) specify the date on which the notice is issued; and

(c) invite the individual to submit further identity information in support of the application in response to which the notice is issued within 28 days after the date of the notice.


Subclause (2) requires that within 7 days after receiving a submission under subclause (1) from an individual, the Service Victoria CEO must consider the submission and either—

(a) issue a temporary electronic identity credential to the individual; or

(b) refuse to issue a temporary electronic identity credential to the individual.

Subclause (3) provides that if the individual to whom an interim refusal notice is issued does not make a submission in response to that notice within 28 days after the date on which the notice is issued, the Service Victoria CEO must refuse to issue a temporary electronic identity credential to the individual.

Clause 29 provides that a temporary electronic identity credential may not be used in relation to the determination of more than one transferred customer service function or transferred identity verification function. This reflects the fact that the expiry of temporary electronic identity credentials is expressly linked to the performance of a transaction.

Clause 30 subclause (1) provides that an individual may apply to the Service Victoria CEO for the renewal of an ongoing electronic identity credential in the form and manner determined by the Service Victoria CEO.

Subclause (2) provides that an application for the renewal of an ongoing electronic identity credential must be made—

• at least 90 days before the credential is due to expire under clause 27(7); or

• if the credential is suspended under clause 36 and the period of that suspension ends less than 90 days before the credential is due to expire, as soon as reasonably practicable after the end of the suspension; and

• in a form and manner consistent with the determination made under subclause (1).

Subclause (3) provides that, if an individual makes an application for the renewal of an ongoing electronic identity credential, the Service Victoria CEO must—

(a) renew the ongoing electronic identity credential; or


(b) issue an interim refusal notice to the individual in accordance with clause 31.

Subclause (4) provides that the Service Victoria CEO must renew the ongoing electronic identity credential or issue an interim refusal notice under subclause (3)—

(a) in the case of an individual who is a member of a prescribed class of individual—within the period prescribed for that class; or

(b) in any other case—within 10 days after receiving the application for the renewal.

The intention of subclause (4) is to provide a default decision-making time of 10 days, unless the individual is a member of a prescribed class of individual. A prescribed class of individual may include individuals whose identity cannot be readily verified (e.g. someone who has lost all identity documents in a fire). The exceptions process for verifying identity for these classes of individual will be contained in the identity standards issued under clause 41 of the Bill.

Subclause (5) requires the Service Victoria CEO to issue an interim refusal notice to an individual if—

(a) the application for the renewal of the ongoing electronic identity credential does not comply with subclause (2); or

(b) the Service Victoria CEO is satisfied on reasonable grounds that the individual is not the individual to whom the credential relates; or

(c) the identity of the applicant has not been verified in accordance with the identity verification standards.

Subclause (6) provides that an ongoing electronic identity credential renewed under subclause (3) continues in force until the earlier of—

(a) the expiry of a period of 10 years after the day on which the credential is renewed under that clause; or

(b) the expiry of any shorter period prescribed for the purposes of this clause; or

(c) the cancellation of the credential under clause 38.


Clause 31 subclause (1) provides that an interim refusal notice issued to an individual under clause 30 must—

(a) specify the reasons that the notice was issued; and

(b) specify the date on which the notice is issued; and

(c) invite the individual to submit further identity information in support of the application for the renewal of the credential within 28 days after the date of the notice.

Within 7 days after receiving a submission under subclause (1) from an individual, the Service Victoria CEO must consider the submission and either—

(a) renew the ongoing electronic identity credential; or

(b) refuse to renew the ongoing electronic identity credential.

If the individual to whom an interim refusal notice is issued does not make a submission in response to that notice within 28 days after the date on which the notice is issued, the Service Victoria CEO must refuse to renew the ongoing electronic identity credential.

Clause 32 provides that the Service Victoria CEO may record the status and level of assurance of an electronic identity credential from time to time on the credential.

Clause 33 sets out the process for increasing the level of assurance of an ongoing electronic identity credential. An increase in the level of assurance would generally require additional identity information to be provided.

Subclause (1) provides that the Service Victoria CEO may determine the form and manner in which an individual may apply for an increase in the level of assurance of an ongoing electronic identity credential issued to the individual.

An application for an increase in the level of assurance of an ongoing electronic identity credential must—

(a) be made in a form and manner consistent with the determination made under subclause (1); and

(b) be accompanied by any identity information required by the determination made under subclause (1).

If an individual makes an application for an increase in the level of assurance, the Service Victoria CEO must—

(a) increase the level of assurance of the ongoing electronic identity credential; or

(b) issue an interim refusal notice to the individual in accordance with clause 34.

The Service Victoria CEO must increase the level of assurance of the ongoing electronic identity credential or issue an interim refusal notice under subclause (3)—

(a) in the case of an individual who is a member of a prescribed class of individual—within the period prescribed for that class; or

(b) in any other case—within 10 days after receiving the application for the increase.

The intention of subclause (4) is to provide a default decision-making time of 10 days, unless the individual is a member of a prescribed class of individual. A prescribed class of individual may include individuals whose identity cannot be readily verified (e.g. someone who has lost all identity documents in a fire). The exceptions process for verifying identity for these classes of individual will be contained in the identity standards issued under clause 41 of the Bill.

The Service Victoria CEO must increase the level of assurance of an ongoing electronic identity credential unless—

(a) any or all of the identity information accompanying the application for the increase cannot be verified using the procedure set out in the identity verification standards; or

(b) the individual to whom the credential is issued, before making the application for the increase, made the same, or a substantially similar, application that:

(i) was refused under clause 34; and

(ii) was accompanied by the same or substantially similar information; or

(c) the application for the increase does not comply with the determination under subclause (1).

If the level of assurance of an ongoing electronic identity credential is increased under subclause (3), that credential continues in force until the earlier of—

(a) the expiry of a period of 10 years after the day on which the level of assurance of the credential is increased; or

(b) the expiry of any shorter period prescribed for the purposes of this clause.

Clause 34 requires that an interim refusal notice issued to an individual under clause 33 must—

(a) specify the reasons that the notice was issued; and

(b) specify the date on which the notice is issued; and

(c) invite the individual to submit further identity information in support of the application for the renewal of the credential within 28 days after the date of the notice.

Within 7 days after receiving a submission under subclause (1) from an individual, the Service Victoria CEO must consider the submission and either—

(a) increase the level of assurance of the ongoing electronic identity credential; or

(b) refuse to increase the level of assurance of the ongoing electronic identity credential.

If the individual to whom an interim refusal notice is issued does not make a submission in response to that notice within 28 days after the date on which the notice is issued, the Service Victoria CEO must refuse to increase the level of assurance of the ongoing electronic identity credential.

Clause 35 outlines the legal effect of an electronic identity credential.

Subclause (1) provides that the requirements of a transferred identity verification function to obtain information relating to an individual's identity or to verify an individual's identity are met if—

(a) the Service Victoria CEO notifies the service agency that an electronic identity credential has been issued to the individual; and

(b) the level of assurance of the credential is the same as, or higher than, the level of assurance required for the purposes of the function under the identity verification standards.

The purpose of subclause (1) is to allow a service agency to rely on the existence of an electronic identity credential to satisfy the legal requirements relating to identity verification contained in the service agency's relevant enactment.

Subclause (2) provides that the suspension, expiry or cancellation of an electronic identity credential, or the removal or variation of any information recorded on that credential, does not, of itself, affect the validity of a transaction that relied on the credential to verify the identity of an individual if the suspension, expiry, cancellation, removal or variation takes place after the transaction is finally determined.

The purpose of subclause (2) is to ensure that transactions that have previously relied on an electronic identity credential are not invalidated by the expiry or cancellation of a credential. This reflects the status quo, where an individual may have used a driver's license to verify his or her identity in an application for a passport. The validity of the passport is not affected by the expiry or cancellation of the driver's license.

Subclause (3) provides that if the Service Victoria CEO notifies a service agency that an electronic identity credential has been issued to an individual, the Service Victoria CEO must notify the service agency if the credential is cancelled under clause 38.

The purpose of subclause (3) is to ensure that where an electronic identity credential is cancelled because the individual to whom the credential is issued is not the individual to whom the credential relates, the relevant service agencies are notified of this outcome. Each service agency may then take regulatory action under their relevant enactment (e.g. suspend the relevant authority).

Clause 36 requires that the Service Victoria CEO suspends the operation of an electronic identity credential if the Service Victoria CEO is satisfied on reasonable grounds that the individual to whom the credential is issued is not the individual to whom the credential relates.

The Service Victoria CEO may consider any information the Service Victoria CEO considers appropriate when determining whether to suspend an electronic identity credential under subclause (1).

As soon as reasonably practicable after suspending an electronic identity credential under subclause (1), the Service Victoria CEO must give the individual to whom the credential is issued a written notice that—

(a) specifies the date and grounds on which the credential was suspended; and

(b) invites the individual to make submissions on the suspension within 28 days after the date of the notice; and

(c) describes the effect of subclause (4), which is that the suspension of an electronic identity credential under subclause (1) is revoked if the Service Victoria CEO does not cancel the credential under clause 38(1) within the period set out in clause 38(2).

The suspension of an electronic identity credential under this clause has effect—

(a) from the time decided by the Service Victoria CEO and specified in the notice given to the individual under subclause (3); and

(b) until the credential is cancelled under clause 38(1) or the suspension of the credential is revoked.

The suspension of an electronic identity credential under this clause does not affect the date on which the credential is to expire.

The Service Victoria CEO must consider any submission from the individual in response to the invitation when determining whether to cancel an electronic identity credential under clause 38(1).

Clause 37 outlines the effect of suspension of an electronic identity credential, where a service agency has yet to make a final determination in relation to the relevant transaction.

Clause 37 applies if—

(a) a service agency is exercising a function conferred on the service agency by an enactment in relation to an individual to whom an electronic identity credential is issued; and

(b) the Service Victoria CEO has notified the service agency of the issue of the credential.

Subclause (2) provides that if the enactment that confers the function on the service agency specifies a time period in which the function must be exercised, that time period—

(a) ceases to run if, and from the time, the Service Victoria CEO notifies the service agency of the suspension of the credential; and

(b) begins to run again if, and from the time, the Service Victoria CEO notifies the service agency that the suspension of the credential is revoked.

The purpose of clause 37 is to ensure that, where the Service Victoria CEO suspends an electronic identity credential prior to the completion of a transaction for which the credential is being used, the statutory time periods for the service agency cease to run. This prevents a service agency from refusing an application or request on the basis that the identity requirements cannot be met as no electronic identity credential is in force.

Clause 38 subclause (1) requires that the Service Victoria CEO must, by written notice, cancel an electronic identity credential that is suspended under clause 36 if, after considering any submissions made on the suspension, the Service Victoria CEO is still satisfied on reasonable grounds that the individual to whom the credential is issued is not the individual to whom the credential relates.

Notice under subclause (1) must be given within 7 days after the earlier of—

(a) the day the Service Victoria CEO receives a submission from the individual in response to the invitation under clause 36(3)(b); or

(b) the end of the period during which the individual may make a submission in response to that invitation.

The Service Victoria CEO must cancel an electronic identity credential if the Service Victoria CEO is satisfied on reasonable grounds that—

(a) the credential has been issued or renewed in error or the level of assurance of the credential has been increased in error; or

(b) the individual to whom the credential was issued has died.

The Service Victoria CEO may consider any information the CEO considers appropriate when determining whether to cancel an electronic identity credential under subclause (3).

As soon as possible after cancelling an electronic identity credential under subclause (3)(a), the Service Victoria CEO must give the individual to whom the credential is issued a written notice of the cancellation.

A written notice of cancellation must specify the date and grounds on which the credential was cancelled.

A cancellation under this clause has effect from the time at which—

(a) in the case of a cancellation under subclause (1), notice is given under that subclause; or

(b) in the case of a cancellation under subclause (3)(a), notice of the cancellation is given to the individual under subclause (5); or

(c) in the case of a cancellation under subclause (3)(b), the Service Victoria CEO cancels the electronic identity credential.

Clause 39 ensures an individual retains control over whether he or she has an ongoing electronic identity credential.

Subclause (1) provides that an individual may apply to the Service Victoria CEO for the cancellation of an ongoing electronic identity credential in the form and manner determined by the Service Victoria CEO.

Subclause (2) provides that, on receiving an application for the cancellation of an ongoing electronic identity credential, the Service Victoria CEO must—

(a) cancel the ongoing electronic identity credential; and

(b) as soon as reasonably practicable after cancelling the credential, give notice in writing to the individual to whom the credential is issued of the cancellation.

Clause 40 provides that a person may apply to VCAT for review of a decision—

(a) to refuse to issue an electronic identity credential; or

(b) to cancel an electronic identity credential; or

(c) to refuse to renew an ongoing electronic identity credential; or

(d) to refuse to increase the level of assurance of an ongoing electronic identity credential.

An application for review under this clause must be made within 28 days after the day on which the Service Victoria CEO gives notice of the refusal or decision.

Division 3—Identity verification standards

Clause 41 provides that the Minister may make identity verification standards for the purpose of achieving a consistent and secure identity verification framework for transactions.

Under subclause (2), the identity verification standards are to deal with digital and non-digital processes, and should also address (but are not limited to)—

(a) determination of the level of assurance required for each transaction and any subsequent process for approval by the service agency Minister; and

(b) the identity information required for each level of assurance; and

(c) any exceptions process that will apply if an individual's identity cannot be readily identified; and

(d) any terms and conditions applying to the issue and renewal of an electronic identity credential.

Subclause (3) provides that the Minister must have regard to the guiding principles set out in clause 42 when making the identity verification standards.

Subclause (4) provides that the identity verification standards are a legislative instrument within the meaning of the Subordinate Legislation Act 1994.

Clause 42 sets out the guiding principles for making and using the identity verification standards, which are—

(a) user choice; and

(b) minimal data is to be requested and stored; and

(c) risk-based approach to identity verification; and

(d) security, transparency and accountability; and

(e) flexibility; and

(f) national consistency.

Clause 43 provides that the Service Victoria CEO must use the identity verification standards when performing functions under Part 6 of the Bill.

Division 4—Minimum standards for identity information

Division 4 of Part 6 of the Bill creates a set of minimum standards for handling certain types of information. The purpose of the minimum standards is to provide strong safeguards for the handling of information, which are in many instances more stringent than the requirements of the Privacy and Data Protection Act 2014 and the Health Records Act 2001.

Clause 44 provides that the Service Victoria CEO must comply with the minimum standards for the collection, use, disclosure and retention of identity information and electronic identity credential information.

Subclause (2) provides that a contravention of the minimum standards set out in Division 4 involving personal information is taken to be an interference with the privacy of an individual for the purposes of Division 8 of Part 3 of the Privacy and Data Protection Act 2014. Subclause (2) ensures that an individual is able to make a complaint to the Information Commissioner in relation to a contravention of the minimum standards.

Subclause (3) provides that, for the purposes of Division 9 of Part 3 of the Privacy and Data Protection Act 2014, a contravention of the minimum standards set out in Division 4 involving personal information is taken to be a contravention of an Information Privacy Principle of the Privacy and Data Protection Act 2014. Subclause (3) ensures that the Information Commissioner is able to exercise its enforcement powers, such as serving a compliance notice, in relation to a contravention of the minimum standards.

Subclause (4) provides that a contravention of the minimum standards set out in Division 4 involving health information is taken to be an interference with the privacy of an individual for the purposes of Part 6 of the Health Records Act 2001. Subclause (3) ensures that an individual is able to make a complaint to the Health Complaints Commissioner in relation to a contravention of the minimum standards.

Subclause (5) provides that, for the purposes of section 66 of the Health Records Act 2001, a contravention of the minimum standards set out in Division 4 involving health information is taken to be a contravention of that Act. Subclause (5) ensures that the Health Complaints Commissioner may serve a compliance notice in response to a contravention of the minimum standards.

Clause 45 provides that the Service Victoria CEO must not collect identity information unless the collection is necessary to perform any identity verification functions for an individual to whom that information relates and that individual has consented.

Clause 46 provides that the Service Victoria CEO must not use or disclose identity information, an electronic identity credential, information recorded on a credential or credential usage history unless it is necessary—

(a) to perform any function under the Bill for an individual to whom that information relates and the individual has consented; or

(b) for a person authorised by the Service Victoria CEO to carry out administrative, technical or other functions relating to the management, maintenance or auditing of the Service Victoria database.

Subclause (2) provides that despite subclause (1), the Service Victoria CEO may use or disclose identity information, an electronic identity credential, information recorded on a credential or credential usage history if—

(a) it is personal information used or disclosed in accordance with Information Privacy Principle 2.1(d), 2.1(e), 2.1(g) or 2.1(h) of the Privacy and Data Protection Act 2014; or

(b) it is health information used or disclosed in accordance with Health Privacy Principle 2.2(h), 2.2(i) or 2.2(j) of the Health Records Act 2001.

Clause 47 provides that the Service Victoria CEO must not retain any identity information for longer than any period required by law.

Subclause (2) provides that the Service Victoria CEO must not retain a temporary electronic identity credential, information recorded on that credential or credential usage history after that credential expires or is cancelled unless—

(a) a longer period of retention is required by law; or

(b) in the case of a temporary electronic identity credential, an ongoing electronic identity credential is issued under clause 27(6) in respect of that credential.

Subclause (3) provides that the Service Victoria CEO must not retain an ongoing electronic identity credential, information recorded on that credential or credential usage history after any period required by law.

Part 7—Offences

Clause 48 creates an offence for an individual to knowingly issue an electronic identity credential to an individual to whom the credential does not relate. The penalty is 240 penalty units or 2 years' imprisonment or both.

Clause 49 creates an offence for an individual to include a statement or information, or provide any document, that an individual knows is false or misleading in an application for an electronic identity credential or an increase in the level of assurance of, or the renewal of, an ongoing electronic identity credential. The penalty is 240 penalty units or 2 years' imprisonment or both.

Clause 50 creates an offence for a person (without reasonable excuse) to access, use or disclose any data or information obtained by the person under the Bill other than in accordance with this Bill or in connection with the performance of functions under this Bill. The penalty is 240 penalty units or 2 years' imprisonment or both.

Clause 51 creates an offence for a person to access, use or disclose any data or information obtained by the person under this Bill if the person knows or is reckless as to whether the data or information may be used to—

(a) endanger the life or physical safety of any person; or

(b) commit, or assist in the commission of, an indictable offence; or

(c) impede or interfere with the administration of justice.

The penalty is 600 penalty units or 5 years' imprisonment or both.

Part 8—General

Clause 52 provides that the Service Victoria CEO may, by instrument, delegate any function or power conferred or duty imposed on the Service Victoria CEO under the Bill, the regulations or any other enactment to a prescribed person or a prescribed class of person.

Clause 53 provides that the Service Victoria CEO must provide a report to the Information Commissioner on the operation of Service Victoria in relation to personal information (other than health information) at least every 12 months.

Subclause (2) provides that the Service Victoria CEO must provide a report to the Health Complaints Commissioner on the operation of Service Victoria in relation to health information at least every 12 months.

Subclause (3) provides that a report to the Information Commissioner or the Health Complaints Commissioner must include, but is not limited to—

(a) the number of applications made under clause 26 during the period to which the report relates; and

(b) the number of electronic identity credentials issued during that period; and

(c) the number of applications for the issue of electronic identity credentials refused during the period; and

(d) the number of electronic identity credentials suspended and cancelled during the period; and

(e) details of the transferred identity verification functions for which credentials were used during the period; and

(f) details of any requests for access to information regarding the use of credentials, including whether such requests were granted, during the period; and

(g) an assessment by the Service Victoria CEO of the operational issues that have arisen during the period.

Clause 54 provides that this clause does not affect the handling of regulated information that would otherwise be permitted under the Privacy and Data Protection Act 2014, the Health Records Act 2001 or any other Act.

Subclause (2) provides that this Bill does not affect obligations under the Privacy and Data Protection Act 2014 or the Health Records Act 2001 in relation to the handling of regulated information.

Subclause (3) provides that if the Service Victoria CEO becomes aware that this Bill, the Privacy and Data Protection Act 2014 or the Health Records Act 2001 has been, or is likely to have been, breached in relation to regulated information handled under this Bill while in the control of the Service Victoria CEO, the Service Victoria CEO must, as soon as practicable after becoming aware of the possible breach, inform—

(a) in the case of a breach of this Bill or the Privacy and Data Protection Act 2014, the Information Commissioner; and

(b) in the case of a breach of the Health Records Act 2001, the Health Complaints Commissioner.

Clause 55 provides that, if a secrecy provision applies to regulated information—

• disclosed to the Service Victoria CEO by a service agency, the disclosure of that information to the Service Victoria CEO does not contravene the secrecy provision if the disclosure is in accordance with, and for the purposes of, this Bill;

• collected by the Service Victoria CEO under this Bill, the collection, holding, management or use of that information by the Service Victoria CEO does not contravene the secrecy provision if the collection, holding, management or use is in accordance with, and for the purposes of, this Bill.

Subclause (3) defines secrecy provision under this clause to mean a prescribed provision of an Act that restricts the use or disclosure of specified information, whether that restriction is absolute or subject to qualifications or exceptions.

The purpose of this clause is to displace a prescribed secrecy provision that would otherwise restrict or prevent the handling of information by the Service Victoria CEO, to the extent necessary to allow the CEO to perform functions under the Bill. This is to ensure that secrecy provisions do not prevent individuals accessing government services through Service Victoria that they would previously have been able to access directly from a service agency.

Clause 56 provides that the Minister may require the Service Victoria CEO to conduct an audit, by an independent auditor, of the compliance with this Bill.

Subclause (3) provides that the Service Victoria CEO must submit a copy of the auditor's report to the Minister within 10 days after receiving that report.

Clause 57 provides that the Minister must cause an independent review of the operation of this Bill to be undertaken as soon as possible after the fifth anniversary of the Bill's commencement. The report of the review must be laid before each House of Parliament within 12 months after that anniversary.

Clause 58 subclause (1) provides that the Governor in Council may make regulations to give effect to the Bill.

Subclause (2) provides that the regulations may be of general or limited application or differ according to differences in time, place or circumstances. This subclause allows any regulations effecting the transfer of customer service functions and identity verification functions to prescribe which aspects or types of function are to be transferred, for example, the digital or non-digital aspects or only those functions in respect of a particular location or cohort.