Commissioner for Privacy and Data Protection Annual Report 2014–15


Page 1: Commissioner for Privacy and Data Protection · Annual Report 2014–15 3 Commissioner for Privacy and Data Protection PO BOX 24014, MELBOURNE VIC 3001 +61


Ordered to be printed PP number 89, Session 2014-15


Commissioner for Privacy and Data Protection
PO BOX 24014, MELBOURNE VIC 3001
T +61 3 8684 1660 W cpdp.vic.gov.au E [email protected]

11 September 2015

The Hon. Gavin Jennings MLC
Special Minister of State
Level 1, 1 Treasury Place
EAST MELBOURNE VIC 3002

Dear Minister

ANNUAL REPORT

I am pleased to present you with the Annual Report for 2014-15 in accordance with Part 6 section 116 (1) of the Privacy and Data Protection Act 2014, for presentation to Parliament.

Yours sincerely

DAVID WATTS
Commissioner for Privacy and Data Protection


Contents

PART ONE: SETTING THE SCENE

• Setting the scene
• The Role of the Commissioner for Privacy and Data Protection
• The Objectives of the Commissioner for Privacy and Data Protection

PART TWO: THE YEAR IN REVIEW

• Protective data security
  – Victorian Protective Data Security Standards (VPDSS)
  – Business Impact Levels
  – Data Security Assurance Framework
• Privacy policy
  – Privacy by Design
  – Information Sharing
  – New Technology
  – Tools and Resources
  – Cooperation and Engagement
• Operational Privacy
  – Information Privacy Enquiries and Complaints
  – Operational Privacy in a nutshell
  – Breach Notifications
  – Flexibility Mechanisms
  – Submissions to Government
• Law Enforcement Data Security
  – Crime Statistics Agency
  – Victoria Police

PART THREE: ABOUT THE OFFICE

• About the Office of the Commissioner for Privacy and Data Protection
• Organisational Structure and Staffing
• Governance and Reporting
• Shared Services
• Communications and Publications
• Occupational Health and Safety
• Workplace Relations
• Public Sector Conduct
• Environmental Impacts
• Risk Management
• Freedom of Information
• Consultancies
• Overseas Travel
• Major Contracts
• Protected Disclosures
• Gifts, Benefits and Hospitality
• Statement of Availability of Other Information

ANNUAL FINANCIAL STATEMENTS 2014–2015

• Notes to the financial statements for the financial period 17 September 2014 to 30 June 2015

APPENDICES

• Disclosure Index
• Budget Paper Number Three (BP3) Output Performance 2014-15
• Attestation on Compliance with the Australian / New Zealand Risk Management Standard
• Attestation on Insurance


PART ONE Setting the scene


Setting the scene

Privacy and technology have long been uneasy companions.

In 1890, when Warren and Brandeis first described privacy as the right to be let alone, it was because they were worried about the way in which nineteenth century technologies were disrupting individuals’ privacy.

The privacy threats posed by the new technologies of the time – photography and sound recording, but particularly the rise of the mass print media fuelled by advances in printing and the cheap and widespread availability of wood pulp paper – seem incongruous more than one hundred years later. We couldn’t imagine a world without photography or sound recording and, for the most part, the solutions suggested by Warren and Brandeis have appropriately addressed the risk. For the print media, opinions differ sharply about whether, in Australia at least, we have successfully negotiated the balance between privacy and free speech.

Although Victoria’s public sector faces privacy and data protection challenges in 2015 that involve vastly different technologies, the underlying issues persist: how to protect privacy and enjoy the benefits of technology. Our role is to inform the debate so as to ensure that these objectives are not seen to be mutually exclusive.

One of the main objects of the Privacy and Data Protection Act 2014 (PDPA) is to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector. The balance is a dynamic one. It is affected by the opportunities and challenges posed by new technology and the privacy debate needs to keep pace. In order to do so, there must be constructive engagement between the proponents of both.

Government is also vitally interested in the benefits that technology offers to the community. Around the world, governments are looking to do more with data. Sometimes this means making information available to the public that has been locked away inside government. Initiatives – often referred to as ‘open government’ programs – aim to provide citizens with substantially more access to government information in order to promote transparency, participation and collaboration. In Victoria, initiatives such as data.vic aim to unlock unnecessary restrictions on government information and provide the means to get information out into the public domain. This approach to public sector information is foreshadowed in the PDPA which requires that interests in promoting open access to information are balanced with protecting its security.

At the same time, governments are also concerned to ensure that policies, programs and initiatives meet community needs. They want to provide services that have the same functionality as those that people have come to expect from the private sector. For example, government is increasingly looking to undertake more effective research to shape the contours of service delivery for the benefit of the community. This can encompass activities as diverse as gathering better intelligence on organised crime, devising policy responses to homelessness or measuring the effectiveness of changes to school curricula. Sometimes this can mean using personal information in new and unanticipated ways.

New technologies, such as advanced data analytics and the internet of things, can assist to achieve these objectives. But they – as well as information sharing initiatives – must be designed to appropriately protect and respect individuals’ privacy and security. In this context, government has sensitive trust responsibilities. An individual’s loss of privacy extends further than this – it can also lead to a breakdown of trust in government.

More often than not, individuals have no choice but to interact with government and in many cases personal information is collected and handled by government under compulsion. Often that personal information relates to the most vulnerable members of the community. The community expects that its representatives scrupulously observe high standards of privacy and security protection so that collecting and handling personal information occurs respectfully, transparently and for the benefit of the community.

One of the new objectives of the Privacy and Data Protection Act is to promote responsible data security practices in the public sector. Security has always been one of the most fundamental elements of protecting personal information from unauthorised access and disclosure. Our new legislation is unique in requiring privacy and security to be dealt with cohesively through developing and implementing explicit security standards backed by the law and guided and overseen by an independent statutory office.

Victoria’s new approach to the security of personal information – as well as government information more generally – signals a new and innovative approach to producing public value for the benefit of the Victorian community. Our contribution to realising this objective is to provide the regulatory leadership to effect a sustained program of cultural change for Victorian public sector information.


The Role of the Commissioner for Privacy and Data Protection

The Privacy and Data Protection Act (the Act) was passed by the Parliament of Victoria in 2014 and came into effect on 17 September 2014. It repealed the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005, but combined those regulatory functions in the one piece of legislation. In addition it introduced new privacy flexibility mechanisms that permit departures from the Information Privacy Principles (IPPs) if there is a substantial public interest in doing so, and established a legislative basis for the development of a protective data security framework across the Victorian public sector.

The Commissioner for Privacy and Data Protection provides an annual report to the Special Minister of State, who is required to lay it before the Victorian Parliament.

The purpose of the Privacy and Data Protection Act 2014 is principally:

• to provide for responsible collection and handling of personal information in the Victorian public sector

• to provide remedies for interference with the information privacy of an individual

• to establish a protective data security regime for the Victorian public sector

• to establish a regime for monitoring and assuring public sector data security

The Act seeks to achieve these objectives through the establishment of the office of the Commissioner for Privacy and Data Protection. The office became operational on 17 September 2014.

The Commissioner for Privacy and Data Protection has a number of legislated functions. For information privacy, they are principally:

• to promote an understanding and acceptance of the IPPs and their objectives

• to develop and approve codes of practice

• to publish model terms capable of being adopted in a contract or arrangement with a recipient of personal information

• to examine practices, including the conduct of audits, to ascertain compliance with the IPPs

• to receive and handle information privacy complaints

• to issue compliance notices and carry out investigations

• to review proposed legislation with regard to its impact on information privacy

• to consult and cooperate with persons or organisations concerned with information privacy and make public statements regarding information privacy

• to issue guidelines and other material with regard to the IPPs

• to carry out information privacy related research

For protective data security and law enforcement data security, they are principally:

• to issue protective data security standards and law enforcement data security standards and promote their uptake

• to develop the Victorian protective data security framework

• to conduct monitoring and assurance activities to ascertain compliance with data security standards

• to issue guidelines and other material with regard to protective data security standards

• to carry out data security related research

The Commissioner for Privacy and Data Protection exercises a number of powers, notably:

• to require access to data and data systems from public sector body heads and the Chief Commissioner of Police

• to request access to crime statistics data

• to make public interest determinations with regard to information privacy arrangements

• to approve information usage arrangements

• to certify the consistency of an act or practice with the IPPs

• to issue information privacy compliance notices

• to examine witnesses


The jurisdiction of the Commissioner extends to public sector agencies with regard to protective data security and public sector agencies and local government with regard to information privacy. The Commissioner’s jurisdiction extends also to contractors providing services under a State contract which binds the service provider to adherence to the IPPs.

The Objectives of the Commissioner for Privacy and Data Protection

The Commissioner’s objectives form the basis of a three year strategic plan. A number of key activities and projects are directly related to and support the achievement of these objectives.

The Commissioner’s objectives are to:

• build information privacy and data security capability, resilience and assurance across the Victorian public sector

• enable privacy-respectful and secure information sharing practices in the public sector

• encourage public sector agencies and citizens to share responsibility for data protection

• enable new technologies through implementing Privacy by Design and Security by Design

• provide privacy and data security thought leadership

• contribute to the development of public value across the Victorian public sector.


PART TWO The year in review


Protective data security

The Privacy and Data Protection Act 2014 obliges the Commissioner to develop a Victorian Protective Data Security Framework.

The Framework consists of the Victorian Protective Data Security Standards and a monitoring and assurance regime.

Victorian Protective Data Security Standards (VPDSS)

Work to develop the VPDSS began in September 2014 and was nearing completion at the end of the reporting period. Our aim was to develop a set of security standards that are not a bureaucratic burden to be endured, but that enable the Victorian public sector to work confidently with security, improving its ability to carry out its functions and deliver services to the community. The Standards will help Victorian public sector agencies:

• identify and value their data

• assess their data security risks

• apply the appropriate security controls

• develop a security culture that embeds good security practices from the ground up.

The Standards are consistent with local, national and international standards for information security. They focus on the outcomes that are required to achieve a proportionate and risk managed approach to information security that enables government business to function effectively, safely and securely.

The VPDSS consist of:

• 20 high level security standards – what has to be done

• a statement of objective for each standard – why it has to be done

• four protocols for each standard, based on a ‘plan, do, check and act’ model to encourage continuous improvement – how it should be done

• elements – non-mandatory guidance measures that provide further information on the how

• resources – tools to assist in implementing the standards and protocols.

The Standards are divided into five domains:

• governance

• information security

• personnel security

• physical security

• ICT security

The standards and objectives (without protocols and elements) were put through a rigorous consultation process that covered the Victorian public sector, at both executive and practitioner levels, other government organisations from the Commonwealth and the States, and which also involved participation from the private sector. Support and in-principle acceptance was sought, and obtained.

Since December 2014, the Data Protection Branch has undertaken the considerable task of developing the protocols and associated elements for each of the 20 standards. The complete standards and protocols were finalised in June 2015 and were made available to government departments and agencies on the collaboration platform, Govdex, for information and ‘socialisation’. It is envisaged that the VPDSS will be released and become binding on Victorian public sector agencies at the beginning of 2016.


Under the Privacy and Data Protection Act 2014[1], public sector agencies or bodies have two years from the date of issue of the VPDSS to undertake a security risk profile assessment and develop a protective data security plan that addresses the VPDSS. All protective data security plans must be lodged with the Commissioner. This obligation under the Act will impose a considerable and potentially resource intensive burden on the Commissioner. Funding will be sought to implement an ICT solution to collect and hold data security plans and conduct analytics on the data received.

Business Impact Levels

A concurrent major piece of work undertaken by the Data Protection Branch, to assist public sector agencies identify and value their data, and to underpin the VPDSS, has been the development of a Business Impact Level Table.

The Business Impact Level Table (BIL) is designed to provide users with an assessment tool to consider official information, review content and assess the likely impact on their business which would result from a compromise of the confidentiality, integrity or availability of that information.

The Data Protection Branch undertook an initial desktop review of existing BIL tables from the Commonwealth, UK, Victorian and other state governments, together with some existing agency specific BIL tables. The content of these existing tables was then contextualised for the Victorian public sector environment, in accordance with the recommendation of the Australian Government Protective Data Security Framework (PSPF). Consequence statements were adjusted to reflect the local environment.

A Guide to Business Impact Levels and Protective Markings has been developed as a tool to assist the Victorian public sector to operationalise the VPDSS and will be released following their issue.

Data Security Assurance Framework

Work also began during the reporting period on the development of a monitoring and assurance regime. The regime is one of the pillars of the Victorian Protective Data Security Framework and will meet the Commissioner’s legislated obligation to ‘establish a regime for monitoring and assuring public sector data security’[2].

The objectives of the monitoring and assurance framework are to:

• provide a degree of confidence that the Victorian public sector is effectively and efficiently protecting the information it holds

• measure the performance of public sector agencies and bodies in their application of the VPDSS

• support improved understanding of protective data security maturity across the Victorian public sector

• promote transparency and accountability for data protection within the Victorian government.

The monitoring and assurance regime will be aligned with industry standards, for example:

• ISO19600 – Compliance Management Systems

• ASAE3000 and 3105 – Australian Standards for Assurance Engagements

• ISO3100 – Risk Management

The regime will align with other industry and government reference models and assurance frameworks.

During the development process, consultation will take place across the public sector to ensure that it represents best practice.

The work of the Data Protection Branch in developing the Victorian Protective Data Security Framework has involved consultation and collaboration with other Australian states and territories. States and territories have asked permission to use the materials being developed in Victoria, meeting one of the objectives of the Commissioner’s Strategic Plan – to provide privacy and data protection thought leadership.

[1] Section 89(1)(b)

[2] Privacy and Data Protection Act 2014, Part 1, Section 1(d)


Privacy policy

One of the key objectives of the Commissioner for Privacy and Data Protection is to provide thought leadership around contemporary public sector information privacy issues.

Privacy by Design

The Commissioner has formally adopted Privacy by Design (PbD) as a core policy to underpin information and privacy management in the Victorian public sector. PbD enables privacy to be ‘built in’ to the design and architecture of information systems, business processes and networked infrastructure. It aims to ensure that privacy is considered before, at the start of, and throughout the development and implementation of initiatives where personal information is collected and handled.

CPDP’s commitment to PbD was enabled in 2015 by the addition of a new position within the office, Special Counsel – Privacy by Design. The role of the Special Counsel is to guide CPDP’s realisation of PbD as a core policy in the work that it does, and help operationalise PbD throughout the Victorian public sector.

Assisting public sector organisations to understand and implement PbD is a fundamental part of providing privacy leadership to the public sector. As such CPDP has developed specific guidance for both senior managers and employees on how to implement PbD within organisations.

In 2015 CPDP released a radical revision of its Privacy Impact Assessment (PIA) guidance material. A PIA is the core document that is needed to plan and manage any project that involves personal information. The previous PIA tool, while comprehensive, consisted of over 150 pages of daunting text, which deterred many from undertaking a PIA. The revised guidance is designed to simplify and streamline the PIA process, and supports the public sector adopting a PbD approach.

Information Sharing

During the reporting period, CPDP has been briefed on a number of information sharing projects being undertaken by a range of public sector agencies. Their approach, in many cases, falls well short of acceptable privacy practice. One of the key pitfalls is an assumption that the sharing of personal information for improved service delivery invariably must occur at the expense of privacy.

PbD encourages us to approach the handling of personal information with care and respect. It requires a commitment to designing information sharing, service delivery reform and privacy processes together rather than simply seizing on a new service offering and attempting to implement it without considering the necessary information governance structures. With planning and innovative thinking, it should be possible to maintain good privacy and security, while enabling effective, efficient information sharing.

One particularly topical area in which the issue of information sharing has become very significant is family violence. The need to identify, reduce and prevent family violence, and ensure the safety of individuals affected by family violence, requires seamless integration and coordination between various organisations. This will regularly involve the sharing of personal information.

CPDP began an on-going consultation process with the Risk Assessment Management Panel (RAMPs) initiative regarding the privacy implications of the program. The Commissioner’s guidance so far has been that privacy laws in Victoria can enable information sharing in both day-to-day operations and emergency situations for the prevention and response to family violence, provided that the necessary protections and information governance arrangements are in place before a program goes live. There is a great deal of work that still needs to be done to ensure that the information sharing needs of frontline service delivery workers are clarified and simplified.

Breaking down perceived legislative barriers does not invariably ensure that better information sharing practices will emerge. An ‘information sharing culture’ requires a willingness by public sector organisations to value and respect the balance between privacy and information sharing, and to engage for a common purpose. Accountability and transparency built into governance structures, coupled with collaborative approaches will create an environment ripe for appropriate, protected and timely information sharing.

The Commissioner aims to provide leadership in this important area. Privacy should not be seen as a barrier to information sharing, and CPDP wants to help build practical solutions that authorise appropriate information sharing for the benefit of the community and that are clearly and widely understood in the Victorian public sector.

New Technology

Cloud computing

The Commissioner initiated two important pieces of work looking at implementing new technologies into the Victorian public sector that are intended to complement our work on Privacy by Design.

The first is a joint CPDP/Public Records Office of Victoria discussion paper on public sector cloud computing. Although the former Office of the Victorian Privacy Commissioner produced cloud computing guidance in 2011, the new discussion paper accounts for the advances in technology that have been made since then, and is consistent with a Privacy by Design methodology. The paper also takes a whole of information lifecycle approach to cloud computing, and is informed by the security and data sovereignty issues that have become more important since the enactment of the Privacy and Data Protection Act 2014.

The discussion paper will form the basis of consultation across the public and private sector and lead to a Guide to Cloud Computing in the Victorian Public Sector in 2015-16.

Big Data

The Commissioner is also leading work on a whole of government big data strategy. Work commenced in 2015 on exploring big data use in the public sector, specifically looking at its implications for information privacy and data security. In 2015/16 we will release a discussion paper, which consolidates much of the debate around the challenges that big data poses to the public sector, as well as some of the ways that risks can be avoided or reduced. Following the release of the paper, we intend to host a forum to facilitate discussion amongst experts and practitioners, after which we will produce a final guidance document for the Victorian public sector.

Tools and Resources

There are a number of new resources and educational tools that CPDP produced in the reporting period. The Commissioner initiated engagement with the Deputy Secretary Council to ensure executive level awareness of the importance of appropriate information sharing and early consultation with CPDP. An information sharing checklist was also developed and a project is now underway, in collaboration with the Information Privacy Commissioners of New South Wales and British Columbia, to produce comprehensive guidelines for public sector information sharing.

The development of an information sharing master class, targeted at senior executives across government, is also underway. The master class will be part of a suite of training and educational tools to be rolled out in 2015-16.

CPDP has also started to update existing legacy guidelines on outsourcing to reflect the changing technological landscape and provide a more sophisticated analysis of privacy and data security issues.

Cooperation and Engagement

Engagement in policy and practice with privacy practitioners locally and internationally sits at the intersection of operational privacy and policy. At the international level in particular, this engagement allows for discussion of current and emerging issues which inform the direction of policy development and thought leadership.

Privacy Awareness Week

The Commissioner launched Privacy Awareness Week (PAW) in May 2015, the theme for which was Privacy by Design. During the week, staff of CPDP presented to a number of government departments and agencies. More than 100 public sector employees attended the launch of PAW, during which the Commissioner released the revised Privacy Impact Assessment template and the discussion paper on cloud computing.

Youth Advisory Group

In 2015 the Commissioner re-established a Youth Advisory Group to provide CPDP with a means to identify and address the specific privacy needs of children and young people. The nine members of the Youth Advisory Group provide feedback and input for the development of targeted products and services for young people in Victoria.

Inter-agency Privacy Officers Forum

This forum was established in 2015 to facilitate strategic engagement with government departments and public sector agencies.

Global Privacy Enforcement Network (GPEN)

GPEN is an informal global network of privacy and data protection authorities established to foster cross-border cooperation.

In May 2015 CPDP participated, together with 39 other privacy authorities, in the third annual GPEN ‘sweep’ of applications and websites. The theme for the 2015 ‘sweep’ was ‘Children’s Privacy’, with participants focusing on examining mobile applications and websites for issues related to children’s privacy.

CPDP staff were assisted in the ‘sweep’ by members of the Youth Advisory Group.

Cross-border Privacy Enforcement Arrangement

In 2004, the APEC Privacy Framework was endorsed by APEC ministers as acknowledgement of the importance of information privacy protection and the free flow of information in the Asia Pacific region. The framework includes a Cross-border Privacy Enforcement Arrangement (CPEA) which aims to:

• facilitate information sharing among privacy enforcement authorities

• provide mechanisms to promote effective cross-border cooperation on privacy investigation and enforcement

The Commissioner for Privacy and Data Protection was approved as a participant in the CPEA in September 2014.

UN Global Pulse

UN Global Pulse is an initiative of the UN Secretary General for innovation in harnessing digital information for sustainable development and humanitarian action. The aims of Global Pulse are to:

• promote public awareness of big data as a public good

• conduct joint innovation projects

• build open source tools for digital innovation

• operate a network of ‘Pulse Labs’ in developing countries to ensure innovation addresses real-world problems.

The Commissioner was appointed as a member of the Data Privacy Advisory Group of UN Global Pulse in 2014.

Federal Trade Commission of the United States

In 2015 the Commissioner established a process for cooperation with the Federal Trade Commission of the United States which allows the reporting and investigation of potential breaches of Victorian privacy law by private companies domiciled in the United States of America.

Asia Pacific Privacy Authorities (APPA)

APPA is the principal forum for privacy authorities in the Asia Pacific region to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.

APPA meets twice yearly and the Commissioner or a member of CPDP staff attends all meetings. The Commissioner made a presentation at the 43rd meeting of APPA in Hong Kong on the development of the Victorian Protective Data Security Framework.

Operational Privacy

The Operational Privacy Branch carries out the Commissioner’s legislated responsibilities with regard to information privacy.

Information Privacy Enquiries and Complaints

CPDP received 1,436 enquiries during the reporting period. Of these, approximately half were within the jurisdiction of the Commissioner for Privacy and Data Protection. Enquiries received that were outside the jurisdiction of CPDP were referred to the appropriate agency, principally the Office of the Australian Information Commissioner (enquiries regarding Commonwealth agencies or private sector organisations), the Health Services Commissioner (enquiries regarding health records) and Victoria Police (enquiries regarding the use of CCTV).

Almost all the enquiries that were within jurisdiction concerned Information Privacy Principles (IPP) 2 (use and disclosure of information) and 4 (data security), with a smaller group concerning IPP 1 (collection of information – individuals alleging that their personal information had been collected without prior notice and consent).

Recurring themes in enquiries overall were:

• cloud computing and outsourcing

• biometric technology in schools and the workplace

• CCTV in the workplace and public areas

• employees recording work-related conversations

• the use of GPS to track a worker’s location

• local councils recording council meetings and uploading to the internet without prior consent

• the use of personally owned ICT equipment in Victorian public schools.

These themes reflect community concerns about the impact of current and emerging technologies on personal information, which are the subject of much of our privacy policy work.

If an enquiry falls within jurisdiction and concerns a grievance or dissatisfaction by an individual regarding the handling of their personal information, the individual is requested to refer the potential complaint to the organisation in question as the first step. Doing so affords procedural fairness and meets the Commissioner’s obligation to give an organisation adequate opportunity to address a matter before formal involvement by CPDP.

If the individual is not satisfied with the outcome of that step, the matter will be formally assessed to determine if it is a complaint, that is a matter which:

• involves an organisation within the jurisdiction of the Commissioner

• involves personal information, and

• raises one or more of the IPPs.

Of the 1,436 enquiries received in the reporting period, only 34 became formal complaints handled by the CPDP.

While the number appears small, it both belies the complexity of some of the complaints and does not reflect the considerable time spent by staff in assisting complainants to resolve privacy disputes before they escalate to full blown complaints. The following table gives examples of some of the complaints and outcomes.

Issue: An individual alleged that a school failed to provide adequate security for a confidential memorandum, which contained sensitive personal information. The complaint brought IPP 2.1 (use and disclosure) and IPP 4.1 (data security) into question.

Outcome: Whilst the school stated that it had appropriate data security practices in place, it acknowledged an inadvertent disclosure occurred in this instance. Our office was able to conciliate, the outcome being an apology from the school, an undertaking to review its data security practices, and the destruction of the copy of the memorandum.

Issue: Individuals alleged that an organisation disclosed a copy of a statement which contained personal information to third parties, in circumstances which the individual did not expect to occur, or was advised would occur. The complaint brought IPP 1.3 (collection notice), 2.1 (use and disclosure) and IPP 4.1 (data security) into question.

Outcome: The Commissioner found no grounds to decline the complaints. However, having regard to the complexity of the complaints, the relationship between the Complainant and Respondent and the outcomes sought by the Complainants, the Commissioner decided that conciliation was not reasonably possible in the matter. The matter was referred to VCAT.

Issue: A parent alleged that she made enquiries to transfer her child to School B. The parent emphasised to School B that she had not made a definitive decision to transfer her child, and was only making preliminary enquiries. School B then contacted School A (the school the complainant’s child then attended) to query the child’s performance. School A then contacted the parent and queried why she wanted to transfer him. The individual alleged that personal information was disclosed in circumstances she did not expect, and the schools do not have a clear policy in place in relation to information sharing on this matter. The complaint brought IPP 1.3 (collection notice), 2.1 (use and disclosure), IPP 4.1 (data security) and IPP 5.1 (openness) into question.

Outcome: This matter remains ongoing. The parties are engaged in (indirect) conciliation, facilitated by this office. The individual is seeking implementation of a policy around information sharing between schools in relation to students transferring.

Issue: An individual alleged her local Council sent a rate notice to an incorrect address, which brought IPP 2.1 (use and disclosure), IPP 3.1 (data quality) and IPP 4.1 (data security) into question.

Outcome: The complaint was ultimately declined. The Commissioner concluded, on the facts presented to him, that an interference with privacy had not occurred as the Council had not been provided with sufficient information from the individual.

Issue: An individual alleged that whilst he was imprisoned, legal mail addressed to him was forwarded by the prison to a prisoner with the same name, and then opened. The mail did not state the intended prisoner’s Corrections Reference Number, which would have prevented the incident from occurring. Senders are encouraged to state this information on mail. The complaint brought IPP 2.1 (use and disclosure), IPP 3.1 (data quality) and IPP 4.1 (data security) into question.

Outcome: The Commissioner was unable to conclude that the response from the organisation adequately dealt with the complaint. The Complainant provided evidence from medical and legal professionals outlining what harm he suffered as a result of the disclosure. The matter was unsuccessfully referred to conciliation. The Complainant did not exercise their right to refer the matter to VCAT.

Issue: An enquirer alleged that an organisation disclosed her personal information (address) to a person against whom she has an intervention order. That person subsequently attended her property and made threats of violence to harm her. The complaint brought IPP 2.1 (use and disclosure) and IPP 4.1 (data security) into question.

Outcome: The matter was investigated by the organisation’s legal department and a confidential in-principle agreement has been reached between the Complainant and Respondent. The Commissioner concluded that the complaint was being adequately dealt with.

Once a complaint has been accepted by CPDP for investigation, the Commissioner will then approach the organisation in question for a formal response to the complaint. Upon receipt of the response, the Commissioner will decide to either decline the complaint or take it to conciliation. Individuals whose complaints are declined are advised of their right to request the Commissioner to refer the complaint to the Victorian Civil and Administrative Tribunal (VCAT).

Of the 34 complaints handled during the reporting period, 10 were conciliated and 9 were referred to VCAT.

Typical outcomes of conciliation include:

• an apology to the complainant

• an undertaking to destroy a paper copy of a document or destroy CCTV footage

• agreement by the respondent to provide privacy training to staff or review its own complaint handling processes.

Operational Privacy in a nutshell

• 1436 Enquiries

• 34 Complaints

• 15 Declined

• 9 Referrals to VCAT

• 10 Conciliations

The Commissioner is currently undertaking a review of CPDP’s information privacy complaints handling process. The aim of the review is to ensure that:

• all legislative requirements under the PDPA are met in a timely, efficient and effective way

• opportunities for improving and streamlining the process are identified

• trends in complaints are identified and used to inform our privacy policy work.

The review involves a comparison of CPDP’s complaint handling process against those of other agencies, both within Victoria and in other Australian jurisdictions. The review also aims to develop measures, policies and procedures to assist organisations to better manage their information privacy obligations.

Breach Notifications

Although not mandatory under the PDPA, public sector organisations are encouraged to notify the Commissioner if they believe they have breached one or more of the Information Privacy Principles. Voluntary disclosure allows CPDP to provide appropriate information and guidance to the community, helps us to resolve complaints and demonstrates public sector commitment to transparent and accountable privacy practices.

During the reporting period, the Commissioner received 13 breach notifications and issued no compliance notices.

Breach notifications received referred to:

• CCTV cameras being installed in government operated facilities without notice to individuals

• invoices and notices containing personal information being sent to unintended recipients

• documents containing personal information being misplaced

• local council websites containing personal information being ‘hacked’, and

• emails being sent or copied to a large group of unintended recipients.

Flexibility Mechanisms

The Privacy and Data Protection Act 2014 introduced a number of flexibility mechanisms to the Victorian information privacy regime. These enable the Commissioner to grant Public Interest Determinations, Temporary Public Interest Determinations, Information Usage Arrangements and Certifications.

The Commissioner has received 15 enquiries about the flexibility mechanisms from public sector agencies, including pre-application enquiries and requests for consultation. As at 30 June 2015, no formal application had been made in respect of the flexibility mechanisms.

Submissions to Government

Data Retention Bill

In January 2015 the Commissioner made a submission to the Commonwealth Parliamentary Joint Committee on Intelligence and Security regarding its enquiry into the proposed Data Retention Bill. The Committee acknowledged CPDP’s position that ‘the wide scale collection of metadata is an unjustified infringement on human rights’ [1] and that retained data ‘would reveal patterns of communications that will enable those who have access to it to investigate and understand the private lives of all Australians, such as the habits of everyday life, places of residence, minute by minute movements, activities undertaken, social, professional and commercial arrangements, and relationships and social environments frequented’ [2].

[1] Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, page 50, paragraph 2.143

[2] ibid.

Eight-year Review of the Charter of Human Rights and Responsibilities

In June 2015 the Commissioner made a submission to the eight-year review of the Charter of Human Rights and Responsibilities. CPDP’s submission identified opportunities to enhance the effectiveness and operation of the Charter, including the introduction of a stand-alone cause of action, enhanced powers for the Victorian Equal Opportunities and Human Rights Commission and enhanced information sharing powers between key agencies.

Royal Commission into Family Violence (Victoria)

The Commissioner provided a written submission in May 2015 to an issues paper published by the Royal Commission regarding information sharing for the purpose of addressing family violence. In his submission the Commissioner noted that, although privacy law is often regarded as inhibiting the sharing of personal information between agencies, the Privacy and Data Protection Act 2014 permits information sharing in certain cases, which could include the prevention or prosecution of family violence.

Royal Commission into Institutional Responses to Child Sexual Abuse (Commonwealth)

Representatives of CPDP attended a closed roundtable discussion in June 2015. Topics of discussion included issues around privacy and the disclosure of records containing third party information.

Law Enforcement Data Security

The Commissioner for Privacy and Data Protection assumed the powers and functions of the previous Commissioner for Law Enforcement Data Security (CLEDS). The work undertaken by the Commissioner in this area is therefore principally a continuation of the work carried out by CLEDS between 2006 and 2014. The content of this report regarding Victoria Police should be read in the context of previous annual reports by the CLEDS.

Part 5 of the Privacy and Data Protection Act 2014 calls out law enforcement data security as a special case within the framework of protective data security and extends the Commissioner’s jurisdiction to cover both Victoria Police and the newly created Crime Statistics Agency.

Crime Statistics Agency

The Crime Statistics Agency (CSA) was established in 2014. It is an agency independent of Victoria Police with responsibility for producing Victoria’s official recorded crime statistics and conducting research into crime and criminal justice trends.

The nature of the work of the CSA entails it receiving and holding law enforcement data.

Under section 92(1) of the Privacy and Data Protection Act 2014, the Commissioner is required to develop and issue Crime Statistics Data Security Standards. This task was completed in March 2015.

Given the close link between Victoria Police and the Crime Statistics Agency, the CSA Standards were developed as a tailored version of the Standards for Law Enforcement Data Security, which bind Victoria Police. However, the CSA Standards were developed following the draft format of the Victorian Protective Data Security Standards and form a bridge between the two.

Following the issue of the CSA Standards, the Commissioner provided the CSA with a draft Protective Data Security Plan Template and Data Assurance Reporting Template in order to conduct a compliance gap analysis against the Standards. The gap analysis was completed in June 2015 and is in the process of being analysed.

Using the VPDSS format for the CSA Standards and the two assurance templates developed by the Commissioner will provide CPDP with a proof of concept for the roll out of the Victorian Protective Data Security Framework across the public sector.

Victoria Police

Implementation of Recommendations

The joint Victoria Police and CPDP Implementation Working Group continued to meet and progress outstanding recommendations throughout 2014-15.

As noted in the 2013-14 CLEDS annual report, most outstanding recommendations are IT/system specific and include recommendations that require business cases to secure funding and/or are beyond Victoria Police’s current resources. As such, progress to full implementation is slower than usual.

Victoria Police also need to remain focused on finalising recommendations concerning personal holdings of law enforcement data by Victoria Police employees. The recommendations were established under a review undertaken in June 2008. While we note activities which will address personal holdings are planned, to date only 2 of 6 recommendations have been implemented, with only 1 meeting implementation in 2014/15.

2014-15 saw the inclusion of 8 new recommendations around the management and response to malware infections, driving a slight decrease in the percentage of active recommendations implemented.

However, it should be noted that as at 30 June 2015, Victoria Police has a number of outstanding recommendations close to full implementation.

| Status | Pre IWG | 30/6/12 | 30/6/13 | 30/6/14 | 30/6/15 |
|---|---|---|---|---|---|
| Implemented | 41 | 71 | 132 | 164 | 166 |
| Not Fully Implemented | 110 | 54 | 41 | 25 | 24 |
| Not Implemented | 62 | 56 | 41 | 23 | 30 |
| Withdrawn | 0 | 32 | 39 | 41 | 41 |
| Total Recommendations | 213 | 213 | 253 | 253 | 261 |
| Total Outstanding | 172 | 110 | 82 | 48 | 54 |
| % of active recommendations implemented | 19% | 39% | 62% | 77% | 75% |

Breach Reporting – Security Incident Register (SIR)

In 2013 Victoria Police initiated the Security Incident Register (SIR) as the central organisational repository for the reporting, recording, recovery and post-incident analysis of information security incidents. The security incident register is important in that it is designed to capture security incidents that do not necessarily involve misconduct or illegal activity.

It does however record and maintain all information security incidents reported to the Professional Standards Command (PSC).

Part of the process of continual improvement of the SIR in 2015-15 was the development and promulgation of a protocol for establishing, maintaining and communicating the reporting, escalation and response procedures for ‘information events and weaknesses that may affect law enforcement data’ [1].

SIR Statistics

This is the first year that statistical analysis has been attempted on events and incidents captured by the SIR. CPDP receives weekly reports from the SIR that include all events/incidents captured over the preceding week. The information is divided into categories (Information, ICT, Information, and Physical) and types of event/incident, using defined typologies for each category.

A total of 332 information security events and incidents were reported in 2014-15. CPDP will begin more detailed, analytical reporting on SIR statistics by type in 2015-16.

Breach Reporting – Register of Complaints Serious Incidents and Discipline (ROCSID)

ROCSID is a major source for recording, managing and investigating incidents involving sworn members of Victoria Police. This database is used and managed by the Professional Standards Command (PSC).

While investigations are managed by PSC, information security incidents should be reported to the Security Incident Register that, as already noted, has been developed to (attempt to) capture all substantiated and unsubstantiated security incidents involving sworn and unsworn staff, and incidents that do not necessarily involve misconduct or illegal activity.

To align with the previous annual report, CPDP analysed data extracted via a standardised report function executed within the ROCSID database. This report returned 348 incidents entered onto ROCSID in 2014/15 [2].

CPDP reviewed all files individually and assessed them against the information contained within the file. Three reports were identified as not being information security breaches and were excluded. Overall, 46 breaches had been substantiated as at 30 June 2015 (Figure 1), although this number will likely increase with 85 alleged incidents still being investigated.

[1] Standards for Law Enforcement Data Security, standard 32.

[2] Report run 10 July 2015. Figures are correct at time of compilation. Factors such as re-classification of complaint files, and general ongoing quality control by Victoria Police, will cause variations in extracted data.

Figure 1. Confirmed Breaches

(Bar chart: Number by Year, 2006/07 to 2014/15. Bar labels as printed: 58, 61, 61, 61, 57, 57, 27, 47, 46.)

It should be noted that statistics contained within ROCSID are likely to be partially, or totally, duplicated in the 332 incidents reported and recorded by the SIR. However, no separation of statistics was possible given limitations in the information provided, and overall data accuracy.

For consistency CPDP is reporting against the key breach categories outlined in last year’s CLEDS report.

Misuse of LEAP (Figure 2) has decreased since 2013/14 but maintains the mean value of incidents reported since 2006/07, being 21 incidents.

Figure 2. Misuse of LEAP

(Bar chart: Number by Year, 2006/07 to 2014/15.)

The number of breaches identified as being due to ‘personal convenience’ (improper access to law enforcement data for non-criminal, non-work related and private matters, such as checking a family member’s vehicle registration) is at its lowest point in 9 years, with 3 identified incidents (Figure 3).

Figure 3. Personal Convenience

(Bar chart: Number by Year, 2006/07 to 2014/15.)

While incidents have been reported concerning allegations of improper release to the media, there have been no confirmed breaches in 2014/15 (Figure 4).

Figure 4. Improper release to the Media

(Bar chart: Number by Year, 2006/07 to 2014/15.)

Improper disclosures to members of the public (Figure 5) have fluctuated over the years, with 2014/15 results (9 incidents) remaining slightly above the 9-year average (7 incidents).

Figure 5. Improper disclosure to Members of the Public

(Bar chart: Number by Year, 2006/07 to 2014/15.)

It is important to reiterate concerns raised with ROCSID data from the 2013/14 CLEDS report: that some of the figures are so low, and/or coming off such a low base, that their statistical use is questionable.

Furthermore, no assessment could be made as to whether all incidents recorded with PSC were being captured by the SIR – incidents listed with the SIR as being investigated by PSC did not contain a ROCSID reference number and therefore datasets could not be aligned.

CPDP intends to conduct a review of security incident reporting in 2015/16. While this will be a general review to support implementation of the VPDSS, not targeted at Victoria Police, the security incident reporting processes and experience of Victoria Police will be at its heart. It is expected that this review will assist in developing more transparent information sharing between PSC, the SIR and CPDP and consequently in the creation of a more robust and accurate data capture and reporting process.

Statistical processes aside, the figures point to a disturbing and unacceptable plateau in Victoria Police’s security performance across a range of indices. During 2015-16 we will be asking Victoria Police to take further steps to address these issues and to analyse and remedy its security performance.

Site Inspections

The site inspection program is designed to assess information security process and procedures ‘on the ground’ in operational policing environments.

One site inspection was carried out in 2014/15 at a metropolitan Police station, incorporating Uniform general duties, Highway Patrol, and Youth Resource Officers.

This review differed in both style and scope from previous site inspections, with a thematic approach being developed to help identify and consider key areas of relevance to the station. The theme-based inquiry also allowed CPDP to consider key information security priorities being focused on by both Victoria Police and CPDP at an operational and strategic level.

The site inspection identified Force-wide organisational issues that are played out at the local level. There continues to be confusion amongst personnel around information management and information security (IM/IS) policy and procedures at both a local and organisational level.

Personnel remain confused or unaware of organisational changes to information classification and information protective markings. This finding, overall, highlights an ongoing lack of understanding of the inherent value of law enforcement data obtained, stored, accessed, and used, within the organisation.


Victoria Police will need to remain focused on the rapidly evolving landscape of the ‘bring your own device’ culture. No different to any workplace, Victoria Police personnel continue to use personal smart phones, USBs and other mass storage devices, and visual recording devices in aspects of their work. While this site inspection noted a more robust culture against the use of personal devices at work, personal devices continue to be considered a viable option to undertake official duties if required.

Organisationally, training focused on information management and information security remains diffuse and fragmented. Personnel often learn ‘on the job’ from colleagues or from experience, or rely on ‘common sense’ rather than policy. Finally, there is limited to no engagement of unsworn personnel around IM/IS training. Unsworn personnel exhibited the mindset that they just ‘process admin’ rather than realising that they handle and manage the same law enforcement data as their sworn counterparts.

Theme-based reviews will also inform the way ahead for site inspections planned in 2015/16. While internal reports will be developed from findings at each inspection, an overall omnibus report will be authored for publishing at the conclusion of the final inspection.

Survey of Victoria Police Members

Following the second wave of the quantitative survey into the attitude of sworn members of Victoria Police to information security, the Commissioner undertook further qualitative research in 2014-15 in order to gain more insight into some of the quantitative findings.

The research took the form of eight group sessions across both metropolitan and regional police complexes. Its specific objectives were to:

• gain a broad understanding of members’ knowledge of Victoria Police data security policies

• explore the perceived relevance of these policies

• understand members’ attitudes toward information management

• identify the key influences on attitudes and behaviours in relation to data security management

• explore the motivations and barriers to adopting appropriate behaviours, and

• explore attitudes and behaviours with regard to the use of personally owned devices, data storage, working off-site and the disclosure of classified information.

The key take outs of the qualitative research were:

• members have general awareness of and confidence in Victoria Police’s data security protocols

• awareness by members that management accept ‘work arounds’ with regard to data security so long as they are justified by good judgement

• understanding by members of the potential impact of data security breaches on themselves, colleagues and Victoria Police as a whole

• a disconnect between the real world of modern technology in which members live and the equipment and supporting policy provided by Victoria Police, leading to greater use of personally owned devices.

Cultural Change

In reviews conducted in 2009 and 2011, the Commissioner for Law Enforcement Data Security recommended that Victoria Police develop and implement a plan for information security cultural change.

Victoria Police continued cultural change implementation activities throughout 2014-15, notably:

• reviewing workplace inspection templates to identify information security and management gaps

• publishing guides to the management of portable computing devices

• revising the End of Service Form to include the return of personal holdings of law enforcement data upon retirement or resignation

• widening the scope of the SIR in order to capture incidents involving contact reporting and social grooming

• developing a project plan to implement an Amnesty for the return of personal holdings of law enforcement data

• developing a communications plan to embed information security messages and expectations of behaviours


The planned roll out of Regional Sergeant Information Management and Information Security Portfolios – ‘go to’ officers, the need for which was also identified during the qualitative research sessions, is scheduled to commence at the beginning of the 2015-16 reporting period.

Insider Intrusion

An insider intruder is a trusted person such as an employee, contractor, consultant or business partner of an organisation who has access to official information, assets and resources as part of their duties and who conducts activities (intentional or unintentional) that cause harm to the organisation.

The insider intruder represents a real and on-going risk to an organisation and highlights the need for robust personnel practices – both at time of employment or contract and at regular intervals.

There have been past incidences of insider intrusion within Victoria Police, which have been investigated and appropriate action taken. The Commissioner holds concerns about the possibility of further incidences, particularly with regard to external parties with direct access to Victoria Police law enforcement data systems and outsourced service providers. The Commissioner is undertaking analytic work in collaboration with Victoria Police in relation to identifying and minimising insider intrusion risks during 2015-16.


PART THREE About the office


About the Office of the Commissioner for Privacy and Data Protection

The Office of the Commissioner for Privacy and Data Protection was formed through the amalgamation of the Offices of the Commissioner for Law Enforcement Data Security and of the Victorian Privacy Commissioner.

This amalgamation involved the physical relocation of the two legacy agencies to a single location, the fit out of new premises and essential ICT upgrades to create a single environment from two very different legacy systems. No extra funding was provided for this quite major work, with costs being covered from the existing budget of the Commissioner for Law Enforcement Data Security.

The amalgamation also involved a staffing restructure, to better reflect the new functions and responsibilities of the Commissioner under the Privacy and Data Protection Act 2014.

The Office of the Commissioner for Privacy and Data Protection came into existence on 17 September 2014. While an independent statutory body, the Office came under the portfolio of the Department of Justice and Regulation until 31 December 2014. It moved to the portfolio of the Department of Premier and Cabinet on 1 January 2015.


Organisational Structure and Staffing

[Organisation chart not reproduced. Positions and units shown:]

• Commissioner
• Executive Assistant VPS4
• Special Advisor Secondment
• Office Manager
• Senior Data Protection Advisor
• Senior Data Protection Officer
• Privacy Assurance & Support Officer
• Legal Support Officer
• Stakeholder Engagement Officer
• Stakeholder Engagement Support Officer
• IT Co-ordinator/Operations Officer
• Strategic Privacy Policy Branch
• Special Counsel, Privacy by Design
• Assistant Commissioner Data Protection
• Assistant Commissioner Operational Privacy & Assurance
• Assistant Commissioner Stakeholder Engagement
• Assistant Commissioner Projects & Operations
• Policy Analyst
• Senior Policy & Assurance Officer
• Senior Legal Advisor
• Manager Stakeholder Engagement
• Manager Statutory Compliance
• Law Enforcement Liaison Officer


The Office of the Commissioner for Privacy and Data Protection also includes an Audit and Finance Committee comprised of three external members and governed by a charter.

The Office had a staff of 20.4 FTE at 30 June 2015, of which 1 FTE was on secondment from the Victorian Auditor General’s Office, 3 FTE on fixed term contracts and 16.4 FTE on-going members of the Victorian Public Service.

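| Gender | On-going | Fixed term | Secondment |
|---|---|---|---|
| Female | 9 | 3 | 0 |
| Male | 6.4 | 1 | 1 |

| Age | On-going | Fixed term | Secondment |
|---|---|---|---|
| Under 25 | 0 | 1 | 0 |
| 25 – 34 | 5.4 | 1 | 0 |
| 35 – 44 | 4.6 | 1 | 0 |
| 45 – 54 | 3 | 0 | 1 |
| 55 – 64 | 1.8 | 1 | 0 |
| Over 64 | 1.6 | 0 | 0 |

| Classification | On-going | Fixed term | Secondment |
|---|---|---|---|
| VPS1 | 0 | 0 | 0 |
| VPS2 | 0 | 0 | 0 |
| VPS3 | 2 | 1 | 0 |
| VPS4 | 3.4 | 1 | 0 |
| VPS5 | 4.6 | 1 | 0 |
| VPS6 | 4.6 | 0 | 0 |
| STS | 0.8 | 0 | 0 |
| EO3 | 0 | 0 | 1 |
| Statutory Office Holder | 0 | 1 | 0 |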

The Commissioner is committed to applying merit and equity principles when appointing staff. The selection process ensures that applicants are assessed and evaluated fairly and equitably on the basis of key selection criteria and other accountabilities without discrimination. The Commissioner offers a flexible working environment and is committed to fostering diversity in the workplace.

Governance and Reporting

The Commissioner maintains a compliance register to ensure it meets its statutory obligations.

Internal work reporting occurs on a monthly basis, linked to projects identified in the Commissioner’s strategic plan. This reporting feeds into reporting to the Audit and Finance Committee and, ultimately, Budget Paper 3 output reporting to government.

The Budget Paper 3 output measures reported for 2014-15 in Appendices are legacy measures from the previous Office of the Victorian Privacy Commissioner.

As such, they do not adequately reflect the scope of work of the Commissioner for Privacy and Data Protection.

In January 2015, the Commissioner and the Department of Premier and Cabinet agreed to discontinue the legacy measures and introduce new CPDP specific measures, to commence with the 2015-16 reporting year.


The new output measures will be:

• number of law enforcement, data security and privacy reviews completed – quantity

• % client satisfaction with data security and privacy training provided – quality

• responses within 15 days to written enquiries relating to the legislated responsibilities of the Commissioner for Privacy and Data Protection – timeliness.

Shared Services

A range of corporate support services is provided to the Commissioner by the Department of Premier and Cabinet, notably in the areas of human resources and financial management.

Communications and Publications

The Commissioner and staff had an active program of speaking engagements over the reporting period, principally around introducing the Privacy and Data Protection Act 2014, embedding Privacy by Design and explaining the proposed Victorian Protective Data Security Framework. This program covered Victorian public sector agencies and umbrella bodies, national and international forums.

Apart from technical, topic-specific publications, the Commissioner also launched the monthly on-line information sheet Victoria Data Bites.

A CPDP website was launched in 2015. This basic website will be developed and enhanced in 2015-16 to provide information and tools for the public as well as privacy and data protection practitioners.

Occupational Health and Safety

The Commissioner aims to provide employees with a healthy and safe workplace. No time was lost in 2014-15 due to workplace injuries. The Office OH&S representative conducted a workplace hazard inspection and completed an office safety checklist during the year. No unacceptable OH&S risks were identified.

Workplace Relations

The Commissioner is advised on industrial relations issues by the Department of Premier and Cabinet. No industrial relations issues were registered or grievances received in the course of the reporting period.

Public Sector Conduct

Staff of the Commissioner for Privacy and Data Protection uphold the Code of Conduct for Victorian Public Sector Employees. No breaches of the Code of Conduct by the Commissioner’s staff occurred in 2014-15.

Environmental Impacts

Under the terms of the Occupancy Agreement between the Department of Treasury and Finance/Shared Services Provider and the Commissioner for Privacy and Data Protection, the lessor has responsibility for the provision of energy, water and waste disposal for the premises occupied by the Commissioner. Energy and water are not metered separately. The principal environmental impacts of the Office of the Commissioner are therefore not included in this report.

Risk Management

The Commissioner has risk management processes in place which meet the requirements of the Victorian Government Risk Management Framework 2015, including the Australian/New Zealand Risk Management Standard AS/NZS ISO 31000:2009. These processes include the maintenance of a risk management plan, risk register and regular reviews.


Freedom of Information

The Commissioner received one Freedom of Information request in 2014-15, which was successfully handled and finalised in the course of the reporting period.

The Commissioner maintains copies of all reviews undertaken by his office and relevant working papers and correspondence. Due to the nature of the functions of the office, particularly with regard to public sector information security and law enforcement data, the Commissioner holds much information that would be considered exempt material under the Freedom of Information Act 1982.

Consultancies

The following consultancies were entered into in the course of 2014-15.

| Consultant | Service provided | $ ex GST |
|---|---|---|
| Corporate Capability Pty Ltd | Human resources | 18,750 |
| Cirk Risk Solutions | Risk management | 15,500 |
| EY Sweeney | Market research | 40,000 |
| Nous Group | Market research | 22,500 |
| Sandra Beanham and Associates | Marketing | 21,000 |
| Trusted Impact | Data protection | 21,850 |

Overseas Travel

The Commissioner attended the 36th Annual Meeting of Privacy and Data Protection Commissioners in Mauritius in October 2014 and a meeting of the Asia Pacific Privacy Authorities in Hong Kong in June 2015.

Major Contracts

The Commissioner did not enter into any contracts valued at more than $10 million in 2014-15.

Protected Disclosures

The Commissioner received no disclosures made under the Protected Disclosures Act 2012 during 2014-15.

Gifts, Benefits and Hospitality

The Commissioner maintains a register of gifts, benefits and hospitality. No declarable items were registered in 2014-15.

Statement of Availability of Other Information

The Directions of the Minister for Finance pursuant to the Financial Management Act 1994 require a range of information to be prepared for the reporting period. The relevant information is included in this report, with the exception of a statement that declarations of pecuniary interests have been duly completed by all relevant officers, which is held by the Commissioner and is available on request to the relevant Minister, Members of Parliament and the public (subject to Freedom of Information requirements, if applicable).


ANNUAL FINANCIAL STATEMENTS 2014–2015


Annual Financial Statements 2014-15

Contents

Accountable Officer’s and Chief Finance and Accounting Officer’s Declaration
Comprehensive operating statement
Balance sheet
Statement of changes in equity
Cash flow statement
Note 1. Summary of significant accounting policies
Note 2. Expenses from transactions
Note 3. Other economic flows included in net result
Note 4. Receivables
Note 5. Property, plant and equipment
Note 6. Intangible assets
Note 7. Payables
Note 8. Provisions
Note 9. Leases
Note 10. Superannuation
Note 11. Commitments for expenditure
Note 12. Contingent assets and contingent liabilities
Note 13. Financial instruments
Note 14. Cash flow information
Note 15. Responsible persons
Note 16. Remuneration of executives
Note 17. Remuneration of auditors
Note 18. Subsequent events
Note 19. Glossary of terms


Accountable Officer’s and Chief Finance and Accounting Officer’s Declaration

The attached financial statements for the Office of the Commissioner for Privacy and Data Protection have been prepared in accordance with Standing Direction 4.2 of the Financial Management Act 1994, applicable Financial Reporting Directions, Australian Accounting Standards including Interpretations, and other mandatory professional reporting requirements.

We further state that, in our opinion, the information set out in the comprehensive operating statement, balance sheet, statement of changes in equity, cash flow statement and accompanying notes, presents fairly the financial transactions during the period ended 30 June 2015 and financial position of the Office of the Commissioner for Privacy and Data Protection at 30 June 2015.

At the time of signing, we are not aware of any circumstances which would render any particulars included in the financial statements to be misleading or inaccurate.

We authorise the attached financial statements for issue on 10 September 2015.

David Watts
Commissioner for Privacy and Data Protection
Melbourne
10 September 2015

Ingrid Klein
Chief Finance and Accounting Officer
Melbourne
10 September 2015


Notes to the financial statements for the financial period 17 September 2014 to 30 June 2015


Comprehensive operating statement

for the financial period 17 September 2014 to 30 June 2015

| | Notes | 2015 $ |
|---|---|---|
| Income from transactions | | |
| Grants from State Government | | 3,796,432 |
| Resources received free of charge | | 234,410 |
| Other income | | 135,374 |
| Total income from transactions | | 4,166,216 |
| Expenses from transactions | | |
| Employee expenses | 2(a) | 2,423,452 |
| Supplies and services | 2(b) | 1,223,973 |
| Depreciation and amortisation | 2(c) | 54,823 |
| Total expenses from transactions | | 3,702,248 |
| Net result from transactions (net operating balance) | | 463,968 |
| Other economic flows included in net result | | |
| Other gains/(losses) from other economic flows | 3 | (1,399) |
| Total other economic flows included in net result | | (1,399) |
| Net result | | 462,569 |
| Other economic flows - other comprehensive income | | - |
| Total other economic flows - other comprehensive income | | - |
| Comprehensive result | | 462,569 |

The above comprehensive operating statement should be read in conjunction with the accompanying notes.


Balance sheet

as at 30 June 2015

| | Notes | 2015 $ |
|---|---|---|
| Assets | | |
| Financial assets | | |
| Receivables | 4 | 1,720,209 |
| Total financial assets | | 1,720,209 |
| Non-financial assets | | |
| Property, plant and equipment | 5 | 352,693 |
| Intangible assets | 6 | 37,500 |
| Total non-financial assets | | 390,193 |
| Total assets | | 2,110,402 |
| Liabilities | | |
| Payables | 7 | 765,406 |
| Provisions | 8 | 809,456 |
| Total liabilities | | 1,574,862 |
| Net assets | | 535,540 |
| Equity | | |
| Accumulated surplus | | 462,569 |
| Contributed capital | | 72,971 |
| Net worth | | 535,540 |
| Commitments for expenditure | 11 | |
| Contingent assets and contingent liabilities | 12 | |

The above balance sheet should be read in conjunction with the accompanying notes.


Statement of changes in equity

for the financial period 17 September 2014 to 30 June 2015

| | Accumulated Surplus $ | Contributions by owners $ | Total $ |
|---|---|---|---|
| Balance at 17 September 2014 | - | - | - |
| Net result for the period | 462,569 | | 462,569 |
| Net asset transfers through contributed capital | | 72,971 | 72,971 |
| Balance at 30 June 2015 | 462,569 | 72,971 | 535,540 |

The above statement of changes in equity should be read in conjunction with the accompanying notes.


Cash flow statement

for the financial period 17 September 2014 to 30 June 2015

| | Notes | 2015 $ |
|---|---|---|
| Cash flows from operating activities | | |
| Receipts from Government | | 2,256,176 |
| Payments to suppliers | | (478,303) |
| Payments to employees | | (1,597,467) |
| Net cash flows from operating activities | 14(b) | 180,406 |
| Cash flows from investing activities | | |
| Purchases of non-financial assets | | (180,406) |
| Net cash flows used in investing activities | | (180,406) |
| Net increase/(decrease) in cash and cash equivalents | | - |
| Cash and cash equivalents at the beginning of the financial period | | - |
| Cash and cash equivalents at the end of the financial period | 14(a) | - |

The above cash flow statement should be read in conjunction with the accompanying notes.


Notes to the financial statements for the financial period 17 September 2014 to 30 June 2015

Note 1. Summary of significant accounting policies

The Office of the Commissioner for Privacy and Data Protection (the Office) was established by the Privacy and Data Protection Act 2014 and commenced operations on 17 September 2014. The Office brought together the skills and resources of the Office of the Victorian Privacy Commissioner and the Commissioner for Law Enforcement Data Security, which it replaced. The functions and powers of both former agencies have been vested in the Office of the Commissioner for Privacy and Data Protection, with the additional obligations on the Commissioner to oversee the implementation of privacy flexibility mechanisms and the establishment of a Victorian Protective Data Security Framework.

These annual financial statements represent the audited general purpose financial statements for the Office for the period from 17 September 2014 to 30 June 2015. The purpose of the report is to provide users with information about the Office’s stewardship of resources entrusted to it.

(a) Statement of compliance

These general purpose financial statements have been prepared in accordance with the Financial Management Act 1994 (FMA) and applicable Australian Accounting Standards (AAS), which include Interpretations issued by the Australian Accounting Standards Board (AASB). In particular, they are presented in a manner consistent with the requirements of AASB 1049 Whole of Government and General Government Sector Financial Reporting.

Where appropriate, those AAS paragraphs applicable to not-for-profit entities have been applied.

Accounting policies are selected and applied in a manner which ensures that the resulting financial information satisfies the concepts of relevance and reliability, thereby ensuring that the substance of the underlying transactions or other events is reported.

To gain a better understanding of the terminology used in this report, a glossary of terms can be found in Note 19.

These annual financial statements were authorised for issue by the Commissioner on 10 September 2015.

(b) Basis of accounting preparation and measurement

The accrual basis of accounting has been applied in the preparation of these financial statements whereby assets, liabilities, equity, income and expenses are recognised in the reporting period to which they relate, regardless of when cash is received or paid.

Judgements, estimates and assumptions are required to be made about the carrying values of assets and liabilities that are not readily apparent from other sources. The estimates and associated assumptions are based on professional judgements derived from historical experience and various other factors that are believed to be reasonable under the circumstances. Actual results may differ from these estimates.

Revisions to accounting estimates are recognised in the period in which the estimate is revised and also in future periods that are affected by the revision. Judgements and assumptions made by management in the application of AASs that have significant effects on the financial statements and estimates relate to:

• the fair value of plant and equipment (refer to Note 1(j));

• actuarial assumptions for employee benefit provisions based on likely tenure of existing staff, patterns of leave claims, future salary movements and future discount rates (refer to Note 1(k)); and

• superannuation expense (refer to Note 1(f)).


These financial statements are presented in Australian dollars, and prepared in accordance with the historical cost convention, except where noted.

Consistent with AASB 13 Fair Value Measurement, the Office determines the policies and procedures for both recurring fair value measurements such as property, plant and equipment and financial instruments and for non-recurring fair value measurements such as non-financial physical assets held for sale, in accordance with the requirements of AASB 13 and the relevant Financial Reporting Directions.

All assets and liabilities for which fair value is measured or disclosed in the financial statements are categorised within the fair value hierarchy, described as follows, based on the lowest level input that is significant to the fair value measurement as a whole:

• Level 1 — Quoted (unadjusted) market prices in active markets for identical assets or liabilities

• Level 2 — Valuation techniques for which the lowest level input that is significant to the fair value measurement is directly or indirectly observable; and

• Level 3 — Valuation techniques for which the lowest level input that is significant to the fair value measurement is unobservable.

For the purpose of fair value disclosures, the Office has determined classes of assets and liabilities on the basis of the nature, characteristics and risks of the asset or liability and the level of the fair value hierarchy as explained above.

In addition, the Office determines whether transfers have occurred between levels in the hierarchy by reassessing categorisation (based on the lowest level input that is significant to the fair value measurement as a whole) at the end of each reporting period.

(c) Reporting entity

The financial statements cover the Office as an individual reporting entity.

The financial statements include all activities of the Office. Its principal address is: Level 6, 121 Exhibition Street, Melbourne VIC 3000

Enabling legislation (Privacy and Data Protection Act 2014)

The Office is a department established under Part 6(1)(f) of the Public Administration Act 2004 and is preparing this report in accordance with the Privacy and Data Protection Act 2014 (the Act) under Division 3, Section 116. The Office is operating under the auspices of the Department of Premier and Cabinet and reporting to Parliament through the Special Minister of State. The Office’s purposes, functions, powers and duties are set out in Part 1 and Part 3 of the Act.

Objectives and Funding

The main functions of the Office of the Commissioner for Privacy and Data Protection, under the Act, are:

• to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;

• to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;

• to promote awareness of responsible personal information handling practices in the public sector;

• to promote the responsible and transparent handling of personal information in the public sector;

• to promote responsible data security practices in the public sector.

The Office is funded for the provision of outputs consistent with its statutory functions. Funds are from accrual-based grants derived from monies appropriated annually by Parliament through the Department of Premier and Cabinet.

(d) Scope and presentation of financial statements

Comprehensive operating statement

The comprehensive operating statement comprises three components: ‘net result from transactions’ (also termed ‘net operating balance’), ‘other economic flows included in net result’, and ‘other economic flows – other comprehensive income’. The sum of the former two represents the net result.

The net result is equivalent to profit or loss derived in accordance with AASs.

‘Other economic flows’ are changes arising from market remeasurements. They include:

• gains and losses from disposals of non-financial assets;

• revaluations and impairments of non-financial physical and tangible assets;

• remeasurement arising from defined benefit superannuation plans;

• fair value changes of financial instruments and agricultural assets; and

• depletion of natural assets (non-produced) from their use or removal.

This classification is consistent with the whole of government reporting format and is allowed under AASB 101 Presentation of Financial Statements.

Balance sheet

Assets and liabilities are presented in liquidity order with assets aggregated into financial assets and non-financial assets.

Current and non-current assets and liabilities (non-current being those assets or liabilities expected to be recovered or settled beyond 12 months) are disclosed in the notes, where relevant.

Cash flow statement

Cash flows are classified according to whether or not they arise from operating, investing, or financing activities. This classification is consistent with requirements under AASB 107 Statement of Cash Flows.

Statement of changes in equity

The statement of changes in equity presents reconciliations of non-owner and owner changes in equity from the opening balance at the beginning of the reporting period to the closing balance at the end of the reporting period. It also shows separately changes due to amounts recognised in the ‘comprehensive result’ and amounts recognised in ‘other economic flows - other movements in equity’ related to ‘transactions with owner in its capacity as owner’.

(e) Income from transactions

Income is recognised to the extent that it is probable that the economic benefits will flow to the entity and the income can be reliably measured at fair value.

Grants

Income from grants (other than contribution by owners) is recognised when the Office obtains control over the contribution.

Fair value of assets and services received free of charge or for nominal consideration

Contributions of resources received free of charge or for nominal consideration are recognised at fair value when control is obtained over them, irrespective of whether these contributions are subject to restrictions or conditions over their use. Contributions in the form of services are only recognised when a fair value can be reliably determined and the services would have been purchased if not received as a donation.

The Department of Premier and Cabinet has been centrally funded for services it provides to the Office. These services are not recognised in the financial statements of the Office as their fair values cannot be reliably determined. The services that are utilised include the use of financial systems, payroll systems, accounts payable, asset register and IT network.

(f) Expenses from transactions

Expenses from transactions are recognised as they are incurred and reported in the financial period to which they relate.

Employee expenses

Refer to the section in Note 1(k) regarding employee benefits.

These expenses include all costs related to employment, including wages and salaries, superannuation, fringe benefits tax, leave entitlements, redundancy payments and WorkCover premiums.

The amount recognised in the comprehensive operating statement for superannuation expense is the employer contributions for members of both defined benefit and defined contribution superannuation plans that are paid or payable to these plans during the reporting period.

The Department of Treasury and Finance (DTF), in their annual financial statements, disclose on behalf of the State as the sponsoring employer, the net defined benefit cost related to the members of these plans as an administered liability. Refer to DTF’s Annual Financial Statements for more detailed disclosures in relation to these plans.

Depreciation and amortisation

Depreciation is generally calculated on a straight-line basis, at rates that allocate the asset’s value, less any estimated residual value, over its estimated useful life.

Intangible assets with finite useful lives are depreciated as an expense on a straight-line basis over the asset’s useful life.

Refer to Note 1(j) for the amortisation policy for leasehold improvements.

The estimated useful lives, residual values and depreciation method are reviewed at the end of each annual reporting period, and adjustments made where appropriate.

The following are typical estimated useful lives for the different asset classes.

• plant, computers and communications equipment - 3-10 years

• leasehold improvements - 8 years

• software development and licence costs - 3 years

Supplies and services

Supplies and services costs are recognised as expenses in the reporting period in which they are incurred.

(g) Other economic flows included in the net result

Other economic flows measure the change in volume or value of assets or liabilities that do not result from transactions.

Net gain/(loss) on non-financial assets

Net gain/(loss) on non-financial assets and liabilities includes realised and unrealised gains and losses as follows:

Disposal of non-financial assets

Any gain or loss on the disposal of non-financial assets is recognised at the date of disposal and is determined after deducting from the proceeds the carrying value of the asset at that time.

Impairment of non-financial assets

All non-financial assets are assessed annually for impairment, as to whether their carrying value exceeds their recoverable amount and so require write downs, and whenever there is an indication that the asset may be impaired.

If there is an indication of impairment, the assets concerned are tested as to whether their carrying value exceeds their recoverable amount. Where an asset’s carrying value exceeds its recoverable amount, the difference is written off as an other economic flow, except to the extent that the write-down can be debited to an asset revaluation surplus amount applicable to that class of asset.

If there is an indication that there has been a change in the estimate of an asset’s recoverable amount since the last impairment loss was recognised, the carrying amount shall be increased to its recoverable amount. This reversal of the impairment loss occurs only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised in prior years.

It is deemed that, in the event of the loss or destruction of an asset, the future economic benefits arising from the use of the asset will be replaced unless a specific decision to the contrary has been made. The recoverable amount for most assets is measured at the higher of depreciated replacement cost and fair value less costs to sell. Recoverable amount for assets held primarily to generate net cash inflows is measured at the higher of the present value of future cash flows expected to be obtained from the asset and fair value less costs to sell.

Refer to Note 1(i) in relation to the recognition and measurement of non-financial assets.

Impairment of financial assets

At the end of each reporting period, the Office assesses whether there is objective evidence that a financial asset or group of financial assets is impaired. All financial instrument assets, except those measured at fair value through profit or loss, are subject to annual review for impairment.

Receivables are assessed for bad and doubtful debts on a regular basis. Those bad debts considered as written off by mutual consent are classified as a transaction expense. The allowance for doubtful receivables and bad debts not written off by mutual consent are adjusted as other economic flows.

Net gain/(loss) on financial instruments

Net gain/(loss) on financial instruments includes:

• realised and unrealised gains and losses from revaluations of financial instruments at fair value;

• impairment and reversal of impairment for financial instruments at amortised cost (refer to Note 1(i)); and

• disposals of financial assets.

Other gains/(losses) from other economic flows

Other gains/(losses) from other economic flows include the gains or losses from:

• the revaluation of the present value of the long service leave liability due to changes in the bond interest rates; and

• transfer of amounts from the reserves to accumulated surplus or net result due to disposal or derecognition or reclassification.

(h) Financial instruments

Financial instruments arise out of contractual agreements that give rise to a financial asset of one entity and a financial liability or equity instrument of another entity. Due to the nature of the Office’s activities, certain financial assets and financial liabilities arise under statute rather than a contract. Such financial assets and financial liabilities do not meet the definition of financial instruments in AASB 132 Financial Instruments: Presentation. For example, statutory receivables arising from taxes, fines and penalties do not meet the definition of financial instruments as they do not arise under contract.

Where relevant, for note disclosure purposes, a distinction is made between those financial assets and financial liabilities that meet the definition of financial instruments in accordance with AASB 132 and those that do not.

The following refers to financial instruments unless otherwise stated.

Loans and receivables

Loans and receivables are financial instrument assets with fixed and determinable payments that are not quoted on an active market. These assets are initially recognised at fair value plus any directly attributable transaction costs. Subsequent to initial measurement, loans and receivables are measured at amortised cost using the effective interest method, less any impairment.

Loans and receivables category includes cash and deposits, term deposits with maturity greater than three months, trade receivables, loans and other receivables, but not statutory receivables.

Financial liabilities at amortised cost

Financial instrument liabilities are initially recognised on the date they are originated. They are initially measured at fair value plus any directly attributable transaction costs. Subsequent to initial recognition, these financial instruments are measured at amortised cost with any difference between the initial recognised amount and the redemption value being recognised in profit and loss over the period of the interest-bearing liability, using the effective interest rate method (refer to Note 19).

Financial instrument liabilities measured at amortised cost include all of the Office’s contractual payables, deposits held and advances received, and interest-bearing arrangements other than those designated at fair value through profit or loss.

(i) Financial assets

Receivables

Receivables consist of:

• contractual receivables, such as debtors in relation to goods and services.

• statutory receivables, which include predominantly amounts owing from the Victorian Government.

Where applicable, contractual receivables are classified as financial instruments and categorised as loans and receivables (refer to Note 13 Financial Instruments for recognition and measurement). Statutory receivables are recognised and measured similarly to contractual receivables (except for impairment), but are not classified as financial instruments because they do not arise from a contract.

Receivables are subject to impairment testing as described above. A provision for doubtful receivables is recognised when there is objective evidence that the debts may not be collected, and bad debts are written off when identified.

(j) Non-financial assets

Plant and equipment

All non-financial physical assets are measured initially at cost and subsequently revalued at fair value less accumulated depreciation and impairment. Where an asset is acquired for no or nominal cost, the cost is its fair value at the date of acquisition. Assets transferred as part of a machinery of government change are transferred at their carrying amount.

Plant and equipment is held at fair value. The Office applies an individual asset capitalisation threshold of $5,000. Individual acquisitions below this value are expensed.

Leasehold improvements

The cost of leasehold improvements is capitalised as an asset and depreciated over the shorter of the term of the lease or the estimated useful life of the improvements.

Intangible assets

Intangible assets are initially recognised at cost. Subsequently, intangible assets with finite useful lives are carried at cost less accumulated amortisation and accumulated impairment losses. Costs incurred subsequent to initial acquisition are capitalised when it is expected that additional future economic benefits will flow to the Office.

(k) Liabilities

Payables

Payables consist of:

• contractual payables, such as accounts payable. Accounts payable represent liabilities for goods and services provided to the Office prior to the end of the financial year that are unpaid, and arise when the Office becomes obliged to make future payments in respect of the purchase of those goods and services.

• statutory payables, such as goods and services tax and fringe benefits tax payables.

Contractual payables are classified as financial instruments and categorised as financial liabilities at amortised cost (refer to Note 7). Statutory payables are recognised and measured similarly to contractual payables, but are not classified as financial instruments and not included in the category of financial liabilities at amortised cost, because they do not arise from a contract.

Provisions

Provisions are recognised when the Office has a present obligation, the future sacrifice of economic benefits is probable, and the amount of the provision can be measured reliably.

The amount recognised as a provision is the best estimate of the consideration required to settle the present obligation at reporting period, taking into account the risks and uncertainties surrounding the obligation. Where a provision is measured using the cash flows estimated to settle the present obligation, its carrying amount is the present value of those cash flows, using a discount rate that reflects the time value of money and risks specific to the provision.

When some or all of the economic benefits required to settle a provision are expected to be received from a third party, the receivable is recognised as an asset if it is virtually certain that recovery will be received and the amount of the receivable can be measured reliably.

Employee benefits

Provision is made for benefits accruing to employees in respect of wages and salaries, annual leave and long service leave for services rendered to the reporting date.

(i) Wages and salaries and annual leave

Liabilities for wages and salaries, including non-monetary benefits, annual leave and accumulating sick leave, are all recognised in the provision for employee benefits as ‘current liabilities’, because the Office does not have an unconditional right to defer settlements of these liabilities.

Depending on the expectation of the timing of settlement, liabilities for wages and salaries, annual leave and sick leave are measured at:

• undiscounted value if the Office expects to wholly settle within 12 months; or

• present value if the Office does not expect to wholly settle within 12 months.

(ii) Long service leave

Liability for long service leave (LSL) is recognised in the provision for employee benefits.

Unconditional LSL is disclosed in the notes to the financial statements as a current liability even where the Office does not expect to settle the liability within 12 months because it will not have the unconditional right to defer the settlement of the entitlement should an employee take leave within 12 months.

The components of this current LSL liability are measured at:

• undiscounted value if the Office expects to wholly settle within 12 months; and

• present value if the Office does not expect to wholly settle within 12 months.

Conditional LSL is disclosed as a non-current liability. There is an unconditional right to defer the settlement of the entitlement until the employee has completed the requisite years of service. This non-current LSL liability is measured at present value.

Any gain or loss following revaluation of the present value of non-current LSL liability is recognised as a transaction, except to the extent that a gain or loss arises due to changes in bond interest rates for which it is then recognised as an other economic flow (refer to Note 1(g)).

(iii) Termination benefits

Termination benefits are payable when employment is terminated before the normal retirement date, or when an employee decides to accept an offer of benefits in exchange for the termination of employment. The Office recognises termination benefits when it is demonstrably committed to either terminating the employment of current employees according to a detailed formal plan without possibility of withdrawal or providing termination benefits as a result of an offer made to encourage voluntary redundancy. Benefits falling due more than 12 months after the end of the reporting period are discounted to present value.

(iv) On-costs

Provisions for on-costs such as payroll tax, workers compensation and superannuation are recognised separately from provision for employee benefits.

(l) Leases

A lease is a right to use an asset for an agreed period of time in exchange for payment.

Leases are classified at their inception as either operating or finance leases based on the economic substance of the agreement so as to reflect the risk and reward incidental to ownership. Leases of property, plant and equipment are classified as finance infrastructure leases whenever the terms of the lease transfer substantially all the risks and rewards of ownership from the lessor to the lessee. All other leases are classified as operating leases.

Operating leases

Operating lease payments, including any contingent rentals, are recognised as an expense in the comprehensive operating statement on a straight-line basis over the lease term, except where another systematic basis is more representative of the time pattern of the benefits derived from the use of the leased asset. The leased asset is not recognised in the balance sheet.

All incentives for the agreement of a new or renewed operating lease are recognised as an integral part of the net consideration agreed for the use of the leased asset, irrespective of the incentive’s nature or form or the timing of payments.

In the event that lease incentives are received to enter into operating leases, the aggregate cost of incentives is recognised as a reduction of rental expense over the lease term on a straight-line basis, unless another systematic basis is more representative of the time pattern in which economic benefits from the leased asset are consumed.

(m) Equity

Consistent with the requirements of AASB 1004 Contributions, contributions by owners (that is contributed capital and its repayment) are treated as equity transactions and, therefore, do not form part of the income and expenses of the Office.

Additions to net assets which have been designated as contributions by owners are recognised as contributed capital. Other transfers that are in the nature of contributions or distributions have also been designated as contributions by owners.

(n) Commitments

Commitments for future expenditure include operating and capital commitments arising from contracts. These commitments are disclosed by way of a note at their nominal value and exclusive of the goods and services tax (GST) payable. In addition, where it is considered appropriate and provides relevant information to users, the net present values of significant individual projects are stated. These future expenditures cease to be disclosed as commitments once the related liabilities are recognised in the balance sheet.

(o) Contingent assets and contingent liabilities

Contingent assets and contingent liabilities are not recognised in the balance sheet, but are disclosed by way of a note (refer to Note 12) and, if quantifiable, are measured at nominal value. Contingent assets and liabilities are presented inclusive of GST receivable or payable respectively.

(p) Accounting for the goods and services tax (GST)

Income, expenses and assets are recognised net of the amount of associated GST, except where the GST incurred is not recoverable from the taxation authority. In this case, the GST payable is recognised as part of the cost of acquisition of the asset or as part of the expense.

Receivables and payables are stated inclusive of the amount of GST receivable or payable. The net amount of GST recoverable from or payable to the taxation authority is included with other receivables or payables in the balance sheet.

Cash flows are presented on a gross basis. The GST components of cash flows arising from investing or financing activities which are recoverable from or payable to the taxation authority are presented as an operating cash flow.

(q) Events after the reporting period

Assets, liabilities, income or expenses arise from past transactions or other past events. Where the transactions result from an agreement between the Office and other parties, the transactions are only recognised when the agreement is irrevocable at or before the end of the reporting period. Adjustments are made to amounts recognised in the financial statements for events which occur between the end of the reporting period and the date when the financial statements are authorised for issue, where those events provide information about conditions which existed at the reporting date. Note disclosure is made about events between the end of the reporting period and the date the financial statements are authorised for issue where the events relate to conditions which arose after the end of the reporting period that are considered to be of material interest.

(r) Australian Accounting Standards issued that are not yet effective

The Office has elected to early adopt the following standard, which was not mandatory for the 30 June 2015 reporting period:

AASB 2015-7 Amendments to Australian Accounting Standards – Fair Value Disclosures of Not-for-Profit Public Sector Entities, applicable for reporting periods commencing 1 July 2016. This standard provides scope-limited relief for not-for-profit public sector entities from making certain specified disclosures about the fair value measurement of assets within the scope of AASB 116 Property, Plant and Equipment. In accordance with FRD 7A Early Adoption of Authoritative Accounting Pronouncements, the Office has elected to early adopt AASB 2015-7 for the 2014-15 reporting period. Specifically, for fair value measurements that have been categorised within Level 3 of the fair value hierarchy, the Office is no longer required to provide quantitative information about the ‘significant unobservable inputs’ used in the fair value measurement.

As at 30 June 2015, the following standards had been issued but were also not mandatory for the 30 June 2015 reporting period. The Inspectorate has not adopted, and does not intend to adopt, these standards early:

AASB 9 Financial Instruments. The key changes include simplified requirements for the classification and measurement of financial assets, a new hedging accounting model and a revised impairment loss model to recognise impairment losses earlier, as opposed to the current approach that recognises impairment only when incurred. Applicable for annual reporting periods beginning on 1 January 2018. The assessment has identified that the financial impact of available for sale assets will now be reported through other comprehensive income and no longer recycled to the profit and loss. While the preliminary assessment has not identified any material impact arising from AASB 9, it will continue to be monitored and assessed.

AASB 15 Revenue from Contracts with Customers. The core principle of AASB 15 requires an entity to recognise revenue when the entity satisfies a performance obligation by transferring a promised good or service to a customer. Applicable for annual reporting periods beginning on 1 January 2017 (Exposure Draft 263 – potential deferral to 1 January 2018). The changes in revenue recognition requirements in AASB 15 may result in changes to the timing and amount of revenue recorded in the financial statements. The Standard will also require additional disclosures on service revenue and contract modifications.

AASB 2014-4 Amendments to Australian Accounting Standards – Clarification of Acceptable Methods of Depreciation and Amortisation [AASB 116 and AASB 138]. Amends AASB 116 Property, Plant and Equipment and AASB 138 Intangible Assets to:

• establish the principle for the basis of depreciation and amortisation as being the expected pattern of consumption of the future economic benefits of an asset;

• prohibit the use of revenue-based methods to calculate the depreciation or amortisation of an asset, tangible or intangible, because revenue generally reflects the pattern of economic benefits that are generated from operating the business, rather than the consumption through the use of the asset.

Applicable for annual reporting periods beginning on 1 January 2016. There is no expected impact as the revenue-based method is not used for depreciation and amortisation.

Note 2. Expenses from transactions

| | 2015 $ |
|---|---|
| Expenses from transactions includes: | |
| (a) Employee expenses | |
| Salaries and wages | 1,877,481 |
| Annual leave and long service leave | 300,821 |
| Post employment benefits | |
| Defined contribution superannuation expense | 145,492 |
| Defined benefit superannuation expense | 10,971 |
| Other on-costs (fringe benefits tax, payroll tax and WorkCover levy) | 88,687 |
| Total employee expenses | 2,423,452 |
| (b) Supplies and services | |
| Professional services | 172,106 |
| Information technology | 291,156 |
| Operating lease rentals | 465,985 |
| Other | 294,726 |
| Total supplies and services | 1,223,973 |
| (c) Depreciation and amortisation | |
| Depreciation - plant, computers and communications equipment | 23,083 |
| Amortisation - building leasehold improvements | 24,240 |
| Amortisation - software development and licence costs | 7,500 |
| Total depreciation and amortisation | 54,823 |

Note 3. Other economic flows included in net result

2015 $

Other gains/(losses) from other economic flows

Net gain/(loss) arising from revaluation of leave liabilities (i) (1,399)

Total other gains/(losses) from other economic flows (1,399)

Note:

(i) Revaluation gain/(loss) due to changes in government bond rates.

Note 4. Receivables

2015 $

Current receivables

Statutory

GST recoverable 1,808

Amounts receivable from Victorian government departments (i) 1,668,061

Total current receivables 1,669,869

Non-current receivables

Statutory

Amounts receivable from Victorian government departments (i) 50,340

Total non-current receivables 50,340

Total receivables 1,720,209

(i) The amounts receivable from Victorian government departments represent funding for all commitments incurred through the appropriations and are drawn down as the commitments fall due.

Note 5. Property, plant and equipment

Gross carrying amounts and accumulated depreciation

| | Gross carrying amount 2015 $ | Accumulated depreciation 2015 $ | Net carrying amount 2015 $ |
| --- | --- | --- | --- |
| Leasehold improvements at fair value | 226,071 | (35,380) | 190,691 |
| Construction in progress at cost | 80,000 | - | 80,000 |
| Plant, computers and communications equipment at fair value | 93,945 | (11,943) | 82,002 |
| Total property, plant and equipment | 400,016 | (47,323) | 352,693 |

Movements in carrying amounts

2015 $

Leasehold improvements at fair value

Opening balance -

Additions 55,406

Transfers free of charge 135,482

Reclassifications 24,043

Amortisation (24,240)

Closing balance 190,691

Construction in progress at cost

Opening balance -

Additions 80,000

Closing balance 80,000

Plant, computers and communications equipment at fair value

Opening balance -

Transfers free of charge 98,928

Transfers through contributed capital 30,200

Reclassifications (24,043)

Depreciation (23,083)

Closing balance 82,002

Plant, computers and communications equipment

Plant, computers and communications equipment is held at fair value. When such equipment is specialised in use, such that it is rarely sold other than as part of a going concern, fair value is determined using the depreciated replacement cost method.

There were no changes in valuation techniques throughout the period to 30 June 2015.

For all assets measured at fair value, the current use is considered the highest and best use.

Fair value measurement hierarchy for assets as at 30 June 2015

| | Carrying amount $ | Fair value measurement using Level 1 (i) $ | Fair value measurement using Level 2 (i) $ | Fair value measurement using Level 3 (i) $ |
| --- | --- | --- | --- | --- |
| Leasehold improvements at fair value | 190,691 | | | 190,691 |
| Plant, computers and communications equipment at fair value | 82,002 | | | 82,002 |
| Total of property, plant and equipment at fair value | 272,693 | - | - | 272,693 |

(i) Classified in accordance with the fair value hierarchy, see Note 1(b).

Description of significant unobservable inputs to Level 3 valuations

| | Valuation technique (ii) | Significant unobservable inputs (ii) |
| --- | --- | --- |
| Plant, computers and communications equipment | Depreciated replacement cost | Cost per unit; useful life of equipment |
| Leasehold improvements | Depreciated replacement cost | Cost per square metre; lease period |

(i) Plant, computers and communications equipment and leasehold improvements are held at fair value. When such assets are specialised in use, such that they are rarely sold other than as part of a going concern, fair value is determined using the depreciated replacement cost method.

Note 6. Intangible assets

Gross carrying amounts and accumulated amortisation

| | Gross carrying amount 2015 $ | Accumulated amortisation 2015 $ | Net carrying amount 2015 $ |
| --- | --- | --- | --- |
| Software development and licence costs at fair value | 45,000 | (7,500) | 37,500 |
| Total intangible assets | 45,000 | (7,500) | 37,500 |

Movements in carrying amounts

Opening balance -

Additions 45,000

Amortisation (7,500)

Closing balance 37,500

Note 7. Payables

2015 $

Current payables

Contractual

Supplies and services 744,181

Other payables 19,142

763,323

Statutory

Fringe benefits tax payable 2,083

2,083

Total payables 765,406

(a) Maturity analysis of contractual payables

Refer to Note 13 for the maturity analysis of contractual payables.

(b) Nature and extent of risk arising from contractual payables

Refer to Note 13 for the nature and extent of risks arising from contractual payables.

Note 8. Provisions

2015 $

Current provisions

Employee benefits - annual leave

Unconditional and expected to settle within 12 months 192,135

Unconditional and expected to settle after 12 months 50,909

Employee benefits - long service leave:

Unconditional and expected to settle within 12 months 90,313

Unconditional and expected to settle after 12 months 425,759

Total current provisions 759,116

Non-current provisions

Employee benefits - long service leave 50,340

Total non-current provisions 50,340

Total provisions 809,456

Note 9. Leases

Operating leases

Commitments under a non-cancellable operating lease at the reporting date are as follows:

2015 $

Not longer than 1 year 330,649

Longer than one year and not longer than 5 years 1,402,001

Longer than 5 years 785,683

Total commitments 2,518,333

Leasing arrangements

The Exhibition Street, Melbourne office facilities have an initial lease term of eight years, terminating as at 30 June 2022, with an option to extend for a further five years. The Office does not have an option to purchase the leased asset at the expiry of the lease period.

Note 10. Superannuation

Employees of the Office are entitled to receive superannuation benefits and the Office contributes to both defined benefit and defined contribution plans. The defined benefit plans provide benefits based on years of service and final average salary.

The Office does not recognise any defined benefit liability in respect of the plans because the entity has no legal or constructive obligation to pay future benefits relating to its employees; its only obligation is to pay superannuation contributions as they fall due. The Department of Treasury and Finance recognises and discloses the State’s defined benefit liabilities in its disclosure for administered items.

However, superannuation contributions paid or payable for the reporting period are included as part of employee benefits in the comprehensive operating statement of the Office.

The name, details and amounts expensed in relation to the major employee superannuation funds and contributions made by the Office are as follows:

| Fund | Paid contribution for the year 2015 $ | Contribution outstanding at year end 2015 $ |
| --- | --- | --- |
| Defined benefit funds | | |
| State Superannuation Fund | 10,971 | - |
| Defined contribution funds | | |
| VicSuper | 124,258 | - |
| Other | 21,234 | - |
| Total | 156,463 | - |

Note 11. Commitments for expenditure

Apart from operating lease commitments (refer Note 8), there were no commitments for capital or other expenditure at 30 June 2015.

Note 12. Contingent assets and contingent liabilities

There were no contingent assets or contingent liabilities at 30 June 2015.

Note 13. Financial instruments

(a) Financial risk management objectives and policies

The Office’s financial instruments comprise:

• receivables (excluding statutory receivables); and

• payables (excluding statutory payables).

Details of the significant accounting policies and methods adopted, including the criteria for recognition, the basis of measurement, and the basis on which expenses and income are recognised, with respect to each class of financial asset, financial liability and equity instrument above are disclosed in Note 1 to the financial statements.

The main purpose in holding financial instruments is to prudentially manage the Office’s financial risks in the government policy parameters.

The carrying amounts of the Office’s contractual financial assets and contractual financial liabilities by category are set out below:

Categorisation of financial instruments

2015

Contractual financial liabilities at amortised cost $

Contractual financial liabilities

Payables (i) 763,323

Total contractual financial liabilities 763,323

(i) The total amounts disclosed here exclude statutory amounts (e.g. amounts owing from Victorian Government and taxes payable).

(b) Credit risk

Credit risk associated with the Office’s financial assets is minimal because the main debtor is the Victorian Government. For debtors other than the Government, it is the Office’s policy to only deal with entities with high credit ratings of a minimum triple B rating and to obtain sufficient collateral or credit enhancements, where appropriate.

(c) Liquidity risk

Liquidity risk is the risk that the Office would be unable to meet its financial obligations as and when they fall due. The Office operates under the Government fair payments policy of settling financial obligations within 30 days and, in the event of a dispute, making payments within 30 days from the date of resolution.

The Office’s exposure to liquidity risk is deemed insignificant based on the current assessment of risk.

The following table discloses the contractual maturity analysis for the Office’s contractual financial liabilities.

Maturity analysis of contractual financial liabilities (i)

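| | Carrying amount $ | Nominal amount $ | Maturity dates (i): less than 1 month $ | Maturity dates (i): 1 month to 3 months $ | Maturity dates (i): 3 months to 1 year $ | Maturity dates (i): 1 year to 5 years $ | Maturity dates (i): 5+ years $ |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2015 | | | | | | | |
| Payables (ii) | 763,323 | 763,323 | 763,323 | - | - | - | - |
| | 763,323 | 763,323 | 763,323 | - | - | - | - |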

(i) Maturity analysis is presented using the contractual undiscounted cash flows.

(ii) The carrying amounts disclosed exclude statutory amounts (e.g. FBT payable).

(d) Market risk

The Office’s exposure to market risk is deemed insignificant based on current assessment of risk.

(e) Fair Value

The fair values and net fair values of financial instrument assets and liabilities are determined as follows:

• Level 1 – the fair value of financial instruments with standard terms and conditions and traded in active liquid markets is determined with reference to quoted market prices;

• Level 2 – the fair value is determined using inputs other than quoted prices that are observable for the financial asset or liability, either directly or indirectly; and

• Level 3 – the fair value is determined in accordance with generally accepted pricing models based on discounted cash flow analysis using unobservable market inputs.

The Office considers the carrying amount of financial assets and financial liabilities recorded in the financial statements to be a fair approximation of their fair values, because of the short-term nature of the financial instruments and the expectation that they will be paid in full.

Note 14. Cash flow information

(a) Reconciliation of cash and cash equivalents

2015 $

Total cash and cash equivalents disclosed in the balance sheet (i) -

Balance as per cash flow statement -

Note:

(i) Due to the State of Victoria’s investment policy and government funding arrangements, government departments and agencies generally do not hold a large cash reserve in their bank accounts. Cash received by a department and agencies from the generation of revenue is generally paid into the State’s bank account, known as the Public Account. Similarly, any departmental or agency expenditure, including those in the form of cheques drawn by the Office for the payment of goods and services to its suppliers and creditors, are made via the Public Account. The process is such that the Public Account would remit cash required for the amount drawn on the cheques. This remittance by the Public Account occurs upon the presentation of the cheques by the Office’s suppliers or creditors.

(b) Reconciliation of net result for the period

2015 $

Net result for the period 462,569

Non-cash movements

Depreciation and amortisation of non-current assets 54,823

Resources received free of charge (234,410)

Movements in assets and liabilities (net of effects of restructuring)

(Increase)/decrease in receivables (1,379,190)

(Decrease)/increase in payables 738,642

(Decrease)/increase in provisions 537,972

Net cash flows from operating activities 180,406

Note 15. Responsible persons

In accordance with the Ministerial Directions issued by the Minister for Finance under the Financial Management Act 1994, the following disclosures are made regarding responsible persons for the reporting period.

Names

The persons who held the positions of Ministers and Accountable Officers in the Office are as follows:

The Hon Robert Clark MP Attorney-General 17 September 2014 to 4 December 2014

The Hon Gavin Jennings MP Special Minister of State 4 December 2014 to 30 June 2015

David Watts Commissioner 17 September 2014 to 30 June 2015

Remuneration

Remuneration received or receivable by the Accountable Officer in connection with the management of the Office during the reporting period (17 September 2014 to 30 June 2015) was in the range:

$220,000 to $229,999

Amounts relating to Ministers are reported in the financial statements of the Department of Premier and Cabinet.

Other transactions

Other related transactions and loans requiring disclosure under the Directions of the Minister for Finance have been considered and there are no matters to report.

Related party transactions

During the financial period, the Office, the Department of Justice and the Department of Premier and Cabinet conducted business transactions at arm’s length and at normal commercial terms.

Note 16. Remuneration of executives

Other than the Accountable Officer (refer above), there were no executive officers within the Office during the reporting period.

No contractors held significant management responsibilities within the Office.

Note 17. Remuneration of auditors

2015 $

Victorian Auditor-General’s Office

Audit of the financial statements 15,000

15,000

Note 18. Subsequent events

No events that should be reported have occurred after the end of the financial period.

Note 19. Glossary of terms

Commitments

Commitments include those operating, capital and other outsourcing commitments arising from non-cancellable contractual or statutory sources.

Comprehensive result

The net result of all items of income and expense recognised for the period. It is the aggregate of operating result and other comprehensive income.

Depreciation

Depreciation is an expense that arises from the consumption through wear or time of a produced physical or intangible asset. This expense is classified as a ‘transaction’ and so reduces the ‘net result from transactions’.

Effective interest method

The effective interest method is used to calculate the amortised cost of a financial asset and to allocate interest income over the relevant period. The effective interest rate is the rate that exactly discounts estimated future cash receipts through the expected life of the financial instrument, or, where appropriate, a shorter period.

Employee benefits expenses

Employee benefits expenses include all costs related to employment including wages and salaries, fringe benefits tax, leave entitlements, redundancy payments, defined benefits superannuation plans, and defined contribution superannuation plans.

Financial asset

A financial asset is any asset that is:

(a) cash;

(b) an equity instrument of another entity;

(c) a contractual or statutory right;

— to receive cash or another financial asset from another entity; or

— to exchange financial assets or financial liabilities with another entity under conditions that are potentially favourable to the entity; and

(d) a contract that will or may be settled in the entity’s own equity instruments and is:

— a non-derivative for which the entity is or may be obliged to receive a variable number of the entity’s own equity instruments; or

— a derivative that will or may be settled other than by the exchange of a fixed amount of cash or another financial asset for a fixed number of the entity’s own equity instruments.

Financial instrument

A financial instrument is any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument of another entity. Financial assets or liabilities that are not contractual (such as statutory receivables or payables that arise as a result of statutory requirements imposed by governments) are not financial instruments.

Financial liability

A financial liability is any liability that is:

(a) a contractual obligation:

(i) to deliver cash or another financial asset to another entity; or

(ii) to exchange financial assets or financial liabilities with another entity under conditions that are potentially unfavourable to the entity.

(b) A contract that will or may be settled in the entity’s own equity instruments and is:

(i) a non-derivative for which the entity is or may be obliged to deliver a variable number of the entity’s own equity instruments; or

(ii) a derivative that will or may be settled other than by the exchange of a fixed amount of cash or another financial asset for a fixed number of the entity’s own equity instruments. For this purpose, the entity’s own equity instruments do not include instruments that are themselves contracts for the future receipt or delivery of the entity’s own equity instruments.

Financial statements

A complete set of financial statements comprises:

(a) a balance sheet as at the end of the period;

(b) a comprehensive operating statement for the period;

(c) a statement of changes in equity for the period;

(d) a cash flow statement for the period;

(e) notes, comprising a summary of significant accounting policies and other explanatory information;

(f) comparative information in respect of the preceding period as specified in paragraphs 38 of AASB 101 Presentation of Financial Statements; and

(g) a statement of financial position as at the beginning of the preceding period when an entity applies an accounting policy retrospectively or makes a retrospective restatement of items in its financial statements, or when it reclassifies items in its financial statements in accordance with paragraphs 41 of AASB 101.

Grants

Transactions in which one unit provides goods, services, assets (or extinguishes a liability) or labour to another unit without receiving approximately equal value in return. Grants can either be operating or capital in nature.

While grants to governments may result in the provision of some goods or services to the transferor, they do not give the transferor a claim to receive directly benefits of approximately equal value. For this reason, grants are referred to by the AASB as involuntary transfers and are termed non-reciprocal transfers. Receipt and sacrifice of approximately equal value may occur, but only by coincidence. For example, governments are not obliged to provide commensurate benefits, in the form of goods or services, to particular taxpayers in return for their taxes.

Grants can be paid as general purpose grants which refer to grants that are not subject to conditions regarding their use. Alternatively, they may be paid as specific purpose grants which are paid for a particular purpose and/or have conditions attached regarding their use.

Interest expense

Costs incurred in connection with the borrowing of funds. Interest expenses include interest on bank overdrafts and short-term and long-term borrowings, amortisation of discounts or premiums relating to borrowings, interest component of finance lease repayments, and the increase in financial liabilities and non-employee provisions due to the unwinding of discounts to reflect the passage of time.

Net result

Net result is a measure of financial performance of the operations for the period. It is the net result of items of income, gains and expenses (including losses) recognised for the period, excluding those that are classified as ‘other economic flows – other comprehensive income’.

Net result from transactions/net operating balance

Net result from transactions or net operating balance is a key fiscal aggregate and is income from transactions minus expenses from transactions. It is a summary measure of the ongoing sustainability of operations. It excludes gains and losses resulting from changes in price levels and other changes in the volume of assets. It is the component of the change in net worth that is due to transactions and can be attributed directly to government policies.

Net worth

Assets less liabilities, which is an economic measure of wealth.

Non-financial assets

Non-financial assets are all assets that are not ‘financial assets’. It includes land, buildings, plant and equipment and intangible assets.

Other economic flows included in net result

Other economic flows included in net result are changes in the volume or value of an asset or liability that do not result from transactions. It includes:

• gains and losses from disposals, revaluations and impairments of non financial physical and intangible assets;

• fair value changes of financial instruments and agricultural assets; and

• depletion of natural assets (non produced) from their use or removal.

Payables

Includes short and long term trade debt and accounts payable, grants, taxes and interest payable.

Receivables

Includes amounts owing from government through appropriation receivable, short and long term trade credit and accounts receivable, accrued investment income, grants, taxes and interest receivable.

Supplies and services

Supplies and services generally represent cost of goods sold and the day-to-day running costs, including maintenance costs, incurred in the normal operations of the Inspectorate.

Transactions

Transactions are those economic flows that are considered to arise as a result of policy decisions, usually an interaction between two entities by mutual agreement. They also include flows within an entity such as depreciation where the owner is simultaneously acting as the owner of the depreciating asset and as the consumer of the service provided by the asset. Taxation is regarded as mutually agreed interactions between the government and taxpayers. Transactions can be in kind (e.g. assets provided/given free of charge or for nominal consideration) or where the final consideration is cash. In simple terms, transactions arise from the policy decisions of the government.

APPENDICES

Disclosure Index

The Annual Report of the Commissioner for Privacy and Data Protection is prepared in accordance with all relevant Victorian legislation. This index has been prepared to facilitate identification of compliance with statutory disclosure requirements.

Legislation | Requirement | Page Reference

Ministerial Directions

Report of Operations – FRD Guidance

Charter and purpose

FRD 22F Manner of establishment and the relevant Ministers Page 9

FRD 22F Objectives, functions, powers and duties Page 9–10

FRD 22F Nature and range of services provided Page 12–28

Management and structure

FRD 22F Organisational structure Page 31

Financial and other information

FRD 8C Performance against output performance measures Page 68

FRD 10 Disclosure index Page 66–67

FRD 12A Disclosure of major contracts Page 34

FRD 15B Executive officer disclosures Page 34

FRD 22F Employment and conduct principles Page 32

FRD 22F Occupational health and safety policy Page 33

FRD 22F Summary of the financial results for the year Page 36–64

FRD 22F Application and operation of Freedom of Information Act 1982 Page 34

FRD 22F Application and operation of the Protected Disclosure Act 2012 Page 34

FRD 22F Details of consultancies over $10 000 Page 34

FRD 22F Details of consultancies under $10 000 Page 34

FRD 22F Statement of availability of other information Page 34

FRD 24C Reporting of office-based environmental impacts Page 33

FRD 29A Workforce Data disclosures Page 32

SD 4.5.5.5 Risk management compliance attestation Page 33

SD.4.5.5.1 Insurance compliance attestation Page 70

Financial statements required under Part 7 of the FMA

SD4.2(a) Statement of changes in equity Page 40

SD4.2(b) Operating statement Page 38

SD4.2(b) Balance sheet Page 39

SD4.2(b) Cash flow statement Page 41

Other requirements under Standing Directions 4.2

SD4.2(c) Compliance with Australian accounting standards and other authoritative pronouncements Page 37

SD4.2(c) Compliance with Ministerial Directions Page 37

SD4.2(c) Accountable officers’ declaration Page 37

Other disclosures required by FRDs in notes to the financial statements

FRD21B Disclosure of Responsible Persons, Executive Officers and other Personnel (Contractors with Significant Management Responsibilities) in the Financial Report Page 47

FRD103E Non-current Physical Assets Page 41

FRD110 Cash Flow Statements Page 58

FRD114A Financial Instruments – General Government Entities and Public Non Financial Corporations

Legislation

Commissioner for Privacy and Data Protection Act 2014

Freedom of Information Act 1982

Protected Disclosure Act 2012

Financial Management Act 1994

Audit Act 1994

Financial Statements

Budget Paper Number Three (BP3) Output Performance 2014-15

The performance measures detailed below are legacy measures published in the 2014-15 budget papers for the former Office of the Victorian Privacy Commissioner (OVPC). Performance measures for the Office of the Commissioner for Privacy and Data Protection (CPDP) have been published in the 2015-16 budget papers.

Performance measures | Unit of measure | 2014–15 actual | 2014–15 target | Performance variation (%) | Result (1)

Quantity

Compliance activities conducted number 2255 2700 -7.7

Underperformance in this former OVPC measure reflects changes to enquiries and complaint handling consistent with CPDP legislation and priorities.

Privacy awareness activities number 101 195 -48

Underperformance in this former OVPC measure is due to reprioritisation of activities to reflect CPDP legislation and priorities.

Quality

Client feedback of satisfaction with complaint handling and training services provided. level high high 0

Timeliness

Statutory or agreed timelines met. per cent 90.0 90.0 0

Note:

1. Performance target not achieved – exceeds 5 per cent variance.

Performance target achieved or exceeded. [A variance exceeding 5 per cent is a significant variance that requires an explanation, including internal or external factors that cause the variance].

Performance target not achieved – within 5 per cent variance.

Attestation on Compliance with the Australian / New Zealand Risk Management Standard

I, David Watts, certify that the Office of the Commissioner for Privacy and Data Protection has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The Commissioner for Privacy and Data Protection’s Audit and Finance Committee verified this assurance and that the risk profile of the Commissioner for Privacy and Data Protection has been critically reviewed within the past twelve months.  

 

 

David Watts Commissioner for Privacy and Data Protection 30 June 2015


Attestation on Insurance

I, David Watts, certify that the Office of the Commissioner for Privacy and Data Protection has complied with Ministerial Direction 4.5.5.1 - Insurance.

 

 

David Watts Commissioner for Privacy and Data Protection June 30 2015


Enquiries Line 1300 666 444 www.dataprotection.vic.gov.au


Commissioner for Privacy and Data Protection Supplement to Annual Report 2014-15


The Hon. Gavin Jennings, MP Special Minister of State 55 St Andrews Place Melbourne Victoria 3002

Dear Minister

I am pleased to present to you a report in accordance with the Financial Management Act 1994 and Schedule 2, s 11-15 of the Privacy and Data Protection Act 2014, for the financial period ending 16 September 2014, for presentation to Parliament.

Yours sincerely

David Watts Commissioner for Privacy and Data Protection

19 October 2015

Ordered to be published

PP No 1, Session 2014-2015

© The State of Victoria Commissioner for Privacy and Data Protection 2015

This work is licensed under a Creative Commons Attribution 3.0 Australia licence. You are free to re-use the work under that licence, on the condition that you credit the State of Victoria as author. The licence does not apply to any images, photographs or branding, including the Victorian Coat of Arms, the Victorian Government logo and the Commissioner for Privacy and Data Protection logo. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/au/deed.en

Accessibility

If you would like to receive this publication in an alternative format, please telephone the Commissioner for Privacy and Data Protection Enquiries Line on 1300 666 444, email [email protected], via the National Relay Service on 133 677 www.relayservice.com.au. This document is also available on the internet at www.cpdp.vic.gov.au

Disclaimer

This publication may be of assistance to you but the State of Victoria and its employees do not guarantee that the publication is without flaw of any kind or is wholly appropriate for your particular purposes and therefore disclaims all liability for any error, loss or other consequence which may arise from you relying on any information in this publication.


Contents

Commissioner’s Foreword
Commissioner for Law Enforcement Data Security
Security Incident Escalation
Breach Reporting
Site Inspections
Implementation of CLEDS Recommendations
Survey of Victoria Police Members
The Office of the Victorian Privacy Commissioner
Objects and Functions
2014-15 Key Objectives
Our Values
Output Reporting
Annual Reporting Framework
Compliance
Compliance Summary
Enquiries, Complaints and Conciliations
Enquiries
Complaints under the Information Privacy Act
Voter Information - Public Interest Determinations
Interventions at the Victorian Civil and Administrative Tribunal (VCAT)
Expert Knowledge
Consultations
Submissions to Parliamentary or Other Public Inquiries
Legislative Review
Investigate and Enforce: Audits, Breach Notifications, and Part 6 Investigations
Stakeholder Engagement
Stakeholder Engagement Summary
Privacy Training Program
Privacy Awareness
Other Stakeholder Activities
About the Office and Regulatory Compliance
Organisational Structure and Corporate Governance Arrangements
External Financial and Administrative Services
Disclosures
Office of the Victorian Privacy Commissioner Financial Statements for the period ended 16 September 2014
Comprehensive operating statement for the period ended 16 September 2014
Balance sheet as at 16 September 2014
Statement of changes in equity for the period ended 16 September 2014
Cash flow statement for the period ended 16 September 2014
Notes to the financial statements for the financial year ended 16 September 2014
Accountable Officer’s and Chief Finance and Accounting Officer’s declaration
Auditor-General’s Report
Appendices
Appendix A Disclosure Index
Appendix B Major Outputs
Appendix C Other Available Information
Appendix D Attestation - Insurance
Appendix E Attestation - Risk Management


Commissioner’s Foreword

The Privacy and Data Protection Act 2014 (PDPA) came into effect on 17 September 2014. The PDPA amalgamated the Office of the Victorian Privacy Commissioner and that of the Commissioner of Law Enforcement Data Security to form the Office of the Commissioner for Privacy and Data Protection.

Schedule B of the PDPA requires the Commissioner for Privacy and Data Protection to present to the Minister a report on the operations of the legacy entities for the period 1 July to 16 September 2014.

Due to differences in legislative requirements the report on the operations of the previous Office of the Victorian Privacy Commissioner is in ‘full form’, to meet the requirements of the Standing Directions of the Minister for Finance. The previous Commissioner for Law Enforcement Data Security was not bound by such requirements and therefore offers a summary description of activities over the very brief reporting period.

The Commissioner takes this opportunity to thank all staff from the legacy entities involved in the establishment of the Office of the Commissioner for Privacy and Data Protection.


Commissioner for Law Enforcement Data Security

The period 1 July to 16 September 2014 was very much one of transition.

The Commissioner is not legally required to comply with the reporting requirements of the Financial Management Act 1994.

Staff of the Commissioner for Law Enforcement Data Security (CLEDS) managed the physical amalgamation of the two legacy entities. Most of their time was occupied with the myriad details of office fit-out, physical relocation and managing the expectations of two offices with very different cultures.

The Office of the Commissioner for Law Enforcement Data Security physically moved to the new premises in August 2014.

At the same time, legislative obligations placed on the embryonic new entity by the Privacy and Data Protection Act 2014 were already known (the Act was passed during the period and assented to in early September 2014). Key CLEDS staff not involved on a daily basis in the physical amalgamation and relocation, staff who were to form the Data Protection Branch in the new entity, had already commenced work on developing the Victorian Protective Data Security Framework, continued on-going work on cloud computing and started the process of adapting the Standards for Law Enforcement Data Security to a version applicable to the Crime Statistics Agency.

While no new initiatives with Victoria Police were undertaken during the period, business carried on as usual.

The following were the key activities during the period.

Security Incident Escalation

CLEDS was in intense negotiations with Victoria Police on the development of a protocol to manage the process for escalation of law enforcement data security incidents. Particular issues surrounded timeframes for reporting and the classification of seriousness of an incident.

All issues were resolved after the reporting period and the protocol is now in place and functioning well.

Breach Reporting

The time-consuming process of collating and analysing 2013-14 statistics from the Register of Complaints Serious Incidents and Discipline (ROCSID) was undertaken for publication in the CLEDS 2013-14 annual report. As ROCSID statistics were compiled by CLEDS on a quarterly basis, no breakdown was available for the reporting period.

Victoria Police continued providing CLEDS with weekly reports from its Security Incident Register (SIR). 49 new incidents were reported between 1 July and 16 September 2014. Statistical analysis of SIR data is not scheduled to commence until the 2015-16 reporting year.


Site Inspections

While no new inspections of Victoria Police facilities were undertaken, the inspection of an operational unit within the Victoria Police complex in Melbourne was finalised to consultation draft stage.

While there were many findings of a location-specific/moment-in-time nature, key findings supporting those of other reviews were:

• the need for central points of contact for information security advice, specifically the need for the establishment of an Information Security Portfolio (it should be noted that Victoria Police is in the process of rolling out these portfolios)

• the need for standardisation of unit-wide information security documentation and Standard Operating Procedures

• the need for targeted training to provide practical information security instruction.

Implementation of CLEDS Recommendations

The joint Victoria Police-CLEDS Implementation Working Group (IWG) continued to meet. The purpose of the IWG was to drive the implementation of outstanding recommendations made in CLEDS reviews of compliance with the Standards for Law Enforcement Data Security. During the reporting period, one further recommendation was implemented by Victoria Police.

Survey of Victoria Police Members

Following the second wave of the CLEDS quantitative longitudinal survey into the information security culture of sworn members of Victoria Police, it was decided to conduct a series of focus groups to provide qualitative insights into the survey findings.

The reporting period was dedicated to a series of meetings with Victoria Police to prepare for the focus groups and define methodology. This qualitative research was carried out after 16 September and is reported on in the body of the Commissioner for Privacy and Data Protection’s report for the period 17 September 2014 to 30 June 2015.


The Office of the Victorian Privacy Commissioner

Prior to the passage of the Privacy and Data Protection Act, the Victorian Privacy Commissioner was an independent statutory office created by the Information Privacy Act 2000. The Privacy Commissioner and staff, known as the Office of the Victorian Privacy Commissioner or Privacy Victoria, was the key body in a system regulating the way Victorian government agencies and local councils collect and handle personal information. The Privacy Commissioner reported to the Victorian Parliament through the Attorney General.

Objects and Functions

The objects of the Information Privacy Act 2000 were to:
■ balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector
■ promote awareness of responsible personal information handling practices in the public sector and
■ promote the responsible and transparent handling of personal information in the public sector.

The Act provided for the Privacy Commissioner to perform several functions. These were to:
■ promote understanding and acceptance of ten Information Privacy Principles (IPPs) and the objects of those Principles
■ educate people in the public sector and the wider community about information privacy
■ receive and deal with complaints of alleged breaches of privacy by public sector organisations
■ advise government on privacy legislation and policies, and advise organisations on developing codes of practice
■ monitor developments in data processing and information technology
■ assess and approve codes of practice submitted by public sector agencies, and
■ make public statements on any matter affecting personal privacy.

2014-15 Key Objectives

The Privacy Commissioner adopted the following key objectives for the reporting period ending 16 September 2014:

■ Participate in the transition to the establishment of the Commissioner for Privacy and Data Protection
■ Promote and enable a positive privacy culture across the Victorian public sector
■ Continually improve understanding of privacy issues, rights and best privacy practice
■ Model fair and efficient procedures for the handling of enquiries and complaints under the Information Privacy Act
■ Foster respectful and constructive relationships
■ Provide leadership in privacy issues
■ Operate a cohesive, well managed, accountable and independent Office


Our Values

Privacy Victoria’s staff aspired to apply the following values in all that they did:
■ Respect
■ Integrity
■ Collaboration
■ Quality
■ Accountability
■ Impartiality
■ Recognition
■ Accessibility

Output Reporting

In line with the guidelines issued by the Department of Treasury and Finance, Privacy Victoria continued to work within an accrual output management framework. Targets for the Privacy Regulation Output identified in the 2014-15 Budget Papers (BP3) produced the outcomes that are outlined in Appendix B.

Annual Reporting Framework

Privacy Victoria’s work fell broadly into three areas: Compliance, Expert Knowledge and Stakeholder Engagement. Consequently, this Annual Report uses these categories to describe the range of activities undertaken by the Office during the reporting period.


Compliance

Some of the key functions of the Privacy Commissioner as outlined by the Information Privacy Act included the following:

■ to provide advice to any individual on matters relevant to the operation of the Act
■ to receive complaints about an act or practice of an organisation that may contravene an Information Privacy Principle (IPP) or interfere with the privacy of an individual, and
■ where appropriate, to endeavour by conciliation to effect a settlement of the matter giving rise to the complaint.

These functions were reflected in Privacy Victoria’s compliance arm, where the main compliance activities encompassed responding to enquiries, investigating and conciliating complaints, conducting compliance notice investigations and audits, and giving advice in relation to breach notifications. Privacy Victoria monitored these compliance activities to ensure that emerging trends were identified and that training and awareness services were responsive to current and emerging issues. They also informed ongoing policy and advice work.

The Privacy and Data Protection Act has maintained the complaint handling system that applied under the Information Privacy Act.

Compliance Summary

Between 1 July and 16 September 2014 (the reporting period):
■ 539 enquiries were handled
■ 24 complaints were handled, including 23 new complaints, and
■ three complaints referred to conciliation were successfully resolved.

Enquiries, Complaints and Conciliations

Privacy Victoria received enquiries via telephone, email, fax and walk-in on a daily basis. The enquiries involved a range of subject matters and did not always fall within the jurisdiction of the Information Privacy Act.

If the enquiry was not within jurisdiction, the enquirer was referred to a more appropriate office or regulator who could provide assistance.

In the event that an enquiry related to the Act, guidance was provided in line with the Information Privacy Principles. In particular, where an enquiry raised concern about an interference with privacy under the Information Privacy Act, Privacy Victoria had a statutory obligation under s 25 (5) of the Act to provide appropriate assistance to a potential complainant to make and formulate the complaint. This involved the following stages:

How an enquiry may have become a complaint

STAGE 1: Assessing whether the enquiry involved the following:
■ ‘personal information’ as defined under s 3 of the Act
■ an organisation that fell within s 9 of the Act (Section 9 organisation) and
■ an act or practice of the organisation which may have interfered with the enquirer’s right under the Act.

Should the enquiry have satisfied the threshold requirements stated above, it could have been made into a formal complaint. Note that a formal complaint may have been received without any prior contact with the Office.

STAGE 2: Conducting a formal investigation into the complaint.


Chart 1: Enquiries by type

eComplaint 5.0%
Email 17.4%
Fax 0.0%
Phone 75.3%
Post 1.5%
In Person 0.7%

Chart 2: Enquiries by subject matter

Commonwealth 27.6%
Direct Marketing 0.6%
Freedom of Information 0.9%
Health 12.8%
Other 11.3%
Property 1.9%
Publications 0.4%
Surveillance 7.6%
Victorian Information Privacy Act 36.2%
Workplace 0.7%

STAGE 3: The Commissioner reaching one of the following decisions:
■ to decline the complaint under s 29, or
■ refer it to conciliation under s 33, or
■ where conciliation is not reasonably possible, to declare conciliation inappropriate under s 32.

If the Privacy Commissioner did not believe that there were grounds under s 29 to decline a complaint, under s 33, all reasonable endeavors were required to be made to conciliate it, unless conciliation was not reasonably possible.

STAGE 4: The complainant had 60 days to request referral of the complaint to the Victorian Civil and Administrative Tribunal (VCAT). If this request was not made, the complaint was dismissed and no further action could be taken in relation to it.

Enquiries

Privacy Victoria received enquiries via telephone, eComplaint, email, fax and in person on a daily basis. As Chart 1 indicates, 75% of enquiries were received by telephone, 17.4% were received by email and 5% through the eComplaints facility.

The enquiries involved a range of subject matters, some of which did not fall within Privacy Victoria’s jurisdiction. As demonstrated by Chart 2, 36.2% of the 539 enquiries received related to the Information Privacy Act. 27.6% of the total related to the Commonwealth Privacy Act and 12.8% related to health information.

Where an enquiry raised concerns under the Information Privacy Act, a statutory obligation under s 25 (5) of the Act was to provide appropriate assistance to a potential complainant to lodge a complaint.

Where an enquiry was not within jurisdiction, the enquirer was referred to the appropriate office or regulator for further assistance. Table 1 shows the top five referrals provided during the reporting period. Note that one enquiry may raise multiple issues. For example, an enquiry relating to the Information Privacy Act may also raise issues with the Surveillance Devices Act 1999 (Vic). Therefore, the number of referrals may appear to be fairly high, but does not demonstrate the actual number of referrals made to other organisations.


For the reporting period, more than half of the enquiries received (59.74%) were referred to other agencies. Of these, 163 were referred to the Office of the Australian Information Commissioner (OAIC), 65 were referred to the Health Services Commissioner, and 31 were referred to Victoria Police.

As indicated by Chart 3, 79.8% of the enquiries received by this office were from members of the public, 7.8% were received from private organisations and 5.9% were received from Victorian Government organisations.

Enquiry Trends by Information Privacy Principles

There were 10 Information Privacy Principles (IPPs) in the Information Privacy Act which set out the way personal information had to be collected, used, disclosed, transmitted and disposed of. Some areas of information handling by the Victorian public sector raised greater concerns for enquirers than others.

Chart 4 shows a breakdown of the relevant IPPs for enquiries received under the Information Privacy Act. During the reporting period, most enquiries concerned the use and disclosure of personal information by the Victorian public sector (IPP2), and data security issues (IPP4) as well as matters concerning the collection of personal information and appropriate notification (IPP1).

Chart 4: Enquiries by IPP

IPP1 - Collection 44

IPP2 - Use and Disclosure 100

IPP3 - Data Quality 7

IPP4 - Data Security 66

IPP5 - Openness 6

IPP6 - Access and Correction 14

IPP7 - Unique Identifiers 1

IPP8 - Anonymity 1

IPP9 - Transborder Data Flows 2

IPP10 - Sensitive Information 2

Chart 3: Source of enquiries

Community Organisation 1.1%

Contracted Service Provider 2.0%

Government Organisation 5.9%

Local Council 3.3%

Member of Parliament 0.0%

Member of Public 79.8%

Private Organisation 7.8%

Table 1: Top 5 referred to agencies

Agency | Number of referrals | % of referrals
Federal Privacy Commissioner | 163 | 50.62%
Health Services Commissioner | 65 | 20.19%
Victoria Police | 31 | 9.63%
Surveillance Devices Act 1999 (Vic) | 15 | 4.66%
Victorian Ombudsman | 4 | 1.24%
Total | 278 | 86.34%

Total enquiries for 1 July 2014 - 16 Sept 2014 | 539
Total enquiries referred to other organisations | 322
% of enquiries referred (322) / enquiries received (539) | 59.74%

* There were a total of 22 specified referral agencies accounting for 304 of the 322 referrals (94.41%)

* It is possible for one enquiry to raise multiple issues (e.g. one enquiry may raise an issue under the Information Privacy Act, as well as a separate out of jurisdiction issue under the FoI Act or the Surveillance Devices Act). This results in an enquiry being dealt with under the Information Privacy Act, and referred elsewhere. Consequently a high number of enquiries (322) out of the total (539) are referred to other agencies.


Complaints under the Information Privacy Act

For the reporting period:
■ 63 potential complaints were received
■ 12 new complaints were created, and
■ seven complaints were referred to conciliation.

Potential Complaints and Total Complaints Made

Potential complaints are enquiries received by Privacy Victoria that were preliminarily assessed to be potential complaints, pending further review. Chart 5 (Total enquiries that were potential complaints) indicates that of the 539 enquiries received, 63 enquiries were assessed to be potential complaints.

During the reporting period, 12 complaints were carried over from the last reporting period and 12 new complaints were created. At the close of the reporting period, there were 20 ongoing complaints and four complaints were closed.

Of the 20 ongoing complaints, eleven were being investigated, four were referred to conciliation but failed, three were declined and one was deemed inappropriate for conciliation.

Of the four complaints that were closed, three were conciliated successfully, and one was dismissed without referral to VCAT.

As Chart 6 indicates, five out of the 12 complaints were made against Victorian government organisations, five were made against statutory authorities and one was made against a local council.

Chart 7 (New complaints by IPPs) sets out the IPPs allegedly breached by Victorian government organisations in the current reporting period. Note that because one complaint can raise issues with more than one IPP, the number of new complaints by IPPs may be more than the actual number of new complaints created.

In this reporting period, consistent with the enquiry trends over previous periods, IPP 2 – Use and Disclosure allegations have motivated the most complaints. Eleven complainants alleged a use and disclosure infringement, resulting in 32.4% of new complaints being investigated under IPP 2. This is closely followed by 10 allegations of data security breaches under IPP 4, which made up 29.4% of new complaints.

Chart 5: Total enquiries that were potential complaints

Total number of enquiries 539

Total potential complaints 63

% of enquiries that are potential complaints 11.7%

Chart 7: New complaints by IPPs

IPP1 - Collection 2

IPP2 - Use and Disclosure 11

IPP3 - Data Quality 0

IPP4 - Data Security 10

IPP5 - Openness 5

IPP6 - Access and Correction 0

IPP7 - Unique Identifiers 3

IPP8 - Anonymity 0

IPP9 - Transborder Data Flows 3

IPP10 - Sensitive Information 0

NOTE: New complaints means all complaints that are created/opened between 1 July – 16 September 2014. The total IPPs for new complaints will exceed the number of new complaints created due to some complaints having multiple IPPs selected.

Chart 6: New complaints by respondent organisations

Local Council 1

Government Department 5

Statutory Authority 5

Public Health 0

Tertiary Institution 0

Contracted Service Provider 0

Law Enforcement 1

Court or Tribunal 0

No organisation (Minister) 0


Conciliation

Conciliation is an opportunity for each party to offer their perspective on the complaint, and to listen and gain an understanding of each other’s views about what has happened. This can be done ‘face to face’ or over the telephone. Privacy Victoria conducted the conciliations, where parties can explore options to resolve the complaints.

Privacy Victoria endeavored to conciliate complaints wherever it was appropriate to do so. Unless a complaint had been declined under s 29, declared inappropriate to conciliate under s 32, or dismissed under s 30 of the Information Privacy Act, the Privacy Commissioner was required under s 33 to undertake all reasonable endeavors to conciliate the complaint if he considered that there is a reasonable likelihood that the complaint may have been conciliated.

Of the total number of closed complaints for the current reporting period, the Privacy Commissioner referred three complaints to conciliation, all of which were successfully conciliated.

Voter Information - Public Interest Determinations

Under the Electoral Act 2002 (Vic) and the Local Government Act 1989 (Vic), requests to access the Victorian Electoral Roll and the local government voters’ roll required either consultation with, or approval by, the Privacy Commissioner. The requirement to consult has been maintained in the Privacy and Data Protection Act.

Upon receipt of such requests, Privacy Victoria carefully assessed the request by considering the impact on the privacy of the voters and the public interest of allowing access to the information. Considerations included ensuring that only relevant information is requested, that there was adequate security for electoral information if disclosed, and whether the purpose of the request contained a sufficient public interest to outweigh the interest in protecting the privacy of voters.

Privacy Victoria received no requests in the period 1 July - 16 September 2014.

Interventions at the Victorian Civil and Administrative Tribunal (VCAT)

The Privacy Commissioner may have intervened regarding complaints referred to VCAT. As an intervening party, the Commissioner provided his views concerning legal issues to the Tribunal in an independent and impartial manner, and did not advocate for either party. The Commissioner intervened in proceedings which involved a significantly new or different interpretation, or an unusual legal question, concerning the Information Privacy Act.

During the reporting period, the Privacy Commissioner did not intervene in any proceeding before the Tribunal.

Expert Knowledge

The Privacy Commissioner provided expert knowledge to public sector organisations, government departments, agencies, local councils and to Parliament. This work was undertaken as part of the Commissioner’s functions to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector, and of providing advice on proposed legislation and policies relating to privacy and protection of personal information.

Consultations

Organisations often approached Privacy Victoria for advice on a range of privacy matters, including matters of public interest, organisational practices, projects, policy proposals or legislative/regulatory reforms. The Commissioner could also request a briefing or consultation from an organisation to discuss privacy matters arising from media reporting, public interest concerns or a complaint received.

Privacy Victoria aimed to assist organisations to understand their privacy obligations and to craft solutions that achieve an organisation’s objectives while simultaneously protecting privacy.

Privacy Victoria conducted 33 such consultations over the reporting period. Issues on which advice was provided included matters relating to the use of biometrics in schools (see page 15), the incorporation of privacy by design, surveillance, a government data-linking initiative, new technology and privacy impact assessments, cloud computing and outsourcing.

Consultation update: Fingerprint scanning in secondary schools

In the 2012-13 Annual Report Privacy Victoria reported on the use of fingerprint scanning technologies by two Victorian secondary schools. Some of the reasons outlined by the schools for the use of the technology included the recording of late arrival and early departure of students to and from school, the recording of student visits to first aid and welfare offices, and to allow for quick entry to school for students who arrive late due to public transport delays.

After further consultations with the Department of Education and Early Childhood Development (the Department) the Privacy Commissioner concluded that the practice of fingerprint scanning in schools for the stated purposes was contrary to the Information Privacy Principles, as it did not meet the necessity tests prescribed by IPP 1.1 and IPP 7.1. He noted that this conclusion “should not preclude the use of technologies by schools. Rather the technology offerings should be tailored for the purpose required, taking into consideration privacy requirements [....] to ensure that the technology is both appropriate and adapted to the proposed use [...] in this case for the identification of students as they enter and leave Victorian government schools.”

The Department has since communicated this advice to the schools involved and has indicated that they will respond to the complaints lodged by parents. The Department has agreed that the privacy of students is of vital importance, and has advised Privacy Victoria that it intends to implement the Privacy Commissioner’s recommendations in the schools involved.

Submissions to Parliamentary or Other Public Inquiries

Privacy Victoria often provided submissions to Parliamentary or other public inquiries with regard to proposals for new laws, reviews of existing laws, or other issues which may impact on privacy. Privacy Victoria’s submissions are generally available on the website.

During the reporting period Privacy Victoria made one submission to a public inquiry.

Submission Example: Submission to the Victorian Law Reform Commission regarding their inquiry into photographing and filming tenants’ possessions for advertising purposes.

Over 400,000 Victorian households rent the premises in which they live. It has become common practice for landlords and agents to use photographs and videos when advertising these premises for sale or lease. The photographs and videos often show tenants’ possessions. Victorian law is unclear about whether landlords can take or use these photographs and videos without tenants’ consent. In 2014 the Victorian Law Reform Commission (VLRC) commenced an inquiry into this issue.

Privacy Victoria made a submission to the VLRC’s Consultation Paper in August 2014. It was noted that Privacy Victoria regularly received enquiries relating to this issue (even though such enquiries are typically not within jurisdiction), and that these enquiries had more than tripled during the 2013-14 reporting period. Examples include photographs of family portraits being placed on an advertising billboard, and photographs of possessions which may identify the owner used in online advertising.

It was Privacy Victoria’s view that it is an invasion of a person’s privacy to take or use images of his or her possessions – particularly inside a home – without the person’s consent first being provided or appropriate notice being given. This raises issues with a number of aspects of privacy, including information privacy, and ‘territorial privacy’, which are not currently regulated by federal or state legislation.

In formulating recommendations for reform, Privacy Victoria noted that the tenant’s interest in protecting their privacy must be balanced with the landlord’s interest in being able to take photographs of their property for advertising purposes. In order to ensure this balance, Privacy Victoria proposed both notice and consent requirements be introduced to the Residential Tenancy Act 1997 (Vic) in relation to the taking of photographs and videos of tenants’ possessions for advertising purposes. Details of this proposal can be found in the submission, available on the Privacy Victoria website.

The VLRC is considering the submission as it formulates its recommendations to be published in their Final Report.

Legislative Review

Section 58(l) of the Information Privacy Act requires the Commissioner to examine and assess proposed legislation that may have an adverse impact on the privacy rights of Victorians. Privacy Victoria could be consulted prior to the drafting of legislation or legislative amendments. This allowed privacy issues to be identified and resolved in an efficient and effective fashion. Alternatively, the Commissioner could review legislation when a draft bill was before Cabinet, or make a submission to the Scrutiny of Acts and Regulations Committee (SARC).

During the reporting period, Privacy Victoria provided advice in relation to one piece of legislation that was being reviewed by another body. Details cannot be provided due to confidentiality requirements.

Investigate and Enforce: Audits, Breach Notifications, and Part 6 Investigations

Breach Notifications

A privacy breach may occur due to a large amount of personal information being stolen (e.g. a stolen laptop containing personal information), lost (a misplaced USB stick) or mistakenly disclosed (documents emailed or faxed to the wrong people or location). A breach may also occur as a consequence of a faulty business procedure or an operational break-down.

Regardless of how the incident occurred, the term ‘breach notification’ refers to an organisation’s reporting of a privacy breach that has potentially contravened one or more of the IPPs. Neither the former Information Privacy Act nor the Privacy and Data Protection Act imposes an obligation on organisations for mandatory breach notification to the Commissioner when privacy breaches occur. However, it was considered to be best practice for organisations to approach Privacy Victoria (and now Privacy and Data Protection Victoria) should such incidents occur.

When the Commissioner received notifications that an incident amounting to a privacy breach had occurred, advice was provided to the organisations on possible steps to achieve the following:

1. containing the breach

2. assessing the damage/harm

3. whether to notify the affected individuals, and

4. taking steps to prevent reoccurrences in the future.

Privacy Victoria produced two documents designed to help organisations investigate and rectify the harm associated with a serious data breach, Responding to Privacy Breaches – Guide and Responding to Privacy Breaches – Checklist. These are available on the Privacy Victoria website.

Within the reporting period, one notification was received from an organisation seeking the assistance of Privacy Victoria’s staff following a significant breach.

Part 6 Investigations

No investigations under Part 6 of the Information Privacy Act were conducted during the period 1 July – 16 September 2014.

Stakeholder Engagement

In addition to consultation services, and consistent with the Privacy Commissioner’s statutory functions, Privacy Victoria undertook a wide range of other stakeholder engagement activities to continually improve understanding of privacy issues, rights and best privacy practice amongst the Victorian public sector, other organisations regulated by the Information Privacy Act and throughout the Victorian community more broadly.

Privacy and Data Protection Victoria is expected to strengthen Privacy Victoria’s engagement with public sector agencies. This will involve a refocusing of training delivery and include an increased profile for online training related to the Privacy and Data Protection Act.

Stakeholder Engagement Summary

During the period 1 July – 16 September 2014:

■ 52 public sector and general public awareness and training activities were delivered

■ 89 organisations and approximately 930 individuals participated in our privacy awareness and training program

■ 582 staff from 23 public sector and other organisations registered for online training, and

■ at 16 September 2014, 724 people were members of the Privacy Victoria Network.

Participation

A total of 89 organisations participated in the privacy awareness and training program during the reporting period (see Chart 8). Twenty-eight local councils participated in the program. The “other authorities” category includes regulators and oversight bodies, water authorities, arts organisations, law enforcement agencies and emergency services.

In addition to awareness and training program activities, the Privacy Commissioner and other staff delivered a number of presentations to public sector and community audiences.

Chart 8: Types of organisations participating in awareness and training activities

Council 28

Contracted Service Provider 6

Department 7

Education 5

Health 5

Other Authority 38

Privacy Training Program

Privacy Victoria’s privacy training program for organisations regulated by the Information Privacy Act was the organisation’s priority stakeholder engagement activity.

Privacy Victoria’s training services were designed to assist organisations to inform and educate staff about the requirements of the Information Privacy Act, with a focus on practical day-to-day privacy risk assessment and compliance. Training sessions were tailored for the requirements of participating organisations to ensure that they had value and were as effective as possible in educating and motivating participants to become both privacy aware and privacy compliant. Training evaluations during the reporting period recorded high levels of participant satisfaction.

Public Sector Awareness and Training Delivery and Participation

Privacy Victoria delivered 44 public sector awareness and training activities, including 35 training activities and one meeting of the Privacy Victoria Network.

Tailored presentations and training sessions, representing 76% of the total, were the most popular activity for organisations requesting Privacy Victoria’s awareness and training services. Tailored sessions enabled organisation-specific issues to be considered within the legislative framework applying to the organisation and were scheduled to maximise local participation.

Privacy Victoria’s public sector awareness and training activities were conducted in the Melbourne Central Business District (including at Privacy Victoria), throughout metropolitan Melbourne and across regional Victoria. During the reporting period, 80% of these activities were conducted in metropolitan Melbourne (excluding the CBD).

Online Training

Privacy Victoria continued to offer, through e3Learning (part of Open Universities Australia), a low-cost online training course for staff of organisations regulated by the Information Privacy Act. The course aimed to provide a minimum level of knowledge and was necessarily generic in nature. During the reporting period, 582 staff from 23 organisations registered for the online training course.

It is expected that an updated online training module for the privacy components of the Privacy and Data Protection Act will be made available by Privacy and Data Protection Victoria.

Evaluation and Feedback

Evaluation was continually undertaken to inform the Quality component of Privacy Victoria’s Output Reporting and to ensure that the Office engaged in continuous improvement processes and practices. Evaluation of Privacy Victoria’s training and awareness activities included:

■ participant feedback at training and events (e.g. Privacy Victoria Network meetings)

■ evaluation following the delivery of major events (e.g. Privacy Awareness Week), and

■ the monitoring of responsiveness to requests for training and awareness activities.

Privacy Awareness

During the reporting period, Privacy Victoria undertook or participated in a number of privacy awareness presentations for the education sector.

Guidance, Information Sheets and Other Publications

The Privacy Commissioner issued publications to help organisations comply with the Information Privacy Act. Topics for guidance usually resulted from advances in new technology, issues arising in multiple complaints, or consultation requests on a particular issue which may have indicated that guidance is needed in a particular area.

Information Sheets

No Information Sheets were published in the reporting period.

Privacy Aware Newsletter

One edition of the Privacy Aware newsletter was published during the reporting period. Privacy Aware was published electronically and made available on the Privacy Victoria website.

Information and Promotional Materials

During the reporting period, Privacy Victoria responded to ad hoc requests for information and promotional materials from public sector organisations, educational institutions and community and other groups. These materials, and copies of all information sheets and other documents, were provided free of charge to Victorian public sector organisations, schools and community groups upon request.

All current Privacy Victoria materials can be read online.

Media Engagement

During the reporting period, Privacy Victoria engaged with the media on a range of matters directly related to the Information Privacy Act and other privacy and data security topics. The Office also published one media release.

Social Media

The Office used the @privacyvictoria Twitter account as a low-cost yet global dissemination channel for privacy awareness messages and other announcements related to our work. Following implementation of the Privacy and Data Protection Act, the Twitter account has been renamed to @CPDPVicGov and is managed by Privacy and Data Protection Victoria.

Speaking Engagements

The Privacy Commissioner and other Privacy Victoria staff spoke to a range of public sector and general community audiences to provide information about Victoria’s privacy laws and the rights and responsibilities they conferred. Five presentations were given during the reporting period.

Youth Advisory Group

The aim of Privacy Victoria’s Youth Advisory Group, established in 2009, was to inform and support the Office’s privacy awareness and policy work with young people. Due to the transition to the Office of the Commissioner for Privacy and Data Protection, the group did not meet during the reporting period.

Other Stakeholder Activities

Privacy Victoria regularly participated in a range of Victorian public sector seminars, conferences and other events, as well as attending meetings of the Asia Pacific Privacy Authorities (APPA) forum and participating in Global Privacy Enforcement Network initiatives. Such activities allow the exchange of ideas and strategies as well as discussion of issues of mutual concern relating to privacy and data security. No formal meetings were held during the reporting period.

Privacy Victoria Network

The Privacy Victoria Network was established in 2002 to facilitate and encourage information exchange about the Information Privacy Act, and privacy issues more broadly, within the Victorian public sector. The Network:

■ provided an opportunity for privacy officers to be informed about issues relating to the implementation of the Information Privacy Act

■ facilitated information exchange about privacy issues between public sector agencies

■ provided an opportunity for agencies to give feedback to Privacy Victoria, and

■ assisted Privacy Victoria in its work to promote compliance with the Information Privacy Act across the Victorian public sector.

There were 724 Network members registered at 16 September 2014.

The last Privacy Victoria Network meeting was held on 10 September 2014 and hosted by RMIT University. The meeting featured presentations on the Privacy and Data Protection Act, Privacy by Design, the work of the Victorian Registry of Births, Deaths and Marriages and the Local Government Information Management Strategy. Presentation materials are available on Privacy Victoria’s website.

Privacy and Data Protection Victoria is committed to strengthening stakeholder engagement with agencies and other groups affected by the Privacy and Data Protection Act. An increased level of engagement with data protection/security representatives and industry will be a feature of the new organisation’s work. While details had not been finalised by the time of this report, the activities of the former Privacy Victoria Network are expected to continue.

Privacy Victoria Network eNews

The Privacy Victoria Network eNews was published monthly. ENews contained information on Privacy Victoria’s activities, national and international privacy developments and a selected privacy news digest.

About the Office and Regulatory Compliance

Organisational Structure and Corporate Governance Arrangements

Chart 9: Office of the Victorian Privacy Commissioner staffing structure at 16 September 2014

[Organisation chart; positions shown:]

■ Acting Privacy Commissioner: David Watts
■ Deputy Commissioner: Helen Lewin
■ Director Awareness: David Taylor
■ Director Technology: Jon Armstrong
■ Strategic Advisor and Manager Transition / Integration: Jacinta Thomson
■ Director Compliance: (Vacant)
■ Operations Manager: (Vacant)
■ Executive Assistant
■ Policy and Compliance Officer
■ Senior Policy and Compliance Officer
■ Administrative Support Officer
■ Research Officer
■ Training Officer
■ Training and Communications Officer
■ Compliance Officer
■ Compliance and Data Coordination Officer
■ Administration Officer
■ Senior Policy and Compliance Officer
■ External Services Provided: Chief Financial and Accounting Officer (mandatory under the Financial Management Act 1994), Ingrid Klein, Department of Justice

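Table 2: Privacy Victoria staffing

| | Ongoing (FTE), as at 30-Jun-14, M | Ongoing (FTE), as at 30-Jun-14, F | Ongoing (FTE), as at 16-Sep-14, M | Ongoing (FTE), as at 16-Sep-14, F | Fixed Term (FTE), as at 30-Jun-14, M | Fixed Term (FTE), as at 30-Jun-14, F | Fixed Term (FTE), as at 16-Sep-14, M | Fixed Term (FTE), as at 16-Sep-14, F | Total (FTE), as at 30-Jun-14 | Total (FTE), as at 16-Sep-14 |
|---|---|---|---|---|---|---|---|---|---|---|
| Statutory Office Holder | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| VPSG 6 | 2 | 1.5 | 2 | 1.5 | 0 | 1 | 0 | 1 | 4.5 | 4.5 |
| VPSG 5 | 0 | 2.6 | 0 | 2.6 | 0 | 0 | 0 | 0 | 2.6 | 2.6 |
| VPSG 4 | 1 | 3 | 1 | 3 | 0 | 1 | 0 | 1 | 5 | 5 |
| VPSG 3 | 0 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 2 | 2 |
| VPSG 2 | 0 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 1 |
| VPSG 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 4 | 10.1 | 4 | 10.1 | 0 | 2 | 0 | 2 | 16.1 | 16.1 |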

Privacy Victoria had a core staff of 17 (headcount) and 16.1 (full time equivalent) as at 16 September 2014 (see Table 2).

Contractors were engaged to assist in the management of information technology infrastructure as well as to perform the duties of the Chief Financial and Accounting Officer.

External Financial and Administrative Services

Audit and Finance Committee

The Audit and Finance Committee’s main role was to consult, advise and warn the Privacy Commissioner about responsibilities for financial reporting, maintaining systems of internal control and governance. Sound financial management links the budget allocation process with strong financial and management reporting systems to ensure that the financial resources of the Office are used to the optimum.

Chief Financial and Accounting Officer

The Chief Financial and Accounting Officer (CFAO) was responsible for assisting the Privacy Commissioner in relation to Privacy Victoria’s financial concerns. Principally, this involved the preparation of the Annual Financial Statements for inclusion in the Office’s Annual Report, reporting to the Privacy Commissioner on a monthly basis on the state of actual operations compared to budget, and performing the annual review of the Financial Management Compliance Framework questionnaire to satisfy requirements under the Financial Management Act 1994. Ingrid Klein from the Department of Justice was the CFAO at 16 September 2014.

Internal Auditor

Privacy Victoria had a Ministerial exemption from the Financial Management Act 1994 requirement to have an internal auditor. However, the internal audit function continued, using existing resources with oversight by the Audit and Finance Committee.

Disclosures

Additional Information

Additional Privacy Victoria information available upon request is listed in Appendix C.

Compliance with the Building Act 1993

Privacy Victoria did not own or control any government buildings and consequently was exempt from notifying its compliance with the building and maintenance provisions of the Building Act 1993.

Compliance with the Carers Recognition Act 2012

The Office took all practical measures to comply with its obligations under the Carers Recognition Act 2012.

These measures included supporting staff members who may have caring responsibilities to balance work and their role as a carer by providing access to personal leave that can be used for caring purposes and access to a wide range of flexible working arrangements. The Office also made reasonable accommodations to support staff who required a carer to attend the workplace wherever necessary, and considered the carer relationships principles set out in the Act when setting policies and providing services.

Compliance with the Protected Disclosure Act 2012

To the Privacy Commissioner’s knowledge, no disclosures of improper conduct or detrimental action were made under the Protected Disclosure Act during the reporting period.

Consultancies

Privacy Victoria did not engage any consultants in the reporting period.

Disclosure Index

An index identifying Privacy Victoria’s compliance with statutory disclosure requirements is contained in Appendix A.

Employment and Conduct Principles

The Privacy Commissioner was committed to applying merit and equity principles when appointing staff. The selection processes ensured that applicants were assessed and evaluated fairly and equitably on the basis of the key selection criteria and other accountabilities without discrimination.

Freedom of Information

One Freedom of Information (FoI) application was ongoing and no further FoI applications were received in the reporting period.

Grievances

No grievances were received by the Privacy Commissioner in his capacity as Agency Head in the reporting period.

Managing and Valuing Diversity

In light of the small number of employees, broad-based initiatives in this area were neither necessary nor viable. A flexible and supportive workplace was provided through flexible working hours, leave arrangements and home-based work.

Occupational Health and Safety

The Privacy Commissioner was committed to adhering to the obligations of the Occupational Health and Safety Act 2004. Privacy Victoria monitored incidents and recorded no injuries during the reporting period.

Public Administration Values and Employment Principles

Privacy Victoria maintained a suite of detailed employment policies, including policies with respect to grievance resolution, selecting on merit, managing diversity, performance management and discipline.

The importance of discretion and security in a Privacy Commissioner’s office imposed on all staff a high level of obligation. Proper standards of behaviour and ethical conduct at work were of the utmost importance to the Office and were supported by s 67 of the Information Privacy Act, which made unauthorised disclosure an offence. The Code of Conduct for Victorian Public Sector Employees of Special Bodies issued by the Public Sector Commissioner applied within the Office of the Victorian Privacy Commissioner.

National Competition Policy

Under the National Competition Policy, the guiding legislative principle is that legislation, including future legislative proposals, should not restrict competition unless it can be demonstrated that:

■ the benefits of the restriction to the community as a whole outweigh the costs, and

■ the objectives of the legislation can only be achieved by restricting competition.

If and where applicable, Privacy Victoria complied with the requirements of the National Competition Policy.

Risk Management

An attestation of compliance with the Australian/New Zealand Risk Management Standard appears at Appendix E.

Victorian Industry Participation

The Victorian Industry Participation Policy Act 2003 requires public bodies and departments to report on the implementation of the Victorian Industry Participation Policy (VIPP). Departments and public bodies are required to apply VIPP in all tenders over $3 million in metropolitan Melbourne and $1 million in regional Victoria.

Privacy Victoria did not engage in any applicable tenders during the reporting period.

Workplace Relations

The Privacy Commissioner was a signatory to the Victorian Public Service Workplace Determination 2012 as a separate employer within the Victorian public sector.

Office-Based Environmental Impacts

Table 3: Office-based environmental impacts

| Environmental Aspect | Description | Unit of Measure | 1 July – 16 September 2014 | 2013-14 |
|---|---|---|---|---|
| Energy | Use per FTE | kWh per FTE | 472.72 | 3,290.81 |
| | Use per square meter of office space | kWh/m² | 12.78 | 87.52 |
| | Total use – Electricity | kWh | 7138 | 52,982 |
| | Total use – Natural Gas | kWh | N/A | N/A |
| | Total use – LPG | kWh | N/A | N/A |
| | Total use | kWh | 7138 | 52,982 |
| | Total associated greenhouse gas emissions | Tonnes of CO2 Equivalent | 6.1 | 23.0 |
| | Total GreenPower | kWh | 1.32 | 6.42 |
| | Total cost of GreenPower | Dollars | 94.23 | 709.56 |
| Paper | Use per FTE | Reams per FTE | 2.72 | 12.11 |
| | Total use | Reams | 41 | 195 |
| Transportation | Total energy consumption | Giga joules | 25.7 | 25.7 |
| | Energy consumption per FTE | Giga joules per FTE | 1.70 | 1.60 |
| | Total associated greenhouse gas emissions | Tonnes of CO2 Equivalent | 0.7 | 2.4 |
| | Associated greenhouse gas emissions per FTE | Tonnes of CO2 Equivalent per FTE | 0.05 | 0.18 |
| | Total travel associated with departmental operations | Kilometres | 1425 | 5,142 |
| | Travel associated with departmental operations per FTE | Kilometres per FTE | 94 | 319 |
| | Employees regularly (>75 per cent of time) using public transport, cycling or walking to and from work | per cent | 94% | 94% |
| Waste | Generated per FTE | Kilograms per FTE | N/A | N/A |
| | Total recycled (Approx.) | Kilograms | N/A | N/A |
| Water | Consumption per FTE | Litres per FTE | N/A | N/A |
| | Total consumption | Litres | N/A | N/A |

OFFICE OF THE VICTORIAN PRIVACY COMMISSIONER

Financial Statements

Office of the Victorian Privacy Commissioner

Financial Statements for the Period Ended 16 September 2014

Comprehensive operating statement for the financial year ended 16 September 2014

Balance sheet as at 16 September 2014

Statement of changes in equity for the financial year ended 16 September 2014

Cash flow statement for the financial year ended 16 September 2014

Notes to the financial statements for the financial year ended 16 September 2014

Accountable Officer’s and Chief Finance and Accounting Officer’s declaration

Auditor-General’s Report

Comprehensive Operating Statement for the Period Ended 16 September 2014

| | Notes | 16 September 2014 $ | 30 June 2014 $ |
|---|---|---|---|
| Income from transactions | | | |
| Grant from the Department of Justice and Regulation | 2 | 421,941 | 2,039,700 |
| Other income | 2 | 321 | 236 |
| Total income from transactions | | 422,262 | 2,039,936 |
| Expenses from transactions | | | |
| Employee expenses | 3(a) | 286,291 | 1,518,431 |
| Supplies and services | 3(b) | 75,090 | 277,459 |
| Depreciation | 3(c) | 7,343 | 29,373 |
| Other operating expenses | 3(d) | 59,367 | 217,693 |
| Total expenses from transactions | | 428,091 | 2,042,956 |
| Net result from transactions (net operating balance) | | (5,829) | (3,020) |
| Total other economic flows included in net result | 4 | (549) | (2,124) |
| Net result | | (6,378) | (5,144) |
| Total other economic flows - other non-owner changes in equity | | 0 | 0 |
| Comprehensive result | | (6,378) | (5,144) |

The comprehensive operating statement should be read in conjunction with the accompanying notes 1 to 18.


Balance sheet as at 16 September 2014

| | Notes | 16 September 2014 $ | 30 June 2014 $ |
|---|---|---|---|
| ASSETS | | | |
| Financial assets | | | |
| Cash | 14 (a) | 1,000 | 2,600 |
| Receivables | 5 | 355,891 | 376,820 |
| Total financial assets | | 356,891 | 379,420 |
| Non-financial assets | | | |
| Prepayments | 6 | 0 | 20,783 |
| Plant and equipment | 7 | 0 | 23,216 |
| Total non-financial assets | | 0 | 43,999 |
| Total assets | | 356,891 | 423,419 |
| LIABILITIES | | | |
| Payables | 8 | 18,014 | 34,229 |
| Provisions | 9 | 271,484 | 315,419 |
| Total liabilities | | 289,498 | 349,648 |
| Net assets | | 67,393 | 73,771 |
| EQUITY | | | |
| Accumulated surplus/(deficit) | | (648,066) | (641,689) |
| Contributed capital | | 715,460 | 715,460 |
| Net worth | | 67,393 | 73,771 |
| Commitments for expenditure | 11 | | |
| Contingent assets and contingent liabilities | 12 | | |

The balance sheet should be read in conjunction with the accompanying notes 1 to 18.


Statement of changes in equity for the period ended 16 September 2014

| | Accumulated Surplus/(Deficit) $ | Contributions by owner $ | Total $ |
|---|---|---|---|
| Balance at 30 June 2013 | (636,543) | 715,460 | 78,525 |
| Net result for the year | (5,144) | 0 | (5,144) |
| Other comprehensive income for the year | 0 | 0 | 0 |
| Transfer to accumulated surplus | 0 | 0 | 0 |
| Transactions with the State in its capacity as owner | 0 | 0 | 0 |
| Government funding provided for capital expenditure | 0 | 0 | 0 |
| Balance at 30 June 2014 | (641,689) | 715,460 | 73,771 |
| Net result for the year | (6,378) | 0 | (6,378) |
| Other comprehensive income for the year | 0 | 0 | 0 |
| Transfer to accumulated surplus | 0 | 0 | 0 |
| Transactions with the State in its capacity as owner | 0 | 0 | 0 |
| Government funding provided for capital expenditure | 0 | 0 | 0 |
| Balance at 16 September 2014 | (648,069) | 715,460 | 67,393 |

The statement of changes in equity should be read in conjunction with the accompanying notes 1 to 18.


Cash flow statement for the period ended 16 September 2014

| | Notes | 16 September 2014 $ | 30 June 2014 $ |
|---|---|---|---|
| Cash flows from operating activities | | | |
| Receipts: | | | |
| Receipts - Government and Sec. 29 revenue | | 459,064 | 2,253,461 |
| Total receipts | | 459,064 | 2,253,461 |
| Payments: | | | |
| Payments to employees | | (330,775) | (1,655,866) |
| Payments to suppliers | | (129,889) | (595,095) |
| Total payments | | (460,664) | (2,250,961) |
| Net cash flows from / (used in) operating activities | 14 (b) | (1,600) | 2,500 |
| Cash flows from investing activities | | | |
| Purchase of non-financial assets | 7 | 0 | 0 |
| Net cash flows from / (used in) investing activities | | 0 | 0 |
| Cash flows from financing activities | | | |
| Government funding provided for capital expenditure/(refunded) | | 0 | 0 |
| Net cash flows from / (used in) financing activities | | 0 | 0 |
| Net increase / (decrease) in cash and cash equivalents | | (1,600) | 2,500 |
| Cash and cash equivalents at beginning of financial year | | 2,600 | 100 |
| Cash and cash equivalents at end of financial year | 14 (a) | 1,000 | 2,600 |

The cash flow statement should be read in conjunction with the accompanying notes 1 to 18.


Notes to the financial statements for the period ended 16 September 2014

| Note number | Contents |
|---|---|
| 1 | Summary of significant accounting policies |
| 2 | Income from transactions |
| 3 | Expenses from transactions |
| 4 | Other economic flows included in net result |
| 5 | Receivables |
| 6 | Prepayments |
| 7 | Plant and equipment |
| 8 | Payables |
| 9 | Provisions |
| 10 | Superannuation |
| 11 | Commitments for expenditure |
| 12 | Contingent assets and contingent liabilities |
| 13 | Financial instruments |
| 14 | Cash flow information |
| 15 | Responsible persons |
| 16 | Remuneration of auditors |
| 17 | Cessation of OVPC |
| 18 | Glossary of terms and style conventions |


1. Summary of significant accounting policies

These annual financial statements represent the audited general purpose financial statements for the Office of the Victorian Privacy Commissioner (OVPC) for the period ended 16 September 2014. The purpose of the report is to provide users with information about the OVPC’s stewardship of resources entrusted to it.

On 20 December 2012, the Victorian Attorney-General announced reforms to strengthen data security and the privacy and protection of personal information within the Victorian Public Sector. A new Privacy and Data Protection Commissioner will be responsible for oversight of the current Victorian privacy and law enforcement data security regimes, as well as the implementation of a new Victorian Protective Security Policy Framework (VPSPF).

In his announcement, the Attorney-General said that the new Office of the Privacy and Data Protection Commissioner would bring together the skills and resources of the Privacy Commissioner and the Commissioner for Law Enforcement Data Security, with the current Commissioner for Law Enforcement Data Security leading the transition project to bring the two existing bodies into the one new entity. The Attorney-General also highlighted that these changes would not alter any legal obligations under the Victorian privacy regime or under the law enforcement data security regime.

Legislation to establish the new Privacy and Data Protection Commissioner was passed in Parliament on 19 August 2014. The proclamation date is 17 September 2014.

New premises have been entered into for the Privacy and Data Protection Commissioner. The existing leasehold costs will be incurred by the new entity for the remaining period of the lease contract or until the lessor arranges for another tenant. The current office lease contract expires on 31 March 2015.

The Privacy and Data Protection Act 2014 was gazetted on 16 September 2014 to commence on 17 September 2014. In accordance with schedule 2 section 5 of the Privacy and Data Protection Act 2014, all of the assets and liabilities of OVPC, including all of the debts and obligations of OVPC, become assets and liabilities and debts and obligations of the Office of the Commissioner for Privacy and Data Protection.

(A) Statement of compliance

These general purpose financial statements have been prepared in accordance with the Financial Management Act 1994 (FMA) and applicable Australian Accounting Standards (AAS) which include Interpretations, issued by the Australian Accounting Standards Board (AASB). In particular, they are presented in a manner consistent with the requirements of the AASB 1049 Whole of Government and General Government Sector Financial Reporting.

Where appropriate, those AAS paragraphs applicable to not-for-profit entities have been applied.

Accounting policies are selected and applied in a manner which ensures that the resulting financial information satisfies the concepts of relevance and reliability, thereby ensuring that the substance of the underlying transactions or other events is reported.

To gain a better understanding of the terminology used in this report, a glossary of terms and style conventions can be found in Note 18.

These annual financial statements were authorised for issue by the Accountable Officer of the Office of the Commissioner for Privacy and Data Protection on 19 October 2015.

(B) Basis of accounting preparation and measurement

The accrual basis of accounting has been applied in the preparation of these financial statements whereby assets, liabilities, equity, income and expenses are recognised in the reporting period to which they relate, regardless of when cash is received or paid.

Judgements, estimates and assumptions are required to be made about the carrying values of assets and liabilities that are not readily apparent from other sources. The estimates and associated assumptions are based on professional judgements derived from historical experience and various other factors that are believed to be reasonable under the circumstances. Actual results may differ from these estimates.

Revisions to accounting estimates are recognised in the period in which the estimate is revised and also in future periods that are affected by the revision. Judgements and assumptions made by management in the application of AASs that have significant effects on the financial statements and estimates relate to:

• the fair value of plant and equipment (refer to Note 1 (J)); and

• actuarial assumptions for employee benefit provisions based on likely tenure of existing staff, patterns of leave claims, future salary movements and future discount rates (refer to Note 1 (K)).

These financial statements are presented in Australian dollars, and prepared in accordance with the historical cost convention except for:

• Non-financial physical assets which, subsequent to acquisition, are measured at a revalued amount being their fair value at the date of the revaluation less any subsequent accumulated depreciation and subsequent impairment losses. Revaluations are made with sufficient regularity to ensure that the carrying amounts do not materially differ from their fair value.


(C) Reporting entity

The financial statements cover the OVPC as an individual reporting entity.

The OVPC was a government agency of the State of Victoria, established under the Information Privacy Act 2000 (Vic) (the Act), which was proclaimed on 1 September 2001 and was headed by the Privacy Commissioner whose functions and powers are detailed in sections 58 and 59 of the Act. Its principal address was:

The Office of the Victorian Privacy Commissioner Level 11 10-16 Queen Street Melbourne VIC 3000

The OVPC was an administrative agency acting on behalf of the Crown.

A description of the nature of the OVPC’s operations and its principal activities is included in the report of operations on pages 10-27, which does not form part of these financial statements.

Objectives and funding

The OVPC was the key body in a system regulating the way Victorian government, its agencies and local councils collect and handle personal information.

OVPC’s objectives were:

(i) to balance the public interest in the free flow of information with the public interest in respecting privacy and protecting personal information in the public sector;

(ii) to promote the responsible and transparent handling of personal information in the public sector; and

(iii) to promote awareness of the same practices.

The OVPC was funded for the provision of outputs consistent with its statutory functions. Funds were predominantly from accrual-based grants derived from monies appropriated annually by Parliament through the Department of Justice (DOJ).

(D) Scope and presentation of financial statements

Comprehensive operating statement

The comprehensive operating statement comprises three components, being ‘net result from transactions’ (or termed as ‘net operating balance’), ‘other economic flows included in net result’, as well as ‘other economic flows – other comprehensive income’. The sum of the former two, together with the net result from discontinued operations, represents the net result.

The net result is equivalent to profit or loss derived in accordance with AASs.

This classification is consistent with the whole of government reporting format and is allowed under AASB 101 Presentation of Financial Statements.

Balance sheet

Assets and liabilities are presented in liquidity order with assets aggregated into financial assets and non-financial assets.

Current and non-current assets and liabilities (non-current being those assets or liabilities expected to be recovered or settled more than 12 months after the reporting period) are disclosed in the notes, where relevant.

Cash flow statement

Cash flows are classified according to whether or not they arise from operating, investing, or financing activities. This classification is consistent with requirements under AASB 107 Statement of Cash Flows.

Statement of changes in equity

The statement of changes in equity presents reconciliations of non-owner and owner changes in equity from opening balance at the beginning of the reporting period to the closing balance at the end of the reporting period. It also shows separately changes due to amounts recognised in the ‘Comprehensive result’ and amounts recognised in ‘Other economic flows – other movements in equity’ related to ‘Transactions with owner in its capacity as owner’.

Rounding

Amounts in the financial statements have been rounded to the nearest dollar, unless otherwise stated. Please refer to the end of Note 18 for a style convention explanation of minor discrepancies resulting from rounding.

(E) Changes in accounting policies

There has been no change in accounting policies from 1 July 2014 to 16 September 2014.


(F) Income from transactions

Income is recognised to the extent that it is probable that the economic benefits will flow to the entity and the income can be reliably measured at fair value.

Grant from the Department of Justice

Income from the outputs the OVPC provides to Government is recognised when those outputs have been delivered and the relevant Minister has certified delivery of those outputs in accordance with specified performance criteria.

Other income

The OVPC is permitted under Section 29 of the Financial Management Act 1994 to have certain income annotated to the annual grant. The income which forms part of a Section 29 agreement is recognised by the OVPC and the receipts paid into the Consolidated Fund as an administered item. At the point of revenue recognition, Section 29 provides for an equivalent amount to be added to the annual grant. Section 29 proceeds are principally from the provision of training packages and services.

Fair value of assets and services received free of charge or for nominal consideration

The DOJ has been centrally funded for services it provides to the OVPC. These services are not recognised in the financial statements of the OVPC as their fair values cannot be reliably determined. The services that are utilised include the use of the Department’s office accommodation, financial systems, payroll systems, accounts payable, asset register and IT network.

(G) Expenses from transactions

Expenses from transactions are recognised as they are incurred, and reported in the financial year to which they relate.

Employee expenses

Refer to the section in Note 1 (K) regarding employee benefits.

These expenses include all costs related to employment (other than some superannuation which is accounted for separately) including wages and salaries, fringe benefits tax, leave entitlements, redundancy payments and WorkCover premiums.

Superannuation

The amount recognised in the comprehensive operating statement is the employer contributions for members of both defined benefit and defined contribution superannuation plans that are paid or payable during the reporting period.

The Department of Treasury and Finance (DTF), in its Annual Financial Statements, discloses on behalf of the State as the sponsoring employer the net defined benefit cost related to the members of these plans as an administered liability. Refer to DTF’s Annual Financial Statements for more detailed disclosures in relation to these plans.

Depreciation

Depreciation is generally calculated on a straight-line basis, at rates that allocate the asset’s value, less any estimated residual value, over its estimated useful life. Refer to Note 1 (I) for the depreciation policy for leasehold improvements.

The estimated useful lives, residual values and depreciation method are reviewed at the end of each annual reporting period, and adjustments made where appropriate.

The following are typical estimated useful lives for the different asset classes for the period ended 16 September 2014.

Computer and Communication Equipment 4 years

Plant and Equipment 5 - 10 years

Leasehold Improvements 4 years

The assets of the OVPC have been fully written off as at the end of the financial period, 16 September 2014.

Other operating expenses

Other operating expenses generally represent the day-to-day running costs incurred in normal operations and include:

Supplies and services

Supplies and services costs which are recognised as an expense in the reporting period in which they are incurred.


(H) Other economic flows included in the net result

Other economic flows measure the change in volume or value of assets or liabilities that do not result from transactions.

Net gain/(loss) on non-financial assets

Net gain/(loss) on non-financial assets and liabilities includes realised and unrealised gains and losses as follows:

Disposal of non-financial assets

Any gain or loss on the disposal of non-financial assets is recognised at the date of disposal and is determined after deducting from the proceeds the carrying value of the asset at that time.

Impairment of non-financial assets

All non-financial assets are assessed annually for impairment, as to whether their carrying value exceeds their recoverable amount and so require write downs, and whenever there is an indication that the asset may be impaired.

If there is an indication of impairment, the assets concerned are tested as to whether their carrying value exceeds their recoverable amount. Where an asset’s carrying value exceeds its recoverable amount, the difference is written off as an other economic flow, except to the extent that the write-down can be debited to an asset revaluation surplus amount applicable to that class of asset.

If there is an indication that there has been a change in the estimate of an asset’s recoverable amount since the last impairment loss was recognised, the carrying amount shall be increased to its recoverable amount. This reversal of the impairment loss occurs only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised in prior years.

It is deemed that, in the event of the loss or destruction of an asset, the future economic benefits arising from the use of the asset will be replaced unless a specific decision to the contrary has been made. The recoverable amount for most assets is measured at the higher of depreciated replacement cost and fair value less costs to sell. Recoverable amount for assets held primarily to generate net cash inflows is measured at the higher of the present value of future cash flows expected to be obtained from the asset and fair value less costs to sell.

Refer to Note 1 (J) in relation to the recognition and measurement of non-financial assets.

Net gain/(loss) on financial instruments

Net gain/(loss) on financial instruments includes:

• realised and unrealised gains and losses from revaluations of financial instruments at fair value;

• impairment and reversal of impairment for financial instruments at amortised cost (refer to Note 1 (H)); and

• disposals of financial assets.

Other gains/(losses) from other economic flows

Other gains/(losses) from other economic flows include the gains or losses from:

• the revaluation of the present value of the long service leave liability due to changes in the bond interest rates; and

• transfer of amounts from the reserves to accumulated surplus or net result due to disposal or derecognition or reclassification.

(I) Financial assets

Cash

Cash comprises cash on hand.

Receivables

Receivables consist of:

• Statutory receivables, which include predominantly amounts owing from the Victorian Government.

Receivables that are contractual are classified as financial instruments. Statutory receivables are not classified as financial instruments.

Receivables are recognised initially at fair value and subsequently measured at amortised cost, using the effective interest method, less an allowance for impairment.

A provision for doubtful receivables is recognised when there is objective evidence that the debts may not be collected, and bad debts are written off when identified.


(J) Non-financial assets

Plant and equipment

All non-current physical assets are measured initially at cost and subsequently revalued at fair value less accumulated depreciation and impairment. OVPC applies an individual asset capitalisation threshold of $5,000. Individual acquisitions below this value are expensed.

Leasehold improvements

The cost of leasehold improvements is capitalised as an asset and depreciated over the shorter of the remaining term of the lease or the estimated useful life of the improvements.

Other non-financial assets

Prepayments

Other non-financial assets include prepayments which represent payments in advance of receipt of goods or services or that part of expenditure made in one accounting period covering a term extending beyond that period.

(K) Liabilities

Payables

Payables consist of:

• contractual payables, such as accounts payable. Accounts payable represent liabilities for goods and services provided to the OVPC prior to the end of the financial year that are unpaid, and arise when the OVPC becomes obliged to make future payments in respect of the purchase of those goods and services; and

• statutory payables, such as goods and services tax and fringe benefits tax payables.

Contractual payables are classified as financial instruments and categorised as financial liabilities at amortised cost. Statutory payables are recognised and measured similarly to contractual payables, but are not classified as financial instruments and not included in the category of financial liabilities at amortised cost, because they do not arise from a contract.

Provisions

Provisions are recognised when the OVPC has a present obligation, the future sacrifice of economic benefits is probable, and the amount of the provision can be measured reliably.

The amount recognised as a provision is the best estimate of the consideration required to settle the present obligation at reporting date, taking into account the risks and uncertainties surrounding the obligation. Where a provision is measured using the cash flows estimated to settle the present obligation, its carrying amount is the present value of those cash flows, using a discount rate that reflects the time value of money and risks specific to the provision.

When some or all of the economic benefits required to settle a provision are expected to be received from a third party, the receivable is recognised as an asset if it is virtually certain that recovery will be received and the amount of the receivable can be measured reliably.

Employee benefits

Provision is made for benefits accruing to employees in respect of wages and salaries, annual leave and long service leave for services rendered to the reporting date.

(i) Wages and salaries, annual leave and sick leave

Liabilities for wages and salaries, including non-monetary benefits and annual leave, are recognised in the provision for employee benefits, classified as ‘current liabilities’ because the OVPC does not have an unconditional right to defer settlements of these liabilities.

Depending on the expectation of the timing of settlement, liabilities for wages and salaries, annual leave and sick leave are measured at:

• undiscounted value if the OVPC expects to wholly settle within 12 months; or

• present value if the OVPC does not expect to wholly settle within 12 months.


(ii) Long service leave

Liability for long service leave (LSL) is recognised in the provision for employee benefits.

Unconditional LSL is disclosed in the notes to the financial statements as a current liability, even where the OVPC does not expect to settle the liability within 12 months because it will not have the unconditional right to defer the settlement of the entitlement should an employee take leave within 12 months.

The components of this current LSL liability are measured at:

• nominal value — if the OVPC expects to wholly settle within 12 months; and

• present value — if the OVPC does not expect to wholly settle within 12 months.

Conditional LSL is disclosed as a non-current liability. There is an unconditional right to defer the settlement of the entitlement until the employee has completed the requisite years of service. This non-current LSL liability is measured at present value.

Any gain or loss following revaluation of the present value of non-current LSL liability is recognised as a transaction, except to the extent that a gain or loss arises due to changes in bond interest rates for which it is then recognised as an other economic flow (refer to Note 1(G)).

Employee benefits on-costs

Employee benefits on-costs such as payroll tax, workers compensation and superannuation are recognised separately from the provision for employee benefits.

Termination Benefits

Termination benefits are payable when employment is terminated before the normal retirement date, or when an employee decides to accept an offer of benefits in exchange for the termination of employment. The OVPC recognises termination benefits when it is demonstrably committed to either terminating the employment of current employees according to a detailed formal plan without possibility of withdrawal or providing termination benefits as a result of an offer made to encourage voluntary redundancy. Benefits falling due more than 12 months after the end of the reporting period are discounted to present value.

(L) Leases

A lease is a right to use an asset for an agreed period of time in exchange for payment.

Leases are classified at their inception as either operating or finance leases based on the economic substance of the agreement so as to reflect the risks and rewards incidental to ownership. Leases of property, plant and equipment are classified as finance infrastructure leases whenever the terms of the lease transfer substantially all the risks and rewards of ownership from the lessor to the lessee. All other leases are classified as operating leases.

Operating leases

OVPC as lessee

Operating lease payments, including any contingent rentals, are recognised as an expense in the comprehensive operating statement on a straight-line basis over the lease term, except where another systematic basis is more representative of the time pattern of the benefits derived from the use of the leased asset. The leased asset is not recognised in the balance sheet.

All incentives for the agreement of a new or renewed operating lease are recognised as an integral part of the net consideration agreed for the use of the leased asset, irrespective of the incentive’s nature or form or the timing of payments.

In the event that lease incentives are received to enter into operating leases, the aggregate cost of incentives is recognised as a reduction of rental expense over the lease term on a straight-line basis, unless another systematic basis is more representative of the time pattern in which economic benefits from the leased asset are consumed.

(M) Equity

Contributions by owners

Additions to net assets which have been designated as contributions by owners are recognised as contributed capital. Other transfers that are in the nature of contributions or distributions have also been designated as contributions by owners.

Transfers of net assets arising from administrative restructurings are treated as distributions to or contributions by owners. Transfers of net liabilities arising from administrative restructurings are treated as distributions to owners.


(N) Commitments

Commitments for future expenditure include operating and capital commitments arising from contracts. These commitments are disclosed by way of a note (refer to Note 11 Commitments for expenditure) at their nominal value and inclusive of the GST payable. In addition, where it is considered appropriate and provides additional relevant information to users, the net present values of significant individual projects are stated. These future expenditures cease to be disclosed as commitments once the related liabilities are recognised in the balance sheet.

(O) Contingent assets and contingent liabilities

Contingent assets and contingent liabilities are not recognised in the balance sheet, but are disclosed by way of a note (refer to Note 12 Contingent assets and contingent liabilities) and, if quantifiable, are measured at nominal value. Contingent assets and liabilities are presented inclusive of GST receivable or payable respectively.

(P) Accounting for the goods and services tax (GST)

Income, expenses and assets are recognised net of the amount of associated GST, except where GST incurred is not recoverable from the taxation authority. In this case, the GST payable is recognised as part of the cost of acquisition of the asset or as part of the expense.

DoJ manages the GST transactions on behalf of the OVPC and the net amount of GST recoverable from or payable to the Australian Taxation Office is recognised in the DoJ financial statements.

(Q) Events after the reporting period

With the entity ceasing to exist on 16 September 2014, all assets and liabilities transfer to the new Office of the Commissioner for Privacy and Data Protection.

(R) Australian Accounting Standards issued that are not yet effective

Certain new AASs have been published that are not mandatory for the 16 September 2014 reporting period. OVPC assesses the impact of all these new standards and advises entities of their applicability and early adoption where applicable.

As at 16 September 2014, the following AASs have been issued by the AASB but are not yet effective. They become effective for the first financial statements for reporting periods commencing after the stated operating dates as follows:

| Standard / Interpretation | Summary | Applicable for annual reporting periods beginning on | Impact on public sector entity financial statements |
| --- | --- | --- | --- |
| AASB 9 Financial instruments | This standard simplifies requirements for the classification and measurement of financial assets resulting from Phase 1 of the IASB’s project to replace IAS 39 Financial Instruments: Recognition and Measurement (AASB 139 Financial Instruments: Recognition and Measurement). | 1 Jan 2018 | Subject to AASB’s further modifications to AASB 9, together with the anticipated changes resulting from the staged projects on impairments and hedge accounting, details of impacts will be assessed. |

2. Income from transactions

16 September 2014 $ 30 June 2014 $

Annual grant revenue provided to OVPC by the Department of Justice 421,941 2,039,700

Net grant revenue received 421,941 2,039,700

Other income  

Section 29 revenues - training and conference activities 321 236


3. Expenses from transactions

16 September 2014 $ 30 June 2014 $

(a) Employee expenses

Salaries 247,770 1,331,102

Voluntary Departure Payment 0 0

Superannuation contributions (Note 10) 22,512 113,074

Payroll tax 15,397 69,075

Leave expense 0 0

Workers compensation 177 4,007

Fringe benefits tax 437 1,173

Total employee expenses 286,291 1,518,431

(b) Supplies and Services  

Computer requisites 0 0

Other supplies and services 20,993 98,264

Systems development and maintenance 18,930 25,468

Advertising, printing and subscriptions 27,240 46,879

Professional services 6,107 84,796

Telephones, facsimile 1,820 22,052

Total supplies and services 75,090 277,459

(c) Depreciation  

Computer and communication equipment 0 0

Plant and equipment 760 3,039

Leasehold improvements 6,583 26,334

Total Depreciation (Note 7) 7,343 29,373

(d) Other Operating expenses  

Rental expense relating to operating leases 51,165 188,869

Other 8,202 28,824

59,367 217,693

4. Other economic flows included in net result

Net gain/(loss) arising from revaluation of long service leave liability (i) (549) (2,124)

(549) (2,124)

5. Receivables

Current receivables - statutory

Amount owing from the Department of Justice and Regulation 355,891 376,820

Total current receivables 355,891 376,820

Non-current receivables - statutory

Amount owing from the Department of Justice and Regulation 0 0

Total non-current receivables 0 0

Total receivables 355,891 376,820

6. Prepayments

By expense activity:

Privacy law compliance 0 7,154

Privacy education and training 0 1,426

Information technology responsibilities 0 8,864

Administration 0 3,339

Total prepayments 0 20,783


7. Plant and equipment

16 September 2014 $ 30 June 2014 $

Computer and communication equipment - at cost 42,162 42,162

Less: Accumulated depreciation 42,162 42,162

0 0

Plant and equipment - at cost 20,759 20,759

Less: Accumulated depreciation 20,759 16,451

0 4,308

Leasehold improvements - at cost 248,938 248,937

Less: Accumulated depreciation 248,938 230,029

0 18,908

Total Plant and equipment 0 23,216

All OVPC’s Plant & Equipment are classified into the Public Administration Purpose Group.

Reconciliations

Reconciliations of the carrying amounts of each class of plant and equipment at the beginning and end of the current and previous financial year are set out below.

| | Computer & Communication equipment | Plant & equipment | Leasehold Improvements | Total |
| --- | --- | --- | --- | --- |
| Balance at 1 July 2013 | 0 | 7,346 | 45,243 | 52,589 |
| Additions | 0 | 0 | 0 | 0 |
| Disposals | 0 | 0 | 0 | 0 |
| Depreciation/amortisation expense (Note 3 (c)) | 0 | (3,039) | (26,334) | (29,373) |
| Balance at 30 June 2014 | 0 | 4,307 | 18,909 | 23,216 |
| Balance at 1 July 2014 | 0 | 4,307 | 18,909 | 23,216 |
| Additions | 0 | 0 | 0 | 0 |
| Disposals | 0 | (3,547) | (12,326) | (15,873) |
| Depreciation/amortisation expense (Note 3 (c)) | 0 | (760) | (6,583) | (7,343) |
| Balance at 16 September 2014 | 0 | 0 | 0 | 0 |

Reconciliation of funding for capital expenditure and depreciation and amortisation expenditure:

16 September 2014 $ 30 June 2014 $

Funding provided for depreciation and amortisation 0 0

Actual depreciation and amortisation for the year 7,343 29,374

Funding - provided in excess of expenditure/(shortfall to expenditure) (7,343) (29,374)

Classification by ‘Public safety and environment’ Purpose Group – Movements in carrying amounts

Fair value measurement hierarchy for assets as at 16 September 2014

| | Carrying amount as at 16 September 2014 $ | Fair value measurement at end of reporting period using: Level 1(i) | Level 2(i) | Level 3(i) |
| --- | --- | --- | --- | --- |
| Plant and Equipment | | | | |
| Plant and equipment at fair value | 0 | 0 | 0 | 0 |
| Total of plant and equipment at fair value | 0 | 0 | 0 | 0 |
| Leasehold fitout | | | | |
| Leasehold fitout at fair value | 0 | 0 | 0 | 0 |
| Total of leasehold fitout at fair value | 0 | 0 | 0 | 0 |

Notes: (i) Classified in accordance with the fair value hierarchy, see Note 1 (B).


7. Plant and equipment continued

16 September 2014 Plant and equipment $

Opening balance

Purchases 4,307

Sales 0

Gains or losses recognised in net result (3,547)

Depreciation (760)

Closing Balance  0

16 September 2014 Leasehold improvements $

Opening balance

Purchases 18,909

Sales 0

Gains or losses recognised in net result (12,326)

Depreciation (6,583)

Closing Balance  0

Plant and equipment

Plant and equipment is held at fair value. When plant and equipment is specialised in use, such that it is rarely sold other than as part of a going concern, fair value is determined using the depreciated replacement cost method.

There were no changes in valuation techniques throughout the period to 30 June 2014.

For all assets measured at fair value, the current use is considered the highest and best use.

Description of significant unobservable inputs to Level 3 valuations

| | Valuation technique (i) | Significant unobservable inputs (i) | Range (weighted average) (i) | Sensitivity of fair value measurement to changes in significant unobservable inputs |
| --- | --- | --- | --- | --- |
| Plant and equipment | Depreciated replacement cost | Cost per unit | $5,226–$15,196 per unit (average $7,865 per unit) | A significant increase or decrease in cost per unit would result in a significantly higher or lower fair value |
| | | Useful life of plant and equipment | 5–10 years (7 years) | A significant increase or decrease in the estimated useful life of the asset would result in a significantly higher or lower valuation. |
| Leasehold improvements | Depreciated replacement cost | Cost per sqm | $480 per sqm | A significant increase or decrease in cost per square metre would result in a significantly higher or lower fair value |
| | | Lease period | 4 years | A significant increase or decrease in the lease period would result in a significantly higher or lower valuation. |

8. Payables

16 September 2014 $ 30 June 2014 $

Current payables

Contractual (i)

Supplies and services 17,250 33,902

Statutory

Taxes payable 764 327

Total current payables 18,014 34,229

(i) The average credit period is 30 days.

(a) Maturity analysis of contractual payables. Please refer to table (c) in Note 13 for the maturity analysis of contractual payables.

(b) Nature and extent of risk arising from contractual payables. Please refer to Note 13 for the nature and extent of risks arising from contractual payables.


9. Provisions

16 September 2014 $ 30 June 2014 $

Current

Current provisions

(i) Employee benefits - annual leave and long service leave:

Annual leave:

(ii) Unconditional and expected to settle within 12 months 55,156 64,138

(ii) Unconditional and expected to settle after 12 months 6,782 9,105

Long service leave:

(ii) Unconditional and expected to settle within 12 months 103,407 99,106

(ii) Unconditional and expected to settle after 12 months 16,848 50,932

Provisions for on-costs:

(ii) Unconditional and expected to settle within 12 months 28,922 30,591

(ii) Unconditional and expected to settle after 12 months 4,231 10,216

Total current provisions 215,346 264,089

Notes:

(i) Employee benefits consist of annual leave and long service leave accrued by employees. On-costs such as payroll tax and workers’ compensation insurance are not employee benefits and are reflected as a separate provision.

(ii) Amounts are measured at present values.

Non-current provisions

(i) Employee benefits

On-costs 48,873 44,671

Other provisions 7,265 6,660

Total non-current provisions 56,138 51,330

Total provisions 271,484 315,419

Employee benefits and related on-costs  

Current employee benefits  

Annual leave 61,938 73,243

Long service leave 120,255 150,039

Non-current employee benefits  

Long service leave 48,873 44,671

Total employee benefits 231,066 267,953

Current on-costs 28,922 40,807

Non-current on-costs 11,496 6,660

Total on-costs 40,418 47,466

Total employee benefits and on-costs 271,484 315,419

Note: (i) Employee benefits consist of annual leave and long service leave accrued by employees. On-costs such as payroll tax and workers’ compensation insurance are not employee benefits and are reflected as a separate provision.

Movements in provisions

Opening balance 47,466 67,241

Additional provisions recognised 0 0

Reductions arising from payments/other sacrifices of economic benefits (7,048) (19,775)

Closing balance 40,418 47,466

Current 28,922 40,807

Non-current 11,496 6,660

40,418 47,466


10. Superannuation

16 September 2014 $ 30 June 2014 $

State Superannuation Schemes (Defined benefit scheme) (i) 2,891 12,451

VicSuper (Accumulation scheme) 11,709 81,904

Other 7,912 18,719

Total superannuation 22,512 113,074

Employees of the OVPC are entitled to receive superannuation benefits and the OVPC contributes to both defined benefit and defined contribution plans. The defined benefit plan provides benefits based on years of service and final average salary.

OVPC does not recognise any defined benefit liability in respect of the plan(s) because the entity has no legal or constructive obligation to pay future benefits relating to its employees; its only obligation is to pay superannuation contributions as they fall due. The Department of Treasury and Finance discloses the State’s defined benefit liabilities in its disclosure for administered items.

However, superannuation contributions paid or payable for the reporting period are included as part of employee benefits in the Comprehensive operating statement for OVPC.

Notes: (i) Employees of the Department are entitled to receive superannuation benefits and the Department contributes to both defined benefit and defined contribution plans. The defined benefit plan(s) provides benefits based on years of service and final average salary.

11. Commitments for expenditure

The following commitments have not been recognised as liabilities in the financial statements:

16 September 2014 $ 30 June 2014 $

Operating leases

Commitments under a non-cancellable operating lease at the reporting date are as follows (i):

Not longer than 1 year 108,000 166,041

Longer than one year and not later than 5 years 0 0

Longer than 5 years 0 0

108,000 166,041

Notes: (i) Figures are inclusive of GST

Leasing arrangements

The operating lease relates to office facilities with an initial lease term of 4 years, terminating as at 31 March 2015 with an option to extend for a further 3 years. OVPC does not have an option to purchase the leased asset at the expiry of the lease period.

Commitments for capital expenditure are not recognised as liabilities in the financial statements. Commitments for capital expenditure at 16 September 2014 were $Nil (30 June 2014 $Nil).

12. Contingent assets and contingent liabilities

There were no contingent assets or contingent liabilities as at 16 September 2014 (30 June 2014: Nil).


13. Financial instruments

(a) Financial risk management and objectives and policies

The OVPC’s financial instruments comprise:

Cash; and

Payables (excluding statutory payables)

Details of significant accounting policies and methods adopted, including the criteria for recognition, the basis of measurement and the basis on which income and expenses are recognised, in respect of each class of financial asset, financial liability and equity instrument are disclosed in Note 1 to the financial statements.

Table 13.1 Categorisation of financial instruments

| | Note | Category | Carrying amount 16 September 2014 $ | Carrying amount 30 June 2014 $ |
| --- | --- | --- | --- | --- |
| Financial assets | | | | |
| Cash on hand | 14 (a) | Cash | 1,000 | 2,600 |
| Financial liabilities | | | | |
| Payables | 8 | Financial liabilities measured at amortised cost | 17,250 | 33,902 |

(b) Credit risk

Credit risk arises from the financial assets of OVPC.

OVPC’s exposure to credit risk arises from the potential default of counter parties on their contractual obligations resulting in financial loss to OVPC. Credit risk is measured at fair value and is monitored on a regular basis.

Credit risk associated with OVPC’s financial assets is minimal because the only debtor is the Department of Justice.

Provision of impairment for financial assets is calculated based on past experience and current and expected changes in client credit ratings.

The carrying amount of financial assets recorded in the financial statements net of any allowances for losses, represents OVPC’s maximum exposure to credit risk without taking account of the value of collateral obtained.

Currently, OVPC does not hold any collateral as security nor credit enhancements relating to any of its financial assets.

As at the reporting date, there is no evidence to indicate that any of the financial assets were impaired.

(c) Liquidity risk

Liquidity risk is the risk that the OVPC would be unable to meet its financial obligations as they fall due. OVPC operates under the Government fair payments policy of settling financial obligations within 30 days and, in the event of a dispute, making payments within 30 days from the date of resolution.

The OVPC’s exposure to liquidity risk is deemed insignificant based on prior periods’ data and current assessment of risk.

Maximum exposure to liquidity risk is the carrying amounts of financial liabilities in the financial report.

The following table discloses the contractual maturity analysis for OVPC’s financial liabilities:

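| | Carrying amount | Nominal amount | Maturity dates: Less than 1 month | Maturity dates: 1 – 3 months | Maturity dates: 3 months - 1 year | Maturity dates: 1 – 5 years |
| --- | --- | --- | --- | --- | --- | --- |
| 16 September 2014 | | | | | | |
| Payables | 17,250 | 17,250 | 17,250 | 0 | 0 | 0 |
| | 17,250 | 17,250 | 17,250 | 0 | 0 | 0 |
| 30 June 2014 | | | | | | |
| Payables | 33,902 | 33,902 | 33,902 | 0 | 0 | 0 |
| | 33,902 | 33,902 | 33,902 | 0 | 0 | 0 |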


13. Financial instruments continued

(d) Market risk

OVPC is not exposed to market risk.

(e) Fair value

Management consider that the carrying amount of financial assets and liabilities recorded in the financial report approximate their fair values because of the short term nature of the financial instruments and the expectation they will be paid in full. The financial assets are determined at level 1 of the fair value hierarchy.

14. Cash flow information

(a) Reconciliation of cash

For purposes of the Cash Flow Statement, cash includes cash on hand. Cash at the end of the reporting period as shown in the Cash Flow Statement is reconciled to the related items in the Balance Sheet as follows:

16 September 2014 $ 30 June 2014 $

Cash 1,000 2,600

1,000 2,600

(b) Reconciliation of net result for the reporting period to net cash inflow from operating activities

 

Net result for the period (6,378) (5,144)

Non-cash movements:    

Depreciation 7,343 29,373

Write off of assets 15,872 0

23,215 29,373

Movements in assets and liabilities:  

(Increase)/Decrease in receivables 20,929 213,525

(Increase)/Decrease in prepayments 20,783 4,983

(Decrease)/Increase in payables (16,215) (104,926)

(Decrease)/Increase in provision for employee benefits (43,935) (135,309)

(18,438) (21,727)

Net cash flows from (used in) operating activities (1,600) 2,500

15. Responsible persons

In accordance with the Ministerial Directions issued by the Minister for Finance under the Financial Management Act 1994, the following disclosures are made regarding responsible persons for the reporting period.

The names of persons who were Responsible Persons during the financial year are as follows:

Minister: Attorney-General The Hon. Robert Clark, MP 1 July 2014 to 16 September 2014

Privacy Commissioner David Watts 1 July 2014 to 16 September 2014

There are no other executive officers other than the above.

Remuneration received or receivable by the executive officer in connection with the management of the OVPC during the reporting period was in the range:

16 September 2014 $ 30 June 2014 $

$60,000 - $69,999 1 0

$160,000 - $169,999 0 0

$260,000 - $269,999 0 1

Amounts relating to Ministers are reported in the financial report of the Department of Premier and Cabinet.


15. Responsible persons continued

Payments to other personnel (i.e. contractors with significant management responsibilities)

There are no contractors with significant management responsibilities engaged in the OVPC and, as such, no payments have been made (2013: 0).

Other transactions

Other related transactions and loans requiring disclosure under the Directions of the Minister for Finance have been considered and there are no matters to report.

There were no related-party transactions for the year ended 16 September 2014 (30 June 2014: Nil).

16. Remuneration of auditors

16 September 2014 $ 30 June 2014 $

Victorian Auditor-General’s Office 8,500 13,750

Audit or review of the financial statements 8,500 13,750

17. Cessation of OVPC

The OVPC ceased operations on 16 September 2014. The Privacy and Data Protection Act 2014 was proclaimed on 17 September 2014.

Net assets of $67,393 were transferred to the Office of the Commissioner for Privacy and Data Protection.

18. Glossary of terms and style conventions

Comprehensive result

The net result of all items of income and expense recognised for the period. It is the aggregate of operating result and other comprehensive income.

Commitments

Commitments include those operating, capital and other outsourcing commitments arising from non-cancellable contractual or statutory sources.

Depreciation

Depreciation is an expense that arises from the consumption through wear or time of a produced physical or intangible asset. This expense is classified as a ‘transaction’ and so reduces the ‘net result from transaction’.

Employee benefits expenses

Employee benefits expenses include all costs related to employment including wages and salaries, fringe benefits tax, leave entitlements, redundancy payments, defined benefits superannuation plans, and defined contribution superannuation plans.

Financial asset

A financial asset is any asset that is:

(a) cash;

(b) an equity instrument of another entity;

(c) a contractual or statutory right:

• to receive cash or another financial asset from another entity; or

• to exchange financial assets or financial liabilities with another entity under conditions that are potentially favourable to the entity; or

(d) a contract that will or may be settled in the entity’s own equity instruments and is:

• a non-derivative for which the entity is or may be obliged to receive a variable number of the entity’s own equity instruments; or

• a derivative that will or may be settled other than by the exchange of a fixed amount of cash or another financial asset for a fixed number of the entity’s own equity instruments.


18. Glossary of terms and style conventions continued

Financial instrument

A financial instrument is any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument of another entity. Financial assets or liabilities that are not contractual (such as statutory receivables or payables that arise as a result of statutory requirements imposed by governments) are not financial instruments.

Financial liability

A financial liability is any liability that is:

(a) A contractual obligation:

(i) To deliver cash or another financial asset to another entity; or

(ii) To exchange financial assets or financial liabilities with another entity under conditions that are potentially unfavourable to the entity; or

(b) A contract that will or may be settled in the entity’s own equity instruments and is:

(i) A non-derivative for which the entity is or may be obliged to deliver a variable number of the entity’s own equity instruments; or

(ii) A derivative that will or may be settled other than by the exchange of a fixed amount of cash or another financial asset for a fixed number of the entity’s own equity instruments. For this purpose the entity’s own equity instruments do not include instruments that are themselves contracts for the future receipt or delivery of the entity’s own equity instruments.

Financial statements

A complete set of financial statements comprises:

(a) balance sheet as at the end of the period;

(b) comprehensive operating statement for the period;

(c) a statement of changes in equity for the period;

(d) cash flow statement for the period;

(e) notes, comprising a summary of significant accounting policies and other explanatory information;

(f) comparative information in respect of the preceding period as specified in paragraphs 38 of AASB 101 Presentation of Financial Statements; and

(g) a balance sheet as at the beginning of the preceding period when an entity applies an accounting policy retrospectively or makes a retrospective restatement of items in its financial statements, or when it reclassifies items in its financial statements in accordance with paragraphs 41 of AASB 101.

Grants and other transfers

Transactions in which one unit provides goods, services, assets (or extinguishes a liability) or labour to another unit without receiving approximately equal value in return. Grants can either be operating or capital in nature.

While grants to governments may result in the provision of some goods or services to the transferor, they do not give the transferor a claim to receive directly benefits of approximately equal value. For this reason, grants are referred to by the AASB as involuntary transfers and are termed non-reciprocal transfers. Receipt and sacrifice of approximately equal value may occur, but only by coincidence. For example, governments are not obliged to provide commensurate benefits, in the form of goods or services, to particular taxpayers in return for their taxes.

Grants can be paid as general purpose grants which refer to grants that are not subject to conditions regarding their use. Alternatively, they may be paid as specific purpose grants which are paid for a particular purpose and/or have conditions attached regarding their use.

Net result

Net result is a measure of financial performance of the operations for the period. It is the net result of items of income, gains and expenses (including losses) recognised for the period, excluding those that are classified as ‘other economic flows - other comprehensive income’.

Net result from transactions/net operating balance

Net result from transactions or net operating balance is a key fiscal aggregate and is income from transactions minus expenses from transactions. It is a summary measure of the ongoing sustainability of operations. It excludes gains and losses resulting from changes in price levels and other changes in the volume of assets. It is the component of the change in net worth that is due to transactions and can be attributed directly to government policies.


18. Glossary of terms and style conventions continued

Net worth

Assets less liabilities, which is an economic measure of wealth.

Non-financial assets

Non-financial assets are all assets that are not ‘financial assets’. It includes inventories, land, buildings, infrastructure, road networks, land under roads, plant and equipment, investment properties, cultural and heritage assets, intangible and biological assets.

Other economic flows included in net result

Other economic flows are changes in the volume or value of an asset or liability that do not result from transactions. It includes:

• gains and losses from disposals, revaluations and impairments of non-financial physical and intangible assets;

• actuarial gains and losses arising from defined benefit superannuation plans;

• fair value changes of financial instruments and agricultural assets; and

• depletion of natural assets (non-produced) from their use or removal.

In simple terms, other economic flows are changes arising from market remeasurements.

Payables

Includes short and long term trade debt and accounts payable, grants, taxes and interest payable.

Receivables

Includes amounts owing from government through appropriation receivable, short and long term trade credit and accounts receivable, accrued investment income, grants, taxes and interest receivable.

Supplies and services

Supplies and services generally represent cost of goods sold and the day-to-day running costs, including maintenance costs, incurred in the normal operations of the OVPC.

Transactions

Transactions are those economic flows that are considered to arise as a result of policy decisions, usually an interaction between two entities by mutual agreement. They also include flows within an entity such as depreciation where the owner is simultaneously acting as the owner of the depreciating asset and as the consumer of the service provided by the asset. Taxation is regarded as mutually agreed interactions between the government and taxpayers. Transactions can be in kind (e.g. assets provided/given free of charge or for nominal consideration) or where the final consideration is cash. In simple terms, transactions arise from the policy decisions of the government.

Style conventions

Figures in the tables and in the text have been rounded. Discrepancies in tables between totals and sums of components reflect rounding. Percentage variations in all tables are based on the underlying unrounded amounts.

The notation used in the tables is as follows:

0 zero, or rounded to zero

(xxx.x) negative numbers

200x year period

200x-0x year period

The financial statements and notes are presented based on the illustration for a government department in the 2013-14 Model Report for Victorian Government Departments. The presentation of other disclosures is generally consistent with the other disclosures made in earlier publications of the OVPC’s annual reports.


Accountable Officer’s and Chief Finance and Accounting Officer’s declaration

The attached financial statements for the Office of the Victorian Privacy Commissioner have been prepared in accordance with Standing Directions 4.2 of the Financial Management Act 1994, applicable Financial Reporting Directions, Australian Accounting Standards including Interpretations, and other mandatory professional reporting requirements.

We further state that, in our opinion, the information set out in the comprehensive operating statement, balance sheet, statement of changes in equity, cash flow statement and accompanying notes, presents fairly the financial transactions for the period ended 16 September 2014 and financial position of the Office of the Victorian Privacy Commissioner at 16 September 2014.

At the time of signing, we are not aware of any circumstance which would render any particulars included in the financial statements to be misleading or inaccurate.

We authorise the attached financial statements for issue on 19 October 2015.

David Watts Commissioner for Privacy and Data Protection

Melbourne 19 October 2015

Ingrid Klein Chief Finance and Accounting Officer

Melbourne 19 October 2015


Auditor-General’s report


Appendices


A Disclosure Index

B Major Outputs

C Other Available Information

D Attestation – Insurance

E Attestation – Risk Management


Appendix A Disclosure index

Legislation Requirement Page reference

Ministerial Directions

Report of operations – FRD guidance

Charter and purpose

FRD 22E Manner of establishment and the relevant Ministers 10

FRD 22E Objectives, functions, powers and duties 10

FRD 22E Nature and range of services provided 10-27

Management and structure

FRD 22E Organisational structure 24

Financial and other information

FRD 8B Budget portfolio outcomes 61

FRD 10 Disclosure index 59-60

FRD 12A Disclosure of major contracts 26

FRD 15B Executive officer disclosures n/a

FRD 22E, SD 4.2(k) Operational and budgetary objectives and performance against objectives 59

FRD 22E Employment and conduct principles 26

FRD 22E Occupational health and safety policy 26

FRD 22E Summary of the financial results for the year 31-34

FRD 22E Significant changes in financial position during the year 31-34

FRD 22E Major changes or factors affecting performance 10-27

FRD 22E Subsequent events 50

FRD 22E Application and operation of Freedom of Information Act 1982 26

FRD 22E Compliance with building and maintenance provisions of Building Act 1993 25

FRD 22E Statement on National Competition Policy 26

FRD 22E Application and operation of the Protected Disclosure 2012 25

FRD 22E Application and operation of the Carers Recognition Act 2012 25

FRD 22E Details of consultancies over $10 000 26

FRD 22E Details of consultancies under $10 000 26

FRD 22E Statement of availability of other information 62

FRD 24C Reporting of office based environmental impacts 27

FRD 25B Victorian Industry Participation Policy disclosures 27

FRD 29 Workforce Data disclosures 25-26

SD 4.5.5 Risk management compliance attestation 64

SD 4.5.5.1 Ministerial Standing Direction 4.5.5.1 compliance attestation 63

SD 4.2(g) Specific information requirements inside front cover

SD 4.2(j) Signoff requirements inside front cover


Financial Report

Financial statements required under Part 7 of the FMA

SD4.2(a) Statement of changes in equity 33

SD4.2(b) Operating statement 31

SD4.2(b) Balance sheet 32

SD4.2(b) Cash flow statement 34

Other requirements under Standing Directions 4.2

SD4.2(c) Compliance with Australian accounting standards and other authoritative pronouncements 36

SD4.2(c) Compliance with Ministerial Directions 36

SD4.2(d) Rounding of amounts 52

SD4.2(c) Accountable officer’s declaration 53

SD4.2(f) Compliance with Model Financial Report 1-64

Other disclosures as required by FRDs in notes to the financial statements

FRD 9A Departmental Disclosure of Administered Assets and Liabilities by Activity n/a

FRD 11A Disclosure of Ex-Gratia Expenses n/a

FRD 13 Disclosure of Parliamentary Appropriations n/a

FRD 21B Disclosures of Responsible Persons, Executive Officers and other Personnel (Contractors with Significant Management Responsibilities) in the Financial Report 49

FRD 102 Inventories n/a

FRD 103D Non-current Physical Assets 44-45

FRD 104 Foreign Currency n/a

FRD 106 Impairment of Assets 39-40

FRD 109 Intangible Assets n/a

FRD 107 Investment Properties n/a

FRD 110 Cash Flow Statements 34

FRD 112D Defined Benefit Superannuation Obligations 47

FRD 113 Investments in Subsidiaries, Jointly Controlled Entities and Associates n/a

FRD 114A Financial Instruments – General Government Entities and Public Non Financial Corporations 48-49

FRD 119A Transfers through Contributed Capital 41

Legislation

Building Act 1983 25

Carers Recognition Act 2012 25

Financial Management Act 1994 36

Freedom of Information Act 1982 26

Protected Disclosure Act 2001 25

Victorian Industry Participation Policy Act 2003 27


Appendix B Major outputs

Budget Paper 3 for 2014-15 (p.194) describes the outputs for the Office of the Victorian Privacy Commissioner. The results for the reporting period 1 July – 16 September 2014 are as follows:

Privacy regulation

The Information Privacy Act 2000 regulates the collection and handling of personal information by the Victorian public sector and local government. The Office of the Victorian Privacy Commissioner (OVPC) receives and deals with complaints of alleged breaches of privacy and promotes privacy protection through advocacy, education and training, audit and investigation of breaches of the Act.

Performance measure | Unit | 2014-15 Target | Actual at 16 September 2014
Quantity
Compliance activities conducted | number | 2,700 | 595
Privacy awareness activities conducted | number | 195 | 52
Quality
Client feedback of satisfaction with complaint handling and training services provided | level | high | high
Timeliness
Statutory or agreed timelines met | per cent | 90 | 90

The increase in output cost targets between financial years and the increase from the 2013-14 target to the 2013-14 expected outcome reflects the functions of the Commissioner for Law Enforcement Data Security being transferred from the Policing Services output during the 2013-14 financial year.


Appendix C Other available information

In compliance with the requirements of the Standing Directions of the Minister for Finance, details in respect of the items listed below have been retained by the Office and are available to the relevant ministers, Members of Parliament and the public on request (subject to the freedom of information requirements, if applicable):

a) a statement that declarations of pecuniary interests have been duly completed by all relevant officers;

b) details of shares held by a senior officer as nominee or held beneficially in a statutory authority or subsidiary;

c) details of publications produced by the Office about itself, and how these can be obtained;

d) details of changes in prices, fees, charges, rates and levies charged by the Office;

e) details of any major external reviews carried out on the Office;

f) details of major research and development activities undertaken by the Office;

g) details of overseas visits undertaken including a summary of the objectives and outcomes of each visit;

h) details of major promotional, public relations and marketing activities undertaken by the Office to develop community awareness of the Office and its services;

i) details of assessments and measures undertaken to improve the occupational health and safety of employees;

j) a general statement on industrial relations within the Office and details of time lost through industrial accidents and disputes;

k) a list of major committees sponsored by the Office, the purposes of each committee and the extent to which the purposes have been achieved; and

l) details of all consultancies and contractors including:

(I) consultants/contractors engaged;

(II) services provided; and

(III) expenditure committed to for each engagement.

The information is available on request from:

Office of the Commissioner for Privacy and Data Protection

GPO Box 24014 MELBOURNE Victoria 3001

Phone: 1300 666 444 Email: [email protected]


Appendix D Attestation - Insurance

Attestation for compliance with the Ministerial Standing Direction 4.5.5.1 - Insurance

I, David Watts, certify that the Office of the Victorian Privacy Commissioner has complied with the Ministerial Direction 4.5.5.1 – Insurance.

David Watts Commissioner for Privacy and Data Protection

1 October 2015


Appendix E Attestation - Risk management

Attestation for compliance with the Australian/New Zealand Risk Management Standard

I, David Watts, certify that the Office of the Victorian Privacy Commissioner has risk management processes in place consistent with AS/NZS ISO 31000:2009 (or equivalent designated standard) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures.

David Watts Commissioner for Privacy and Data Protection

1 October 2015


Enquiries Line 1300 666 444 www.dataprotection.vic.gov.au