Legislative Framework

4.1 Review questions addressed in this chapter

This chapter responds to the following review questions:

Are there any unintended consequences of interpretation – both positive and negative?
Do the findings of the review support any considerations for changes to the legislative settings of the reform?
What are the impacts of the current Child Wellbeing and Safety (Information Sharing) Regulations 2018 and what are the issues related to the Regulations (if any)?
What could be done to address the issues, if any, of the Regulations?

4.2 Are there any unintended consequences of interpretation?

This Review did not identify any unintended consequences of CISS in relation to interpretation of the legislative framework.

There will be opportunities to identify and address potential misinterpretation in the future, as the compliance monitoring and reporting process continues to mature.

4.3 Do the findings of the review support any considerations for changes to the legislative settings of the reform?

Overall, Part 6A of the Act is comprehensive, providing for:

principles governing information sharing, including a clear focus on child wellbeing and safety
prescription of both ISEs and restricted ISEs
voluntary or requested disclosure of confidential information for relevant purposes to other ISEs
voluntary disclosure of confidential information for relevant purposes to the child, a person with parental responsibility for the child, or a person who lives with the child
issuance of Ministerial Guidelines
protection of good faith use and disclosure
record keeping requirements
interactions with other privacy, information sharing and data protection laws
offences for misusing information shared through CISS or falsely claiming to be an ISE.

There is strong alignment between the legislation and intended outcomes. This Review did not identify any legislative amendments required to enable CISS to meet its intended outcomes.

Noting the legislation is sufficient to achieve its intended outcomes, some issues could be further clarified to promote transparency and accountability within CISS.

This Review recognises there is an established pathway for children and their families to make privacy-related complaints to the OVIC or the HCC about the disclosure or use of their confidential information.

Currently, it is unclear which court jurisdiction or enforcement body has jurisdiction to investigate and enforce the offences listed in Part 6A, Division 5 of the Act. Currently, there is no body or authority ISEs or non-ISEs should report or escalate potential misuse of information shared through CISS (i.e., professionals) or refusal to share pertinent information under CISS (as opposed to children and their families making a privacy complaint to the OVIC or the HCC about the disclosure or use of their confidential information).

Other information schemes, such as the Privacy and Data Protection Act 2014 and Health Records Act 2001, provide members of the public with recourse to the Victorian Civil and Administrative Tribunal (VCAT) to consider complaints and issues related to these Acts. Alternatively, compliance powers and functions are provided to an agency to make a decision or take action against the offending party, subsequent to which parties may be provided legislative recourse to VCAT to dispute the regulatory decision. Currently, neither of these pathways to progress or resolve complaints are provided for in Part 6A of the Act.

There is an identified gap in a clear pathway for non-privacy related issues or complaints to be raised by any person. It is also primarily not clear to what body or authority ISEs or non-ISEs should report or escalate potential misuse of information shared through CISS (e.g., professionals) as complaints are managed at an ISE level (see Section 4.4.3 for further detail). Further consideration should be given to ensuring members of the public have a clear pathway to progress offences committed under Part 6A of the Act.

The current prescribed ISEs, detailed in Section 1.3.2.1, are of targeted scope, linked to the recommendations of the Royal Commission into Institutional Responses to Child Sexual Abuse and Royal Commission into Family Violence, and aligning with prescribed workforces under family violence reforms.

The CISSC has considered the possibilities for the expansion of CISS to include additional services and workforces to further strengthen the ability of CISS to promote child wellbeing and safety.⁷³ Initial policy work identified disability and TAFE workforces as early possibilities, with further scoping and consultation considering additional funded agencies and workforces across Victorian Government departments and agencies. Prescription of additional ISEs depends on regulatory amendments.

It is noted that scoping and consultation does not appear to have progressed beyond the Victorian Government, and further consultation may be required with the Commonwealth and neighbouring jurisdictions (i.e., New South Wales, South Australia and Tasmania) to identify other workforces operating in or near Victoria, supporting Victorian children, that may be relevant to prescribe in the Regulations.

This Review did not identify any issues associated with certain workforces not being prescribed within the first five years of operation, however, a lack of access to CISS may prevent identification and management of risks to child wellbeing and safety when they are engaged with these services in a manner that prevents CISS from achieving its intended outcomes, which are intentionally broadly scoped.

The long-term vision of CISS is for all appropriate service providers supporting a child to be actively engaged in identifying and monitoring risks or issues associated with the child’s wellbeing or safety, regardless of how that service is funded (e.g., Commonwealth, State or private) or where that service is delivered (e.g., interstate within a border community). From this perspective, if the limited scope of prescribed workforces persists over the medium- to long-term, the Regulations may limit the ability of CISS to achieve its intended outcomes.

Part 3(7) of the Regulations prescribes information that must be recorded about information shared through CISS, including:

the names of the ISE requesting and/or receiving confidential information
the confidential information requested and disclosed
the date of request and disclosure
family violence risk assessments and safety plans in place (if applicable)
details regarding engagement with the child and/or parents regarding the disclosure
if the request is denied, the reason provided.

Provision for the secure storage and disposal of confidential information already exists within the relevant privacy and data protection legislative frameworks, and CISS does not make further specifications regarding these matters.

The Two-Year Review noted that there was an expectation that ISEs would leverage their existing systems to meet their record keeping requirements. Three quarters of those surveyed indicated that changes had been made to their record keeping arrangements in response to CISS.⁷⁴

In developing the Regulations, an option was considered in relation to record keeping that would impose additional requirements on ISEs to record aggregate level data.⁷⁵ Under this option, it was assumed that ISEs would receive weekly requests to report on aggregate data and that ISEs would respond to these requests. The option was not selected as it was noted that the Regulations could only prescribe record keeping requirements, not reporting requirements and that any additional requirement to report on aggregate data would need to be imposed through other means or powers, such as the Ministerial Guidelines.⁷⁶ No additional requirements to report were ultimately imposed through the Ministerial Guidelines.

The Two-Year Review recommended that the Victorian Government consider the adequacy of the current minimum record keeping requirements of CISS, including the Department’s consideration of the role of CISS in responding to the needs of diverse population groups.⁷⁷ In the Victorian Government Response to the Two-Year Review, a commitment to simplifying the process of information sharing and record keeping, and to streamlining existing data collection for monitoring and reporting purposes where possible, was supported. However, the government did not support changes to the record keeping requirements as specified in the Ministerial Guidelines.

CISS Workforce Survey respondents identified some barriers to using CISS due to the slow response by some ISEs to requests for information. This did not appear to be linked to the Regulations’ record keeping requirements and was generally associated with organisational capacity restrictions (e.g., staff shortages) or local administrative processes (e.g., ISE’s specific procedures regarding approvals for sharing confidential information). Given the concerns throughout implementation regarding the administrative burden of record keeping regulations, it does not appear that the current record keeping requirements in the Regulations are onerous or otherwise impeding the operation of CISS as intended.

The prescribed details regarding record keeping in the Regulations are sufficient to manage the breadth of risks identified in this Review (e.g., clearly identifying who the confidential information was shared with and for what purpose). However, as this data is not collated, there are missed opportunities to identify and address common issues and risks associated with child wellbeing and safety.

4.4.3 Complaints record keeping

The Regulations prescribe details to be recorded when an ISE receives a complaint. Information to be recorded includes:

the date that the complaint was made and received
the nature of the complaint
the time taken to resolve the complaint (if resolved)
any action taken in response, including to resolve the complaint or prevent or lessen risks of similar complaints.

Complaints may be made by any person, including children and their family members (e.g., if they consider that their privacy was breached) and other ISEs (e.g., if a request for information was not fulfilled). Privacy complaints may also be made to the relevant bodies under Victorian and Commonwealth privacy law.⁷⁸ Complaints information held by ISEs is not centrally collated or reported.

The current approach has the advantage that any complaints which arise can be responded to in a timely manner. For example, addressing the complaint within the ISE will allow any organisational knowledge gaps to be quickly identified and addressed. Where a complaint is escalated by the complainant to the relevant Victorian or Commonwealth complaints body, it can be considered and monitored as part of a broader and more systemic response to privacy, information sharing and/or data protection within the respective scope of the body.

While recognising these advantages, there are also disadvantages that come with the lack of a centralised complaints process. ISEs and individuals may be reluctant to make complaints directly with an ISE due to the perceived lack of impartiality with which the complaint may be handled. If the complaint relates to privacy, individuals and other ISEs have avenues through which to raise concerns to an impartial authority. For complaints unrelated to privacy (e.g., the complaint relates to an instance of sharing incomplete information), individuals are limited to resolving their complaint with the ISE that is the subject of the complaint, with no clear pathways for further recourse to VCAT, the Department or another body. Furthermore, the lack of transparent complaints process means that there is no available data source through which to identify common issues or risks.

The prescribed details regarding complaints in the Regulations are sufficient for recording complaints. However, as complaints data is not collated, there are missed opportunities to identify and address common issues and risks associated with child wellbeing and safety and the operation of CISS.

4.4.4 Conclusion

Any potential misuse of information shared under CISS would not necessarily be detected under the current record keeping and data collection arrangements. The responsibility for reporting misuse of information lies with ISEs. However, the pathways and processes for complaints under CISS are lacking in clarity and transparency. As complaints data is not collated, there are missed opportunities to identify and address common issues and risks associated with child wellbeing and safety and the operation of CISS.

4.5 What could be done to address the issues, if any, of the Regulations?

Currently, there is a risk that information relating to the wellbeing or safety of a child is unable to be shared or requested, due to the organisation or individual not being a prescribed ISE. For example, a state-funded kindergarten prescribed in Phase Two cannot share information with the child’s occasional care centre.

To achieve the intended outcomes of CISS and effectively enable collaboration and information sharing between all services supporting the child’s wellbeing and safety, it will be necessary to plan for prescribing all entities who work with children in Victoria as ISEs over the medium- to long-term.

Expanding the operation of CISS carries some risks, particularly to the security of confidential information about children. Phasing should be carefully designed and staged to ensure new workforces are appropriately skilled and supported to share and receive confidential information in compliance with the CISS legislative and regulatory requirements.

Any expansion of CISS would require appropriate tailoring of implementation activities to the broad range of services who work with children in Victoria. These activities would likely incur a significant cost to government and the services. As with Phases One and Two, there is also the risk that understanding and use of CISS would take some time to be adequately embedded among these services.

4.5.2 Records required to be kept are not collated or aggregated to support Ministerial oversight

The Regulations prescribe a range of record keeping activities associated with complaints and instances of information sharing. However, data is not centrally collated or analysed to identify and address common issues and risks associated with child wellbeing and safety. Overall, there remains a risk that the current CISS reporting frameworks do not provide a complete picture of how child wellbeing and safety is being supported by CISS, and that relevant authorities (including ultimately, the Parliament) may not be able to obtain sufficient reporting completeness and transparency to determine the efficacy of CISS (including both benefits of CISS, and any unintended or adverse consequences).

It is acknowledged that there have been concerns throughout implementation regarding the impact of any data collation or reporting activities on ISEs, particularly regarding any potential administrative burden. Given these concerns, the issue of ongoing monitoring of CISS’ operation has not been substantively addressed or resolved. Currently, ISEs are collecting and keeping data regarding the utilisation of CISS, however, this data is not consistently or systemically used to inform an understanding of overall CISS usage or impact.

There remain opportunities to collate and use the records required to be kept by ISEs in an aggregated, de-identified manner to provide greater Ministerial oversight of how CISS is used, as well as informing the design and implementation of CISS in the future. If required, this could be supported by legislating powers to the Minister/s responsible for CISS to compel ISEs to provide data to the Department at nominated intervals or prescribing this in the regulatory requirements relating to the collection of data. However, any move in this direction would need to be proportionate to the anticipated benefit of such reporting requirements taking account of the time and effort burden on ISEs.

4.5.3 The inter-relationship of CISS with regulatory schemes and initiatives

CISS operates in conjunction with inter-related regulatory schemes and initiatives which aim to minimise adverse outcomes for Victorian children. For example, FVISS, MARAM, the Reportable Conduct Scheme, the Child Safe Standards and mandatory reporting. CISS is also subject to the remit of the Commission for Children and Young People, OVIC and HCC. Additionally, the recent establishment of the Human Services Regulator is intended to play a critical part in minimising harm and protecting the safety and rights of children and young people.

However, while there is an expectation that these schemes and initiatives collectively give adequate protection to the safety and wellbeing of children and the appropriate safeguarding of their personal information, they have been established incrementally over time and are intended to complement each other. This Review has focused on CISS, and analysis of the broader effectiveness of these inter-related schemes was beyond its scope. This Review suggests further analysis utilising appropriate legal and audit-based capabilities to assess the inter-relationship and comprehensiveness of these schemes in providing adequate safeguards for Victorian children should be considered.

4.5.4 Application of the legislative framework limited to Victoria

A key limitation of the legislation and regulations that cannot be addressed by the Victorian Government alone is CISS’ relatively limited application within the State’s borders. Many Victorians live in border communities, and services engaged in supporting a child may be dispersed across both Victoria and other jurisdictions (i.e., New South Wales, South Australia and Tasmania). This is also true where a child has recently moved states, and information may need to be sought from or shared by previous service providers. These issues of information sharing across borders were identified by the Royal Commission into Institutional Responses to Child Sexual Abuse, which then made several recommendations for all Australian Governments to support information sharing across borders where required to support children’s wellbeing and safety.

The outcomes of CISS would be best supported through clear links to complementary interstate schemes and clear procedural guidance for when information to support a child’s wellbeing and safety needs to be shared across borders.

4.5.5 Conclusion

The expansion of CISS to include all entities working with children in Victoria is recommended, subject to the relevance and appropriateness of the organisation and the information they hold, but careful planning is essential to manage security risks associated with confidential information. Moreover, the lack of central collation and analysis of records poses a risk to reporting completeness and transparency, hindering the ability to assess the effectiveness of CISS and any potential unintended consequences. Additionally, the limited application of the legislative framework to Victoria alone overlooks the border communities and services dispersed across jurisdictions, highlighting the need for clear links to interstate schemes and procedural guidance for cross-border information sharing to support children’s wellbeing and safety.

Notes

73 CIS Steering Committee, Agenda (17 November 2022).

74 ACIL Allen Consulting, Child Information Sharing Scheme Two-Year Review (December 2020), 30.

75 Victorian Government, Child Wellbeing (Information Sharing) Regulations 2018 – Regulatory Impact Statement (2017), 5

76 Ibid.

77 ACIL Allen Consulting, Child Information Sharing Scheme Two-Year Review (December 2020), 57.

78. Child Information Sharing Scheme Ministerial Guidelines – Guidance for Information Sharing Entities, 50

Updated 29 August 2024