Victorian privacy legislation: Privacy and Data Protection Act
The Privacy and Data Protection Act 2014 (Vic) (‘PDP Act’) sets out minimum enforceable standards with which the Victorian public sector must comply when collecting and handling personal information. It also establishes the Office of the Victorian Information Commissioner (‘VI Commissioner’) and the roles of the VI Commissioner and the Privacy and Data Protection Deputy Commissioner (‘PDP Commissioner’).
Under the PDP Act, ‘personal information’ means information (whether true or not) or an opinion that is recorded in any form about an individual whose identity is apparent or can be reasonably ascertained from the information. The definition of personal information expressly excludes ‘health information’ to which the Health Records Act 2001 (Vic) (‘HR Act’) applies (see ‘Health Records Act’, below).
The PDP Act applies to Victorian ‘public sector organisations’. This includes Victorian Government ministers and parliamentary secretaries, public sector agencies, statutory bodies and local councils (for the full list, see PDP Act s 13). Service providers – including private sector organisations contracted to the Victorian Government – are also bound by the Victorian Information Privacy Principles (IPPs) if there is an enforceable contract that requires this (s 17(4)).
The objects of the PDP Act are:
to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;
to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;
to promote public awareness of the responsible handling of personal information in the public sector;
to promote the responsible and transparent handling of personal information in the public sector; and
to promote responsible data security practices in the public sector.
Key features of the PDP Act include:
the requirement for Victorian public sector organisations to handle personal information in accordance with the 10 IPPs;
conferring on the VI Commissioner functions to educate, advise, audit, enquire, monitor, consult, comment on privacy issues and independently receive and conciliate privacy complaints in accordance with the PDP Act;
the power of the VI Commissioner to make public interest determinations, information usage arrangements and to issue certificates that state an act or practice is consistent with the IPPs;
the power of the VI Commissioner to issue an enforceable compliance notice for serious or flagrant breach of one or more of the IPPs;
remedies for interferences with privacy, including correcting the breach, and apologising and compensating the individual concerned;
provision for the registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see pt 4); and
access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) (‘FoI Act (Vic)’) rights do not apply (see Chapter 12.3: Freedom of information law).
The VI Commissioner also has several functions under the PDP Act in relation to protective data security and law enforcement data security under part 4 of the PDP Act. While data security obligations are incorporated into IPP 4, these are additional obligations that the PDP Act requires of the Victorian public sector and law enforcement agencies. Part 4 does not apply to local councils, universities, public hospitals and public health services. The type of information that is the subject of these functions includes, but is not limited to, personal information.
In February 2020, the VI Commissioner published the Victorian Protective Data Security Framework (Version 2.0), which provides direction to the Victorian public sector on their data security obligations. For more information about these functions, the standards and the framework, see www.ovic.vic.gov.au.
Chapter: 12.2: Privacy and your rights
Contributor: Melanie Casley, Senior Privacy Consultant, Salinger Privacy
Current as of: 1 September 2024
Law Handbook Page: 1011