Victorian privacy legislation


The Victorian public sector must observe standards in 10 Information Privacy Principles (IPPs). Legislation operating from December 2014 is expected to merge the roles of two existing Commissioners to create a single Victorian Commissioner for Privacy and Data Protection, with responsibility for the oversight of the privacy and data protection regime. The IPPs will remain, and government departments will be able to obtain rulings or approvals for proposed use of personal information.

Privacy and Data Protection Act 2014

The Privacy and Data Protection Act 2014 (Vic) (“PDPA”) commenced on 17 September 2014. The PDPA repealed the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic) and replaced the two Acts. Effectively, the PDPA merged the two offices and roles of the Victorian Privacy Commissioner and Commissioner for Law Enforcement Data Security into a single Commissioner for Privacy and Data Protection, who is responsible for oversight of the privacy and data protection regime in Victoria.

The PDPA re-enacts the previous Information Privacy Principles (IPPs) in full. The IPPS (described more fully below) set out minimum enforceable standards with which the Victorian public sector must comply when collecting and handling personal information about an individual. There are some exceptions that are detailed below.

“Personal information” means information or an opinion that is recorded in any form, whether true or not, about an individual whose identity is apparent or whose identity can be reasonably ascertained from the information. In WL v La Trobe University [2005] VCAT 2592, VCAT rejected the respondent’s argument that the definition required that a person’s identity could be ascertained from the information in question alone, and accepted that the use of the word “ascertained” allowed for the use of extraneous material to identify a person. The definition expressly excludes “health information” to which the Health Records Act 2001 (Vic) applies (see “Health Records Act” for more information). The PDPA applies to Victorian “public sector organisations”, including Victorian Government ministers and parliamentary secretaries, public sector agencies, statutory bodies and local councils (for the full list, see s 13 PDPA). Service providers – including private sector bodies contracted to the Victorian Government – are also bound by the IPPs if there is an enforceable contract that requires this (s 17(4)).

The objects of the PDPA are:

to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;

to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;

to promote public awareness of responsible personal information handling practices in the public sector;

to promote the responsible and transparent handling of personal information in the public sector; and

to promote responsible data security practices in the public sector.

Key features of the PDPA include:

the requirement for Victorian public sector organisations to handle personal information in accordance with the 10 IPPs;

the establishment of an independent statutory office of the Victorian Privacy and Data Protection Commissioner, with functions to educate, advise, audit, enquire, monitor, consult, comment on privacy issues and independently receive and conciliate privacy complaints in accordance with the PDPA;

the power of the Commissioner to make public interest determinations, information usage arrangements and issue certificates that an act or practice is consistent with the IPPs;

the power of the Commissioner to issue an enforceable compliance notice for serious or flagrant breach of one or more of the IPPs;

remedies for interferences with privacy, including apology, correction and compensation;

provision for registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see pt 4); and

access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) (“FoI Act (Vic)”) rights do not apply (see Freedom of information law).

Victorian Privacy and Data Protection Commissioner

The Victorian Privacy and Data Protection Commissioner (“PDP Commissioner”) reports to the Victorian Parliament through the Attorney-General. The PDP Commissioner’s functions include:

to promote an understanding and acceptance of the IPPs and their objects;

to educate people in the Victorian public sector and the wider community about information privacy;

to receive complaints and facilitate conciliation in accordance with the PDPA relating to alleged breaches of the IPPs by Victorian public sector organisations;

to conduct audits to establish whether records of personal information are kept in accordance with the IPPs or an approved Code of Practice;

to conduct investigations and issue compliance notices if it appears a public sector organisation has committed a serious or flagrant breach of one or more of the IPPs, a code of practice or an approved information usage arrangement, or a breach has occurred five or more times in the last two years;

to produce guidelines on developing codes of practice under the IPA and to assess codes submitted for approval;

to advise government on legislation and policies affecting privacy; and

to monitor developments in data processing and computer technology.

The PDP Commissioner has the power to make a public interest determination (PID) or a temporary public interest determination (TPID) that permits an organisation to contravene a specified IPP (except IPP 4, 6) or an approved code of practice if the public interest in doing so substantially outweighs the public interest in complying with the IPP or code (pt 3 div 5 PDPA). A PID and TPID can be disallowed by parliament. For detailed information about public interest determinations, see “Guidelines to Public Interest Determinations” at www.oaic.gov.au.

An organisation may apply to the PDP Commissioner for approval of an information usage arrangement with other parties if the proposed handling of personal information does not comply with one or more of the IPPs (other than IPP 4, 6) or an approved code of practice and is not otherwise expressly permitted under the PDPA or another Act. Parties to the arrangement can include a person or body that is an agency of the Commonwealth, another state or territory, and a private sector organisation, whether or not located in Victoria. The PDP Commissioner must issue a report about an information usage arrangement in respect of which approval has been sought and issue a certificate if they decide that there is a substantial public interest in permitting the arrangement. The report and certificate must then be sent to the responsible government minister for each organisation that is a party to the arrangement for approval. There are provisions for revocation of usage arrangements and requirements for organisations that are a party to an arrangement to report to the PDP Commissioner at least annually (pt 3 div 6 PDPA).

The PDP Commissioner can certify that an act or practice is consistent with the IPPs, an approved code of practice or an information handling provision, and a person who acts in good faith in accordance with that certificate does not contravene the PDPA. An individual or organisation whose interests are affected by the certificate can apply to VCAT for a review (pt 3 div 7 PDPA).

The PDP Commissioner also has a number of functions under the PDPA in relation to protective data security and law enforcement data security. While data security obligations are incorporated into IPP 4, these are additional obligations that the PDPA requires of the Victorian public sector and law enforcement agencies. The information that is the subject of these functions includes, but is not limited to, personal information. For more information about these functions, see www.dataprotection.vic.gov.au.

To contact the PDP Commissioner, see Commissioner for Privacy and Data Protection under “Contacts”.

Victorian Information Privacy Principles

The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD guidelines were developed in 1980 and form the basis of data protection (information privacy) principles in many jurisdictions.

With limited exemptions (see ss 10–12, 14, 15 IPA), Victorian public sector organisations must comply with the IPPs. The following is a short summary of the IPPs (for full text, see sch 1 IPA).

1 Collection: An organisation must only collect personal information that is necessary for the performance of its functions. An organisation must advise individuals of the purpose for the collection of personal information, that they are entitled to access their personal information, and how to do this.

2 Use and disclosure: An organisation can only use and disclose personal information in accordance with the primary purpose it was collected for or, a related secondary purpose that a person would reasonably expect. In the case of sensitive information (see IPP 10), it must be directly related to the primary purpose of collection. Generally, where the use or disclosure would not be reasonably expected, the law allows use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, to assist in law enforcement activities or to investigate a suspected unlawful activity. Otherwise use and disclosure for a secondary purpose can only be by consent.

3 Data quality: Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date.

4 Data security: Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.

5 Openness: Organisations must produce a document that clearly expresses their policies on the management of personal information and provide the policies to anyone who asks for them. This document is typically referred to as a “privacy policy”.

6 Access and correction: Individuals have a right to seek access to their personal information and make corrections, subject to some limited exceptions, such as where access would pose a threat to the life or health of any individual. Access and correction rights are mainly handled under the FoI Act (Vic) (see Freedom of information law).

7 Unique identifiers: Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual’s name, such as a driver’s licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for that organisation to carry out one of its functions, or by consent.

8 Anonymity: If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.

9 Transborder data flows: An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the IPA, or in other limited circumstances. The privacy rights an individual has in Victoria must remain, despite the information being transferred to another jurisdiction.

10 Sensitive information: An organisation can only collect sensitive information in restricted circumstances, or by consent. “Sensitive information” is defined in schedule 1 of the IPA and includes information about an individual’s racial or ethnic origin, political views, religious and philosophical beliefs, sexual preferences, membership of a trade union or of a political, professional or trade association, or criminal record.

Exemptions from the IPPs and data security standards

The PDPA exempts from compliance with some or all of the IPPs particular acts and practices concerning personal information handling and specific categories of information. These exemptions are:

judicial and quasi-judicial functions of courts and tribunals. This exemption includes court registries and staff carrying out duties relating to those functions. The exemption does not relate to personal information collected for other functions such as maintenance of staff records or general administrative matters (s 10);

royal commissions, boards of inquiry, and formal reviews in connection with their functions (s 10A);

parliamentary committees in the course of carrying out their functions (s 11);

publicly available information – this applies to a publication that is generally available to the public (e.g. a telephone directory). It also includes documents kept in libraries, galleries and museums for research; public records under the control of the Keeper of the Public Records and available for public inspection under the Public Records Act 1973 (Vic); or archives within the meaning of the Copyright Act 1968 (Cth) (s 12). Note that public registers are only partially exempt under this provision (s 12(2)). Under section 20(2), organisations administering a public register must “so far as is reasonably practicable” comply with the IPPs;

organisations subject to the FoI Act (Vic) need not comply with IPP 6, nor are they required to comply with IPP 6 if they are exempt from the FoI Act (Vic). This exemption clarifies that the PDPA does not limit the operation of the FoI Act (Vic). However, private sector organisations contracted to provide services on the government’s behalf are not subject to the FoI Act (Vic) and have to comply with IPP 6;

a law enforcement agency is exempt from some of the IPPs if it believes, on reasonable grounds, that non-compliance is reasonably necessary when carrying out its own or another agency’s law enforcement activities. “Law enforcement agency” is defined under section 3 and includes a state police force, the Australian Federal Police, the Commissioner for Corrections, agencies carrying out correctional services, the Sheriff, the IBAC and other agencies whose functions are related to law enforcement functions. The exemption is only partial: the agency claiming the exemption must actually be carrying out a law enforcement function at the time, and it does not apply to all the IPPs, for example IPP 3 (data quality) and IPP 4 (data security). In addition to the law enforcement exemption, Victoria Police is also exempt if non-compliance is necessary for the purpose of its community policing functions. In Smith v Victoria Police (General) [2005] VCAT 654, VCAT held that “community policing” was not limited to activities such as notifying next of kin of a death or investigating missing persons, but could also include activities directed toward community engagement in policing initiatives. In that case the police had released a “mug-shot” of a convicted person to a newspaper;

organisations granted a public interest determination or temporary public interest determination, or an “information usage arrangement” (see “Victorian Privacy and Data Protection Commissioner”).

Note that the IPPs and any approved code of practice give way to any other Act to the extent that they are inconsistent with other Acts. This means that where another Act expressly permits use and disclosure of personal information that would otherwise not be permitted under the PDPA, the other Act prevails.

Complaints and conciliation

Individuals can complain to the Commissioner about an act or practice that may breach an IPP. The alleged breach must be in relation to the personal information of a living person. There are provisions under the PDPA that enable minors, or persons who are unable to complain because of a physical or mental disability, to have someone complain on their behalf (ss 59, 60). The Commissioner has an obligation to try to conciliate complaints wherever possible. Where appropriate, complaints can be referred to the Victorian Ombudsman, the Health Services Commissioner, the Australian Privacy Commissioner, the Disability Services Commissioner, the Freedom of Information Commissioner, the Commission for Children and Young People, or the Mental Health Complaints Commissioner.

The Commissioner has the power to decline to entertain complaints in certain circumstances (s 62), including where:

the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;

the complainant has not complained to the organisation before making a complaint to the Commissioner;

the Commissioner has formed the view that the complaint is frivolous, vexatious or lacking in substance; or

the complainant does not make a complaint to the Commissioner within 45 days of becoming aware of the alleged privacy breach.

Remedies

If the Commissioner declines a complaint – or conciliation of the complaint is not reasonably possible or has been attempted but has failed – a complainant may, in writing, direct the Commissioner to refer their complaint to the Victorian Civil and Administrative Tribunal (VCAT).

A referral to VCAT is considered to be a fresh hearing of the complaint. The Commissioner can decide to intervene in any proceeding before VCAT, and can be joined by VCAT as a party to the proceeding. If VCAT upholds a complaint as a breach of privacy, potential remedies include:

orders to correct information;

restraint orders;

reimbursement of expenses; and

compensation orders of up to $100,000.

Compliance notices (s 78)

The Commissioner can serve a compliance notice on an organisation where it appears that the organisation has done an act that is in serious or flagrant breach of one or more of the IPPs or an approved code of practice, or the act or practice (whether or not serious or flagrant) has been done five times in the last two years. The Commissioner has enforceable powers to obtain information and documents and take evidence on oath in relation to an investigation. If an organisation is served with a compliance notice, penalties apply for failure to comply, which is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.

Information and materials

At the time of writing (June 2015), the Office of Privacy and Data Protection’s website is under construction. The website has links to the former Office of the Victorian Privacy Commissioner website (Privacy Victoria) for access to previous publications in relation to the privacy provisions that are largely unchanged under the PDPA.

Privacy Victoria’s website (www.cpdp.vic.gov.au) has a number of publications on privacy including guidelines for organisations working with the IPPs, issue papers and reports on a range of topics, introductory brochures, information sheets, and case notes.

All publications are available free from Privacy Victoria’s website. Case notes are also published on the privacy law library on the World Legal Information Institute’s website (www.worldlii.org).

Health Records Act, Charter Act and other Victorian laws

Health Records Act

The Health Records Act 2001 (Vic) (“HRA”) commenced operation on 1 July 2002. It establishes a framework to protect the privacy of individuals’ health information that is held by both the public and private sectors in Victoria. It also provides individuals with an enforceable right of access to their health information held in the private sector.

The objects of the HRA are:

to require responsible handling of health information in the public and private sectors;

to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information;

to enhance the ability of individuals to be informed about their health care or disability services;

to promote the provision of quality health services, disability services and aged-care services.

Under the HRA, health information that is collected, held or used by organisations must be handled in accordance with 11 Health Privacy Principles (HPPs). Note that unlike personal information regulated by the PDPA, the health information does not have to be recorded. These HPPs are legally binding and apply to:

all personal information collected in providing a health, mental health, disability, aged-care or palliative care service, including:

information about an individual’s expressed wishes about the future provision of health services;

personal information about an individual collected in connection with donation or future donation of human tissue;

genetic information that is or could be predictive of the health of an individual or any of his or her descendants; and

all health information held by other organisations subject to the HRA listed in section 10 (public sector) and section 11 (private sector).

The following is a short summary of the HPPs, which are set out in full under Schedule 1 of the HRA:

1 Collection: An organisation can only collect health information if it is necessary for one or more of its functions and the individual consents (unless a law enforcement agency), or it is necessary to provide a health service and the individual is incapable of giving consent; for research purposes if in accordance with guidelines approved by the Health Services Commissioner; if it is necessary to prevent serious and imminent threat to the individual or serious threat to the public or if it is required or authorised by law. HPP 1 also prescribes how the information is to be collected.

2 Use and disclosure: An organisation can use and disclose health information for the primary purpose of collection or a directly related secondary purpose that an individual would reasonably expect. Otherwise use and disclosure must be by consent; if authorised or required by law and for other public purposes such as to prevent serious or imminent harm. Disclosure to immediate family is permitted where an individual is incapable of giving consent, has no authorised representative and hasn’t expressed a prohibition when not incapable. Organisations are also permitted to disclose health information if the individual is known or believed to be dead, missing or incapable of giving consent and the information is needed to identify the person or immediate family.

3 Data quality: An organisation must take reasonable steps to ensure individuals’ health information is accurate, complete and up-to-date and relevant to the organisation’s functions.

4 Data security and data retention: An organisation must take reasonable steps to protect health information it holds from misuse, loss, unauthorised access, modification or disclosure. Health service providers must not delete health information even where later found to be inaccurate, except in the limited circumstances listed in the HPP. A health service provider that transfers health information to another individual or organisation and does not keep a copy must record the name and address details of where it was transferred. An organisation other than a health service provider must take reasonable steps to permanently de-identify or destroy health information no longer needed for any purpose. For public sector organisations this will be subject to the Public Records Act 1973 (Vic).

5 Openness: An organisation must have a written policy about how it manages health information and how individuals can access their health information. On request, the organisation must take reasonable steps to tell an individual whether it holds health information about them, and if so, the kind of information, what it is needed for, and how the organisation handles the information.

6 Access and correction: An organisation must provide access to health information it holds about individuals on request in accordance with part 5 of the HRA. There are a number of exceptions to this, including where access would pose a serious threat to the health or safety of a person, have an unreasonable impact on the privacy of others, or the information is confidential under section 27 of the HRA. Note that HPP 6 does not apply to public sector organisations subject to the FoI Act (Vic) (see “Exemptions from the HRA and HPPs”).

If an individual establishes that health information held by an organisation is not accurate, complete or up-to-date the organisation must take reasonable steps to correct that information – but cannot delete it unless in accordance with HPP 4. If the organisation is unwilling to correct the information it must take reasonable steps to attach any written statement about the inaccuracy to the information. If the organisation accepts the need to correct the information there are a number of provisions that guide the organisation on how to address this where there are difficulties in correcting the information.

If an organisation refuses a request for access and correction, it must provide written reasons for doing so.

7 Identifiers: An organisation can only give an individual an identifier if it is reasonably necessary to enable the organisation to carry out its functions efficiently. If a public sector organisation has assigned an identifier, private sector organisations are only allowed to use and disclose the same identifier in limited circumstances.

8 Anonymity: If lawful and practicable, organisations must give individuals the option of remaining anonymous when engaging with the organisation.

9 Transborder data flows: An organisation can only transfer health information outside Victoria in limited circumstances, including with the individual’s consent and where there are safeguards around the privacy of the information similar to those in the HRA.

10 Transfer or closure of the practice of a health service provider: This HPP applies where a health service provider sells or otherwise transfers the business, or the business closes down. It details how notice must be given to individuals whose health information is held, and how information is transferred. If individuals request transfer of the information to them, then it is treated as a request for access under part 5 or HPP 6. If the request is for transfer to another health service provider, then HPP 11 applies.

11 Making information available to another health service provider: A health service provider must make health information available to another health service provider on request or authority of the individual who the information is about.

Exemptions from the HRA and HPPs

The following exemptions apply to the HRA and HPPs:

individuals who hold health information in connection with their personal, family or household affairs (s 13);

judicial and quasi-judicial functions including registry and other staff carrying out tasks relating to those functions (s 14);

royal commissions, boards of inquiry, or formal reviews in connection with their functions (s 14A);

publicly available information – this mirrors the exemption under the PDPA. Note it does not apply where the organisation relying on the exemption knows that the health information generally available to the public has been obtained in breach of the HRA (s 15);

organisations subject to the FoI Act (Vic) are not required to comply with any of the access and correction provisions under part 5, HPP 5.2 or HPP 6 (s 16);

news media are exempt from HPP 1, 2 and 9 (collection, use, disclosure and transfer) in relation to news activities. Unless the health information is published, they are not required to comply with part 5, HPP 5.2 or HPP 6 (s 17). News media are defined as organisations whose principal business consists of news activities and news activities include gathering of news, preparation of articles or programs about news or current affairs intended to be or actually published.

Health Services Commissioner

The Health Services Commissioner (“HSC”) administers the HRA and accepts complaints relating to interference with health privacy, including access to health information (see “Complaints, rulings and investigations”). The HSC has the power to issue guidelines in relation to certain parts of HPP 1, 2, 6 and 10, to approve guidelines prepared by a public sector organisation or other person or body, or to vary any guidelines. The guidelines can lessen the protections provided by an HPP, but only if it is substantially in the public interest to do so. The Governor in Council can disallow guidelines. The HSC published two statutory guidelines in February 2002: one on research (HPP 1.21(iii), 2.2(g)(iii)) and one on the transfer and closure of a practice (HPP 11). The HSC has numerous other functions, including conducting audits of records of health information, undertaking research, undertaking educational programs, and issuing rulings and compliance notices. (For the full list, see section 87.)

Complaints, rulings and investigations

The HSC can receive complaints about an act or practice that is said to breach one of the HPPs or the access and correction provisions under part 5 of the HRA. The complaint can be about the interference with privacy of a deceased individual up to 30 years after death, whether the interference occurred before or after death. The HSC can also investigate complaints referred by the Ombudsman, the Freedom of Information Commissioner or the Privacy and Data Protection Commissioner. Provision is made for complaints to be made on behalf of children, or of persons with a physical or mental disability that makes them incapable of making a complaint (s 47).

The HSC can decline to entertain a complaint on a number of grounds, including:

failure to complain to the respondent to the complaint before complaining to the HSC;

the complaint is made more than 12 months after the complainant became aware of the matter complained of;

the complaint is being dealt with adequately by another body;

the complaint is frivolous, vexatious or lacking in substance (for full list, see section 51).

The HSC can refer the complaint to the Privacy and Data Protection Commissioner, the Australian Privacy Commissioner, or the Disability Services Commissioner. If the complaint is about a registered health practitioner, the HSC can refer any part of the complaint to the appropriate registration board if the board has power to resolve or deal with the matter.

If the complaint is accepted, the HSC can either decide to attempt to conciliate the complaint, decide to make a ruling, or, if neither is appropriate, decide not to entertain the complaint any further. If the HSC decides to decline to entertain a complaint, or decides that conciliation or a ruling is not appropriate, or conciliation is attempted and fails, the complainant can require the HSC to refer the complaint to VCAT for a hearing.

The HSC can investigate a complaint that has not been declined or conciliated and make a ruling as to whether there has been a breach of the complainant’s privacy, and give written notice of the ruling to the complainant and respondent. The ruling must include reasons and specify any action required to remedy the complaint and the time, not exceeding a month, within which it must be taken. The respondent has to report back within a specified time, and failure to do so attracts a penalty. The complainant and respondent both have rights to have the complaint referred to VCAT following a ruling.

The HSC also has the power to investigate and serve a compliance notice, whether or not a complaint has been made, if it appears there has been a serious or flagrant contravention of the HRA, or the same type of contravention, whether or not serious or flagrant, has occurred five times or more in the last two years. The HSC has enforceable powers to obtain information and documents to assist the investigation and to take evidence on oath. Failure to comply with a compliance notice attracts penalties and is an indictable offence. A recipient of a compliance notice, or any individual or organisation affected by the notice, can refer the matter to VCAT for review.

Charter of Human Rights and Responsibilities Act

The Charter of Human Rights and Responsibilities Act 2006 (Vic) (“Charter Act”) provides individuals with the right not to have their privacy, family, home or correspondence unlawfully or arbitrarily interfered with (s 13). The wording of section 13 mirrors that of Article 17 of the ICCPR.

The Charter Act does not provide a new avenue of redress for individuals who believe their privacy has been breached, but it does impose an obligation on all Victorian public sector organisations to act in a way that is compatible with the human rights protected by the Charter Act. The Victorian Ombudsman can investigate complaints about an administrative action taken by a public authority, including actions in breach of the Charter Act. The Charter Act also allows a person to raise a human rights argument alongside existing remedies or legal proceedings involving public authorities, and there are a number of examples of proceedings before VCAT in which a breach of the right to privacy under the Charter Act has been raised.

The Charter Act requires that all statutory provisions, whether enacted before or after the Charter Act, are as far as possible interpreted in a way that is compatible with human rights. It also provides that all new legislation introduced into the Victorian Parliament must be accompanied by a statement of compatibility with the Charter Act (see Discrimination and human rights, for more information on the Charter Act and the Victorian Equal Opportunity and Human Rights Commission).

Other related Victorian laws

Freedom of Information Act

The Freedom of Information Act 1982 (Vic) (“FOI Act”) provides individuals with access and correction rights for documents containing their personal information that are held by public sector organisations. Under section 33 of the FOI Act, a document is an exempt document in relation to a freedom of information application if its disclosure would involve the unreasonable disclosure of information relating to the personal affairs of any person (including a deceased person). The exemption would not generally apply if the personal information relates to the applicant only. If a decision is made to grant access to a document containing personal information about another person, then, if practicable, that individual (or, in the case of a deceased person, their next of kin) should be notified and advised of their right of appeal to VCAT. (See Freedom of information law.)

Public Records Act

The Public Records Act 1973 (Vic) imposes obligations on public sector organisations with respect to the retention and disposal of public records. These obligations override any conflicting provisions in the PDPA or the HRA. Where public records transferred to the Public Record Office Victoria contain information of a private or personal nature, the responsible government minister can declare that they should not be available for public inspection for a specified period of time.

Surveillance Devices Act

The Surveillance Devices Act 1999 (Vic) regulates the installation, use and maintenance of surveillance devices throughout Victoria, and the communication and publication of surveillance records. Breach of the Act is a criminal offence. In August 2010, in Surveillance in Public Places: Final Report, the Victorian Law Reform Commission recommended the creation of two statutory causes of action: one dealing with misuse of private information, the other with intrusion upon seclusion, that is, unwarranted interference with spatial privacy. No legislative changes have resulted from the report at this stage.

Telecommunications (Interception) (State Provisions) Act

The Telecommunications (Interception) (State Provisions) Act 1988 (Vic) enables IBAC and Victoria Police to intercept telecommunications in accordance with the Telecommunications (Interception and Access) Act 1979 (Cth). It provides safeguards and oversight by creating a Public Interest Monitor, who must be notified of all applications for a warrant under the Commonwealth Act, including matters that weigh against granting a warrant; imposes strict record-keeping requirements; limits access to records of information obtained from interceptions; and establishes a destruction regime for those records. It also provides for the Victorian Inspectorate, which must inspect records of interceptions and report on any contravention of the legislation.