Victorian privacy legislation: Privacy and Data Protection Act 2014
The Privacy and Data Protection Act 2014 (Vic) (“PDP Act”) commenced on 17 September 2014. The PDP Act repealed and replaced the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic). Effectively, the PDP Act merged the two offices and roles of the Victorian Privacy Commissioner and the Commissioner for Law Enforcement Data Security into a single Commissioner for Privacy and Data Protection (“PDP Commissioner”), who is responsible for overseeing Victoria’s privacy and data protection regime.

The PDP Act re-enacts the previous Information Privacy Principles (IPPs) in full. The IPPs (described more fully below) set out minimum enforceable standards with which the Victorian public sector must comply when collecting and handling personal information about individuals. There are some exceptions that are detailed below.

“Personal information” means information (whether true or not) or an opinion that is recorded in any form about an individual whose identity is apparent or whose identity can be reasonably ascertained from the information. In WL v La Trobe University [2005] VCAT 2592, the Victorian Civil and Administrative Tribunal (VCAT) rejected the respondent’s argument that the definition required a person’s identity to be ascertained from the information in question alone; VCAT accepted that the word “ascertained” allowed extraneous material to be used to identify a person. The definition of “personal information” expressly excludes “health information” to which the Health Records Act 2001 (Vic) applies (see “Health Records Act”).

The PDP Act applies to Victorian “public sector organisations”. This includes Victorian Government ministers and parliamentary secretaries, public sector agencies, statutory bodies and local councils (for the full list, see s 13 PDP Act). Service providers – including private sector organisations contracted to the Victorian Government – are also bound by the IPPs if there is an enforceable contract that requires this (s 17(4)).

The objects of the PDP Act are:

to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;

to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;

to promote public awareness of the responsible handling of personal information in the public sector;

to promote the responsible and transparent handling of personal information in the public sector;

to promote responsible data security practices in the public sector.

Key features of the PDP Act include:

the requirement for Victorian public sector organisations to handle personal information in accordance with the 10 IPPs;

the establishment of an independent statutory office of the Victorian PDP Commissioner who educates, advises, audits, enquires, monitors, consults, comments on privacy issues and independently receives and conciliates privacy complaints in accordance with the PDP Act;

the power of the PDP Commissioner to make public interest determinations, information usage arrangements and to issue certificates that state an act or practice is consistent with the IPPs;

the power of the PDP Commissioner to issue an enforceable compliance notice for serious or flagrant breach of one or more of the IPPs;

remedies for interferences with privacy, including correcting the breach, and apologising and compensating the individual concerned;

provision for the registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see pt 4); and

access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) rights do not apply (see Freedom of information law).