Victorian Information Privacy Principles

 

The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980; updated 2013). The OECD guidelines form the basis of data protection (information privacy) principles in many jurisdictions.

With limited exemptions (see ss 10–12, 14, 15 Privacy and Data Protection Act 2014 (Vic) (“PDP Act”)), Victorian public sector organisations must comply with the IPPs. The following is a summary of the IPPs (for full text, see sch 1 PDP Act).

IPP 1: Collection

An organisation must only collect personal information that is necessary for the performance of its functions. An organisation must advise individuals of the purpose for the collection of personal information, that they are entitled to access their personal information, and how to do this.

IPP 2: Use and disclosure

An organisation can only use and disclose personal information in accordance with the primary purpose it was collected for or for a related secondary purpose that a person would reasonably expect. In the case of sensitive information (see IPP 10, below), it must be directly related to the primary purpose of collection. Generally, where the use or disclosure would not be reasonably expected, the law allows the use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, research purposes, to assist in law enforcement activities or to investigate a suspected unlawful activity. Otherwise use and disclosure for a secondary purpose can only be by consent.

IPP 3: Data quality

Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date.

IPP 4: Data security

Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.

IPP 5: Openness

Organisations must produce a document that clearly expresses their policies on the management of personal information; this document is usually called a “privacy policy”. An organisation must provide their privacy policy to anyone who requests it.

IPP 6: Access and correction

Individuals have a right to seek access to their personal information and to make corrections, subject to limited exceptions (e.g. if access would threaten the life or health of an individual). Access and correction rights are mainly handled by the Freedom of Information Act 1982 (Vic) (see Freedom of information law).

IPP 7: Unique identifiers

Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual’s name, such as a driver’s licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for that organisation to carry out one of its functions, or by consent.

IPP 8: Anonymity

If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.

IPP 9: Transborder data flows

An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the PDP Act, or in other limited circumstances. The privacy rights an individual has in Victoria remain, despite the information being transferred to another jurisdiction.

IPP 10: Sensitive information

An organisation can only collect sensitive information in restricted circumstances, or by consent. “Sensitive information” is defined in schedule 1 of the PDP Act and includes information about an individual’s race or ethnicity, political views, religious and philosophical beliefs, sexual preferences, membership of a trade union, or a political or professional association, or information about a criminal record.

Exemptions from the Victorian Information Privacy Principles and data security standards

The PDP Act exempts particular acts and practices from needing to comply with the IPPs. These particular acts and practices relate to the handling of personal information and specific categories of information. These exemptions apply to:

Judicial and quasi-judicial functions of courts and tribunals (s 10). This exemption also applies to court registries and other court/tribunal staff carrying out their duties. The exemption does not apply to personal information collected for non-judicial functions (e.g. for the maintenance of staff records and general administrative matters).

Royal commissions, boards of inquiry and formal reviews (s 10A). This exemption only applies when personal information is collected in connection with the function of the Royal commission, board or review.

Parliamentary committees (s 11). This exemption only applies when personal information is collected in connection with the function of a parliamentary committee.

Publicly available information. This exemption applies to publications that are generally available to the public (e.g. a telephone directory). This exemption also includes documents kept in libraries, galleries and museums for research; public records under the control of the Keeper of the Public Records and available for public inspection under the Public Records Act 1973 (Vic); and archives within the meaning of the Copyright Act 1968 (Cth) (s 12). Note that public registers are only partially exempt under this provision (s 12(2)): under section 20(2), organisations administering a public register must “so far as is reasonably practicable” comply with the IPPs.

Organisations subject to the Freedom of Information Act 1982 (Vic) (“FoI Act (Vic)”). These organisations do not have to comply with IPP 6 if they are exempt from the FoI Act (Vic). This exemption clarifies that the PDP Act does not limit the operation of the FoI Act (Vic). However, private sector organisations contracted to provide services on the government’s behalf are not subject to the FoI Act (Vic) and have to comply with IPP 6.

Law enforcement agencies. A law enforcement agency is exempt from complying with some of the IPPs if non-compliance is necessary to carry out law enforcement activities. “Law enforcement agency” is defined in section 3 of the PDP Act. Law enforcement agencies include a state police force, the Australian Federal Police, the Commissioner for Corrections, agencies carrying out correctional services, the sheriff, and the Independent Broad-based Anti-corruption Commission (IBAC). The exemption is only partial. The agency claiming the exemption must be actually carrying out a law enforcement function at the time of handling information. The exemption also does not apply to all the IPPs (e.g. IPP 3 (data quality) and IPP 4 (data security)). In addition to the law enforcement exemption, Victoria Police is also exempt if non-compliance is necessary to carry out its community policing functions. In Smith v Victoria Police (General) [2005] VCAT 654 – which dealt with the matter of the police releasing a mug-shot of a convicted person to a newspaper – VCAT held that “community policing” was not limited to activities such as notifying next of kin of a death or investigating missing persons, but could also include activities directed toward community engagement in policing initiatives.

Organisations granted a determination. Organisations granted a public interest determination, or temporary public interest determination, or are party to an information usage arrangement (seeVictorian Commissioner for Privacy and Data Protection”) are exempt from needing to comply with the IPPs.

Note that the IPPs and any approved Code of Practice give way to any other Act to the extent that they are inconsistent with the other Act. This means that where another Act expressly permits the use and disclosure of personal information, but this is not permitted under the IPPs, the other Act prevails.