
VICTORIAN PRIVACY LEGISLATION

Dr Anthony Bendall, Deputy Privacy Commissioner, Office of the Victorian Privacy Commissioner

Information Privacy Act 2000

The Information Privacy Act 2000 (Vic) ("IPA 2000") sets standards for the collection and handling of personal information by Victorian public sector organisations. These standards are contained in the ten Information Privacy Principles (IPPs) located in Schedule 1 of the IPA 2000.

The IPA 2000 defines "personal information" as recorded information or opinion, whether true or not, about a readily identifiable individual. This excludes "health information" (see: "Health Records Act 2001", below, for more information). The IPA 2000 applies to Victorian "public sector organisations", including Victorian government agencies, statutory bodies and local councils (see: s.9 of the IPA 2000 for the full list). Service providers who are contracted to the Victorian government are also bound by the IPPs if the contract requires this (s.17).

The objects of the IPA 2000 are:

  • to balance the public interest in the free flow of information with the public interest in respect for privacy and the protection of personal information collected and held by Victorian public sector organisations;
  • to promote the responsible and transparent handling of personal information by Victorian public sector organisations; and
  • to promote public awareness of the handling, collection and use of personal information.

Key features of the IPA 2000 include:

  • the requirement for Victorian public sector organisations to handle personal information in accordance with the ten IPPs;
  • establishment of an independent statutory office of the Victorian Privacy Commissioner ("Privacy Victoria"), with functions to educate, advise, audit, enquire, monitor, consult, comment on privacy issues and independently receive and conciliate privacy complaints in accordance with the IPA 2000;
  • remedies for interferences with privacy, including apology, correction and compensation;
  • provision for registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see Part 4); and
  • access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) ("FoI Act (Vic)") rights do not apply (see: Chapter 21*6 Freedom of Information).

VICTORIAN PRIVACY COMMISSIONER

The Victorian Privacy Commissioner ("the Commissioner") reports to the Victorian Parliament through the Attorney-General. The Commissioner's functions include:

  • to promote an understanding and acceptance of the IPPs and their objects;
  • to educate people in the Victorian public sector and the wider community about information privacy;
  • to receive complaints, conduct investigations and facilitate conciliation in accordance with the IPA 2000 relating to alleged breaches of the IPPs and interference with information privacy by Victorian public sector organisations;
  • to produce guidelines on developing codes of practice under the IPA 2000 and to assess codes submitted for approval;
  • to advise government on legislation and policies affecting privacy; and
  • to monitor developments in data processing and computer technology.

To contact the Commissioner, see: Privacy Victoria under "Contact details", below.

VICTORIAN INFORMATION PRIVACY PRINCIPLES

The Victorian IPPs are based on the Organisation for Economic Cooperation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD guidelines were developed in 1980 and form the basis of data protection (information privacy) principles in many jurisdictions.

With limited exemptions (see: ss.10–13 of the IPA 2000), Victorian public sector organisations must comply with the IPPs. The following is a short summary of the IPPs (see: Schedule 1 of the IPA 2000 for full text).

  1. Collection: An organisation must only collect personal information that is necessary for the performance of its functions. An organisation must advise individuals of the purpose for the collection of personal information, that they are entitled to access their personal information, and how to do this.
  2. Use and disclosure: An organisation can only use and disclose personal information in accordance with the primary purpose it was collected for, or for a secondary purpose that a person would reasonably expect. Generally, where the use or disclosure would not be reasonably expected, the law allows use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, to assist in law enforcement activities or to investigate a suspected unlawful activity.
  3. Data quality: Organisations must take reasonable steps to ensure individuals' personal information is accurate, complete and up to date.
  4. Data security: Organisations must take reasonable steps to protect individuals' personal information from misuse, loss, unauthorised access, modification or disclosure.
  5. Openness: Organisations must produce a document that clearly expresses their policies on the management of personal information and provide the policies to anyone who asks for them. This document is typically referred to as a "privacy policy".
  6. Access and correction: Individuals have a right to seek access to their personal information and make corrections, subject to some limited exceptions, such as where access would pose a threat to the life or health of any individual. Access and correction rights are mainly handled under the FoI Act (Vic) (see: Chapter 21*6 Freedom of Information).
  7. Unique identifiers: Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual's name, such as a driver's licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for that organisation to carry out one of its functions.
  8. Anonymity: If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.
  9. Transborder data flows: An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the IPA 2000, or in other limited circumstances. The privacy rights an individual has in Victoria must remain, despite the information being transferred to another jurisdiction.
  10. Sensitive information: An organisation can only collect sensitive information in restricted circumstances. "Sensitive information" is defined in Schedule 1 of the IPA 2000 and includes information about an individual's racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.

INFORMATION MATERIALS

Privacy Victoria has a number of publications on privacy including: guidelines for organisations working with the IPPs, issue papers and reports on a range of topics, introductory brochures, information sheets, case notes and a quarterly newsletter, Privacy Aware.

All publications are available free from Privacy Victoria and from the office's website at www.privacy.vic.gov.au. Case notes are also regularly published on the privacy law library on the World Legal Information Institute's website at www.worldlii.org.

COMPLAINTS AND CONCILIATION

Individuals can complain to the Commissioner about an act or practice that may breach an IPP or interfere with the privacy of the individual. The Commissioner has an obligation to try to conciliate complaints wherever possible. Where appropriate, complaints will be referred to the Victorian Ombudsman, the Health Services Commissioner, the Australian Information Commissioner or the Disability Services Commissioner.

The Commissioner has the power to decline to entertain complaints in certain circumstances, including where:

  • the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;
  • the complainant has not complained to the organisation before making a complaint to the Commissioner; and
  • the complainant does not make a complaint to the Commissioner within 45 days of becoming aware of the alleged privacy breach.

REMEDIES

If the Commissioner declines a complaint, or conciliation of the complaint is not reasonably possible or has been attempted but has failed, a complainant may, in writing, direct the Commissioner to refer their complaint to the Victorian Civil and Administrative Tribunal (VCAT).

A referral to the VCAT is considered to be a fresh hearing of the complaint. The Commissioner can decide to intervene in any proceeding before the VCAT, and can be joined by the VCAT as a party to the proceeding. If the VCAT upholds a complaint as a breach of privacy, potential remedies include:

  • orders to correct information;
  • restraint orders;
  • reimbursement of expenses; and
  • compensation orders of up to $100,000.

If a Victorian public sector organisation seriously, flagrantly, or continuously contravenes an IPP or a code of practice under the IPA 2000, the Commissioner can issue a compliance notice (Part 6 IPA 2000).

Health Records Act 2001

The Health Records Act 2001 (Vic) ("HRA 2001") commenced operation on 1 July 2002. It establishes a framework to protect the privacy of individuals' health information that is held by both the public and private sectors in Victoria. It also provides individuals with an enforceable right of access to their health information held in the private sector.

Under the HRA 2001, health information that is collected, held or used by organisations must be handled in accordance with 11 Health Privacy Principles. These principles are legally binding and apply to:

  • all personal information collected in providing a health, mental health, disability, aged care or palliative care service; and
  • all health information held by other organisations.

The Health Services Commissioner administers the HRA 2001 and accepts complaints relating to interference with health privacy including access to health information (see: "Contact details", below).

Other related Victorian laws

The FoI Act (Vic) provides individuals with access and correction rights for documents containing their personal information that are held by public sector organisations (see: Chapter 21*6 Freedom of Information).

The Public Records Act 1973 (Vic) imposes obligations on public sector organisations with respect to retention and disposal of public records.

The Surveillance Devices Act 1999 (Vic) regulates the installation, use and maintenance of surveillance devices throughout Victoria and the communication and publication of surveillance records.

CHARTER OF HUMAN RIGHTS AND RESPONSIBILITIES ACT 2006

The Charter of Human Rights and Responsibilities Act 2006 (Vic) ("the Charter") provides individuals with the right not to have their privacy, family, home or correspondence unlawfully or arbitrarily interfered with (s.13).

The Charter does not provide a new avenue of redress for individuals who believe their privacy has been breached, but it does impose an obligation on all Victorian public sector organisations to act in a way that is compatible with the human rights protected by the Charter. The Charter requires that all statutory provisions, whether enacted before or after the Charter, are as far as possible interpreted in a way that is compatible with human rights. It also provides that all new legislation introduced into the Victorian Parliament must be accompanied by a statement of compatibility with the Charter (see: Chapter 17 Discrimination, for more information on the Charter and the Victorian Equal Opportunity and Human Rights Commission).

VICTORIAN PRIVACY LEGISLATION :: Last updated: Thu Jul 1st 2010