The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980; updated 2013). The OECD guidelines form the basis of data protection (information privacy) principles in many jurisdictions.
With limited exemptions (see ss 10–12, 14, 15 PDP Act), Victorian public sector organisations must comply with the IPPs.
The Family Violence Protection Amendment (Information Sharing) Act 2017 (Vic) made key changes to the IPPs and the Health Privacy Principles (HPPs) (see “Health Records Act”). In particular, the Act removed the word “imminent” from the “serious and imminent” exceptions in IPP 2, 6 and 10, and in HPP 1 and 2, requiring that the threat need be only serious. The Act also inserted part 5A into the Family Violence Protection Act 2008 (Vic) (“FVP Act”) and created a new scheme for information sharing (see below).
The following is a summary of the IPPs (for full text, see sch 1 PDP Act).
• IPP 1: Collection
An organisation must only collect personal information that is necessary for the performance of its functions. An organisation must advise individuals of the purpose for the collection of personal information, that they are entitled to access their personal information, and how to do this.
• IPP 2: Use and disclosure
An organisation can only use and disclose personal information in accordance with the primary purpose it was collected for or for a related secondary purpose that a person would reasonably expect. In the case of sensitive information (see IPP 10), it must be directly related to the primary purpose of collection. Generally, where the use or disclosure would not be reasonably expected, the law allows the use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, research purposes, to assist in law enforcement activities or to investigate a suspected unlawful activity. Otherwise use and disclosure for a secondary purpose can only be by consent.
• IPP 3: Data quality
Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date.
• IPP 4: Data security
Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.
• IPP 5: Openness
• IPP 6: Access and correction
Individuals have a right to seek access to their personal information and to make corrections, subject to limited exceptions (e.g. if access would threaten the life or health of an individual). Access and correction rights are mainly handled by the Freedom of Information Act 1982 (Vic) (see Freedom of information law).
• IPP 7: Unique identifiers
Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual’s name, such as a driver’s licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for that organisation to carry out one of its functions, or by consent.
• IPP 8: Anonymity
If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.
• IPP 9: Transborder data flows
An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the PDP Act, or in other limited circumstances. The privacy rights an individual has in Victoria remain, despite the information being transferred to another jurisdiction.
An organisation can only collect sensitive information in restricted circumstances or with consent. “Sensitive information” (defined in sch 1 PDP Act) includes information about an individual’s race or ethnicity, political views, religious and philosophical beliefs, sexual preferences, criminal record, or membership of a trade union, or a political or professional association.
The PDP Act exempts particular acts and practices from needing to comply with the IPPs. These particular acts and practices relate to the handling of personal information and specific categories of information. These exemptions apply to:
• Judicial and quasi-judicial functions of courts and tribunals (s 10). This exemption also applies to court registries and other court/tribunal staff carrying out their duties. The exemption does not apply to personal information collected for non-judicial functions (e.g. for the maintenance of staff records and general administrative matters).
• Royal commissions, boards of inquiry and formal reviews (s 10A). This exemption only applies when personal information is collected in connection with the function of the Royal commission, board or review.
• Parliamentary committees (s 11). This exemption only applies when personal information is collected in connection with the function of a parliamentary committee.
• Publicly available information. This exemption applies to publications that are generally available to the public (e.g. a telephone directory). This exemption also includes documents kept in libraries, galleries and museums for research; public records under the control of the Keeper of the Public Records and available for public inspection under the Public Records Act 1973 (Vic); and archives within the meaning of the Copyright Act 1968 (Cth) (s 12). Note that public registers are only partially exempt under this provision (s 12(2)): under section 20(2), organisations administering a public register must “so far as is reasonably practicable” comply with the IPPs.
• Organisations subject to the Freedom of Information Act 1982 (Vic) (“FoI Act (Vic)”). These organisations do not have to comply with IPP 6 if they are exempt from the FoI Act (Vic). This exemption clarifies that the PDP Act does not limit the operation of the FoI Act (Vic). However, private sector organisations contracted to provide services on the government’s behalf are not subject to the FoI Act (Vic) and have to comply with IPP 6.
• Law enforcement agencies. A law enforcement agency is exempt from complying with some of the IPPs if non-compliance is necessary to carry out law enforcement activities. “Law enforcement agency” is defined in section 3 of the PDP Act. Law enforcement agencies include a state police force, the Australian Federal Police, the Commissioner for Corrections, agencies carrying out correctional services, the sheriff, and the Independent Broad-based Anti-corruption Commission (IBAC). The exemption is only partial. The agency claiming the exemption must be actually carrying out a law enforcement function at the time of handling information. The exemption also does not apply to all the IPPs (e.g. IPP 3 (data quality) and IPP 4 (data security)). In addition to the law enforcement exemption, Victoria Police is also exempt if non-compliance is necessary to carry out its community policing functions. In Smith v Victoria Police (General)  VCAT 654 – which dealt with the matter of the police releasing a mug-shot of a convicted person to a newspaper – VCAT held that “community policing” was not limited to activities such as notifying next of kin of a death or investigating missing persons, but could also include activities directed toward community engagement in policing initiatives.
• Organisations granted a determination. Organisations granted a public interest determination, or temporary public interest determination, or are party to an information usage arrangement (see “Victorian Information Commissioner”) are exempt from needing to comply with the IPPs.
• Information Sharing Entities (ISEs) and the “central information point”, as defined in the FVP Act, are except from certain IPPs and the equivalent HPPs in relation to the collection and disclosure of, and access to, personal information of a perpetrator and alleged perpetrator of family violence (see pt 5A FVP Act). For more information about the family violence sharing scheme, visit https://ovic.vic.gov.au.
Note that the IPPs and any approved Code of Practice give way to any other Act to the extent that they are inconsistent with the other Act. This means that where another Act expressly permits the use and disclosure of personal information, but this is not permitted under the IPPs, the other Act prevails.