The Law Handbook 2024
1116 Section 12: Government and the individual

hospitals and public health services. The type of information that is the subject of these functions includes, but is not limited to, personal information. In February 2020, the VI Commissioner published the Victorian Protective Data Security Framework (Version 2.0), which provides direction to the Victorian public sector on their data security obligations. For more information about these functions, the standards and the framework, see www.ovic.vic.gov.au.

Victorian Information Privacy Principles

The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD’s) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The OECD guidelines form the basis of data protection (information privacy) principles in many jurisdictions. With limited exemptions (see ss 10–12, 14, 15 PDP Act), Victorian public sector organisations must comply with the IPPs. The following is a summary of the IPPs (for the full text, see sch 1 PDP Act):

• IPP 1: Collection
An organisation must only collect personal information that is necessary for the performance of its functions. In Jurecek v Director, Transport Safety Victoria [2016] VSC 285, the Supreme Court (per Justice Bell) stated that ‘necessary does not mean essential or indispensable, but reasonably necessary for the organisation’s functions or activities’. An organisation must take reasonable steps to advise individuals of the purpose of the collection, the usual disclosures, and a number of other matters outlined in the principle. Note that the PDP Act applies to personal information regardless of how it was collected (i.e. by manual or automatic means). Automated collection may occur through the use of technologies such as video surveillance, cookies, and website analytics. Organisations that have the power to collect information compulsorily must make it clear that they have this power.

• IPP 2: Use and disclosure
An organisation can only use and disclose personal information for the primary purpose it was collected for, for a related secondary purpose that a person would reasonably expect, with consent, or for other purposes permitted under the principle. In the case of sensitive information (see IPP 10, below), the use or disclosure must be directly related to the primary purpose of collection. The law allows use and disclosure that is authorised or required by another law, or for public interest purposes such as individual or public safety, research purposes, to assist in law enforcement activities, or to investigate a suspected unlawful activity. If the information is collected compulsorily, the law that underpins the compulsory collection may also limit the use and disclosure of that information, notwithstanding the operation of IPP 2.

• IPP 3: Data quality
Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date. This obligation arises when the information is collected and whenever it is used or disclosed.

• IPP 4: Data security
Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.

• IPP 5: Openness
Organisations must produce a document that clearly expresses their policies on the management of personal information; this document is usually called a ‘privacy policy’. An organisation must provide its privacy policy to anyone who requests it.

• IPP 6: Access and correction
Individuals have a right to seek access to their personal information and to make corrections, subject to limited exceptions (e.g. if access would threaten the life or health of an individual). Access and correction rights are mainly handled by the Freedom of Information Act 1982 (Vic) (‘FoI Act’) (see Chapter 12.3: Freedom of information law). The right to access personal information under IPP 6 applies to organisations that are not covered by the FoI Act, such as contracted government service providers.