The Law Handbook 2024
Chapter 12.2: Privacy and your rights 1119

organisation is held responsible unless it can establish that it took reasonable precautions and exercised due diligence to avoid the privacy breach (s 118 PDP Act).

In the case of TSJ v Department of Health and Human Services (Human Rights) [2016] VCAT 687, a social worker employed by the Victorian Government Department of Health (‘Department of Health (Vic)’) sent personal information about the complainant to the wrong email address. The person who received the information immediately contacted the social worker, who took steps to retrieve the information, notified the complainant, and apologised for the breach. VCAT found that the Department of Health (Vic) had taken reasonable precautions and exercised due diligence to prevent the privacy breach under IPP 2, and to protect the personal information under IPP 4, and dismissed the complaint.

VCAT procedures & remedies

If the VI Commissioner declines to investigate a complaint – or conciliation of the complaint is not possible or has been attempted but has failed – a complainant may, in writing, direct the VI Commissioner to refer their complaint to VCAT. The VI Commissioner sends VCAT the documents setting out the complaint and the grounds of the complaint under the PDP Act. A referral to VCAT is considered to be a fresh hearing of the complaint.

VCAT’s Human Rights List determines complaints made under the PDP Act. The proceeding is generally managed through a series of steps before a final hearing. These steps include:
• one or more directions hearings;
• a consensual referral to mediation, or referral to a compulsory conference; and
• a schedule for the exchange between the parties of points of complaint, points of defence, and witness statements.

The VI Commissioner can decide to intervene in any proceeding before VCAT and can be joined by VCAT as a party to the proceeding.

If VCAT upholds a complaint as a breach of privacy, potential remedies include:
• orders to correct information;
• restraint orders;
• reimbursement of expenses; and
• compensation orders of up to $100,000.

Note that due to the operation of the Open Courts Act 2013 (Vic), PDP Act complaints that reach a final determination in VCAT are generally published in identifying format unless an application for suppression is approved.

Compliance notices (s 78)

The VI Commissioner can serve a compliance notice on an organisation when that organisation has seriously breached one of the IPPs (or an approved Code of Practice). A notice can also be served on an organisation if the act that breached one of the IPPs (whether serious or not) has occurred five times in the last two years. If an organisation is served with a compliance notice, penalties apply for failure to comply and it is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.

Unlike the PA 1988, the PDP Act has no formal Notifiable Data Breaches Scheme. Rather, the PDP Commissioner invites regulated agencies to report data breaches on a voluntary basis and publishes guidance for the public sector on dealing with data breaches.

Other Victorian privacy legislation

Health Records Act

The Health Records Act 2001 (Vic) (‘HR Act’) protects the privacy of individuals’ health information held by the public and private sectors in Victoria. It also provides individuals with an enforceable right to access their health information held in the private sector.

The objects of the HR Act are:
• to require responsible handling of health information in the public and private sectors;
• to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information;
• to enhance the ability of individuals to be informed about their healthcare and/or disability services; and
• to promote the provision of quality health services, disability services and aged-care services.

Under the HR Act, health information that is collected, held or used by organisations must be handled in