The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980; updated 2013). The OECD guidelines form the basis of data protection (information privacy) principles in many jurisdictions.
With limited exemptions (see ss 10–12, 14, 15 PDP Act), Victorian public sector organisations must comply with the IPPs.
The Family Violence Protection Amendment (Information Sharing) Act 2017 (Vic) made key changes to the IPPs and the Health Privacy Principles (HPPs) (see ‘Health Records Act’, below). In particular, the Act removed the word ‘imminent’ from the ‘serious and imminent’ exceptions in IPP 2, 6 and 10, and in HPP 1 and 2, so that the threat need only be serious.
The Act also inserted Part 5A into the Family Violence Protection Act 2008 (Vic) (‘FVP Act’) and created a new scheme for information sharing.
A summary of the Victorian Information Privacy Principles
The following is a summary of the IPPs (for full text, see sch 1 PDP Act):
IPP 1: Collection
An organisation must only collect personal information that is necessary for the performance of its functions. In Jurecek v Director, Transport Safety Victoria  VSC 285, the Supreme Court (per Justice Bell) stated that ‘necessary does not mean essential or indispensable, but reasonably necessary for the organisation’s functions or activities’.
An organisation must advise individuals of the purpose for the collection of personal information, that they are entitled to access their personal information, and how to do this.
Note that the PDP Act applies to personal information regardless of how it was collected (i.e. by manual or automatic means). Automated collection may occur through the use of technologies such as video surveillance, cookies, and website analytics.
Organisations that have the power to collect information compulsorily must make it clear that they have this power.
IPP 2: Use and disclosure
An organisation can only use and disclose personal information in accordance with the primary purpose it was collected for or for a related secondary purpose that a person would reasonably expect. In the case of sensitive information (see IPP 10, below), it must be directly related to the primary purpose of collection.
Generally, where the use or disclosure of personal information would not be reasonably expected, the law allows the use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, research purposes, to assist in law enforcement activities, or to investigate a suspected unlawful activity. However, if the information is collected compulsorily, the law that underpins the compulsory collection may limit the use and disclosure of that information. Otherwise, use and disclosure for a secondary purpose can only be by consent.
IPP 3: Data quality
Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date. This obligation arises when the information is collected and whenever it is used or disclosed.
IPP 4: Data security
Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.
IPP 5: Openness
IPP 6: Access and correction
Individuals have a right to seek access to their personal information and to make corrections, subject to limited exceptions (e.g. if access would threaten the life or health of an individual). Access and correction rights are mainly handled by the Freedom of Information Act 1982 (Vic) (‘FoI Act’) (see Chapter 12.5: Freedom of information law).
The right to access personal information under IPP 6 applies to organisations that are not covered by the FoI Act, such as private sector organisations that are contracted service providers to the government.
IPP 7: Unique identifiers
Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual’s name, such as a driver licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for that organisation to carry out one of its functions, or by consent.
IPP 8: Anonymity
If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.
IPP 9: Transborder data flows
An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the PDP Act, or in other limited circumstances. The privacy rights an individual has in Victoria remain, despite the information being transferred to another jurisdiction.
IPP 10: Sensitive information
An organisation can only collect sensitive information in restricted circumstances or with consent. ‘Sensitive information’ (defined in sch 1 PDP Act) includes information about an individual’s race or ethnicity, political views, religious and philosophical beliefs, sexual preferences, criminal record, or membership of a trade union, or a political or
Detailed guidelines to the IPPs are available at https://ovic.vic.gov.au/privacy/for-agencies/guidance-and-resources/guidelines.
Exemptions from the Victorian Information Privacy Principles and data security standards
The PDP Act exempts particular acts and practices from needing to comply with the IPPs. These particular acts and practices relate to the handling of personal information and specific categories of information. These exemptions apply to:
- Judicial and quasi-judicial functions of courts and tribunals (s 10). This exemption also applies to court registries and other court/tribunal staff carrying out their duties. The exemption does not apply to personal information collected for non-judicial functions (e.g. for the maintenance of staff records and general administrative matters).
- Royal commissions, boards of inquiry and formal reviews (s 10A). This exemption only applies when personal information is collected in connection with the function of the Royal commission, board or review.
- Parliamentary committees (s 11). This exemption only applies when personal information is collected in connection with the function of a parliamentary committee.
- Publicly available information. This exemption applies to publications that are generally available to the public (e.g. a telephone directory). This exemption also includes documents kept in libraries, galleries and museums for research; public records under the control of the Keeper of the Public Records and available for public inspection under the Public Records Act 1973 (Vic); and archives within the meaning of the Copyright Act 1968 (Cth) (s 12). Note that public registers are only partially exempt under this provision (s 12(2)): under section 20(2), organisations administering a public register must ‘so far as is reasonably practicable’ comply with the IPPs.
- Organisations subject to the Freedom of Information Act 1982 (Vic) (‘FoI Act (Vic)’). These organisations do not have to comply with IPP 6 if they are exempt from the FoI Act (Vic). This exemption clarifies that the PDP Act does not limit the operation of the FoI Act (Vic). However, private sector organisations contracted to provide services on the government’s behalf are not subject to the FoI Act (Vic) and have to comply with IPP 6.
- Law enforcement agencies. A law enforcement agency is exempt from complying with some of the IPPs if non-compliance is necessary to carry out law enforcement activities. ‘Law enforcement agency’ is defined in section 3 of the PDP Act. Law enforcement agencies include a state police force, the Australian Federal Police, the Commissioner for Corrections, agencies carrying out correctional services, the sheriff, and the Independent Broad-based Anti-corruption Commission (IBAC). The exemption is only partial. The agency claiming the exemption must be actually carrying out a law enforcement function at the time of handling information. The exemption also does not apply to all the IPPs (e.g. IPP 3 (data quality) and IPP 4 (data security)). In addition to the law enforcement exemption, Victoria Police is also exempt if non-compliance is necessary to carry out its community policing functions. In Smith v Victoria Police (General)  VCAT 654 – which dealt with the matter of the police releasing a mug-shot of a convicted person to a newspaper – VCAT held that ‘community policing’ was not limited to activities such as notifying next of kin of a death or investigating missing persons, but could also include activities directed toward community engagement in policing initiatives.
- Organisations granted a determination. Organisations that are granted a public interest determination or temporary public interest determination, or that are party to an information usage arrangement, are exempt from needing to comply with the IPPs specified in the determination.
- Information Sharing Entities (ISEs) and the ‘central information point’, as defined in the FVP Act, are exempt from certain IPPs and the equivalent HPPs in relation to the collection and disclosure of, and access to, personal information of a perpetrator and alleged perpetrator of family violence (see pt 5A FVP Act). For more information about the family violence sharing scheme, visit https://ovic.vic.gov.au.
The IPPs and any approved codes of practice give way to any other Act to the extent that they are inconsistent with the other Act. That is, where another Act expressly permits the use and disclosure of personal information, but this is not permitted under the IPPs, the other Act prevails.