Victorian Information Privacy Principles
Introduction to the Victorian Information Privacy Principles
The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980; updated 2013). The OECD guidelines form the basis of data protection (information privacy) principles in many jurisdictions.
With limited exemptions (see ss 10–12, 14, 15 PDP Act), Victorian public sector organisations must comply with the IPPs.
The Family Violence Protection Amendment (Information Sharing) Act 2017 (Vic) made key changes to the IPPs and the Health Privacy Principles (HPPs) (see ‘Health Records Act 2001 (Vic)’ in ‘Other Victorian privacy legislation‘). In particular, the Act removed the word ‘imminent’ from the ‘serious and imminent’ exceptions in IPP 2, 6 and 10, and in HPP 1 and 2, requiring that the threat need be only serious.
The Act also inserted Part 5A into the Family Violence Protection Act 2008 (Vic) (‘FVP Act’) and created a new scheme for information sharing.
A companion scheme, the Child Information Sharing Scheme was also established under Part 6A of the Child Wellbeing and Safety Act 2005 (Vic) to enable information sharing between certain authorised organisations to promote a child’s wellbeing or safety.
A summary of the Victorian Information Privacy Principles
The following is a summary of the IPPs (for the full text, see sch 1 PDP Act):
IPP 1: Collection
An organisation must only collect personal information that is necessary for the performance of its functions. In Jurecek v Director, Transport Safety Victoria  VSC 285, the Supreme Court (per Justice Bell) stated that ‘necessary does not mean essential or indispensable, but reasonably necessary for the organisation’s functions or activities’.
An organisation must advise individuals of the purpose for the collection of personal information, that they are entitled to access their personal information, and how to do this.
Note that the PDPAct applies to personal information regardless of how it was collected (i.e. by manual or automatic means). Automated collection may occur through the use of technologies such as video surveillance, cookies, and website analytics.
Organisations that have the power to collect information compulsorily must make it clear that they have this power.
IPP 2: Use and disclosure
An organisation can only use and disclose personal information in accordance with the primary purpose it was collected for or for a related secondary purpose that a person would reasonably expect. In the case of sensitive information (see IPP 10, below), it must be directly related to the primary purpose of collection.
Generally, where the use or disclosure of personla information would not be reasonably expected, the law allows the use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, research purposes, to assist in law enforcement activities, or to investigate a suspected unlawful activity. However, if the information is collected compulsorily, the law that underpins the compulsory collection may limit the use and disclosure of the that information. Otherwise use and disclosure for a secondary purpose can only be by consent.
IPP 3: Data quality
Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date. This obligation arises when the information is collected and whenever it is used or disclosed.
IPP 4: Data security
Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.
IPP 5: Openness
IPP 6: Access and correction
Individuals have a right to seek access to their personal information and to make corrections, subject to limited exceptions (e.g. if access would threaten the life or health of an individual). Access and correction rights are mainly handled by the Freedom of Information Act 1982 (Vic) (‘FoI Act’) (see Chapter 12.4: Freedom of information law).
The right to access personal information under IPP 6 applies to organisations that are not covered by the FoI Act, such as private sector organisations that are contracted service providers to the government.
IPP 7: Unique identifiers
Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual’s name, such as a driver licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for that organisation to carry out one of its functions, or by consent.
IPP 8: Anonymity
If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.
IPP 9: Transborder data flows
An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the PDP Act, or in other limited circumstances. The privacy rights an individual has in Victoria remain, despite the information being transferred to another jurisdiction.
IPP 10: Sensitive information
An organisation can only collect sensitive information in restricted circumstances or with consent. ‘Sensitive information’ (defined in sch 1 PDP Act) includes information about an individual’s race or ethnicity, political views, religious and philosophical beliefs, sexual preferences, criminal record, or membership of a trade union, or a political or
Detailed guidelines to the IPPs are available on the Victorian Information Commissioner’s website.
Exemptions from the Victorian Information Privacy Principles and data security standards
The PDP Act exempts particular acts and practices from needing to comply with the IPPs. These particular acts and practices relate to the handling of personal information and specific categories of information.
These exemptions apply to:
- Judicial and quasi-judicial functions of courts and tribunals (s 10). This exemption also applies to court registries and other court/tribunal staff carrying out their duties. The exemption does not apply to personal information collected for non-judicial functions (e.g. for the maintenance of staff records and general administrative matters).
- Royal commissions, boards of inquiry and formal reviews (s 10A). This exemption only applies when personal information is collected in connection with the function of the Royal commission, board or review.
- Parliamentary committees (s 11). This exemption only applies when personal information is collected in connection with the function of a parliamentary committee.
- Publicly available information. This exemption applies to publications that are generally available to the public (e.g. a telephone directory). This exemption also includes documents kept in libraries, galleries and museums for research; public records under the control of the Keeper of the Public Records and available for public inspection under the Public Records Act 1973 (Vic); and archives within the meaning of the Copyright Act 1968 (Cth) (s 12). Note that public registers are only partially exempt under this provision (s 12(2)): under section 20(2), organisations administering a public register must ‘so far as is reasonably practicable’ comply with the IPPs.
- Organisations subject to the Freedom of Information Act 1982 (Vic) (‘FoI Act (Vic)’). These organisations do not have to comply with IPP 6 if they are exempt from the FoI Act (Vic). This exemption clarifies that the PDP Act does not limit the operation of the FoI Act (Vic). However, private sector organisations contracted to provide services on the government’s behalf are not subject to the FoI Act (Vic) and have to comply with IPP 6.
- Law enforcement agencies. A law enforcement agency is exempt from complying with some of the IPPs if non-compliance is necessary to carry out law enforcement activities. ‘Law enforcement agency’ is defined in section 3 of the PDP Act. Law enforcement agencies include a state police force, the Australian Federal Police, the Commissioner for Corrections, agencies carrying out correctional services, the sheriff, and the Independent Broad-based Anti-corruption Commission (IBAC). The exemption is only partial. The agency claiming the exemption must be carrying out a law enforcement function at the time of handling information. The exemption also does not apply to all the IPPs (e.g. IPP 3 (data quality) and IPP 4 (data security)). In addition to the law enforcement exemption, Victoria Police is also exempt if non-compliance is necessary to carry out its community policing functions. In Smith v Victoria Police (General)  VCAT 654 – which dealt with the matter of the police releasing a mug-shot of a convicted person to a newspaper – VCAT held that ‘community policing’ was not limited to activities such as notifying next of kin of a death or investigating missing persons, but could also include activities directed toward community engagement in policing initiatives.
- Organisations granted a determination. Organisations granted a public interest determination, or temporary public interest determination, or are party to an information usage arrangement are exempt from needing to comply with the IPPs specified in the determination.
- Information Sharing Entities (ISEs) and the ‘central information point’, as defined in the FVP Act, are exempt from certain IPPs and the equivalent HPPs in relation to the collection and disclosure of, and access to, personal information of a perpetrator and alleged perpetrator of family violence (see pt 5A FVP Act). For more information about the family violence sharing scheme, visit the Victorian Information Commissioner’s website.
The IPPs and any approved Code of Practice give way to any other Act to the extent that they are inconsistent with the other Act. That is, where another Act expressly permits the use and disclosure of personal information, but this is not permitted under the IPPs, the other Act prevails.