The Privacy and Data Protection A written law made by parliament. Also called an ‘Act of parliament’, ‘statute’ or legislation. 2014 (Vic) (‘PDP Act’) commenced on 17 September 2014. The PDP Act repealed and replaced the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Money or property promised to be handed over as a guarantee for repayment of a loan, or as a guarantee that a defendant will meet their bail conditions. Act 2005 (Vic). The PDP Act also established the role of the Commissioner for Privacy and Data Protection (‘PDP Commissioner’).
The The right of any person to access documents held by government agencies, except documents excluded by legislation. A change made to a legal document or Act of parliament. (Office of the Victorian Information Commissioner) Act 2017 (Vic) (‘FoI Amendment Act 2017’) amended the PDP Act and replaced the PDP Commissioner role with the Victorian Information Commissioner (‘VI Commissioner’) and the Privacy and Data Protection Deputy Commissioner roles. These amendments took effect on 1 September 2017.
The PDP Act re-enacts the Information Privacy Principles (IPPs) in full; these were established by the Information Privacy Act 2000 (Vic). The IPPs (described more fully below) set out minimum enforceable standards with which the Victorian public sector must comply when collecting and handling personal information about individuals. There are some exceptions that are detailed below.
‘Personal information’ means information (whether true or not) or an opinion that is recorded in any form about an individual whose identity is apparent or whose identity can be reasonably ascertained from the information. In WL v La Trobe University (General)  VCAT 2592, the Victorian Civil and Administrative A body set up to hear and decide disputes, usually with less formality and less strict rules of evidence than in a court proceeding. (VCAT) rejected the respondent’s argument that the definition required a person’s identity to be ascertained from the information in question; VCAT accepted that the word ‘ascertained’ allowed extraneous Relevant or important. For example, material evidence is something that helps to prove an argument in a criminal case. to be used to identify a person. The definition of ‘personal information’ expressly excludes ‘health information’ to which the Health Records Act 2001 (Vic) applies (see ‘Health Records Act’, below).
The PDP Act applies to Victorian ‘public sector organisations’. This includes Victorian Government ministers and parliamentary secretaries, public sector agencies, Found in a statute of delegated legislation. For example, a statutory authority or body is aperson or organisation that has special powers given by parliament to do work for the public benefit. bodies and local councils (for the full list, see s 13 PDP Act). Formal delivery of legal documents to a person to tell them there are court proceedings against them which they must defend, or to make sure a witness in a case knows when they have to go to court to give evidence. providers – including private sector organisations contracted to the Victorian Government – are also bound by the IPPs if there is an enforceable An agreement that the law will enforce. that requires this (s 17(4)). The objects of the PDP Act are:
- to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;
- to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;
- to promote public awareness of the responsible handling of personal information in the public sector;
- to promote the responsible and transparent handling of personal information in the public sector;
- to promote responsible data security practices in the public sector.
Key features of the PDP Act, as amended by the FoI Amendment Act 2017, include:
- the requirement for Victorian public sector organisations to handle personal information in accordance with the 10 IPPs;
- conferring on the VI Commissioner the independent statutory office of the Victorian PDP Commissioner, with all the functions of the role, i.e. to educate, advise, audit, enquire, monitor, consult, comment on privacy issues and independently receive and conciliate privacy complaints in accordance with the PDP Act;
- the power of the VI Commissioner to make public interest determinations, information usage arrangements and to issue certificates that state an act or practice is consistent with the IPPs;
- the power of the VI Commissioner to issue an enforceable compliance notice for serious or flagrant breach of one or more of the IPPs;
- remedies for interferences with privacy, including correcting the breach, and apologising and compensating the individual concerned;
- provision for the registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see pt 4); and
- access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) rights do not apply (see Chapter 12.5: Freedom of information law).