The Privacy and Data Protection Act 2014 (Vic) (‘PDP Act’) commenced on 17 September 2014. The PDP Act repealed and replaced the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic). The PDP Act also established the role of the Commissioner for Privacy and Data Protection (‘PDP Commissioner’).
The Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (‘FoI Amendment Act 2017’) amended the PDP Act and replaced the PDP Commissioner role with the Victorian Information Commissioner (‘VI Commissioner’) and the Privacy and Data Protection Deputy Commissioner roles. These amendments took effect on 1 September 2017.
The PDP Act re-enacts the Information Privacy Principles (IPPs) in full; these were established by the Information Privacy Act 2000 (Vic). The IPPs set out minimum enforceable standards with which the Victorian public sector must comply when collecting and handling personal information about individuals. There are some exceptions that are detailed below.
‘Personal information’ means information (whether true or not) or an opinion that is recorded in any form about an individual whose identity is apparent or whose identity can be reasonably ascertained from the information.
In WL v La Trobe University (General)  VCAT 2592, the Victorian Civil and Administrative Tribunal (VCAT) rejected the respondent’s argument that the definition required a person’s identity to be ascertained from the information in question; VCAT accepted that the word ‘ascertained’ allowed extraneous material to be used to identify a person.
The definition of ‘personal information’ expressly excludes ‘health information’ to which the Health Records Act 2001 (Vic) applies (see ‘Health Records Act’ in ‘Other Victorian privacy legislation‘).
The PDP Act applies to Victorian ‘public sector organisations’. This includes Victorian Government ministers and parliamentary secretaries, public sector agencies, statutory bodies and local councils (for the full list, see s 13 PDP Act). Service providers – including private sector organisations contracted to the Victorian Government – are also bound by the IPPs if there is an enforceable contract that requires this (s 17(4)).
The objects of the PDP Act are:
- to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;
- to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;
- to promote public awareness of the responsible handling of personal information in the public sector;
- to promote the responsible and transparent handling of personal information in the public sector;
- to promote responsible data security practices in the public sector.
Key features of the PDP Act, as amended by the FoI Amendment Act 2017, include:
- the requirement for Victorian public sector organisations to handle personal information in accordance with the 10 IPPs;
- conferring on the VI Commissioner the independent statutory office of the Victorian PDP Commissioner, with all the functions of the role, i.e. to educate, advise, audit, enquire, monitor, consult, comment on privacy issues and independently receive and conciliate privacy complaints in accordance with the PDP Act;
- the power of the VI Commissioner to make public interest determinations, information usage arrangements and to issue certificates that state an act or practice is consistent with the IPPs;
- the power of the VI Commissioner to issue an enforceable compliance notice for serious or flagrant breach of one or more of the IPPs;
- remedies for interferences with privacy, including correcting the breach, and apologising and compensating the individual concerned;
- provision for the registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see pt 4); and
- access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) rights do not apply (see Chapter 12.4: Freedom of information law).