Handling internal enquiries
Handling enquiries about your organisation’s privacy obligations is one of the key functions of your role as privacy officer. These enquiries will come primarily from colleagues within your organisation but may also come from members of the public.
Well-handled internal enquiries help your organisation meet its obligations under the PDP Act and lower the risks of privacy breaches. Well-handled external enquiries can help resolve issues that could otherwise become complaints in the future.
For you to be able to perform this function well, it’s vital that other employees within your organisation are aware of the existence of your role as privacy officer and know how to contact you. Visit the ‘Raising awareness of your role’ section of this toolkit for more information.
Common internal enquiries
Here you can find some examples of common internal enquiries that you may receive.
I want to collect personal information from individuals. Do I have privacy obligations?
Before you collect any personal information from an individual, you need to identify what you intend to achieve by collecting the information, and the function or activity of your organisation that this relates to. You should not collect more information than you need.
This is because your organisation has an obligation to only collect personal information where it is necessary for one or more of its functions or activities under IPP 1.1.
You should also consider whether it is possible for your organisation to fulfil the function or activity without identifying individuals. This is because your organisation has an obligation to allow individuals to interact with it anonymously wherever reasonably practicable under IPP 8.
If you have decided that it is necessary to collect certain personal information, you must make sure that you provide a collection notice to individuals at (or as soon as is reasonably practicable after) the time of collection. Visit the ‘Collection notices’ section of this toolkit for more information.
Can I share personal information about an individual within the organisation?
Sharing personal information within your organisation is a ‘use’ under the PDP Act.
Before sharing personal information with others in your organisation, you need to be satisfied that it is being used for the same purpose as that for which it was collected; for a secondary purpose that an individual would reasonably expect; or in accordance with another exception under IPP 2.1.
You may like to share our IPP 2 – Pocket Guide with staff in your organisation to assist them to navigate this IPP.
Another organisation has asked for personal information about an individual. Can I share the information with them?
Sharing personal information with another organisation is a ‘disclosure’ under the PDP Act.
If you receive a request to share personal information with another organisation, you should ask the organisation to explain in writing why it is seeking the personal information. You may wish to ask the requesting organisation for its opinion about how disclosing the information would comply with IPP 2.1.
Although you might seek the view of the organisation requesting the information, it is your organisation that must decide whether the disclosure complies with IPP 2.1. If you aren’t satisfied, you aren’t obliged to share the personal information.
Do I need permission from an individual before I share their personal information?
No, consent is not the only basis on which personal information can be used and disclosed. The basic rule is that you do not need an individual’s permission to use or disclose their personal information if it is for the same purpose as that for which it was collected.
Consent is one of the exceptions to the rule. This means that, where an individual gives you consent to do so, you can use and disclose their personal information for a different purpose than that for which it was collected.
What do I do if I am asked to release or correct an individual’s personal information?
The Freedom of Information Act 1982 (Vic) (FOI Act) is the primary mechanism for access to and correction of information held by Victorian government agencies. If you receive a request for access or correction to an individual’s personal information, you should direct them to your freedom of information (FOI) officer.
OVIC encourages organisations to informally release documents in response to requests; however, it may be appropriate to ask individuals to make a formal FOI request.
If the FOI Act doesn’t apply to your organisation, individuals may be able to seek access and correction under IPP 6. However, it is important to remember that IPP 6 only applies where the FOI Act does not.
Other common topics
OVIC has created specific guidance on a range of common topics.
Assistance from OVIC
OVIC’s Privacy Guidance team is available to help you respond to privacy enquiries; provide general privacy guidance; and point you to relevant IPPs and any existing guidance material. Visit the ‘Working with OVIC’ section of this toolkit to find out more.