Introduction to these Guidelines
Under the Victorian Privacy and Data Protection Act 2014 (PDP Act), the Information Commissioner has the function of issuing guidelines for the Information Privacy Principles (IPPs). The IPPs outline the minimum standard for the collection, storage, handling, use and disclosure of personal information by Victorian public sector (VPS) organisations. The IPPs are relevant for all VPS organisations, as well as some private or community sector organisations where those organisations are carrying out functions under a State contract with a Victorian public sector organisation.1
These Guidelines are intended for individuals working with the IPPs under the PDP Act. They indicate how the Information Commissioner interprets and applies the IPPs, and the matters that the Information Commissioner may consider when advising organisations during consultations, dealing with complaints, or examining acts and practices or breaches during an investigation. They also provide guidance to organisations on the broad application of the IPPs, and how to embed privacy protections in their workplace culture and practices.
These Guidelines are not legally binding, and do not constitute legal advice about how an organisation must comply with the IPPs in specific circumstances. Ultimately, organisations must decide how to interpret and apply the IPPs in a manner that is consistent with the PDP Act. Organisations should consult their privacy officer or unit, or seek legal advice, as appropriate.
These Guidelines should be read together with the full text of the IPPs. In practice, the IPPs often interact. The application of the IPPs can differ depending on the context of the situation. Context is important, so organisations should apply the IPPs on a case by case basis.
Objects of the PDP Act and the Information Lifecycle
Organisations should apply the IPPs with the objects of the PDP Act in mind.2 They are:
- to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;
- to balance the public interest in promoting open access to public sector information with the public interest in protecting its security; and
- to promote awareness of responsible personal information handling practices in the public sector; and
- to promote the responsible and transparent handling of personal information handling in the public sector; and
- to promote responsible data security practices in the public sector.
These objects, together with the IPPs, reflect four longstanding themes in privacy and data protection law and policy:3
- Openness and transparency: Individuals should be made aware of the information held about them and why it is held, and should be able to see it and correct it if necessary.
- Proportionality: Organisations should only collect personal information as necessary, and should minimise intrusion into privacy.
- Purpose limitation: Generally, personal information should be used only for the purpose for which it was collected.
- Individual participation: Individuals should have as much say as possible in what information about them is used for and who gets access to it.
The PDP Act and the IPPs imply some shift in control from the collectors and users of personal information to the sources and subjects of it. However, it is not a total shift. As the objects of the PDP Act outline, it is a balancing of various public interests.
The IPPs govern the collection, use, disclosure, and destruction of information throughout the information lifecycle. This is illustrated in the following diagram, which indicates where in that lifecycle each of the ten IPPs is most relevant.
When do the IPPs apply?
Which organisations are covered by the PDP Act?
Section 13 of the PDP Act provides a list of the categories of bodies and persons who are subject to Part 3 of the PDP Act and must comply with the IPPs. These are:
- Parliamentary Secretaries, including the Parliamentary Secretary of the Cabinet;
- public sector agencies, meaning public service bodies or public entities within the meaning of the Public Administration Act 2004 (this includes Victorian government departments);
- local councils;
- bodies established or appointed for a public purpose by or under an Act (such as Victorian public universities);
- bodies established or appointed for a public purpose by the Governor in Council, or a Minister, otherwise than under an Act;
- persons holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person appointed by the Governor in Council, or a Minister, otherwise than under an Act (such as the Victorian Ombudsman);
- courts or tribunals;
- Victoria Police;
- a contracted service provider, but only in relation to its provision of services under a State contract which contains a provision of a kind referred to in s 17(2) of the PDP Act; and
- any other body that is declared by an order published in the government Gazette to be an organisation covered under the PDP Act.
These categories of bodies and persons are ‘public sector organisations’ for the purpose of Part 3 of the PDP Act. The starting point for these organisations is that they need to act in accordance with the IPPs. However, there are several important exemptions which exclude categories of information held by these organisations, or some of their functions, from the coverage of the IPPs. These exemptions are discussed below in the section ‘When do the IPPs not apply?’
The remainder of this section discusses certain categories of organisations in more detail. Some of the categories discussed below are drawn from the above list, while others are classes of organisations about which OVIC frequently receives queries.
Public sector agencies
The IPPs apply to public sector agencies, which is defined in s 3 of the PDP Act to mean public service bodies or public entities within the meaning of the Public Administration Act 2004.
Public sector bodies are Departments, Administrative Offices, and the Victorian Public Sector Commission.
Public entities are defined in s 5 of the Public Administration Act 2004, and includes certain bodies that are established under an Act or the Corporations Act or by the Victorian government. Amongst other requirements, these bodies must have a public function to exercise on behalf of the State, or be wholly owned by the State. However, it does not include the types of bodies listed in s 5(1)(da)-(h), such as Parliamentary Committees or Royal Commissions.
Contracted service providers to Victorian government organisations
Contracted service providers (CSP) may be bound by the Information Privacy Principles (IPPs) contained in Part 3 of the PDP Act where a State contract contains a provision binding the CSP to the IPPs.
The CSP is then bound by the IPPs in the same way and to the same extent as the outsourcing public sector organisation.
If there is no such provision in the State contract, it is the responsibility of the outsourcing public sector organisation to ensure that the CSP upholds the relevant privacy obligations under the PDP Act.
The IPPs apply to an act or practice of a CSP when:
- there is a State contract between the CSP and the outsourcing government agency;
- that State contract contains a provision binding the CSP to the IPPs, drafted in accordance with s 17(2); and
- the relevant act or practice was undertaken for the purposes of the State contract.
A state contract means a contract between an organisation and a CSP under which services are provided by the CSP to the organisation in connection with the performance of the functions of the organisation.
CSPs to State government are not bound by the Commonwealth Privacy Act 1988 in relation to their conduct under a State contract. The Privacy Act 1988 (Cth) expressly gives way to State regulation of organisations providing services under a State contract. However, the other activities of the CSP may be regulated by the Privacy Act 1988 (Cth).
The fact that an organisation is ‘funded’ by Victorian government does not, of itself, make the organisation a CSP or the funding arrangement a ‘State contract’ for the purposes of the PDP Act. The services must be connected with the outsourcing government organisation’s functions and must be provided under a State contract. However, if a CSP carries out activities on behalf of an organisation, and the CSP is not bound by the IPPs itself, the organisation itself may be liable for any breach of the IPPs by the CSP.
Health service providers
Victorian public hospitals and health service providers have obligations under the PDP Act in relation to personal information that is not health-related, for example, staff records. Private hospitals and health service providers are not covered under the PDP Act unless they are carrying out services under a State contract not related to health (see above). The privacy of health information handled by both public and private health service providers is regulated under the Health Records Act 2001 (Vic), which is administered by the Health Complaints Commissioner. Private sector health providers may also be regulated under the Privacy Act 1988 (Cth).
State government schools are required to comply with the IPPs. However, independent or denominational schools do not. Typically, independent or denominational schools are subject to the Privacy Act 1988 (Cth).
Organisations ‘established by or under an Act’ for a ‘public purpose’
The term, ‘established by or under an Act’ for PDP Act purposes, means created under a Victorian Act. Organisations are not covered just because they are incorporated under a Victorian Act (such as the Associations Incorporation Act 1981) or subject to it in some way (such as a licensed motor car trader).
To determine whether a body was ‘established for a public purpose’, consider:
- the legislation that establishes the body;
- the organisation’s constitution or rules, if they have been referred to in the Act;
- where purposes were multiple or a mix of public and private purposes, whether the dominant purpose of establishing the organisation was public; and
- if more than one dominant purpose, whether one of them was a public purpose. Note ‘public purpose’ does not just mean ‘governmental’ purpose – it can be broader and pertains to the people of a community or locality.
When do the IPPs not apply?
There are limited exemptions to the Victorian government organisations that must comply with the IPPs. The PDP Act does not typically treat particular organisations as exempt. Rather, the Act exempts from protection particular functions of organisations or specific categories of information they hold. Exempt acts and practices, and categories of information, fall outside the protection of some or all of the IPPs. The more significant exemptions are outlined below.
Judicial and quasi-judicial functions of courts and tribunals
Section 10 of the PDP Act exempts courts and tribunals from compliance with the IPPs or any protective data security standard in respect of the exercise of judicial or quasi-judicial functions. The IPPs will still apply to personal information collected for other court and tribunal functions such as the maintenance of staff records, or general administrative matters.
‘Quasi-judicial’ means ‘court like’. It includes the actions of non-judicial bodies, such as administrative agencies exercising their functions and powers in a judicial manner. Various factors may be taken into account, including whether a proceeding’s purpose is to make a determination or finding concerning a matter, the truth of which is of public concern.
A statute which establishes a tribunal and regulates its procedures helps to determine whether a government body is a ‘tribunal’. A body does not need to be called a tribunal. Relevant matters include whether provision is made for its proceedings, for the calling of witnesses and receiving evidence on oath, for public hearings, legal representation, and immunity of decision makers from suit. In addition, the relevant statute will often describe the tribunal’s initiating mechanisms and the legal consequences of its determinations.
A court registry’s handling of its case records and other documents filed by parties for the purposes of proceedings are likely to be matters which relate to judicial functions and therefore be exempt from obligations under the PDP Act.
‘Judicial power’ was described by the Victorian Supreme Court in R v Debono:4
‘Judicial power involves, as a general rule, a decision settling for the future a question between identified parties as to the existence of a right or an obligation. In this regard, the process is generally an inquiry concerning the law as it is and the facts as they are, followed by an application of the law as determined to the facts as determined.’
‘Quasi-judicial proceedings’ were defined at a federal level in Mann v O’Neill as:
‘Proceedings of tribunals recognised by law and which act “in a manner similar to that in which a court of justice acts”’. An ‘overriding consideration relevant to the question of whether proceedings are quasi-judicial’ is whether a determination will emerge from the proceedings, the truth and justice of which is a matter of public concern.5
In Harrison v VBA,6 VCAT found that the then Building Practitioners Board (BPB) was a tribunal that had a quasi-judicial function because it:
- had an inquiry function concerning facts and law;
- applied the law; and
- made a determination affecting the obligations and rights of the parties involved.
VCAT also found that even though the employees exercising the quasi-judicial function worked for a related body (not the BPB), it was deemed that the employees were exercising the functions of the BPB.
Section 11 provides that nothing in the PDP Act, the IPPs or a protective data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of personal information by a Parliamentary Committee in the course of carrying out its functions.
Section 10A provides that nothing in the PDP Act, the IPPs or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information by a Royal Commission, a Board of Inquiry or a Formal Review for the purposes of, or in connection with, the performance of its functions.
Personal information in documents subject to the Freedom of Information Act
Section 14 states that nothing in IPP 6 applies to personal information contained in documents subject to the FOI Act. Organisations subject to the FOI Act therefore do not need to comply with IPP 6.
For more information on the relationship between IPP 6 and the FOI Act, see the IPP 6 chapter of these Guidelines.
Law enforcement activities
Section 15 of the PDP Act provides that a law enforcement agency does not have to comply with IPPs 1.3 to 1.5, 2.1, 6.1 to 6.8, 7.1 to 7.4, 9.1 or 10.1 in certain circumstances. The law enforcement agency will not need to comply with these IPPs if it believes, on reasonable grounds, that non-compliance is reasonably necessary:
- for its own, or another law enforcement agency’s enforcement functions;
- for the enforcement of laws relating to the confiscation of the proceeds of crime;
- in connection with proceedings commenced in a court or tribunal; or
- in the case of Victoria Police, for the purposes of its community policing functions.
Certain bodies are defined in s 3 of the PDP Act as ‘law enforcement agencies’. They include, for example, a State police force and the Australian Federal Police, the Australian Crime Commission, the Commissioner of Corrections and the Business Licensing Authority. Also covered are agencies whose function is to:
- prevent, detect, investigate, or prosecute criminal offences or breaches of a law imposing a penalty or sanction for a breach
- manage property seized under laws relating to confiscation of proceeds of crime;
- execute or implement an order or decision of a court or tribunal; or
- protect the public revenue under a law administered by the law enforcement agency.
Organisations seeking to rely on this exemption must believe, with a reasonable basis for that belief, that non-compliance with the IPPs listed in s 15 is necessary in the particular circumstances. This means that law enforcement agencies do need to consider and adhere to the IPPs, except where doing so is incompatible with their law enforcement functions.
In Zeqaj v Victoria Police, VCAT Member Dea said:
‘the belief [that noncompliance is necessary] must not only be that the duty or task must be undertaken but that, in order to perform that duty or task, it is necessary not to first comply with the IPPs which would otherwise apply. The belief the noncompliance is necessary is linked not to the action [the law enforcement agency] intends to take, but to the IPPs would otherwise apply …
… in order for section 15 of the Privacy Act to apply, there must be evidence of a belief of the kind referred to having been formed’.7
For more information about this case, see Case Study 2-S (under the ‘Disclosure to relevant persons and authorities’ section) in the IPP 2 chapter of these Guidelines.
Family Violence Protection Act
Section 15A of the PDP Act contains exemptions from complying with certain IPPs for the purposes of information sharing under the Family Violence Protection Act 2008 (FVP Act).
Information Sharing Entities (ISEs)8 and the Central Information Point (CIP)9 are exempt from complying with IPPs 4 and 1.5 when collecting information about perpetrators (including alleged perpetrators). The purposes of these exceptions is to ensure that ISEs are not required to collect personal information directly from a perpetrator or alleged perpetrator, nor provide notice of collection where information about a perpetrator or alleged perpetrator has been collected from a third party. These changes recognise that it may not always be safe, reasonable or appropriate for practitioners to collect information directly from a perpetrator or alleged perpetrator.
The CIP is expressly exempt from IPP 6, meaning that the CIP is not required to provide access to or correct personal information and health information about an individual that the CIP has collected for the purposes of Part 5A of the FVP Act, which relates to information sharing. The CIP is designed to act as a conduit for information held by other ISEs, who are better placed to determine whether a request for access or correction could pose a risk of harm to victim survivors.
An ISE may refuse access to information under IPP 6 where a family violence risk has been established, if the individual making the request is a perpetrator or alleged perpetrator.10 This provides ISEs with a greater ability to ensure that victim survivors are not unduly exposed to increased risk by way of perpetrators accessing information about them.11 See IPP 6.7 for more information about providing reasons for denying access or refusal to correct personal information.
In addition to the above exceptions from the IPPs under the scheme, the Victorian Data Sharing Act 2017 makes an amendment to IPP 10.1(b), which allows entities to collect sensitive information where either authorised or required by law. In the context of family violence information sharing, this means that ISEs are not required to obtain consent from a perpetrator or alleged perpetrator before collecting sensitive information about them (such as criminal record information). ISEs are also not required to gain consent from any person before collecting sensitive information about them in relation to a child victim survivor.
For more information about information sharing under the FVP Act, refer to OVIC’s Family violence information sharing scheme and privacy law FAQs.
Child Wellbeing & Safety Act
Section 15B of the PDP Act contains exemptions from complying with certain IPPs for the purposes of information sharing under the Child Wellbeing and Safety Act 2005 (CWS Act).
ISEs are exempt from collecting information directly from the relevant individual under IPP 1.4 for the purposes of Part 6A of the CWS Act, which relates to information sharing. Child Link users are also exempt from IPP 1.4 when collecting personal information for the purposes of the Child Link Register.12 This means that ISEs and Child Link users are not required to collect personal information about a person directly from them, and can instead collect the information from another ISE.
ISEs are exempt from notifying individuals when personal information has been collected from another person under IPP 1.5 when collecting personal information for the purposes of Part 6A of the CWS Act, to the extent that compliance with IPP 1.5 would be contrary to the promotion of the wellbeing or safety of a child (to whom the information relates) – see s 15B(2) of the PDP Act. This exemption removes the obligation on ISEs to take reasonable steps to notify individuals that their personal information has been collected from another ISE.
Child Link users are exempt from IPP 1.5 where personal information is collected for the purposes of Part 7A of the CWS Act – see s 15B(3) of the PDP Act. This exemption also removes the requirement of Child Link users to notify individuals of indirect collection, where providing notice would be contrary to the promotion of a child’s wellbeing or safety.
ISEs may refuse to disclose confidential information under IPP 6, where an individual has requested access to their personal information, if they believe on reasonable grounds that access to the information would result in an increased safety risk to children.13 See IPP 6.7 for more information about providing reasons for denying access or refusal to correct personal information.
ISEs are exempt from IPP 10.1 when collecting sensitive information under Part 6A of the CWS Act. Concurrently, Child Link users are also exempt from IPP 10.1 when collecting sensitive information under Part 7A of the CWS Act.14 This means that sensitive information can be collected despite the restrictions under IPP 10.1.
When sharing information under Parts 6A and 7A of the CWS Act, the IPPs will not apply to the collection, use or disclosure of personal, sensitive or health information by an information sharing entity, to the extent that the IPP requires the consent of the person to whom the information relates.15 In practice, ISEs will not be required to obtain consent from any person prior to collecting information, including sensitive information under IPP 10.1, if they are sharing in accordance with the scheme.
It is important to note that the notice requirements under IPP 1.3 continues to apply to ISEs. When an ISE is collecting information directly from an individual, they are required to take reasonable steps to make the individual aware of particular matters at or before the time the information is collected, or as soon as practicable after.
For more information about information sharing under the CWS Act, refer to OVIC’s Child information sharing scheme and privacy law FAQs.
Section 12 of the PDP Act provides that nothing in the Act, the IPPs or a protective data security standard applies to personal information contained in a document that is:
- a generally available publication;
- kept in a library, gallery or museum for the purposes of reference, study or exhibition;
- a public record under the control of the Keeper of Public Records and available for public inspection in accordance with the Public Records Act 1973; or
- archives within the meaning of the Copyright Act 1968 (Cth).
A generally available publication is defined in s 3 of the PDP Act as ‘a publication (whether in paper or electronic form) that is generally available to members of the public and includes information held on a public register’. Whether information that is publicly-available can be considered to be part of a ‘generally available publication’ will depend upon the context in which the information appears. In the case of online information, the following factors can assist in determining whether information is in a ‘generally available publication’:
- the nature of the information
- the prominence of the web page on which it is located
- the likelihood of access by members of the public; and
- the steps needed to obtain that access.16
In Jurecek v Director, Transport Safety Victoria, the Supreme Court of Victoria found that an individual’s Facebook ‘chats’ and ‘posts’ did not constitute a ‘generally available publication’, even though it could be accessed via Facebook by anybody. Justice Bell said:
‘That information, otherwise personal, might be accessible on some Facebook by anybody does not necessarily mean that the information is a generally available publication; equally, that information, otherwise personal, might be accessible somewhere on the Internet by anyone does not necessarily mean that the information is a generally available publication …
Mere publication of information on Facebook or the Internet does not, in my view, necessarily make it a ‘generally available publication’.
Examples of ‘generally available publications’
Sentencing remarks published on Austlii’s website
In DNV v Department of Health and Human Services17 the Tribunal considered whether sentencing remarks published on Austlii’s website (that included the complainant’s name) were exempt from the PDP Act. It found that the name was contained in a ‘generally available publication’ at the time the complainant’s information was used and disclosed by Department. This finding was made despite subsequent pseudonymisation of the complainant’s name.
Public registers will usually be regarded as a ‘generally available publication’, 18 and subject to this exemption. However, s 12 does not wholly exclude information contained in public registers from privacy protection. Section 20(2) provides that public sector agencies and councils administering public registers must, so far as is reasonably practicable, not do an act or engage in a practice that would contravene an IPP in respect of any personal information handled. Essentially, the Act’s intention is for the IPPs to apply ‘so far as is reasonably practicable’ to personal information held on public registers. Such information is collected, often compulsorily, and held for particular purposes. The Act recognises that while public register information should be able to be used for the legitimate purposes for which it is collected, unrelated uses (which are not permitted by the IPPs) are generally treated as interferences with privacy.
The PDP Act provides a number of mechanisms allowing organisations to depart from the IPPs, or to clarify their operation. The relevant mechanisms under the PDP Act are:
- Public Interest Determinations (PID);
- Temporary Public Interest Determinations (TPID);
- Information Usage Arrangements (IUA); and
- certification of an act or practice.
Public Interest Determination and Temporary Public Interest Determinations
A Public Interest Determination (PID) and a Temporary Public Interest Determination (TPID) are a written determination by the Information Commissioner, which permits an act or practice that would otherwise have been a breach of the IPPs, while the PID or TPID is in place.
Information Usage Agreements
Information Usage Arrangements (IUA) can modify the application of IPPs or codes of practice or provide that the practice does not need to comply with them (except IPPs 4 and 6). IUAs can also permit handling personal information for the purposes of an information handling provision.
It is anticipated organisations will mostly seek approval of IUAs to allow personal information to be used or disclosed for a purpose or to entities that were not anticipated at the time the information was collected.
The Information Commissioner can certify that an act or practice is consistent with:
- an Information Privacy Principle; or
- an approved code of practice; or
- an information handling provision.19
Certification of an act or practice means the organisation that does an act or engages in a practice in good faith in accordance with the certification does not contravene the relevant IPP, approved code of practice or information handling provision.20
For more detailed information on flexibility mechanisms, refer to the Guidelines to Public Interest Determinations, Temporary Public Interest Determinations, Information Usage Arrangements and Certification.
- See also: Guidelines for outsourcing in the Victorian public sector Accompanying guide, OVIC, May 2017 https://ovic.vic.gov.au/resource/guidelines-for-outsourcing-in-the-victorian-public-sector-accompanying-guide/
- s 5, PDP Act.
- The IPPs, like many modern data protection and information privacy standards, can be traced in part at least to the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980).
-  VSC 350 at , citing R v Trade Practices Tribunal; Ex parte Tasmanian Breweries Pty Ltd (1970) 123 CLR 361 at 374.
- (1997) 145 ALR 682, 685-6.
- Harrison v Victorian Building Authority (Human Rights)  VCAT 1791 (11 November 2015) at .
- Zeqaj v Victoria Police (Human Rights)  VCAT 1733 (20 November2018) at  – .
- An ISE is defined under section 144D of the Family Violence Protection Act 2008 (FVP Act) to be a person or body prescribed, or a class of person or body prescribed, to be an information sharing entity. See the relevant section of the FVP Act for more information.
- The CIP is a secure statewide service that collates information relevant to family violence risk assessment and risk management.
- s144QA of the FVP Act
- Where it is safe to do so, an ISE may grant a request for access or correction under IPP 6 from a perpetrator (for example, where a person has been incorrectly identified as a perpetrator of family violence and wishes to correct any records accordingly). Where a perpetrator has been incorrectly identified and does not present a risk of committing family violence, their rights of access and correction will be the same as for any other person under the scheme. See page 114 of the Guidelines for more information.
- See s 46B of the CWS Act for further information about the Child Link Register. A Child Link User is a person who is authorised to access the Child Link Register as specified in Part 7A of the CWS Act.
- Section 41ZF of the CWS Act.
- Section 15B(4) of the PDP Act.
- Section 15B(5) of the PDP Act.
- Jurecek v Director, Transport Safety Victoria  VSC 285, Bell J at  – this was specifically looking at information contained on a website (Facebook)
- DNV v Department of Health and Human Services (Human Rights)  VCAT 1569
- See Taylor v Victorian Institute of Teaching (Human Rights)  VCAT 1290 (Human Rights)  VCAT 1290.
- s 55, PDP Act.
- s 55(4), PDP Act.