Frequently asked questions
The Privacy and Data Protection Act 2014 (Vic) (PDP Act) exists to protect the personal information held by Victorian government organisations. It governs the collection, handling, use, and disclosure of personal information in the Victorian public sector. The PDP Act is administered by the Office of the Victorian Information Commissioner.
Who does the PDP Act apply to?
- public sector agencies;
- local councils;
- courts or tribunals;
- Victoria Police (with some exceptions); and
- contracted service providers (in relation to the services they provide under a State contract).
Does the PDP Act apply to contracted service providers?
Contracted service providers (CSP) may be bound by the Information Privacy Principles (IPPs) contained in Part 3 of the PDP Act where a State contract contains a provision binding the CSP to the IPPs and any applicable code of practice.
The CSP is then bound by the IPPs in the same way and to the same extent as the outsourcing public sector organisation.
If there is no such provision in the State contract, it is the responsibility of the outsourcing public sector organisation to ensure that the CSP upholds the relevant privacy obligations under the PDP Act.
How can my organisation comply with the PDP Act?
- Ensuring that the organisation takes reasonable steps to provide individuals with a collection notice each time personal information is collected from them. This is a requirement under IPP 1.3. For more information about collection notices, see Privacy policies and collection notices.
- Ensuring that personal information is stored and handled securely. Security is an important part of good privacy, reflected in IPP 4. This includes taking steps to implement physical security, ICT security, personnel security, and information security practices. More information on the steps organisations can take to instil good security can be found in the document Guidelines to protecting the security of personal information: ‘Reasonable steps’ under Information Privacy Principles 4.1.
- Conducting a privacy impact assessment (PIA). A PIA is an important tool that can help organisations evaluate compliance with their privacy obligations, and identify any potential privacy risks and mitigation strategies. Further information about PIAs can be found on the Privacy Impact Assessments webpage.
- Ensuring employees are aware of their privacy obligations when handling personal information in the course of their work. Employees should also know where to seek help and guidance within the organisation if necessary. Having a Privacy Officer who can assist with providing advice is therefore valuable and important.
What is the role of a Privacy Officer?
The role of a Privacy Officer is to assist an organisation in complying with the PDP Act and the IPPs. They are the first point of contact within the organisation for all matters related to privacy and personal information.
Privacy Officers may also respond to privacy enquiries and complaints from employees within the organisation, and members of the public. Other responsibilities may include the development of policies around the management of personal information, training staff about privacy matters, assisting with PIAs, and engaging with our office in relation to complaints.
Privacy Officers have an important role to play in promoting an awareness of privacy within an organisation, and ensuring that the organisation upholds its privacy obligations.
We encourage all organisations to have a Privacy Officer.
Is there any scope to depart from compliance with one or more of the IPPs?
- Public Interest Determinations (PIDs)
- Temporary Public Interest Determinations (TPIDs)
- Information Usage Arrangements (IUAs)
My organisation has just discovered a privacy breach – what do we do now?
The important thing to remember is that we are here to help. We encourage voluntary data breach reporting to our office so that we can assist you to contain the breach, assess the impact and prevent similar breaches from occurring in the future. For further information on managing privacy breaches please visit the Responding to data breaches webpage, or contact us to discuss.
In some cases, Victorian public sector organisations may have mandatory breach reporting obligations to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme, such as where tax file number information is involved in a breach. For further information on this scheme please visit the OAIC’s website or see our factsheet on the NDB scheme.