Frequently asked questions

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) exists to protect the personal information held by Victorian government organisations. It governs the collection, handling, use, and disclosure of personal information in the Victorian public sector. The PDP Act is administered by the Office of the Victorian Information Commissioner.

Part 3 of the PDP Act, which relates to information privacy, applies to Victorian public sector organisations, including:
  • public sector agencies;
  • Ministers;
  • local councils;
  • courts or tribunals;
  • Victoria Police (with some exceptions); and
  • contracted service providers (in relation to the services they provide under a State contract).
For a full list of public sector organisations to which Part 3 applies, see section 13 of the PDP Act.

Contracted service providers (CSPs) may be bound by the Information Privacy Principles (IPPs) contained in Part 3 of the PDP Act where a State contract contains a provision binding the CSP to the IPPs and any applicable code of practice.

The CSP is then bound by the IPPs in the same way and to the same extent as the outsourcing public sector organisation.

If there is no such provision in the State contract, it is the responsibility of the outsourcing public sector organisation to ensure that the CSP upholds the relevant privacy obligations under the PDP Act.

For further information on outsourcing and privacy, please see the Guidelines for outsourcing in the Victorian public sector checklist and accompanying guide.

There are several ways that a Victorian public sector organisation can comply, or promote compliance, with the PDP Act, such as:
  • Having a privacy policy that details the organisation’s personal information management practices, and making that policy available to the public. This is a requirement under IPP 5. For more information about privacy policies, see Privacy policies and collection notices.
  • Ensuring that the organisation takes reasonable steps to provide individuals with a collection notice each time personal information is collected from them. This is a requirement under IPP 1.3. For more information about collection notices, see Privacy policies and collection notices.
  • Ensuring that personal information is stored and handled securely. Security is an important part of good privacy, reflected in IPP 4. This includes taking steps to implement physical security, ICT security, personnel security, and information security practices. More information on the steps organisations can take to instil good security can be found in the document Guidelines to protecting the security of personal information: ‘Reasonable steps’ under Information Privacy Principle 4.1.
  • Conducting a privacy impact assessment (PIA). A PIA is an important tool that can help organisations evaluate compliance with their privacy obligations, and identify any potential privacy risks and mitigation strategies. Further information about PIAs can be found on the Privacy Impact Assessments webpage.
  • Ensuring employees are aware of their privacy obligations when handling personal information in the course of their work. Employees should also know where to seek help and guidance within the organisation if necessary. Having a Privacy Officer who can assist with providing advice is therefore valuable and important.

The role of a Privacy Officer is to assist an organisation in complying with the PDP Act and the IPPs. They are the first point of contact within the organisation for all matters related to privacy and personal information.

Privacy Officers may also respond to privacy enquiries and complaints from employees within the organisation, and members of the public. Other responsibilities may include the development of policies around the management of personal information, training staff about privacy matters, assisting with PIAs, and engaging with our office in relation to complaints.

Privacy Officers have an important role to play in promoting an awareness of privacy within an organisation, and ensuring that the organisation upholds its privacy obligations.

We encourage all organisations to have a Privacy Officer.

There are some circumstances where the PDP Act permits an organisation to depart from the IPPs. Some IPPs contain exemptions that authorise organisations to depart from the relevant IPP in certain circumstances. For example, IPP 2 lists eight different instances where organisations are able to use or disclose personal information for purposes other than the primary purpose of collection.
The PDP Act also contains flexibility mechanisms, which permit an organisation to depart from the IPPs (except for IPP 4 and IPP 6) where the Information Commissioner believes there is a substantial public interest in doing so. These mechanisms are:
  • Public Interest Determinations (PIDs)
  • Temporary Public Interest Determinations (TPIDs)
  • Information Usage Arrangements (IUAs)

The important thing to remember is that we are here to help. We encourage voluntary data breach reporting to our office so that we can assist you to contain the breach, assess the impact and prevent similar breaches from occurring in the future. For further information on managing privacy breaches please visit the Responding to data breaches webpage, or contact us to discuss.

In some cases, Victorian public sector organisations may have mandatory breach reporting obligations to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme, such as where tax file number information is involved in a breach. For further information on this scheme please visit the OAIC’s website or see our factsheet on the NDB scheme.
