Information Privacy Principles

The 10 Information Privacy Principles (IPPs) are the core of privacy law in Victoria, setting out the minimum standards for how Victorian public sector bodies should handle personal information. They are contained in Schedule 1 to the Privacy and Data Protection Act 2014.

With limited exceptions, all Victorian government organisations, contracted service providers and local councils must comply with these principles. Each IPP is summarised briefly below.

For more detailed guidance, case notes and examples, please refer to the Guidelines to the Information Privacy Principles.

A short guide to the IPPs in everyday English, and a copy of the IPPs as they appear in Schedule 1 of the PDP Act, are both available for download.

The Information Privacy Principles

IPP 1: Collection

An organisation can only collect personal information if it is necessary to fulfil one or more of its functions. It must collect information only by lawful and fair means, and not in an unreasonably intrusive way. It must provide notice of the collection, outlining matters such as the purpose of collection and how individuals can access the information. This is usually done by providing a Collection Notice, which should be consistent with an organisation’s Privacy Policy.

IPP 2: Use and Disclosure

Personal information can only be used and disclosed for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual’s consent, for a law enforcement purpose, or to protect the safety of an individual or the public.

IPP 3: Data Quality

Organisations must keep personal information accurate, complete and up to date. The accuracy of personal information should be verified at the time of collection, and periodically checked for as long as it is used and disclosed by the organisation.

IPP 4: Data Security

Organisations need to protect the personal information they hold from misuse, loss, unauthorised access, modification or disclosure. An organisation must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed. For more information on what constitutes ‘reasonable steps’, please see the Guidelines to protecting the security of personal information: ‘Reasonable Steps’ under Information Privacy Principle 4.1.

IPP 5: Openness

Organisations must have clearly expressed policies on the way they manage personal information. Separate guidance is available on drafting a Privacy Policy. Individuals can ask to view an organisation’s Privacy Policy.

IPP 6: Access and Correction

Individuals have the right to seek access to their own personal information and to make corrections to it if necessary. An organisation may only refuse in limited circumstances that are detailed in the PDP Act, for example where disclosure might threaten the safety of an individual. The right to access and correction under IPP 6 will apply to organisations that are not covered by the Freedom of Information Act 1982.

IPP 7: Unique Identifiers

A unique identifier is an identifier (usually a number) that is used for the purpose of identifying an individual. Use of unique identifiers is only allowed where an organisation can demonstrate that the assignment is necessary to carry out its functions efficiently. There are also restrictions on how organisations can adopt unique identifiers assigned to individuals by other organisations. Further guidance on unique identifiers is available separately.

IPP 8: Anonymity

Where lawful and practicable, individuals should have the option of transacting with an organisation without identifying themselves.

IPP 9: Transborder Data Flows

If an individual’s personal information travels outside Victoria, the privacy protection should travel with it. Organisations can only transfer personal information outside Victoria in certain circumstances, for example, if the individual consents, or if the recipient of the personal information is subject to a law or binding scheme that is substantially similar to the Victorian IPPs.

IPP 10: Sensitive Information

The PDP Act places special restrictions on the collection of sensitive information. This includes racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences or practices, and criminal record. Organisations can only collect sensitive information under certain circumstances.
