Information Privacy Principles
The 10 Information Privacy Principles (IPPs) are the core of privacy law in Victoria, setting out the minimum standards for how Victorian public sector bodies should handle personal information. They are contained in Schedule 1 to the Privacy and Data Protection Act 2014.
With limited exceptions, all Victorian government organisations, contracted service providers and local councils must comply with these principles. Click on each IPP below to read a brief overview.
For more detailed guidance, case notes and examples, please refer to the Guidelines to the Information Privacy Principles.
You can download the short guide to the IPPs in everyday English here.
You can download a copy of the IPPs as they appear in Schedule 1 of the PDP Act here.
The Information Privacy Principles
IPP 1 – Collection
IPP 2 – Use and Disclosure
Personal information can only be used and disclosed for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual’s consent, for a law enforcement purpose, or to protect the safety of an individual or the public.
IPP 3 – Data Quality
Organisations must keep personal information accurate, complete and up to date. The accuracy of personal information should be verified at the time of collection, and periodically checked as long as it is used and disclosed by the organisation.
IPP 4 – Data Security
Organisations need to protect the personal information they hold from misuse, loss, unauthorised access, modification or disclosure. An organisation must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed. For more information on what constitutes ‘reasonable steps’, please see the Guidelines to protecting the security of personal information: ‘Reasonable Steps’ under Information Privacy Principle 4.1.
IPP 5 – Openness
IPP 6 – Access and Correction
Individuals have the right to seek access to their own personal information and to make corrections to it if necessary. An organisation may only refuse in limited circumstances that are detailed in the PDP Act, for example where disclosure might threaten the safety of an individual. The right to access and correction under IPP 6 will apply to organisations that are not covered by the Freedom of Information Act 1982.
IPP 7 – Unique Identifiers
A unique identifier is an identifier (usually a number) that is used for the purpose of identifying an individual. Use of unique identifiers is only allowed where an organisation can demonstrate that the assignment is necessary to carry out its functions efficiently. There are also restrictions on how organisations can adopt unique identifiers assigned to individuals by other organisations. Click here for further information on unique identifiers.
IPP 8 – Anonymity
Where lawful and practicable, individuals should have the option of transacting with an organisation without identifying themselves.
IPP 9 – Transborder Data Flows
If an individual’s personal information travels outside Victoria, the privacy protection should travel with it. Organisations can only transfer personal information outside Victoria in certain circumstances, for example, if the individual consents, or if the recipient of the personal information is subject to a law or binding scheme that is substantially similar to the Victorian IPPs.
IPP 10 – Sensitive Information
The PDP Act places special restrictions on the collection of sensitive information. This includes racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences or practices, and criminal record. Organisations can only collect sensitive information under certain circumstances.