Frequently asked questions
The Information Privacy Principles
What do the Information Privacy Principles say?
The Information Privacy Principles (IPPs) outline how Victorian public sector organisations can collect, manage, use and disclose personal information. Being principles, the IPPs operate at a high level, establishing a set of broad obligations that organisations must comply with, but in most cases not specifying the precise detail of how those obligations should be met. In very broad terms, they cover:
- when, how and from whom personal information can be collected (IPP 1);
- how personal information can be used and disclosed (IPP 2);
- what kinds of steps need to be taken to keep personal information accurate, up to date and secure (IPPs 3 and 4);
- your right to access and correct your personal information (IPP 6);
- when and how ‘unique identifiers’, which can facilitate data matching, are used to identify you (IPP 7);
- an individual having the option of transacting anonymously or using a pseudonym where practicable (IPP 8);
- ensuring that privacy protections are still maintained when personal information travels outside Victoria (IPP 9); and
- special protections for certain specified categories of information (IPP 10).
Who must comply with the Information Privacy Principles?
The Information Privacy Principles apply to all Victorian public sector organisations, including Victorian government departments, local councils, statutory offices, government schools, universities and TAFEs. The Privacy and Data Protection Act 2014 (Vic) can also apply to private or community sector organisations who are carrying out functions for or on behalf of a Victorian public sector organisation.
Who doesn’t have to comply with the Information Privacy Principles?
Individuals acting in their personal capacity do not have to comply with the Information Privacy Principles (IPPs). This is because the Privacy and Data Protection Act 2014 (Vic) (PDP Act) only applies to Victorian government organisations, local councils and contracted service providers to government or councils. Unless an individual is acting in an official capacity for an organisation that is covered by the PDP Act, they don’t have to comply.
Unless they are carrying out functions for or on behalf of a covered organisation, private organisations (such as insurance companies, banks, real estate agents and telecommunications providers) aren’t covered by the PDP Act, and so don’t need to comply with the IPPs. Similarly, Australian government agencies (such as Centrelink and the Tax Office) are not covered by the PDP Act and so don’t need to comply with the IPPs.
Note: Australian government agencies and private organisations may need to comply with the Privacy Act 1988 (Cth), which has its own set of privacy principles called the Australian Privacy Principles (APPs). The APPs are similar to the IPPs, but not the same. If you have questions about the APPs, or if you would like to make a complaint about an Australian government agency or a private organisation, you can contact the Office of the Australian Information Commissioner on 1300 363 992 or view their website for more information.
Can I make a complaint about the handling of my health information?
Yes, but not to this office. When organisations are handling health information, they must comply with the Health Privacy Principles (HPPs), which are set out in the Health Records Act 2001 (Vic). The HPPs are similar to the IPPs, but not the same. If you have questions about the HPPs, or if you would like to make a complaint about the handling of health information, you can contact the Victorian Health Complaints Commissioner on 1300 582 113 or view their website for more information.
What is 'health information'?
Health information is defined in the Health Records Act 2001 (Vic) to mean any information about a person’s:
- physical, mental or psychological health;
- use and future use of health services;
- wishes regarding specific health services or treatments;
- personal information collected in relation to the provision of health services; or
- genetic information.
Examples of records containing health information include hospital admission forms, medical histories, test results, sick leave certificates, medication lists and more.
Making a privacy complaint
Do I need to complain to the organisation first?
If you have not attempted to resolve your complaint with the organisation directly, you should do this before making a complaint to us. All organisations should have a designated Privacy Officer who can receive your complaint and help you resolve it.
When you complain to an organisation, be sure to give them time to respond and remember to keep a copy of what you sent them. It’s best if you can outline:
- how you believe your privacy has been breached;
- the effect the breach has had on you; and
- what you would like the organisation to do in response to your complaint (see our guide to identifying realistic outcomes in privacy complaints).
If you’re having trouble making a complaint to an organisation, or if you’re not sure where to direct your complaint, contact us.
What if I’m not satisfied with the organisation’s response?
If an organisation does not respond to your privacy complaint within approximately 30 days, or you are unsatisfied with their response, you can then bring your complaint to us. This must be done in writing by completing our complaint form and sending it to us by post or email. If you would like to fill out our form in hardcopy and you don’t have a printer, let us know and we can send a form to you by post.
If you have difficulty completing the form or formulating your complaint, our staff are available to assist you.
Who can make a privacy complaint?
Ordinarily, you can only complain about an act that is a breach of your own privacy. Individuals can, however, appoint representatives to make their complaint on their behalf. A representative can be a lawyer, or they could be a family member or a friend.
Where a single act or practice has interfered with the privacy of two or more people, the Privacy and Data Protection Act 2014 (Vic) allows for a complaint to be made by one of those individuals on behalf of the whole group, but only with their consent.
Can a complaint be made by or on behalf of a minor?
There are special provisions in the Privacy and Data Protection Act 2014 (Vic) that allow for the making of complaints by and on behalf of minors. These allow minors to make complaints in their own name, or for complaints to be made on behalf of a minor by a parent, a chosen representative, or any other individual who the Information Commissioner is satisfied has a sufficient interest in the complaint. A minor who is capable of understanding the general nature and effect of choosing a representative may do so even if they are otherwise incapable of exercising powers.
Can a complaint be made by or on behalf of a person with a disability?
If a person is unable to complain because of a disability, the Privacy and Data Protection Act 2014 (Vic) allows for their complaint to be made by another individual authorised by that person. If a person with a disability is unable to authorise another individual, their complaint may be made by any other individual who the Information Commissioner is satisfied has a sufficient interest in the complaint.
Do I need a lawyer to make a privacy complaint?
No. Most people who bring complaints to us do not have lawyers. The conciliation process is designed to be accessible to anyone, and our staff will guide you through the process. However, it is important to remember that our staff must remain independent — they cannot represent you, or tell you what to do. If you want to seek legal advice you can do so at any time.
What happens if my complaint can’t be resolved?
If we don’t think that we can resolve your complaint through conciliation, we will write to you (and the organisation you complained about) to explain why. This might be because we decline to entertain your complaint for one of the reasons outlined above, or it might be because we have decided that conciliation is inappropriate or has failed. If we can’t resolve your complaint, you may choose:
- to have the matter referred to the Victorian Civil and Administrative Tribunal for hearing and determination, or
- not to pursue the matter further, or to pursue it through some other legal or political mechanism, rather than as a privacy complaint under the Privacy and Data Protection Act 2014 (Vic).
What is Conciliation?
Conciliation is a form of alternative dispute resolution, similar to mediation. Conciliation processes can vary in different contexts, but they usually involve an independent person with expert knowledge (the conciliator) helping the parties to identify and agree on a fair resolution of their dispute.
The conciliator does not adjudicate or otherwise determine the outcome of your dispute. However, if required, a conciliator may use their expert knowledge of the legislative context and apply the relevant provisions of the law to challenge positions or raise relevant issues for consideration. That means a conciliator might talk to the parties about the reasonableness of their demands and arguments, or provide an opinion on matters relevant to the dispute, such as the interpretation of the Information Privacy Principles or the prospects of the complaint succeeding if referred to the Victorian Civil and Administrative Tribunal (VCAT).
Conciliation is voluntary and facilitated by one of our staff members acting as the conciliator. Conciliation may be conducted indirectly, over the phone, or at a face-to-face meeting. One of the many advantages of conciliation is that it is confidential — any evidence of things said or done in conciliation is not admissible before VCAT or in other legal proceedings, unless you and the organisation agree.
Why conciliate privacy complaints?
Conciliation is the fastest, cheapest and easiest method of resolving privacy complaints. If we can’t resolve your complaint through conciliation, the next step is to have the matter referred to the Victorian Civil and Administrative Tribunal (VCAT) for hearing. That process can be stressful and expensive for both parties.
That is why the Privacy and Data Protection Act 2014 (Vic) requires privacy complaints to come to us first, before they can be referred to VCAT. The Information Commissioner is required to make all reasonable endeavours to conciliate the complaint where there is a chance the complaint can be resolved through conciliation.
Is conciliation like an investigation? Or a court or tribunal?
None of the above. Conciliation is more like a guided mediation than an investigation or a hearing before a court or tribunal. Though legal arguments or factual details may be relevant in a conciliation, they should not be the primary focus. The goal of conciliation is to try and resolve complaints, and parties don’t need to agree on every fact or issue in order to resolve a complaint.
What are the benefits of conciliation? Do I have to participate?
Conciliation is a voluntary process and you do not have to participate, though we would encourage you to consider it. Conciliation provides you with an opportunity to ‘have your say’ about what has happened in your complaint. It is also an opportunity to resolve your complaint without having to go through the time, stress and monetary costs of a hearing at the Victorian Civil and Administrative Tribunal.
If you do not want to participate, or have any concerns about the process, please discuss this with the Conciliator assigned to your complaint at the earliest possible stage.
What if conciliation is inappropriate?
If the Information Commissioner does not consider it reasonably possible that a complaint may be conciliated successfully, the parties will be notified and conciliation will not proceed.
Examples of this include:
- the parties indicate a refusal to participate in the process;
- the relationship between two parties is so poor that it makes resolution not reasonably possible; or
- any party displays unacceptable and/or threatening behaviour.
If this happens, the complainant may ask the Commissioner to refer the complaint to the Victorian Civil and Administrative Tribunal for hearing. A referral request must be in writing, and must be made within 60 days of receipt of notification that conciliation is inappropriate.
What does the Conciliator do?
The Conciliator (a staff member trained in alternative dispute resolution processes and the Privacy and Data Protection Act 2014 (Vic)) organises and chairs a discussion between the two parties to help each party put its point of view forward and come up with ways to resolve the dispute.
The Conciliator must remain impartial and independent, and cannot force either party to accept a particular outcome. However, the Conciliator can make suggestions on how to resolve the complaint, or provide their expert opinion on matters related to the dispute. For example, the Conciliator can discuss how the PDP Act works, how the Information Privacy Principles may apply in the circumstances, and how the Victorian Civil and Administrative Tribunal might approach the matter based on previous complaints.
What things can’t a Conciliator do?
The Conciliator cannot:
- make an individual or an organisation do something (or agree to something);
- provide legal advice to either party; or
- tell you what you should or should not do (for example, whether you should or should not accept an offer).
Complainants from non-English speaking backgrounds
As conciliation is an opportunity for both parties to discuss what has occurred and how to resolve a matter, it is important that you understand what is discussed and feel confident communicating during the process.
Please tell your conciliator if you have difficulty communicating in English or prefer to speak in a language other than English. We can arrange an interpreter at no cost to you. Interpreters are required to maintain confidentiality at all times.
What types of conciliation are there?
The Conciliator can conduct the conciliation process in two ways:
- Indirect – where negotiation occurs through the Conciliator (also referred to as ‘shuttle negotiation’). This is the most common form of conciliation conducted.
- Direct – the two parties meet (either in person or by telephone) together with the Conciliator to try and resolve the complaint.
The Conciliator will decide on the best approach to conciliation in each case. If you have any concerns or preferences as to the form of conciliation that is undertaken, you should discuss them with the Conciliator.
Are conciliations confidential?
Yes. We expect that all parties to a complaint treat information that is obtained in the course of conciliation in confidence. That is, we expect that such information is not used or disclosed for purposes outside of conciliation through this office.
Additionally, section 70 of the Privacy and Data Protection Act 2014 (Vic) states that evidence of things said or done in conciliation is not admissible before the tribunal or other legal proceedings, unless the parties agree. This means you can talk openly about the complaint in conciliation without being worried that what you say can be used against you later if the matter proceeds to the Victorian Civil and Administrative Tribunal. This extends to discussions, letters, telephone calls or things said and done in a meeting.
As far as practicable, we will also treat any information we receive during the course of a conciliation in confidence. In order to facilitate the conciliation process, we will give a high-level summary of each party’s respective position to the other party throughout the process, but we will not disclose any documents that a party submits to the other party without consent.
Nevertheless, conciliation works best whenever both parties actively engage in a constructive and open dialogue and we will often ask for consent to pass documents on to the other party.
If an agreement is reached, the parties can decide whether they want to make the agreement confidential.
What happens during a conciliation meeting?
Usually, a conciliation meeting starts with each party meeting with the Conciliator separately, so that the Conciliator can explain the ground rules, and each party can ask questions about the process. A ‘joint session’ then occurs where both parties are given a chance to put their side of the complaint forward and discuss the matter in a respectful manner.
After this, the Conciliator will talk with each party separately in ‘private sessions’ to review what happened in the joint session and discuss ways to resolve the complaint.
The Conciliator may then conduct a shuttle negotiation between both parties, or bring both parties back together again in another joint session so that the parties can discuss ways of resolving the complaint directly.
Conciliation meetings are usually about three hours in length.
What should I talk about?
Conciliation is an opportunity to talk to the organisation directly about your complaint. It can be helpful if you can explain what effect the complaint has had on you. The organisation might know what happened, but not the impact it has had on you.
Conciliation is also an opportunity to ask questions and get to understand the issue from the organisation’s point of view. Organisations are expected to bring representatives who understand the factual issues and organisational processes that are involved in your complaint. This makes conciliation a good environment to ask questions, and hear why things might have been done in a particular way, or what an organisation is doing to fix a particular issue.
Can I bring a lawyer? / Should I bring a lawyer?
The conciliation process doesn’t require lawyers, but they can play a positive role in helping you prepare and participate in a conciliation process. For example, a lawyer might be able to assist you to understand and articulate how the law applies to your complaint, or to identify, prioritise and explore options for resolving your complaint.
A lawyer might also help you to understand your options if your complaint is not resolved through conciliation, including helping you understand the potential risks and benefits of pursuing your complaint at the Victorian Civil and Administrative Tribunal.
The Conciliator will decide whether it is appropriate for an advocate or lawyer to participate in conciliation, and what role they will play. This decision will be made on a case by case basis, in consultation with both parties and with a view to ensuring the conciliation process is fair, equitable and constructive.
If you would like to bring a lawyer, you should discuss this with the Conciliator at the earliest possible opportunity.
Can I bring a support person?
Yes, you can. A support person is someone who can attend a conciliation with you to provide support. They might help you to understand or process the issues in the dispute or simply help you feel more comfortable in a conciliation meeting. A support person should not advocate or talk on your behalf, but they can prompt you if you forget something you want to talk about.
A support person should be someone you feel comfortable with, but who is not involved in the dispute. They may be a friend, relative, colleague, teacher, social worker or other service provider. The OVIC conciliator may exclude a support person if their presence is unhelpful to the process of conciliation.
If you would like to bring a support person, you should discuss this with the Conciliator at the earliest possible opportunity.
How should I prepare for a conciliation meeting?
In preparing for a conciliation meeting, you should:
- Review your complaint and any response or correspondence that you have received from the organisation.
- Understand how the Information Privacy Principles (IPPs) apply to your complaint. You can read more about the IPPs here. The Conciliator can also help you to understand how the IPPs might apply.
- Understand what might happen if the complaint can’t be resolved in conciliation. The Conciliator can explain this to you.
- Think about what you want to say to the organisation. During the conciliation you’ll have an opportunity to tell your story and explain how the interference with your privacy has affected you.
- If you have any documents you would like to discuss, or specific questions you would like answers to, it is a good idea to provide them to the Conciliator in advance so that they can provide them to the organisation and ensure they come prepared.
- Think about how you would like the complaint to be resolved and be prepared to explain why you think this is fair. Try to have a number of different options in mind, and think about how far you may be willing to compromise to resolve the complaint. Making a list in order of importance is helpful. Try to be open to alternative solutions too — sometimes the parties to a complaint come up with new and creative ways of resolving their dispute during the course of the conciliation meeting. We have published a separate guide to identifying realistic outcomes in privacy complaints which can be viewed here.
- Consider getting advice from a lawyer, if you feel this is necessary. If you get advice from a lawyer you will need to pay for this yourself. You may be able to get free legal advice from a Community Legal Centre or industry group.
- Consider if you want to bring a support person or lawyer to the meeting, and if you do, discuss it with the Conciliator.
What if there is no agreement on the day?
If the Conciliator believes that it is possible the parties may reach agreement, he or she can adjourn the conciliation and arrange another meeting to continue the process, or continue the process indirectly, through the Conciliator.
Alternatively, if further attempts to conciliate the complaint are unlikely to be successful, the Commissioner will terminate the process and notify the parties that conciliation has ‘failed’.
What happens when an agreement is reached?
If agreement is reached, either party can request it be put in writing (within 30 days after agreement). This will generally be prepared by the Conciliator and sent to both parties for signature. The Commissioner certifies the agreement and provides a certified copy to each party. Any party can seek to have the agreement registered at the Victorian Civil and Administrative Tribunal (VCAT). If registered, the agreement becomes an order of VCAT.
What happens if an agreement cannot be reached?
If the parties cannot reach an agreement through conciliation, the Commissioner will notify both parties in writing that conciliation has failed.
If this happens, you may ask the Commissioner to refer your complaint to the Victorian Civil and Administrative Tribunal (VCAT) for hearing. Your referral request must be in writing and within 60 days from when you receive notification that conciliation has failed. We will generally have no involvement after referral of a complaint to VCAT and cannot assist you in preparation of legal documents before VCAT.