The PDP Act – a deep dive
It is crucial to your role that you have a thorough understanding of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) as it sets out your organisation’s privacy obligations. You can find an up-to-date version of the PDP Act online. Part 3 of the Act is particularly relevant as it relates to information privacy.
Information privacy law was first introduced in Victoria through the Information Privacy Act 2000 (Vic) (IP Act) which ushered in the 10 Information Privacy Principles (IPPs). It gave domestic effect to the human right to privacy under article 17 of the International Covenant on Civil and Political Rights (ICCPR), consistent with Australia’s international obligations.
The IPPs were adapted from the former National Privacy Principles under federal privacy legislation – the Privacy Act 1988 (Cth). Those, in turn, drew upon principles set out in the OECD’s ‘Guidelines governing the protection of privacy and transborder flows of personal data.’
The IP Act was replaced by the PDP Act which came into force on 3 September 2014. You may find it useful to look at some of the materials that set out the rationale for the IP Act and how it was designed to be interpreted from the Explanatory Memorandum and Second Reading Speech.
Purposes and Objects of the PDP Act
The PDP Act is designed to provide for the responsible handling of personal information in the Victorian public sector. It aims to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector.
Information Privacy Principles (IPPs) – the focal point
The 10 Information Privacy Principles (IPPs) are the focal point of the PDP Act from a privacy perspective. The IPPs cover ten aspects of the information-handling process.
Section 20 of the PDP Act states that when handling personal information, organisations must not do an act or engage in a practice that contravenes an IPP. Where an organisation does contravene an IPP, this will constitute an interference with privacy.
You can find the 10 IPPs at Schedule 1 of the PDP Act or you can refer to OVIC’s ‘Short guide to the IPPs’. OVIC’s ‘IPP Guidelines’ provide more detailed commentary on how each of the IPPs should be interpreted and applied.
When do the IPPs apply?
The IPPs apply where a public sector organisation handles personal information, unless an exception applies.
a. What is ‘personal information’?
The PDP Act regulates the handling of personal information. Section 3 of the PDP Act defines this as information about an individual who is identified or whose identity is reasonably ascertainable from that information. The information must be recorded. It does not matter whether the information is true or not; opinions are therefore included.
If you are unsure whether the information you are handling is ‘personal information’ check out OVIC’s Checklist for assessing whether information is personal information and whether Part 3 of the PDP Act applies.
b. Which organisations must comply with the IPPs?
Section 13 of the PDP Act defines the ‘public sector organisations’ that are required to handle personal information in accordance with the IPPs.
This includes VPS agencies (such as Departments), local Councils, Victoria Police, Ministers and other bodies and persons carrying out public functions.
However, it also includes some private entities – contracted service providers (CSPs) – but only where they are providing services under a State contract and the contract contains a clause specifying that the CSP will be directly bound by the IPPs. If there is no such clause, the outsourcing organisation will be responsible for any failure by the CSP to comply with the IPPs.
If you are a privacy officer at a VPS organisation or a potential CSP and you are unsure where different obligations and responsibilities lie under a State Contract, you should read OVIC’s IPP Guidelines: ‘Which organisations are covered by the PDP Act?’.
c. Do any of the exemptions apply?
There are nine exemptions set out in the PDP Act which, if they apply, may mean that the IPPs do not apply to your organisation in limited circumstances. They include where:
- your organisation is a Court or tribunal carrying out a judicial or quasi-judicial function (section 10);
- your organisation is a Royal Commission, Board of Inquiry or Formal Review carrying out its function (section 10A);
- your organisation is a Parliamentary Committee carrying out its function (section 11);
- the information in question is generally publicly available (section 12);
- the information is accessible under the Freedom of Information Act 1982 (Vic), in which case IPP 6 will not apply (section 14);
- your organisation is a law enforcement agency and satisfies the conditions in section 15, in which case certain IPPs will not apply;
- your organisation shares information under Part 5A or Part 5B of the Family Violence Protection Act 2008 (Vic), in which case certain IPPs will not apply (section 15A);
- your organisation shares information under Part 6A or Part 7A of the Child Wellbeing and Safety Act 2005 (Vic), in which case certain IPPs will not apply (section 15B); or
- your organisation shares information under Part 6B of the Health Services Act 1988 (Vic), in which case certain IPPs will not apply (section 15C).
For further information about these exemptions, check out OVIC’s detailed commentary in OVIC’s IPP Guidelines: ‘When do the IPPs not apply?’.
How should you interpret and apply the PDP Act and the IPPs?
The IPPs are principle-based and express general standards rather than detailed rules. This provides the IPPs with the flexibility to be adaptable to differing operating environments across the VPS and to changes to technology.
But it also means that you will often have to apply the broad principles to particular facts and circumstances that you come across in your role.
As well as consulting our IPP Guidelines, the sub-sections below may assist you when interpreting and applying the IPPs, as well as other aspects of the PDP Act, in your role.
Remember the Purposes and Objects of the PDP Act
As well as the objects and purposes stated in the PDP Act (covered above), you can find information about the PDP Act’s legislative objectives and intended application in the Explanatory Memorandum to the corresponding Bill and in the Second Reading Speech before the Legislative Assembly of the Victorian Parliament.
Interpret the PDP Act and IPPs ‘beneficially’
The PDP Act is considered to be ‘beneficial legislation’. That is, it is a piece of human rights legislation which can be broadly viewed as conferring a benefit on individuals.
As such, where there is any ambiguity about how aspects of the PDP Act or IPPs should be interpreted, it should be construed to the benefit of the individuals whose rights are at stake.
Interpret the PDP Act alongside other laws relevant to your organisation
In your role you are likely to operate within the context of your organisation’s enabling legislation as well as numerous other pieces of legislation.
The PDP Act is designed to operate alongside other laws like these – to add privacy protections on top of them.
Section 6 of the PDP Act states that where a provision of the PDP Act is inconsistent with a provision in another Act, that other Act will override the PDP Act to the extent of the inconsistency.
However, as the Victorian Supreme Court has recognised, there is a strong presumption that the PDP Act and other Acts can be read harmoniously and can operate at the same time (see example 1 below). Section 6 should only come into play where this is not possible.
This may be the case, for example, where your legislation specifically states that you must deal with personal information in a specific way which may not otherwise have complied with the IPPs (see example 2 below).
Example 1
Section 18 of the Domestic Animals Act 1994 (Vic) (DA Act) requires Councils to keep a register of all registered dogs. The DA Act does not stipulate what information Councils are required to record on this register.
If a Council collects, uses or discloses personal information that is excessive in the circumstances (e.g. the occupation, date of birth or gender of the dog owner) Council cannot rely on section 6 of the PDP Act to say that its obligations to have a public register of all registered dogs means that the IPPs do not apply.
This is because Council could comply with both the requirements of the DA Act and the IPPs by collecting, using and disclosing only that personal information which is necessary and proportionate to Council fulfilling its obligations under s 18 of the DA Act.
Example 2
IPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information where it is no longer needed for any purpose. Under the Public Records Act 1973 (Vic) (PR Act) and associated standards, public statutory bodies are required to retain public records for seven years after their collection.
These provisions should be read together. An organisation is not required to destroy or de-identify personal information while it is required to keep the information by the PR Act: the organisation still needs the information to meet its record keeping obligations. In other words, the organisation will need to keep a copy of the public record for at least 7 years. Only after 7 years will the organisation be required to make a decision about whether its continued retention is required for any legitimate purpose or can be destroyed or permanently de-identified in accordance with IPP 4.2.
However, the organisation will still need to handle the information contained in the public record in accordance with the other IPPs which are not affected by the inconsistency. For example, the organisation cannot try to disclose that information for a secondary purpose not authorised by IPP 2.1.
The Victorian Civil and Administrative Tribunal (VCAT) and the Supreme Court of Victoria have made a number of decisions in relation to privacy complaints. These are useful in interpreting the PDP Act. Below is a list of some of the most pertinent decisions.
- WL v La Trobe City University  VCAT 2592;
- Ng v Department of Education  VCAT 1054;
- Dodd v Department of Education and Training  VCAT 2207;
- Whitfield v Greater Bendigo City Council  VCAT 1756;
- Ogawa v University of Melbourne  VCAT 197;
- CT v Medical Practitioners Board of Victoria  VCAT 1810;
- Little v Melbourne City Council  VCAT 2190;
- M v Department of Human Services  VCAT 456;
- Caripis v Victoria Police  VCAT 1472;
- Gao v Victoria Legal Aid  VCAT 523;
- Taylor v Victorian Institute of Teaching  VCAT 1290;
- Kudleck v Victoria University  VCAT 1971;
- Roberts v Anglicare Victoria  VCAT 1515;
- Matthews v CGU Workers Compensation  VCAT 953;
- Jurecek v Director, Transport Safety Victoria  VSC 285;
- TSJ v Department of Health and Human Services  VCAT 687;
- Harrison v Victorian Building Authority  VCAT 108;
- DNV v Department of Health and Human Services  VCAT 1569;
- Zeqaj v Victoria Police  VCAT 1733;
- Luke Polkinghorne v Warrnambool City Council  VCAT 171;
- SET v Department of Health and Human Services  VCAT 113;
- McLean v Racing Victoria Ltd  VSC 690;
- Tucker v State Revenue Office  VCAT 53;
- Kerig v Victoria University  VCAT 469;
- WOS v Victoria Police  VCAT 1540;
- Huang v Frankston City Council  VCAT 24.
Other relevant aspects of the PDP Act
Codes of practice
Division 3 gives organisations flexibility in the way that they manage personal information. It provides organisations with the option of developing codes of practice to set standards for the way they handle personal information that differ from the IPPs.
The codes must be at least as stringent as the requirements set out in the IPPs and must be approved by the Information Commissioner. To date, no organisation has applied to the Information Commissioner for approval of a code of practice.
Flexibility mechanisms and certification
Divisions 5 and 6 provide a set of mechanisms, in the form of public interest determinations and information usage agreements, which permit organisations to depart from handling information in accordance with the IPPs in limited circumstances.
Division 7 empowers the Information Commissioner to certify an organisation’s information handling practices. This provides certainty to the interpretation and application of the IPPs to the organisation’s information handling practices.
You can find further information about the flexibility mechanisms and certification in OVIC’s Guidelines to Public Interest Determinations. Current flexibility mechanisms that the Information Commissioner has endorsed can also be found online.
Division 8 establishes the mechanism under which individuals whose information privacy has been interfered with may seek redress. It also sets out OVIC’s functions and powers in handling privacy complaints. For further information about complaints, visit the ‘Handling complaints’ section of this toolkit.
Divisions 9 and 10 provide the Information Commissioner with broad powers to assist the Commissioner in handling complaints under Division 8 and in addressing serious contraventions of the IPPs. These powers include issuing a compliance notice and compelling the production of documents or the attendance of a witness.
Further information about OVIC’s powers and how we use those powers is in our Regulatory Action Policy.