Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

Privacy Policies

Victorian public sector organisations subject to Part 3 of the Privacy and Data Protection Act 2014 (PDP Act) are required to adhere to the Information Privacy Principles (IPPs). The IPPs set out the minimum standards for the handling of personal information in the Victorian public sector.

IPP 5 requires an organisation to have a document that clearly sets out its policies on the management of personal information, and to make it available to anyone that asks for it. This document is commonly referred to as a privacy policy.

WHAT IS A PRIVACY POLICY?

A privacy policy is a general statement about how an organisation manages personal information. It demonstrates the organisation’s commitment to privacy by explaining how it adheres to its privacy obligations.

In addition to meeting the requirements of IPP 5, other benefits of having a privacy policy include:

  • helping employees understand how personal information should be handled;
  • preventing the unnecessary collection or unlawful use or disclosure of information; and
  • promoting greater public confidence in the organisation’s handling of personal information.

In some cases, depending on the range and diversity of its core functions, an organisation may choose to produce more than one privacy policy. For example, a large department with a number of business units may have multiple privacy policies to cover the department’s distinct functions and information handling practices.

PRIVACY POLICIES AND COLLECTION NOTICES

Although they both inform individuals about how an organisation will manage their personal information, privacy policies and collection notices are different.

A privacy policy speaks about an organisation’s information management practices in a broad sense, whereas a collection notice outlines an organisation’s information handling practices for a specific purpose or activity.

For example, when collecting personal information from an individual who is registering their pet, a local council will provide the pet owner with notice about how it will handle that specific information. This is different to the council’s privacy policy, which will outline the council’s commitment to information management in a general sense.

For more information about collection notices, see OVIC’s Collection notices resource.

WHAT SHOULD A PRIVACY POLICY CONTAIN?

When drafting a privacy policy, it is important to look at the different ways that the organisation collects personal information, and how that information flows through the organisation.

A privacy policy should consider all the different ways that personal information may be collected – for example, via telephone, websites, or paper-based collection.

General privacy policies do not need to be technology specific, however organisations may wish to include specific sections, or create stand-alone policies, to reflect their use of particular technologies or programs.

For example, a privacy policy may reference an organisation’s collection of information from individuals who visit their website and contain a distinct section about how this information is handled; alternatively, organisations may choose to develop a separate website privacy policy.

Privacy policies should reflect an organisation’s own authorising environment and operational practices. As such, each organisation’s privacy policy will be different.

Organisations may choose to outline their information handling practices by reference to the IPPs. A privacy policy should not simply re-state each of the principles but demonstrate the steps that the organisation takes to adhere to each of the IPPs.

At a minimum, a privacy policy should include:

  • the identity of the organisation;
  • the organisation’s main functions and the types of personal information it generally collects to fulfil those functions;
  • how the organisation uses and shares the personal information it collects, including the types of third parties the information may be shared with;
  • whether collection of personal information is compulsory or optional (including referring to any relevant legislation that authorises the collection, use or disclosure of the information);
  • how the organisation securely stores and manages access to the personal information, and for how long it may be stored;
  • how privacy is protected if the information is transferred or stored outside Victoria;
  • the date and version of the policy; and
  • how an individual can contact the organisation, request access to the information held about them, or make a privacy complaint.

DRAFTING AN EFFECTIVE PRIVACY POLICY

The underlying principle of IPP 5 is transparency. It is therefore important that privacy policies are clear and easily understandable.

Some ways to ensure an effective privacy policy include:

  • use plain language – for example, short, clear sentences and familiar, plain English words;
  • avoid legal jargon or technical terminology;
  • be specific about the organisation’s functions and how it will use the personal information it holds – avoid using general ‘catch-all’ terms or replicating other organisations’ privacy policies;
  • provide sufficient information – having a concise privacy policy can be effective, however it also needs to contain enough detail to allow individuals to understand how their personal information will be handled; and
  • be user-friendly – avoid large slabs of text and consider organising the privacy policy into sections with clear headings.

LAYERING PRIVACY POLICIES

Where appropriate, an organisation may decide to ‘layer’ its privacy policy. This may involve, for example, providing a brief summary of the organisation’s privacy policy on a form, sign, or poster, and then referring, or providing a link to the full privacy policy. A layered approach informs individuals about the existence of the organisation’s privacy policy and allows them to seek further information if they wish.

HEALTH INFORMATION

Some organisations may collect and handle health information in addition to other personal information. However, this does not necessarily require two separate privacy policies. The Health Records Act 2001 contains Health Privacy Principles (HPPs) that are similar to the IPPs in the PDP Act. Organisations may prefer to develop one privacy policy that addresses the principles in both Acts. For more information about the HPPs, organisations should contact the Health Complaints Commissioner.

PUBLISHING A PRIVACY POLICY

There is no specific requirement under the PDP Act for organisations to publish a privacy policy –  only to make it available to anyone who asks for it. However, most organisations will find it practical and cost effective to publish their privacy policy so that individuals can easily find it.

UPDATING A PRIVACY POLICY

Privacy policies should be reviewed regularly and updated when necessary to reflect changes in legislation or information management practices.

When an organisation adopts a new program, system or technology, is assigned new functions, or undergoes a restructure, it is worthwhile re-visiting the privacy policy to ensure that it is still up to date and accurately reflects the flow of information through the organisation.

If an organisation begins to collect more information, or uses or discloses information in new ways, this should be immediately reflected in its privacy policy.

Back to top
Back to Top