Certifying an act or practice is consistent with the Information Privacy Principles
This resource provides an overview of certification under section 55 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) and the process of making a request for certification to the Office of the Victorian Information Commissioner (OVIC).
What is certification?
Certification is a discretionary mechanism permitting either the Information Commissioner or Privacy and Data Protection Deputy Commissioner (the Commissioner) to certify that a specified act or practice of a Victorian public sector organisation is consistent with:
- an Information Privacy Principle (IPP) under the PDP Act;
- an approved code of practice under the PDP Act; or
- an information handling provision of another Act.
The term ‘information handling provision’ is defined in the PDP Act as a provision of an Act that permits the handling of personal information:
- as authorised or required by law or by or under an Act; or
- in circumstances or for purposes required by law or by or under an Act.1
Where the Commissioner certifies an act or practice of an organisation, a person who engages in that act or practice in good faith and in reliance on the certification does not contravene the relevant IPP, approved code of practice, or information handling provision of another Act.2
Considerations before requesting certification
Certification provides assurance to organisations where there is doubt as to the legality of a proposed act or practice and affords statutory protection to persons who act in good faith relying on the Commissioner’s certification while it remains in force.3
The Commissioner’s power to certify an act or practice of an organisation is discretionary. The Commissioner does not have to consider or certify an act or practice in every instance.
Circumstances that may influence the Commissioner’s decision to consider an application or certify an act or practice include:
- where an organisation has received legal advice and it remains unclear if an act or practice involving personal information complies with the IPPs, an approved code of practice or an information handling provision;
- where there is a disagreement between organisations as to the correct interpretation of, or interaction between, the IPPs, an approved code of practice or an information handling provision;
- where the act or practice under consideration involves personal information that impacts a class or classes of individuals rather than a specific individual or small number of individuals;
- where there is a strong public interest in the organisation doing the act or practice; and
- any other circumstances in which the Commissioner deems certification to be appropriate or necessary.
What is the certification process?
Who can request certification?
One or more organisations subject to Part 3 of the PDP Act may make a request to the Commissioner to certify an act or practice. This includes all public sector agencies, councils, and statutory authorities.4
Consultation with OVIC
Organisations are encouraged to consult with OVIC before requesting certification. Contact firstname.lastname@example.org to arrange a meeting and discuss potential options.
How do I make a request?
A request should generally be accompanied by supporting documentation. This may include a copy of any legal advice received on the matter, a privacy impact assessment, and policy documents. The Commissioner may request other supporting materials to accompany the application.
Receipt of request
When the request is received, OVIC will make an initial assessment, provide an indicative timeframe, and if relevant, request further information in support of the request. Subject to receipt of any further information requested, the Commissioner will then make a decision.
Decision of the Commissioner
There is no legislative timeframe in which the Commissioner must make a decision on certification; however, a request will be processed as quickly as possible. The time taken to make a decision can be impacted by the level of detail in the initial request and whether further information is required by the Commissioner in order to make a decision.
The Commissioner has discretion whether to consider or issue a certificate under section 55 of the PDP Act. If the Commissioner decides not to consider or issue a certificate, the Commissioner will notify the organisation.
In most cases, a certificate will detail the information contained in the request form. OVIC should be advised of any confidential or sensitive information contained in the request form. The Commissioner’s certificate will also set out the reasons for the decision, any findings on material questions of fact that led to the decision, and refer to any evidence or other material on which those findings are based.
Where a certificate is issued, it must be published on OVIC’s website.5
Is certification subject to review?
An individual or organisation whose interests are affected by a decision to issue a certificate may apply to the Victorian Civil and Administrative Tribunal (VCAT) for review of that decision.6 The Commissioner is a party to the proceeding on a review.7 There is no review provision in respect of a decision to not issue a certificate.
Does certification expire?
The certificate will include an expiry date, unless it is inappropriate to do so in all the circumstances.8 The certificate remains in effect until any expiry date specified in the certificate, unless set aside by a court or VCAT.9
1. Section 3 of the PDP Act.
2. Section 55(4) of the PDP Act.
3. Victoria, Parliamentary Debates, Legislative Assembly, 12 June 2014, 2108 (2nd Reading speech, Robert Clark, Attorney-General).
4. See section 13 of the PDP Act to determine if an organisation is captured.
5. Section 55(5) of the PDP Act.
6. Section 56 of the PDP Act; Section 48 of the Victorian Civil and Administrative Tribunal Act 1998 (Vic).
7. Section 56(2) of the PDP Act.
8. Section 55(3) of the PDP Act.
9. Section 55(2) of the PDP Act.