Modifying the application of the Information Privacy Principles
The Privacy and Data Protection Act 2014 (Vic) (PDP Act) contains mechanisms allowing the Information Commissioner (Commissioner) to permit Victorian public sector organisations to engage in acts or practices that breach the Information Privacy Principles (IPPs) or an approved code of practice.
These mechanisms are public interest determinations, temporary public interest determinations and information usage arrangements.
Broadly, each mechanism requires:
- an overarching public interest in the organisation engaging in the proposed acts or practices; and
- the overarching public interest to substantially outweigh compliance with the IPPs or an approved code of practice.
Organisations should consult with the Office of the Victorian Information Commissioner (OVIC) before applying for any of the listed mechanisms. This will enable OVIC to consider whether one of the mechanisms is necessary, or whether some alternative act or practice could be pursued to avoid breaching the IPPs.
Applications must be published on OVIC’s website while under consideration, and remain published while in effect.
Contact policyteam@ovic.vic.gov.au to arrange a meeting and discuss potential options.
The PDP Act also contains a mechanism for certifying that an act or practice is consistent with an IPP, code of practice, or information handling provision. This mechanism can provide organisations with assurance that an act or practice is consistent with their obligations under the PDP Act. See OVIC’s guidance on certification for more information.
What is a public interest determination?
A public interest determination (PID) is a written determination made by the Commissioner permitting one or more organisations to engage in acts or practices that breach the IPPs or an approved code of practice.
Before a PID can be granted, there must be a public consultation process allowing submissions to be made by any person whose interests may be affected by the PID.
A PID can be granted where the Commissioner is satisfied that the public interest in an organisation doing an act or engaging in a practice substantially outweighs the public interest in complying with specified IPPs or a code of practice.
A PID cannot be granted in relation to IPP 4 – Data Security or IPP 6 – Access and Correction.
When is a PID appropriate?
- The acts or practices involve a single organisation, or small number of organisations;
- The acts or practices that would breach an IPP or IPPs are limited in scope and easily defined; or
- There is a public interest in the acts or practices being undertaken.
What is a temporary public interest determination?
A temporary public interest determination (TPID) is a written determination made by the Commissioner permitting one or more organisations to engage in acts or practices that breach the IPPs or an approved code of practice.
A TPID is a near-identical mechanism to a PID, but is relevant where circumstances require a determination to be made urgently, for example, in an emergency or natural disaster.
Unlike a PID, no public consultation process is required before granting a TPID, due to the urgent circumstances. If granted, a TPID must include an expiry date of no later than 12 months from when it is granted.
A TPID can be granted where the Commissioner is satisfied that urgent circumstances exist and that the public interest in an organisation doing an act or engaging in a practice substantially outweighs the public interest in complying with specified IPPs or an approved code of practice.
A TPID cannot be granted in relation to IPP 4 – Data Security or IPP 6 – Access and Correction.
When is a TPID appropriate?
- The acts or practices involve a single organisation, or small number of organisations;
- The acts or practices that would breach an IPP or IPPs are limited in scope and easily defined;
- There is a public interest in the acts or practices being undertaken; or
- Urgent circumstances exist such that the application should be determined immediately.
What is an information usage arrangement?
An information usage arrangement (IUA) is a written arrangement approved by the Commissioner setting out acts or practices for handling personal information in relation to one or more public purposes.
An IUA can:
- modify the application of, or remove the need to comply with, specific IPPs (except IPP 4 – Data Security or IPP 6 – Access and Correction) or an approved code of practice; and
- permit the access, use, and disclosure of information for the purposes of an information handling provision contained in other legislation.
An IUA can be useful where an organisation or organisations want to collect, use, or disclose personal information for a purpose that is demonstrably in the public interest, but may not currently be permitted by law.
It may be an appropriate mechanism where the collection, use or disclosure of personal information is systemic or ongoing in nature, for example, an information sharing scheme between multiple organisations that is necessary to achieve a public purpose such as protecting a vulnerable group from harm.
When is an IUA appropriate?
- The acts or practices involve a single organisation, or an organisation and any number of the following:
  - another organisation;
  - a person or body that is an agency of the Commonwealth, or another State or Territory; or
  - any other person or body, including a private sector body, whether or not located in Victoria.
- The acts or practices that would breach an IPP or IPPs might be:
  - limited in scope and easily defined; or
  - wide ranging and systemic.
- There is a demonstrable public interest in the acts or practices being undertaken.