Information usage arrangements
This resource provides an overview of information usage arrangements (IUAs), under Part 3, Division 6 of the Privacy and Data Protection Act 2014 (PDP Act), and the process of applying to the Office of the Victorian Information Commissioner (OVIC).
What is an information usage arrangement?
An IUA is a written arrangement approved by the Information Commissioner (the Commissioner) setting out acts or practices for handling personal information in relation to one or more public purposes that:
- modifies the application of a specified Information Privacy Principle (IPP) (other than IPPs 4 or 6) or an approved code of practice;
- provides that the practice does not need to comply with a specified IPP (other than IPPs 4 or 6) or an approved code of practice; or
- permits handling personal information for the purposes of an ‘information handling provision’.1
An IUA can be useful where an organisation or organisations want to collect, use, or disclose personal information (for example, information sharing between a broad range of organisations) for a public purpose that is not currently permitted by law.
For the Commissioner to approve an IUA, there must be a substantial public interest in handling personal information for the identified public purpose.
If an IUA permits acts or practices for handling personal information that modify or do not comply with an IPP, the parties to the IUA are not required to comply with that IPP in respect of those acts or practices.[endnote]PDP Act, section 51(1).[/efn_note]
If an IUA permits the handling of personal information for the purposes of an information handling provision, the handling of that personal information in accordance with the IUA is taken to be permitted for the purposes of that information handling provision.2
What is the meaning of ‘information handling provision’?
An ‘information handling provision’ is defined in the PDP Act as a provision of an Act that permits the handling of personal information:
- as authorised or required by law or by or under an Act; or
- in circumstances or for purposes required by law or by or under an Act.3
What is the meaning of ‘public purpose’?
An IUA can only be utilised in the context of an act or practice that is for a public purpose. A ‘public purpose’ is defined broadly to mean:
- compliance with a law;
- the performance of functions by a public sector agency or a Council, or an agency of the Commonwealth, another State or a Territory; or
- the provision of a service in the public interest to the public or a section of the public.4
This means that any proposed IUA should be grounded as being necessary to achieve one of the public purposes as described above.
What is the meaning of ‘public interest’?
There is no definition of ‘public interest’. Deciding what is in the public interest involves a case-by-case consideration of the relevant context and circumstances.
It is important to note that the interests of the government are distinct from those of the public.5 This distinction is important where an act or practice may allow an organisation to work more conveniently and efficiently if granted an IUA, but it is nonetheless not in the interests or to the benefit of the public.
The Commissioner will carefully distinguish between an act or practice that benefits an organisation as opposed to the public.
Weighing of opposing public interests
Determining where the ‘public interest’ lies for IUA is an exercise in weighing the public interest in one specified matter against the public interest in another specified matter.
The weighing of opposing public interests varies depending on whether an IUA is sought in respect to an IPP, approved code of practice or an information handling provision.
If the IUA seeks to modify the application of, or provide for, non-compliance with an IPP or approved code of practice, the Commissioner must be satisfied that the public interest in handling personal information as proposed by the IUA substantially outweighs the public interest in complying with the IPP.
If the IUA seeks to permit the handling of personal information under an information handling provision, the Commissioner must be satisfied that the public interest in permitting the handling of personal information under that information handling provision substantially outweighs the public interest in not permitting the handling of personal information under that information handling provision.
What is the meaning of ‘substantially outweighs’?
‘Substantially outweighs’ does not have a precise definition, however as it is used in a weighing exercise, the word ‘substantially’ should be interpreted as meaning ‘large, weighty or big’6 relative to the competing interest under consideration. There is no fixed standard of comparison.7
Consequently, once satisfied that there is a substantial difference between the weight of matters being compared, the Commissioner will decide how to balance the respective weights.
What is the approval process?
Who can apply for an IUA?
IUAs can consist of either a single party or multiple parties and the proposed IUA must be submitted by the ‘lead party’.8
If there is only one party, it must be a Victorian organisation to which section 13 of Part 3 of the PDP Act applies. Where there are multiple parties, at least one party must be a Victorian organisation to which section 13 of Part 3 of the PDP Act applies.
What is the meaning of ‘lead party’?
Under section 43 of the PDP Act, the ‘lead party’ in relation to an IUA means:
- if one organisation is a party to the IUA, that organisation; or
- if more than one organisation is party to the IUA, the organisation which has the agreement of the other parties to seek approval of the IUA.
Other parties to an IUA
In addition to an organisation captured by section 13 of Part 3 of the PDP Act, other parties to an IUA may include contracted service providers, a person or body that is an agency of the Commonwealth or another State or a Territory, or any other person or body (including a private sector body) whether or not located within Victoria.9
Consultation with the Commissioner
Organisations are encouraged to consult with OVIC before preparing and submitting any proposed IUA. This will enable OVIC to consider whether an IUA is necessary, or whether some alternative mechanism or practice could be pursued to avoid breaching an IPP or approved code of practice.
Contact OVIC via email at: email@example.com to arrange a meeting and discuss potential options.
How to apply
It is the responsibility of the organisations to prepare and submit the proposed IUA to the Commissioner. The proposed IUA must contain all the required information under section 45(3) of the PDP Act and should be prepared using OVIC’s IUA template.
The proposed IUA should be sent to firstname.lastname@example.org.
Where the proposed IUA is lacking the required information, the Commissioner will make recommendations for amendments the proposed IUA.
If relevant, a proposed IUA should also be accompanied by supporting documentation. This may include a copy of any legal advice received on the matter, a privacy impact assessment and policy documents. The Commissioner may request other supporting materials to accompany the proposed IUA as they see fit.
Consultation on the IUA
When the proposed IUA is received from the lead party, the Commissioner may direct each party to the IUA to consult with any person that they consider appropriate. The Commissioner may also consult with any person that they consider appropriate.10
Assessment of the IUA
If the IUA would modify or provide for non-compliance with an IPP or approved code of practice, the Commissioner must consider whether the public interest in handling personal information under the IUA would substantially outweigh the public interest in complying with the specified IPP or approved code of practice.11
If the IUA is for the purposes of an information handling provision, the Commissioner must consider whether the public interest in treating the handling of personal information as being permitted for the purposes of the information handling provision, would substantially outweigh the public interest in treating that handling of information as not being permitted for the purpose of the information handling provision.12
After assessing the proposed IUA, the Commissioner must issue a report.
The report may include the Commissioner’s consideration of the appropriateness of all aspects of the IUA, including the proposed parties to the IUA.
If the proposed IUA includes arrangements in respect of an information handling provision, the report must state whether, in the Commissioner’s opinion, the provision stated in the IUA is an information handling provision within the meaning of the PDP Act.
If the Commissioner is satisfied that the proposed IUA meets the public interest test, the Commissioner must issue a certificate to that effect.13 A copy of the certificate must then be sent to the relevant Ministers along with the Commissioner’s report.14
The Commissioner must refuse to issue a certificate if not satisfied of the relevant public interest matters set out above. If the Commissioner refuses to issue a certificate, they must give written notice to the lead party as soon as practicable.15 The proposed IUA is then taken to be refused on the day the lead party has been notified.
For an IUA to take effect it must be approved by the relevant Minister or Ministers.
An IUA cannot be approved by relevant Ministers unless the Commissioner has first prepared a report on the appropriateness of the IUA and issued a certificate in respect of it.
The Commissioner’s report and certificate must be sent to:
- the responsible Minister for each organisation that is a party to the arrangement; or
- the Minister responsible for the provision, if the arrangement authorises the handling of personal information for the purposes of an information handling provision.16
After receiving the Commissioner’s report and certificate, approval may be given:
- in the case of a single party, by the responsible Minister for that party; or
- in the case of multiple parties, by agreement of the responsible Ministers for each organisation that is party to the proposed IUA.
Where an IUA is approved, it must be published on the Commissioner’s website. However, exceptions to this requirement apply in respect of disclosing personal information and certain information that, if contained in a document, would be exempt under the Freedom of Information Act 1982 (Vic).
What are the reporting requirements?
The lead party to an approved IUA must report to the Commissioner about the IUA annually, and at any other time as requested by the Commissioner.17
The Commissioner must also report to any relevant Minister about an IUA on request of the Minister and may report at any other time.18
Can an IUA be amended?
The lead party may apply to the Commissioner for the approval of an amendment to an approved IUA.19
An amendment requires the same approval process as for the original IUA, with any necessary modifications in light of the amendments sought.
Can an IUA be revoked?
The relevant Minister must revoke the approval of an IUA if they become aware of, or following notification from the Commissioner that:
- the IUA modifies or provides for non-compliance with an IPP or approved code of practice and the Commissioner is no longer satisfied that the public interest in information handling under the arrangement substantially outweighs the public interest in complying with the IPP or approved code of practice; or
- the reasons for seeking approval of the IUA no longer apply.
The relevant Minister may also revoke the approval of an IUA on request of the Commissioner or any party to the IUA that is a Victorian organisation.20
Does an IUA expire?
An IUA may include an expiry date, or where one is not specified the proposed IUA must include reasons why an expiry date is not included.21 Noting this, the Commissioner will in most cases request an expiry date to be included in the IUA.
- PDP Act, section 45.
- PDP Act, section 51(2).
- PDP Act, Section 3.
- PDP Act, section 43.
- Re Bartlett and Department of Prime Minister and Cabinet (1987) 12 ALD 659.
- Tillmanns Butcheries Pty Ltd v AMIEU (1979) 42 FLR 331 (quoting Palser v Grinling  AC 291 at 317).
- See Pfennig v The Queen  HCA 7; (1995) 182 CLR 461 at 528; and HML v The Queen  HCA 16; (2008) 235 CLR 334 at 355 .
- PDP Act, section 43.
- PDP Act, section 46.
- PDP Act, section 47(2).
- PDP Act, sections 47(3) and 45(2)(d).
- PDP Act, section 47(4).
- PDP Act, section 49.
- PDP Act, section 50(1).
- PDP Act, section 49(4)-(5).
- PDP Act, section 50(1).
- PDP Act, section 54(1).
- PDP Act, section 54(3)-(4).
- PDP Act, section 52(1).
- PDP Act, section 53(2).
- PDP Act, Section 45(3).