Privacy law – an overview
There are three main pieces of privacy legislation that apply in Victoria. In any situation you deal with in your role, the starting point will usually be to work out which of these Acts applies.
The three Acts are:
- Privacy and Data Protection Act 2014 (Vic) (PDP Act)
- Health Records Act 2001 (Vic) (HR Act)
- In some circumstances, the Privacy Act 1988 (Cth) (Privacy Act)
Working out which Act applies will depend on the nature of the information you are dealing with and the nature of your organisation.
We have summarised the three Acts and when they apply below. You can also find a side-by-side comparison of the different obligations and principles contained in each by using our ‘Privacy Laws – quick reference guide’.
Whilst you will refer to some of these more than others in your role, it is useful to have a good working knowledge of all three.
Privacy and Data Protection Act 2014
As the privacy officer of a VPS organisation, the PDP Act is likely to be the most relevant to your role.
It places obligations on Victorian public sector organisations (and certain contracted service providers) to handle personal information in accordance with 10 Information Privacy Principles (IPPs). Notably, the PDP Act does not apply to health information.
The PDP Act is regulated by this Office and the resources in this toolkit are directed at the obligations within the PDP Act. Visit the next section ‘PDP Act – a deep dive’ for further information about the PDP Act and how to apply it.
Health Records Act 2001
The HR Act places obligations around the handling of health information by both public and private organisations (whether health service providers or not) in Victoria.
If your organisation handles health information, you should also become familiar with the HR Act and the 11 Health Privacy Principles (HPPs) that it contains.
The HR Act is regulated by the Health Complaints Commissioner and you can get further information by visiting their website.
Privacy Act 1988
The Privacy Act 1988 (Cth) (Privacy Act) is a Commonwealth Act which applies to Australian government agencies; private entities (companies, NGOs, etc.) with an annual turnover greater than $3 million; and some other entities in limited circumstances.
It requires that they handle personal and health information in accordance with 13 Australian Privacy Principles. It also includes a Notifiable Data Breach (NDB) scheme that requires eligible data breaches to be reported to the Office of the Australian Information Commissioner (OAIC).
As a Privacy Officer in the VPS, it is unlikely that your organisation will have obligations under the Privacy Act.
One very specific circumstance where you may have obligations under the Privacy Act is when your organisation handles Tax File Number (TFN) information. You can find out more about the general obligations relating to TFNs on the OAIC website.
Your contracted service providers may have obligations under the Privacy Act. However, when they are performing services for your organisation, they may be exempt from handling that information in accordance with the Privacy Act (see section 7B(5)).
You should therefore consider how to assign privacy responsibilities in your contracts with your service providers. Visit the ‘Most common topics’ section of this toolkit for further information on contracted service providers.
The Privacy Act is regulated by the OAIC and you can get further information by visiting their website.