Victorian public sector organisations subject to Part 3 of the Privacy and Data Protection Act 2014 (PDP Act) are required to adhere to the Information Privacy Principles (IPPs). The IPPs set out the minimum standards for the handling of personal information in the Victorian public sector.
- helping employees understand how personal information should be handled;
- preventing the unnecessary collection or unlawful use or disclosure of information; and
- promoting greater public confidence in the organisation’s handling of personal information.
PRIVACY POLICIES AND COLLECTION NOTICES
Although they both inform individuals about how an organisation will manage their personal information, privacy policies and collection notices are different.
For more information about collection notices, see OVIC’s Collection notices resource.
General privacy policies do not need to be technology specific; however, organisations may wish to include specific sections, or create stand-alone policies, to reflect their use of particular technologies or programs.
- the identity of the organisation;
- the organisation’s main functions and the types of personal information it generally collects to fulfil those functions;
- how the organisation uses and shares the personal information it collects, including the types of third parties the information may be shared with;
- whether collection of personal information is compulsory or optional (including referring to any relevant legislation that authorises the collection, use or disclosure of the information);
- how the organisation securely stores and manages access to the personal information, and for how long it may be stored;
- how privacy is protected if the information is transferred or stored outside Victoria;
- the date and version of the policy; and
- how an individual can contact the organisation, request access to the information held about them, or make a privacy complaint.
The underlying principle of IPP 5 is transparency. It is therefore important that privacy policies are clear and easily understandable.
- use plain language – for example, short, clear sentences and familiar, plain English words;
- avoid legal jargon or technical terminology;
- be specific about the organisation’s functions and how it will use the personal information it holds – avoid using general ‘catch-all’ terms or replicating other organisations’ privacy policies;
LAYERING PRIVACY POLICIES
Privacy policies should be reviewed regularly and updated when necessary to reflect changes in legislation or information management practices.