Your privacy rights
In Victoria, you have privacy rights under the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
The PDP Act contains 10 Information Privacy Principles (IPPs) that outline how Victorian public sector organisations must handle your personal information.
However, the PDP Act does not apply to:
- health information; or
- how Commonwealth government agencies (e.g. Centrelink, the Australian Tax Office etc.) and private organisations (e.g. companies and charities) should handle your personal information.
Instead, these are covered by other privacy laws.
Under the PDP Act, personal information is information or an opinion about you where your identity is clear or where someone could reasonably work out that it relates to you.
Personal information can include:
- your name;
- email address;
- postal address;
- phone number;
- photographs or surveillance footage of you;
- comments written about you; or
- your financial details.
To be considered personal information, the information or opinion must be recorded. It will be considered personal information regardless of whether it is true or not.
Some personal information is considered particularly sensitive, and these types of information are subject to higher protections under the PDP Act.
This includes information about your:
- race or ethnicity;
- political opinions;
- membership of a political association;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual preferences or practices; or
- criminal record.
The PDP Act applies to Victorian government departments, Ministers, local councils, statutory offices, government schools, universities, and TAFEs.
The PDP Act also applies to private sector and not-for-profit organisations when they handle your personal information on behalf of a Victorian public sector organisation. We refer to these as contracted service providers.
In Victoria, you have rights over what information an organisation can collect from you.
You have the right to remain anonymous when dealing with an organisation, where possible.
If you contact an organisation to provide feedback, you can choose not to provide your name or contact details.
You do not have to provide your personal information to an organisation if they do not need it to do their work.
If you are filling out a form to order a new bin from your Council and you are asked to provide your date of birth, you can choose not to provide this personal information.
Your personal information must be collected in a way that is fair and lawful.
If you have a conversation with an organisation that is going to be recorded, the organisation should tell you this at the start of the conversation.
Your personal information should be collected directly from you instead of from another person or organisation, where possible.
You have the right to know when and why your personal information is being collected. This is called notice of collection. When collecting your personal information, an organisation should tell you:
- who the organisation is and their contact information;
- why the information is being collected;
- who else the organisation discloses the information to;
- any law that requires the information be collected;
- the consequences if you do not provide all or part of the information; and
- that you can ask to gain access to the information.
When you sign up to a newsletter or fill out an application form to receive a service, the organisation should tell you if the information you provide will be given to any third parties or used for any other purposes.
You do not have to provide your sensitive information to an organisation unless one of the following applies:
- you consent to its collection;
- another law allows or requires it to be collected;
- it is necessary to lessen or prevent a serious threat to health or safety;
- it is relevant to ongoing or future legal proceedings; or
- it is necessary for research, statistics, or provision of welfare or education services funded by the government.
You generally do not have to provide organisations with information about your religion, political opinion or race.
In Victoria, you have rights over what an organisation can do with your information.
If your personal information has been collected for one reason, it should not be used or disclosed for a different reason.
If an organisation collects your personal information because you have made a complaint about one of its services, it should not use this information to send you marketing emails months later.
There are 8 specific exceptions to this rule. These apply where your information could be used or disclosed for the following reasons:
- for another related purpose that someone like you would expect;
- if you have given your consent. However, it is important to remember that consent is not the only basis on which information can be used or disclosed. The PDP Act also allows the use and disclosure of your personal information in some cases where you have not given consent;
- if it is necessary to lessen or prevent a serious threat to health or safety;
- if the organisation suspects unlawful activity has occurred and using or disclosing your personal information is necessary to investigate or report this activity;
- where another law allows or requires it;
- if it is necessary to assist a law enforcement agency;
- if it is necessary for research that will benefit the wider community, and the research will not be published in a way that identifies you; or
- if there is a request for your personal information from the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS).
In Victoria, you have the right to have your information handled securely.
Your personal information should be kept accurate, complete and up to date by public sector organisations.
If you have notified an organisation of a change to your contact details, that organisation should update and use your new contact details when contacting you.
Your personal information should be protected by the organisation that holds it.
Organisations should have policies and security measures in place to ensure your personal information can only be accessed by authorised individuals.
Your personal information should be permanently de-identified or destroyed when it is no longer needed and no other law requires it to be kept.
Your personal information should not be transferred outside Victoria except in certain circumstances, such as if you have consented or if the organisation has taken steps to make sure the recipient will protect your privacy to a similar extent as Victorian privacy law.
In Victoria, you have the right to know how an organisation handles personal information.
You also have the right to request details of the types of personal information an organisation holds about you.
In Victoria, you have the right to access your personal information and to ask for inaccurate information about you to be amended under the Freedom of Information Act 1982 (Vic) (FOI Act).
The easiest way to do this is to contact the organisation you believe holds the documents you are seeking and informally ask for these documents. If the organisation does not provide them, you should make a formal FOI request to the organisation.
For more information on how to make an FOI request, watch our short video, How to make an FOI request in Victoria.
Under the PDP Act, you can access your personal information or amend incorrect information about yourself. However, the PDP Act will only apply to organisations that do not have to comply with the FOI Act (such as contracted service providers).
If a company is hired by a public sector organisation and asks to speak to you about your views on a local project, you have a right to gain access to the documents that contain your views. Although the company is not bound by the FOI Act, you have a right to apply for the information under the PDP Act.
If you have concerns about how an organisation has handled your personal information, you have the right to make a complaint.
If you believe that an organisation has breached your privacy rights, you should first make a complaint to the organisation’s Privacy Officer and try to resolve the issue.
If you aren’t satisfied with the way the organisation dealt with your concerns, you can make a complaint to OVIC and we will attempt to resolve it.
Personal information held by Commonwealth agencies and private organisations
The Privacy Act 1988 (Cth) is an Australian Commonwealth law that protects your personal information when it is handled by Commonwealth government organisations, like Centrelink or the Australian Tax Office. This law also protects your personal information when it is handled by certain private sector organisations, such as large retailers, banks, and telecommunications providers.
This law is administered by the Office of the Australian Information Commissioner (OAIC).
If you have concerns about the way your personal information has been handled by a Commonwealth government or private sector organisation, you can contact the OAIC for more information.
The Health Records Act 2001 (Vic) is a Victorian law that protects your health information when it is handled by public and private sector organisations in Victoria.
Under this law, health information is:
- information or an opinion about your physical, mental, or psychological health;
- information or an opinion about a disability; or
- any personal information that is collected from you while providing you with a health service – for example, if a hospital collects your name when you arrive at the emergency department for treatment.
This law is administered by the Office of the Health Complaints Commissioner (HCC).
If you have concerns about the way your health information has been handled by a public or private sector organisation, contact the HCC for more information.