Privacy and your rights
The right to personal privacy is limited. Information privacy was first protected by Commonwealth legislation, but it has expanded and now also includes state legislation. The Australian Privacy Principles set out broad principles that are binding on government agencies and large companies. Specific laws cover credit reporting and some other Commonwealth legislation. Complaints can be made to the Australian Information Commissioner. Victorian privacy legislation includes the Health Records Act 2001 (Vic) and the Human Rights and Responsibilities Charter.
Contributor
Senior Privacy Consultant, Salinger Privacy
Victorian privacy legislation: Privacy and Data Protection Act 2014
The Privacy and Data Protection Act 2014 (Vic) (‘PDP Act’) commenced on 17 September 2014. The PDP Act repealed and replaced the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic). The PDP Act also established the role of the Commissioner for Privacy and Data Protection (‘PDP Commissioner’).
The Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (‘FoI Amendment Act 2017’) amended the PDP Act and replaced the PDP Commissioner role with the Victorian Information Commissioner (‘VI Commissioner’) and the Privacy and Data Protection Deputy Commissioner roles. These amendments took effect on 1 September 2017.
The PDP Act re-enacts the Information Privacy Principles (IPPs) in full; these were established by the Information Privacy Act 2000 (Vic). The IPPs set out minimum enforceable standards with which the Victorian public sector must comply when collecting and handling personal information about individuals. There are some exceptions that are detailed below.
‘Personal information’ means information (whether true or not) or an opinion that is recorded in any form about an individual whose identity is apparent or whose identity can be reasonably ascertained from the information.
In WL v La Trobe University (General) [2005] VCAT 2592, the Victorian Civil and Administrative Tribunal (VCAT) rejected the respondent’s argument that the definition required a person’s identity to be ascertained from the information in question; VCAT accepted that the word ‘ascertained’ allowed extraneous material to be used to identify a person.
The definition of ‘personal information’ expressly excludes ‘health information’ to which the Health Records Act 2001 (Vic) applies (see ‘Health Records Act 2001 (Vic)’ in ‘Other Victorian privacy legislation’).
The PDP Act applies to Victorian ‘public sector organisations’. This includes Victorian Government ministers and parliamentary secretaries, public sector agencies, statutory bodies and local councils (for the full list, see s 13 PDP Act). Service providers – including private sector organisations contracted to the Victorian Government – are also bound by the IPPs if there is an enforceable contract that requires this (s 17(4)).
The objects of the PDP Act are:
- to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;
- to balance the public interest in promoting open access to public sector information with the public interest in protecting its security;
- to promote public awareness of the responsible handling of personal information in the public sector;
- to promote the responsible and transparent handling of personal information in the public sector;
- to promote responsible data security practices in the public sector.
Key features of the PDP Act, as amended by the FoI Amendment Act 2017, include:
- the requirement for Victorian public sector organisations to handle personal information in accordance with the 10 IPPs;
- conferring on the VI Commissioner the independent statutory office of the Victorian PDP Commissioner, with all the functions of the role, i.e. to educate, advise, audit, enquire, monitor, consult, comment on privacy issues and independently receive and conciliate privacy complaints in accordance with the PDP Act;
- the power of the VI Commissioner to make public interest determinations, information usage arrangements and to issue certificates that state an act or practice is consistent with the IPPs;
- the power of the VI Commissioner to issue an enforceable compliance notice for serious or flagrant breach of one or more of the IPPs;
- remedies for interferences with privacy, including correcting the breach, and apologising and compensating the individual concerned;
- provision for the registration of codes of practice that must be at least as stringent as the IPPs but replace them for particular personal information handling practices (see pt 4); and
- access and correction rights for subjects of personal information, but only where the Freedom of Information Act 1982 (Vic) rights do not apply (see Chapter 12.4: Freedom of information law).