Victorian Information Privacy Principles

The Victorian Information Privacy Principles (IPPs) are based on the Organisation for Economic Cooperation and Development’s (OECD’s) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The OECD guidelines form the basis of data protection (information privacy) principles in many jurisdictions. With limited exemptions (see ss 10–12, 14, 15 PDP Act), Victorian public sector organisations must comply with the IPPs. The following is a summary of the IPPs (for the full text, see sch 1 PDP Act):

  • IPP 1: Collection. An organisation must only collect personal information that is necessary for the performance of its functions. In Jurecek v Director, Transport Safety Victoria [2016] VSC 285, the Supreme Court (per Justice Bell) stated that ‘necessary does not mean essential or indispensable, but reasonably necessary for the organisation’s functions or activities’. An organisation must take reasonable steps to advise individuals of the purpose of the collection, the usual disclosures, and a number of other matters outlined in the principle. Note that the PDP Act applies to personal information regardless of how it was collected (i.e. by manual or automatic means). Automated collection may occur through the use of technologies such as video surveillance, cookies, and website analytics. Organisations that have the power to collect information compulsorily must make it clear that they have this power.
  • IPP 2: Use and disclosure. An organisation can only use and disclose personal information for the primary purpose it was collected for, for a related secondary purpose that a person would reasonably expect, with consent, or for other purposes permitted under the principle. In the case of sensitive information (see IPP 10, below), the use or disclosure must be directly related to the primary purpose of collection. The law allows the use and disclosure authorised or required by another law, or for public interest purposes such as individual or public safety, research purposes, to assist in law enforcement activities, or to investigate a suspected unlawful activity. If the information is collected compulsorily, the law that underpins the compulsory collection may also limit the use and disclosure of that information, notwithstanding the operation of IPP 2.
  • IPP 3: Data quality. Organisations must take reasonable steps to ensure individuals’ personal information is accurate, complete and up-to-date. This obligation arises when the information is collected and whenever it is used or disclosed.
  • IPP 4: Data security. Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure. Personal information is to be permanently de-identified or destroyed when it is no longer needed for any purpose. Note that organisations subject to the Public Records Act 1973 (Vic) must comply with the provisions of that Act regarding the disposal of public records.
  • IPP 5: Openness. Organisations must produce a document that clearly expresses their policies on the management of personal information; this document is usually called a ‘privacy policy’. An organisation must provide their privacy policy to anyone who requests it.
  • IPP 6: Access and correction. Individuals have a right to seek access to their personal information and to make corrections, subject to limited exceptions (e.g. if access would threaten the life or health of an individual). Access and correction rights are mainly handled by the Freedom of Information Act 1982 (Vic) (‘FoI Act’) (see Chapter 12.3: Freedom of information law). The right to access personal information under IPP 6 applies to organisations that are not covered by the FoI Act, such as contracted government service providers.
  • IPP 7: Unique identifiers. Organisations cannot adopt or share unique identifiers (i.e. a number or other code associated with an individual’s name, such as a driver licence number) except in certain circumstances, such as where the adoption of a unique identifier is necessary for the organisation to carry out its functions, or where consent is given.
  • IPP 8: Anonymity. If it is lawful and feasible, organisations must give individuals the option of not identifying themselves (i.e. remaining anonymous) when they engage with the organisation.
  • IPP 9: Transborder data flows. An organisation may not transfer personal information outside Victoria unless the recipient of the information is subject to privacy standards that are similar to the PDP Act, or in other limited circumstances. The privacy rights an individual has in Victoria remain, despite the information being transferred to another jurisdiction.
  • IPP 10: Sensitive information. An organisation can only collect sensitive information in restricted circumstances or with consent. ‘Sensitive information’ (defined in sch 1 PDP Act) includes information about an individual’s race or ethnicity, political views, religious and philosophical beliefs, sexual preferences, criminal record, or membership of a trade union, or a political or professional association.

Detailed guidelines on the IPPs are available at www.ovic.vic.gov.au/privacy/resources-for-organisations/guidelines-to-the-information-privacy-principles/.

Exemptions from the Victorian Information Privacy Principles and data security standards

The PDP Act exempts particular information handling acts and practices, and the handling of specific categories of personal information, from compliance with the IPPs. These exemptions apply to:

  • Judicial and quasi-judicial functions of courts and tribunals (s 10). This exemption also applies to court registries and other court/tribunal staff carrying out their duties. The exemption does not apply to personal information collected for non-judicial functions (e.g. for the maintenance of staff records and general administrative matters).
  • Royal commissions, boards of inquiry and formal reviews (s 10A). This exemption only applies when personal information is collected in connection with the function of a Royal commission, board or review.
  • Parliamentary committees (s 11). This exemption applies when personal information is collected in connection with the function of a parliamentary committee.
  • Publicly available information. This exemption applies to publications that are generally available to the public (e.g. telephone directories). This exemption includes documents kept in libraries, galleries and museums for research; public records under the control of the Keeper of the Public Records and available for public inspection under the Public Records Act 1973 (Vic); and archives within the meaning of the Copyright Act 1968 (Cth) (s 12). Public registers are only partially exempt under this provision (s 12(2)): under section 20(2), organisations administering a public register must ‘so far as is reasonably practicable’ comply with the IPPs.
  • Organisations subject to the Freedom of Information Act 1982 (Vic) (‘FoI Act (Vic)’). These organisations do not have to comply with IPP 6 if they are exempt from the FoI Act (Vic). This exemption clarifies that the PDP Act does not limit the operation of the FoI Act (Vic). Private sector organisations contracted to provide services on the government’s behalf are not subject to the FoI Act (Vic) and have to comply with IPP 6.
  • Law enforcement agencies. These agencies are exempt from complying with some of the IPPs if non-compliance is necessary to carry out law enforcement activities. ‘Law enforcement agency’ is defined in the PDP Act (s 3). Law enforcement agencies include state police forces, the Australian Federal Police, the Commissioner for Corrections, agencies carrying out correctional services, the sheriff, and the Independent Broad-based Anti-corruption Commission (IBAC). The exemption is only partial. The agency claiming the exemption must be carrying out a law enforcement function at the time of handling information. The exemption does not apply to all the IPPs (e.g. IPP 3 (data quality) and IPP 4 (data security)). In addition to the law enforcement exemption, Victoria Police is also exempt if non-compliance is necessary to carry out its community policing functions. In Smith v Victoria Police (General) [2005] VCAT 654 – which dealt with the matter of the police releasing a mugshot of a convicted person to a newspaper – VCAT held that ‘community policing’ was not limited to activities such as notifying next of kin of a death or investigating missing persons, but could also include activities directed toward community engagement in policing initiatives.
  • Organisations granted a determination. Organisations that are granted a public interest determination or temporary public interest determination, or that are party to an information usage arrangement, are exempt from needing to comply with the IPPs specified in the determination.
  • Information Sharing Entities (ISEs) and the ‘central information point’, as defined in the Family Violence Protection Act 2008 (Vic) (‘FVP Act’), are exempt from certain IPPs and the equivalent Health Privacy Principles (‘HPPs’) in the Health Records Act 2001 (Vic) in relation to the collection and disclosure of, and access to, personal information of a perpetrator and alleged perpetrator of family violence (see pt 5A FVP Act). For more information about the family violence sharing scheme, visit www.ovic.vic.gov.au.

The IPPs and any approved Code of Practice give way to any other Act to the extent that they are inconsistent with the other Act. That is, where another Act expressly permits the use and disclosure of personal information, but this is not permitted under the IPPs, the other Act prevails.