Victorian Information Commissioner and PDP Deputy Commissioner
The VI Commissioner’s functions include:
- to promote IPP understanding and acceptance;
- to educate people about information privacy;
- to make public statements about any matter affecting personal privacy;
- to make reports and recommendations about information privacy;
- to receive complaints and facilitate conciliation of those complaints in accordance with the PDP Act relating to alleged breaches of the IPPs by Victorian public sector organisations;
- to audit records of personal information to ensure they are kept in accordance with the IPPs or an approved Code of Practice;
- to conduct investigations and issue compliance notices if it appears a public sector organisation has committed a serious or flagrant breach of the IPPs, a Code of Practice, or an approved information usage arrangement; or if a breach has occurred five or more times in the last two years;
- to produce guidelines on developing Codes of Practice under the PDP Act and to assess codes submitted for approval;
- to advise government on legislation and policies affecting privacy; and
- to monitor developments in data processing and computer technology.

The VI Commissioner can delegate certain powers and functions to the PDP Deputy Commissioner.

The VI Commissioner has the power to make a public interest determination (PID) or a temporary public interest determination (TPID) that permits an organisation to contravene a specified IPP (except IPP 4 or 6) or an approved Code of Practice if the public interest in doing so substantially outweighs the public interest in complying with the IPP or Code of Practice (pt 3 div 5 PDP Act). A PID and TPID can be disallowed by parliament.

If an organisation wishes to handle personal information in a way that does not comply with one of the IPPs (other than IPP 4 or 6), or with an approved Code of Practice – and the manner of handling the information is not expressly permitted under the PDP Act (or another Act) – the organisation can form an information usage agreement with the relevant parties. This agreement must be approved by the VI Commissioner. Information usage agreements can be revoked (see pt 3 div 6 PDP Act). Also, organisations that are party to the arrangements must report to the VI Commissioner at least annually (see pt 3 div 6).

The VI Commissioner can also certify that an act or practice is consistent with the IPPs – or with an approved Code of Practice or information handling provision – and that a person who acts in good faith in accordance with that certificate does not contravene the PDP Act. An individual or organisation whose interests are affected by the certificate can apply to VCAT for a review (pt 3 div 7).

For detailed information about public interest determinations, information usage arrangements and certifications, see Guidelines to public interest determinations, temporary public interest determinations, information usage arrangements and certification (available at https://ovic.vic.gov.au/wp-content/uploads/2018/07/Guidelines_to_Public_Interest_Determinations.pdf).

The VI Commissioner also has several functions under the PDP Act in relation to protective data security and law enforcement data security under Part 4 of the PDP Act. While data security obligations are incorporated into IPP 4, these are additional obligations that the PDP Act requires of the Victorian public sector and law enforcement agencies. Part 4 does not apply to local councils, universities, public hospitals and public health services. The type of information that is the subject of these functions includes, but is not limited to, personal information. In February 2020, the VI Commissioner published the Victorian Protective Data Security Framework (Version 2.0), which provides direction to the Victorian public sector on their data security obligations. For more information about these functions, the standards and the framework, see www.ovic.vic.gov.au.