In Victoria, you have privacy rights under the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
The PDP Act contains 10 Information Privacy Principles (IPPs) that outline how Victorian public sector organisations must handle your personal information. However, the PDP Act does not apply to: Instead, these are covered by other privacy laws.

What is personal information?

Under the PDP Act, personal information is information or an opinion about you where your identity is clear or where someone could reasonably work out that it related to you. Personal information can include:
To be considered personal information, the information or opinion must be recorded. It will be considered personal information regardless of whether it is true or not. Some personal information is considered particularly sensitive, and these types of information are subject to higher protections under the PDP Act. This includes information about your:

Which organisations have to comply with the PDP Act?

The PDP Act applies to Victorian government departments, Ministers, local councils, statutory offices, government schools, universities, and TAFEs. The PDP Act also applies to private sector and not-for-profit organisations when they handle your personal information on behalf of a Victorian public sector organisation. We refer to these as contracted service providers.

Your rights when an organisation asks for your information

In Victoria, you have rights over what information an organisation can collect from you. You have the right to remain anonymous when dealing with an organisation, where possible.
Example: If you contact an organisation to provide feedback you can choose not to provide your name or contact details.

You do not have to provide your personal information to an organisation if they do not need it to do their work.
Example: If you are filling out a form to order a new bin from your Council and you are asked to provide your date of birth, you can choose not to provide this personal information.

Your personal information must be collected in a way that is fair and lawful.
Example: If you have a conversation with an organisation that is going to be recorded, the organisation should tell you this at the start of the conversation.

Your personal information should be collected directly from you instead of from another person or organisation, where possible. You have the right to know when and why your personal information is being collected. This is called notice of collection. When collecting your personal information, an organisation should tell you:
Example: When you sign up to a newsletter or fill out an application form to receive a service, the organisation should tell you if the information you provide will be given to any third parties or used for any other purposes.

You do not have to provide your sensitive information to an organisation unless one of the following applies:
Example: You generally do not have to provide organisations with information about your religion, political opinion or race.

Your rights over what an organisation can do with your information

In Victoria, you have rights over what an organisation can do with your information. If your personal information has been collected for one reason, it should not be used or disclosed for a different reason.
Example: If an organisation collects your personal information because you have made a complaint about one of its services, it should not use this information to send you marketing emails months later.

There are 8 specific exceptions to this rule. These apply where your information could be used or disclosed for the following reasons:

Your right to have your information handled securely

In Victoria, you have the right to have your information handled securely. Your personal information should be kept accurate, complete and up to date by public sector organisations.
Example: If you have notified an organisation of a change to your contact details, that organisation should update and use your new contact details when contacting you.

Your personal information should be protected by the organisation that holds it.
Example: Organisations should have policies and security measures in place to ensure your personal information can only be accessed by authorised individuals.

Your personal information should be permanently de-identified or destroyed when it is no longer needed or where no other law requires it to be kept. Your personal information should not be transferred outside Victoria except in certain circumstances, such as if you have consented or if the organisation has taken steps to make sure the recipient will protect your privacy to a similar extent as Victorian privacy law.

Your right to know how an organisation handles personal information

In Victoria, you have the right to know how an organisation handles personal information. You have a right to view an organisation’s written policy about how it manages personal information. This is usually called a privacy policy. You also have the right to request details of the types of personal information an organisation holds about you.

Your right to access and amend personal information

In Victoria, you have the right to access your personal information and to ask for inaccurate information about you to be amended under the Freedom of Information Act 1982 (Vic) (FOI Act). The easiest way to do this is to contact the organisation you believe holds the documents you are seeking and informally ask for these documents. If the organisation does not provide them, you should make a formal FOI request to the organisation. For more information on how to make an FOI request, watch our short video How to make an FOI request in Victoria.

Under the PDP Act, you can access your personal information or amend incorrect information about yourself. However, the PDP Act will only apply to organisations that do not have to comply with the FOI Act (such as contracted service providers).
Example: If a company is hired by a public sector organisation and asks to speak to you about your views on a local project, you have a right to gain access to the documents that contain your views. Although the company is not bound by the FOI Act, you have a right to apply for the information under the PDP Act.

Your right to make a privacy complaint

If you have concerns about how an organisation has handled your personal information, you have the right to make a complaint. If you believe that an organisation has breached your privacy rights, you should first make a complaint to the organisation’s Privacy Officer and try to resolve the issue. If you aren’t satisfied with the way the organisation dealt with your concerns, you can make a complaint to OVIC and we will attempt to resolve it.

Other privacy rights

Personal information held by Commonwealth agencies and private organisations

The Privacy Act 1988 (Cth) is an Australian Commonwealth law that protects your personal information when it is handled by Commonwealth government organisations, like Centrelink or the Australian Tax Office. This law also protects your personal information when it is handled by certain private sector organisations, such as large retailers, banks, and telecommunications providers. This law is administered by the Office of the Australian Information Commissioner (OAIC). If you have concerns about the way your personal information has been handled by a Commonwealth government or private sector organisation, you can contact the OAIC for more information.

Health information

The Health Records Act 2001 (Vic) is a Victorian law that protects your health information when it is handled by public and private sector organisations in Victoria. Under this law, health information is:
This law is administered by the Office of the Health Complaints Commissioner (HCC). If you have concerns about the way your health information has been handled by a public or private sector organisation, contact the HCC for more information.