April 2020 – D21/6827

ovic.vic.gov.au | [email protected] | 1300 006 842

YOUR PRIVACY RIGHTS

In Victoria, you have privacy rights under the Privacy and Data Protection Act 2014 (Vic) (PDP Act).

The PDP Act contains 10 Information Privacy Principles (IPPs) that outline how Victorian public sector
organisations must handle your personal information.

However, the PDP Act does not apply to:

 health information; or

 how Commonwealth government agencies (e.g. Centrelink, the Australian Tax Office etc.) and private
organisations (e.g. companies and charities) should handle your personal information.

Instead, these are covered by other privacy laws.

WHAT IS PERSONAL INFORMATION?

Under the PDP Act, personal information is information or an opinion about you where your identity is clear
or where someone could reasonably work out that it related to you.

Personal information can include:

 your name;

 email address;

 postal address;

 phone number;

 signature;

 fingerprint;

 photographs or surveillance footage of you;

 comments written about you; or

 your financial details.

To be considered personal information, the information or opinion must be recorded. It will be considered
personal information regardless of whether it is true or not.

Some personal information is considered particularly sensitive, and these types of information are subject
to higher protections under the PDP Act.

Freedom of Information | Privacy | Data Protection 1 of

This includes information about your:

 race or ethnicity;

 political opinions;

 membership to a political association;

 religion;

 philosophical beliefs;

 membership to a professional or trade association;

 membership to a trade union;

 sexual preferences or practices; or

 criminal record.

WHICH ORGANISATIONS HAVE TO COMPLY WITH THE PDP ACT?

The PDP Act applies to Victorian government departments, Ministers, local councils, statutory offices,
government schools, universities, and TAFEs.

The PDP Act also applies to private sector and not-for-profit organisations when they handle your personal
information on behalf of a Victorian public sector organisation. We refer to these as contracted service
providers.

YOUR RIGHTS WHEN AN ORGANISATION ASKS FOR YOUR INFORMATION

In Victoria, you have rights over what information an organisation can collect from you.

You have the right to remain anonymous when dealing with an organisation, where possible.

Example - If you contact an organisation to provide feedback you can choose not to provide
your name or contact details.

You do not have to provide your personal information to an organisation if they do not need it to do their
work.

Example - If you are filling out a form to order a new bin from your Council and you are
asked to provide your date of birth, you can choose not to provide this personal
information.

Your personal information must be collected in a way that is fair and lawful.

Example - If you have a conversation with an organisation that is going to be recorded, the
organisation should tell you this at the start of the conversation.

Freedom of Information | Privacy | Data Protection 2 of

Your personal information should be collected directly from you instead of from another person or
organisation, where possible.

You have the right to know when and why your personal information is being collected. This is called notice
of collection. When collecting your personal information, an organisation should tell you:

 who the organisation is and their contact information;

 why the information is being collected;

 who else the organisation discloses the information to;

 any law that requires the information be collected;

 the consequences if you do not provide all or part of the information; and

 that you can ask to gain access to the information.

Example - When you sign up to a newsletter or fill out an application form to receive a
service, the organisation should tell you if the information you provide will be given to any
third parties or used for any other purposes.

You do not have to provide your sensitive information to an organisation unless one of the following
applies:

 you consent to its collection;

 another law allows or requires it to be collected;

 it is necessary to lessen or prevent a serious threat to health or safety;

 it is relevant to ongoing or future legal proceedings; or

 it is necessary for research, statistics, or provision of welfare or education services funded by the
government.

Example - You generally do not have to provide organisations with information about your
religion, political opinion or race.

YOUR RIGHTS OVER WHAT AN ORGANISATION CAN DO WITH YOUR

INFORMATION
In Victoria, you have rights over what an organisation can do with your information.

If your personal information has been collected for one reason, it should not be used or disclosed for a
different reason.

Example - If an organisation collects your personal information because you have made a
complaint about one of its services, it should not use this information to send you
marketing emails months later.

Freedom of Information | Privacy | Data Protection 3 of

There are 8 specific exceptions to this rule. These apply where your information could be used or disclosed
for the following reasons:

1. for another related purpose that someone like you would reasonably expect;

2. if you have given your consent. However, it is important to remember that consent is not the only basis
on which information can be used or disclosed. The PDP Act also allows the use and disclosure of your
personal information in some cases where you have not given consent;

3. if it is necessary to lessen or prevent a serious threat to health or safety;

4. if the organisation suspects unlawful activity has occurred and using or disclosing your personal
information is necessary to investigate or report this activity;

5. where another law allows or requires it;

6. if it is necessary to assist a law enforcement agency;

7. if it is necessary for research that will benefit the wider community, and the research will not be
published in a way that identifies you; or

8. if there is a request for your personal information from the Australian Security Intelligence Organisation
(ASIO) or the Australian Secret Intelligence Service (ASIS).

YOUR RIGHT TO HAVE YOUR INFORMATION HANDLED SECURELY

In Victoria, you have the right to have your information handled securely.

Your personal information should be kept accurate, complete and up to date by public sector organisations.

Example - If you have notified an organisation of a change to your contact details, that
organisation should update and use your new contact details when contacting you.

Your personal information should be protected by the organisation that holds it.

Example - Organisations should have policies and security measures in place to ensure your
personal information can only be accessed by authorised individuals.

Your personal information should be permanently de-identified or destroyed when it is no longer needed
or where no other law requires it to be kept.

Your personal information should not be transferred outside Victoria except in certain circumstances, such
as if you have consented or if the organisation has taken steps to make sure the recipient will protect your
privacy to a similar extent as Victorian privacy law.

YOUR RIGHT TO KNOW HOW AN ORGANISATION HANDLES PERSONAL

INFORMATION
In Victoria, you have the right to know how an organisation handles personal information.

You have a right to view an organisation’s written policy about how it manages personal information. This is

Freedom of Information | Privacy | Data Protection 4 of

usually called a privacy policy.

You also have the right to request details of the types of personal information an organisation holds about
you.

YOUR RIGHT TO ACCESS AND AMEND PERSONAL INFORMATION

In Victoria, you have the right to access your personal information and to ask for inaccurate information
about you to be amended under the Freedom of Information Act 1982 (Vic) (FOI Act).

The easiest way to do this is to contact the organisation you believe holds the documents you are seeking
and informally ask for these documents. If the organisation does not provide them, you should make a
formal FOI request to the organisation.

For more information on how to make an FOI request, watch our short video How to make an FOI request
in Victoria.

Under the PDP Act, you can access your personal information or amend incorrect information about
yourself. However, the PDP Act will only apply to organisations that do not have to comply with the FOI Act
(such as contracted service providers).

Example - If a company is hired by a public sector organisation and asks to speak to you
about your views on a local project, you have a right to gain access to the documents that
contain your views. Although the company is not bound by the FOI Act, you have a right to
apply for the information under the PDP Act.

YOUR RIGHT TO MAKE A PRIVACY COMPLAINT

If you have concerns about how an organisation has handled your personal information, you have the right
to make a complaint.

If you believe that an organisation has breached your privacy rights, you should first make a complaint to
the organisation’s Privacy Officer and try to resolve the issue.

If you aren’t satisfied with the way the organisation dealt with your concerns, you can make a complaint to
OVIC and we will attempt to resolve it.

OTHER PRIVACY RIGHTS

Personal information held by Commonwealth agencies and private organisations

The Privacy Act 1988 (Cth) is an Australian Commonwealth law that protects your personal information
when it is handled by Commonwealth government organisations, like Centrelink or the Australian Tax
Office. This law also protects your personal information when it is handled by certain private sector
organisation, such as large retailers, banks, and telecommunications providers.

This law is administered by the Office of the Australian Information Commissioner (OAIC).

If you have concerns about the way your personal information has been handled by a Commonwealth
government or private sector organisation, you can contact the OAIC for more information.

Freedom of Information | Privacy | Data Protection 5 of

Health information

The Health Records Act 2001 (Vic) is a Victorian law that protects your health information when it is
handled by public and private sector organisations in Victoria.

Under this law, health information is:

 information or an opinion about your physical, mental, or psychological health;

 information or an opinion about a disability; or

 any personal information that is collected from you while providing you with a health service – for
example, if a hospital collects your name when you arrive at the emergency department for treatment.

This law is administered by the Office of the Health Complaints Commissioner (HCC).

If you have concerns about the way your health information has been handled by a public or private sector
organisation, contact the HCC for more information.

Disclaimer: The information in this document is general in nature and does not constitute legal advice.

Freedom of Information | Privacy | Data Protection 6 of