In Victoria, public sector organisations are under specific duties when it comes to managing personal information.
The Privacy and Data Protection Act 2014 (Vic) (“PDPA”) contains 10 Information Privacy Principles (IPPs), which set standards that must be followed when collecting certain personal information.
Which organisations must adhere to the IPPs?
Public sector organisations in Victoria must follow the requirements set by the IPPs. This includes:
- Victorian government departments and agencies;
- Local councils; and
- Non-government organisations that operate under a contract with the State Government.
For example, government schools, universities, and TAFEs are all subject to the IPPs. The IPPs and other privacy laws under the PDPA are administered and regulated by the Office of the Victorian Information Commissioner.
What happens when an organisation breaches its obligations under the PDPA?
Breach of the IPPs and other privacy laws under the PDPA can come at a significant cost, ranging from the costs of defending a complaint to compensation that must be paid.
Do your organisation's staff understand their responsibilities under the PDPA? Online compliance training tailored specifically to the Victorian privacy principles may be an effective way of minimising the risk of breach across all staff in an organisation.
The 10 IPPs: A summary
The IPPs are complex and subject organisations to various obligations. Below is a summary to provide guidance on the basic framework of the principles. However, this is simply an outline. It is important that organisations have an in-depth understanding of the IPPs and their corresponding obligations.
Principle 1: Collection
When collecting personal information from individuals, you must inform them that it is being collected, why it is being collected, who that information might be passed on to, and that they have the right to ask what information you have about them.
Principle 2: Use and Disclosure
You must not collect personal information unless it is required for your business activities, and you must not use it for any purpose other than the one for which it was collected.
Principle 3: Data Quality
You must ensure the information you collect is accurate, complete and current.
Principle 4: Data Security
You must ensure the information is protected from loss, misuse and unauthorised disclosure.
Principle 5: Openness
You must have a company policy on your information handling procedures, which is available for public scrutiny.
Principle 6: Access and Correction
An individual can request access to their personal information, and it must be provided on request.
Principle 7: Identifiers
You must not use or disclose an identifier (personal identifying information such as a tax file number or Medicare number) assigned by a Commonwealth government agency.
Principle 8: Anonymity
You must allow individuals to interact anonymously if they wish to do so, provided it is legal and practical.
Principle 9: Transborder Data Flows
You can only transfer personal information outside Australia if you know the country you are sending it to has appropriate privacy protection laws.
Principle 10: Sensitive Information
The penalties for non-compliance with privacy legislation range from significant fines to imprisonment. Your business could also suffer loss of reputation and damage to your brand.
Where to from here?
Online compliance training can provide an effective method for ensuring that all employees within an organisation understand their responsibilities under applicable privacy laws, including the IPPs. It allows businesses to tailor their training requirements within a learning management system and to track the progress of staff across different areas of privacy knowledge.
What other privacy laws might apply to my organisation?
There is some overlap between the IPPs in Victoria and the Australian Privacy Principles (APPs), which apply nationally. Although Victorian Government bodies are bound by the IPPs, differences between the IPPs and the APPs may need to be considered when dealing with a Commonwealth body or a private sector organisation that is subject to the APPs.