{"id":"privacy-and-data-protection-act-2014","name":"Privacy and Data Protection Act 2014","slug":"privacy-and-data-protection-act-2014","collection":"act","jurisdiction":"vic","status":"in_force","isInForce":true,"actNumber":null,"makingDate":null,"administeringDepartment":null,"currentVersion":{"id":173308,"registerId":"vic-privacy-and-data-protection-act-2014-current","compilationNumber":null,"startDate":"2026-04-05","status":"InForce","reasons":null,"registeredAt":null},"sections":[{"sectionNumber":"Sch 3","sectionType":"schedule","heading":"Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017","content":"Schedule 3—Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017\n\n═══════════════\n\nEndnotes\n\n1 General information\n\n2 Table of Amendments\n\n3 Explanatory details\n\n**Version No.** **032**\n\n**Privacy and Data Protection Act 2014**\n\n**No. 60 of 2014**\n\nVersion incorporating amendments as at  \n\n**The Parliament of Victoria enacts:**\n\n","sortOrder":0},{"sectionNumber":"Part 1","sectionType":"part","heading":"Preliminary","content":"Part 1—Preliminary\n\n","sortOrder":1},{"sectionNumber":"1","sectionType":"section","heading":"Purposes","content":"\t1 Purposes\n\nThe purposes of this Act are—\n\n(a) to provide for responsible collection and handling of personal information in the Victorian public sector; and\n\n(b) to provide remedies for interferences with the information privacy of an individual; and\n\n(c) to establish a protective data security regime for the Victorian public sector; and\n\n(d) to establish a regime for monitoring and assuring public sector data security; and\n\nS. 1(e) substituted by No. 20/2017 s. 
78.\n\n(e) to provide for the appointment of the Privacy and Data Protection Deputy Commissioner; and\n\n(f) to repeal the **Information Privacy Act 2000** and the **Commissioner for Law Enforcement Data Security Act 2005** and make consequential amendments to other Acts.\n\n","sortOrder":2},{"sectionNumber":"2","sectionType":"section","heading":"Commencement","content":"\t2 Commencement\n\n(1) Subject to this section, this Act comes into operation on a day or days to be proclaimed.\n\n(2) Division 1 of Part 9 comes into operation on the later of—\n\n(a) the day after the day on which this Act receives the Royal Assent; and\n\n(b) the day on which section 278 of the **Victoria Police Act 2013** comes into operation.\n\n(3) Division 2 of Part 9 comes into operation on the later of—\n\n(a) the day after the day on which this Act receives the Royal Assent; and\n\n(b) the day on which section 157 of the **Legal Profession Uniform Law Application Act 2014** comes into operation.\n\n(4) If a provision of this Act (other than a provision referred to in subsection (2) or (3)) does not come into operation before 9 December 2014, it comes into operation on that day.\n\n","sortOrder":3},{"sectionNumber":"3","sectionType":"section","heading":"Definitions","content":"\t3 Definitions\n\nIn this Act—\n\n***applicable code of practice***, in relation to an organisation, means an approved code of practice by which the organisation is bound;\n\n***approved code of practice*** means a code of practice approved under Division 3 of Part 3 as amended and in operation for the time being;\n\n***approved information usage arrangement*** means an information usage arrangement approved under Division 6 of Part 3;\n\nS. 3 def. of *authorised legal representative* inserted by No. 11/2021 s. 
164.\n\n***authorised legal representative*** of a person means an Australian legal practitioner who has been instructed by a person to receive documents on the person's behalf;\n\n***body*** means body (whether incorporated or not);\n\nS. 3 def. of *Chief Commissioner of Police* amended by No. 60/2014 s. 129(a).\n\n***Chief Commissioner of Police*** means the Chief Commissioner of Police appointed under section 17 of the **Victoria Police Act 2013**;\n\n***Chief Statistician*** means the person employed as the Chief Statistician under section 4 of the **Crime Statistics Act 2014**;\n\n***child*** means a person under the age of 18 years;\n\nS. 3 def. of *Commissioner* repealed by No. 20/2017 s. 79(b).\n\n***Commonwealth-regulated organisation*** means an agency within the meaning of the Privacy Act 1988 of the Commonwealth and to which that Act applies;\n\n***consent*** means express consent or implied consent;\n\n***contracted service provider*** means a person or body who provides services under a State contract;\n\n***correct***, in relation to personal information, means alter that information by way of amendment, deletion or addition;\n\nS. 3 def. of *Council* amended by No. 9/2020 s. 390(Sch. 
1 item 80).\n\n***Council*** has the same meaning as in the **Local Government Act 2020**;\n\n***crime statistics data*** means—\n\n(a) any law enforcement data obtained by the Chief Statistician from the Chief Commissioner of Police under section 7 of the **Crime Statistics Act 2014**; or\n\n(b) any information derived from data referred to in paragraph (a) by the Chief Statistician or an employee or consultant referred to in section 6 of the **Crime Statistics Act 2014** in the performance of functions under that Act, other than information published by the Chief Statistician under section 5(1)(a) of that Act;\n\n***crime statistics data system*** means a database kept by the Chief Statistician (whether in computerised or other form and however described) containing crime statistics data;\n\n***current certificate*** means a certificate issued under section 55(1) that has not expired or been set aside;\n\n***data security standards*** means—\n\n(a) protective data security standards; or\n\n(b) law enforcement data security standards;\n\n***de-identified***, in relation to personal information, means personal information that no longer relates to an identifiable individual or an individual who can be reasonably identified;\n\n***enactment*** means an Act or a Commonwealth Act or an instrument of a legislative character made under an Act or a Commonwealth Act;\n\n***Federal Privacy Commissioner*** means the Privacy Commissioner appointed under the Australian Information Commissioner Act 2010 of the Commonwealth;\n\n***generally available publication*** means a publication (whether in paper or electronic form) that is generally available to members of the public and includes information held on a public register;\n\n***handling***, in relation to personal information, means collection, holding, management, use, disclosure or transfer of personal information;\n\n***IBAC*** means the Independent Broad-based Anti-corruption Commission established under section 12 of 
the **Independent Broad-based Anti-corruption Commission Act 2011**;\n\n***illness*** means a physical, mental or emotional illness, and includes a suspected illness;\n\nS. 3 def. of *Information Commissioner* inserted by No. 20/2017 s. 79(a).\n\n***Information Commissioner*** means the Information Commissioner appointed under section 6C of the **Freedom of Information Act 1982**;\n\n***information handling provision*** means a provision of an Act that permits handling of personal information—\n\n(a) as authorised or required by law or by or under an Act; or\n\n(b) in circumstances or for purposes required by law or by or under an Act;\n\n***Information Privacy Principle*** means any of the Information Privacy Principles set out in Schedule 1;\n\n***information usage arrangement*** has the meaning given by section 45;\n\nS. 3 def. of *Integrity Oversight Victoria* inserted by No. 31/2024 s. 113(Sch. 1 item 26.1(a)).\n\n***Integrity Oversight Victoria*** has the same meaning as in the **Integrity Oversight Victoria Act 2011**;\n\n***IPP*** means Information Privacy Principle;\n\nS. 3 def. of *law enforcement agency* amended by Nos 60/2014 s. 129(b), 29/2016 s. 111, 57/2017 s. 50, 27/2018 s. 362, 31/2024 ss 51, 113(Sch. 
1 item 26.1(b)).\n\n***law enforcement agency*** means—\n\n(a) Victoria Police; or\n\n(b) the police force or police service of another State or a Territory; or\n\n(c) the Australian Federal Police; or\n\n(d) the Australian Crime Commission established under section 7 of the Australian Crime Commission Act 2002 of the Commonwealth; or\n\n(e) the Commissioner appointed under section 8A of the **Corrections Act 1986**; or\n\n(ea) the Director, Fines Victoria employed under section 4 of the **Fines Reform Act 2014**;\n\n(f) the Business Licensing Authority established under Part 2 of the **Business Licensing Authority Act 1998**; or\n\n(g) a commission established by a law of Victoria or the Commonwealth or of any other State or a Territory with the function of investigating matters relating to criminal activity generally or of a specified class or classes; or\n\n(h) the Chief Examiner and Examiners appointed under Part 3 of the **Major Crime (Investigative Powers) Act 2004**; or\n\n(i) the IBAC; or\n\n(j) the sheriff within the meaning of the **Sheriff Act 2009**; or\n\n(k) Integrity Oversight Victoria; or\n\n(l) the Adult Parole Board established by section 61 of the **Corrections Act 1986**; or\n\n(la) the Post Sentence Authority continued in existence by section 290 of the **Serious Offenders Act 2018**; or\n\n(m) the Youth Parole Board within the meaning of the **Children, Youth and Families Act 2005**; or\n\n(ma) the Victorian Legal Services Board within the meaning of the **Legal Profession Uniform Law Application Act 2014**; or\n\n(mb) the Victorian Legal Services Commissioner within the meaning of the **Legal Profession Uniform Law Application Act 2014**; or\n\n(n) an agency responsible for the performance of functions or activities directed to—\n\n(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction for a breach; or\n\n(ii) the management of property seized or 
restrained under laws relating to the confiscation of the proceeds of crime or the enforcement of such laws, or of orders made under such laws; or\n\n(o) an agency responsible for the execution or implementation of an order or decision made by a court or tribunal; or\n\n(p) an agency that provides correctional services, including a contractor within the meaning of the **Corrections Act 1986**, or a subcontractor of that contractor, but only in relation to a function or duty or the exercise of a power conferred on it by or under that Act; or\n\n(q) an agency responsible for the protection of the public revenue under a law administered by it;\n\nS. 3 def. of *law enforcement data* amended by No. 60/2014 s. 129(c).\n\n***law enforcement data*** means any information obtained, received or held by Victoria Police—\n\n(a) for the purpose of one or more of its, or any other law enforcement agency's law enforcement functions or activities; or\n\n(b) for the enforcement of laws relating to the confiscation of the proceeds of crime; or\n\n(c) in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal; or\n\n(d) for the purposes of its community policing functions;\n\nS. 3 def. of *law enforcement data security standards* amended by No. 20/2017 s. 106(1)(a).\n\n***law enforcement data security standards*** means the standards issued, amended or reissued by the Information Commissioner under section 92;\n\nS. 3 def. of *law enforcement data system* amended by No. 60/2014 s. 129(d).\n\n***law enforcement data system*** means a database kept by Victoria Police (whether in computerised or other form and however described) containing law enforcement data;\n\nS. 3 def. of *legal practitioner* inserted by No. 20/2017 s. 79(a).\n\n***legal practitioner*** means an Australian legal practitioner;\n\nS. 3 def. of *member of staff* inserted by No. 20/2017 s. 
79(a).\n\n***member of staff***, of the Office of the Victorian Information Commissioner, means a person employed or engaged under section 6Q of the **Freedom of Information Act 1982**;\n\nS. 3 def. of *notice to produce or attend* inserted by No. 20/2017 s. 79(a).\n\n***notice to produce or attend*** means a notice issued under section 68 or 79, and includes a notice as varied under section 83B;\n\nS. 3 def. of *Office of the Victorian Information Commissioner* inserted by No. 20/2017 s. 79(a).\n\n***Office of the Victorian Information Commissioner*** means the Office of the Victorian Information Commissioner established under the **Freedom of Information Act 1982**;\n\n***organisation*** means a person or body to which Part 3 applies under section 13;\n\n***parent***, in relation to a child, includes—\n\n(a) the father and mother of the child; and\n\n(b) the spouse of the father or mother of the child; and\n\n(c) the domestic partner of the father or mother of the child; and\n\n(d) a person who has custody of the child; and\n\n(e) a person whose name is entered as the parent of the child in the register of births in the Register maintained by the Registrar of Births, Deaths and Marriages under Part 7 of the **Births, Deaths and Marriages Registration Act 1996**; and\n\n(f) a person who acknowledges that they are the parent of the child by an instrument of the kind described in section 8(2) or (2A) of the **Status of Children Act 1974**; and\n\n(g) a person in respect of whom a court has made a declaration or a finding or order that the person is the parent of the child;\n\n***personal information*** means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the **Health Records Act 2001** 
applies;\n\n***personal privacy*** means privacy of personal information;\n\nS. 3 def. of *Privacy and Data Protection Deputy Commissioner* inserted by No. 20/2017 s. 79(a).\n\n***Privacy and Data Protection Deputy Commissioner*** means the Privacy and Data Protection Deputy Commissioner appointed under section 8H;\n\n***protective data security plan*** means a plan prepared under section 89;\n\nS. 3 def. of *protective data security standards* amended by No. 20/2017 s. 106(1)(b).\n\n***protective data security standards*** means the standards issued by the Information Commissioner under section 86 or amended or reissued under section 87;\n\n***public interest determination*** means a determination made under section 31;\n\n***public register*** means a document held by a public sector agency or a Council and open to inspection by members of the public (whether or not on payment of a fee) under an Act or regulation (other than the **Freedom of Information Act 1982** or the **Public Records Act 1973**) containing information that—\n\n(a) a person or body was required or permitted to give to that public sector agency or Council under an Act or regulation; and\n\n(b) would be personal information if the document were not a generally available publication;\n\n***public sector agency*** means a public service body or a public entity within the meaning of the **Public Administration Act 2004**;\n\n***public sector body Head*** has the meaning given in the **Public Administration Act 2004**;\n\n***public sector data*** means any information (including personal information) obtained, received or held by an agency or body to which Part 4 applies, whether or not the agency or body obtained, received or holds that information in connection with the functions of that agency or body;\n\n***public sector data system*** includes—\n\n(a) information technology for storage of public sector data, including hardware and software; and\n\n(b) non-electronic means for storage of 
public sector data; and\n\n(c) procedures for dealing with public sector data, including by use of information technology and non-electronic means;\n\n***public service body Head*** has the meaning given in the **Public Administration Act 2004**;\n\n***State contract*** means a contract between an organisation, or a person, agency or body to which Part 4 or 5 of this Act applies, and another person or body (whether or not this Act or a Part of this Act applies to the person or body) under which services are provided to one party (the ***outsourcing party***) by the other party (the ***contracted service provider***) in connection with the performance of the functions of the outsourcing party, including services that the outsourcing party provides to other persons or bodies;\n\n***temporary public interest determination*** means a temporary public interest determination made under section 39;\n\n***third party***, in relation to personal information, means a person or body other than the organisation holding the information and the individual to whom the information relates;\n\nS. 3 def. of *Victorian Inspectorate* repealed by No. 31/2024 s. 113(Sch. 
1 item 26.1(c)).\n\n***Victorian protective data security framework*** means the Victorian protective data security framework developed under section 85.\n\n","sortOrder":4},{"sectionNumber":"4","sectionType":"section","heading":"Interpretation","content":"\t4 Interpretation\n\n(1) For the purposes of this Act, an organisation holds personal information if the information is contained in a document that is in the possession or under the control of the organisation, whether alone or jointly with other persons or bodies, irrespective of where the document is situated, whether in or outside Victoria.\n\n(2) If a provision of this Act refers to an IPP by a number, the reference is a reference to the IPP designated by that number.\n\n(3) A reference in this Act to a contracted service provider is a reference to a person or body in the capacity of contracted service provider and includes a reference to a subcontractor of the contracted service provider (or of another such subcontractor) for the purposes (whether direct or indirect) of the State contract.\n\n(4) Without limiting section 37(a) of the **Interpretation of Legislation Act 1984**, a reference in this Act to an organisation using a neuter pronoun includes a reference to an organisation that is an individual, unless the contrary intention appears.\n\n","sortOrder":5},{"sectionNumber":"5","sectionType":"section","heading":"Objects","content":"\t5 Objects\n\nThe objects of this Act are—\n\n(a) to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector; and\n\n(b) to balance the public interest in promoting open access to public sector information with the public interest in protecting its security; and\n\n(c) to promote awareness of responsible personal information handling practices in the public sector; and\n\n(d) to promote the responsible and transparent handling of personal information in the public sector; 
and\n\n(e) to promote responsible data security practices in the public sector.\n\n","sortOrder":6},{"sectionNumber":"6","sectionType":"section","heading":"Relationship of this Act to other laws","content":"\t6 Relationship of this Act to other laws\n\n(1) If a provision made by or under this Act (other than Division 5, 6 or 7 of Part 3) relating to an Information Privacy Principle or applicable code of practice is inconsistent with a provision made by or under any other Act, that other provision prevails and the provision made by or under this Act is (to the extent of the inconsistency) of no force or effect.\n\n(2) Without limiting subsection (1), nothing in this Act affects the operation of the **Freedom of Information Act 1982** or any right, privilege, obligation or liability conferred or imposed under that Act or any exemption arising under that Act.\n\n","sortOrder":7},{"sectionNumber":"7","sectionType":"section","heading":"Rights and liabilities","content":"\t7 Rights and liabilities\n\n(1) Nothing in this Act—\n\n(a) gives rise to any civil cause of action; or\n\n(b) without limiting paragraph (a), operates to create in any person any legal right enforceable in a court or tribunal—\n\notherwise than in accordance with the procedures set out in this Act.\n\n(2) A contravention of this Act does not create any criminal liability except to the extent expressly provided by this Act.\n\n","sortOrder":8},{"sectionNumber":"8","sectionType":"section","heading":"Act binds the Crown","content":"\t8 Act binds the Crown\n\n(1) This Act binds the Crown in right of Victoria and, so far as the legislative power of the Parliament permits, the Crown in all its other capacities.\n\n(2) Nothing in this Act makes the Crown in any of its capacities liable to be prosecuted for an offence.\n\nPt 1A (Headings and ss 8A–8P) inserted by No. 20/2017 s. 
80.\n\n","sortOrder":9},{"sectionNumber":"Part 1A","sectionType":"part","heading":"Functions, powers of Information Commissioner and appointment of Privacy and Data Protection Deputy Commissioner","content":"Part 1A—Functions, powers of Information Commissioner and appointment of Privacy and Data Protection Deputy Commissioner\n\n","sortOrder":10},{"sectionNumber":"Div 1","sectionType":"division","heading":"Performance of functions","content":"Division 1—Performance of functions\n\nS. 8A inserted by No. 20/2017 s. 80.\n\n","sortOrder":11},{"sectionNumber":"8A","sectionType":"section","heading":"Functions of Information Commissioner","content":"\t8A Functions of Information Commissioner\n\n(1) The Information Commissioner has the following functions—\n\n(a) functions relating to information privacy set out in section 8C;\n\n(b) functions relating to protective data security and law enforcement data security set out in section 8D;\n\n(c) functions conferred on the Information Commissioner by or under this Act;\n\n(d) functions conferred on the Information Commissioner by or under any other Act.\n\n(2) The Information Commissioner must have regard to the objects of this Act in the performance of the Commissioner's functions and the exercise of the Commissioner's powers under this Act.\n\n(3) Except where expressly provided in this Act, the Information Commissioner is not subject to the direction or control of the Minister in respect of the performance of the Information Commissioner's duties and functions and the exercise of the Information Commissioner's powers.\n\nS. 8B inserted by No. 20/2017 s. 
80.\n\n","sortOrder":12},{"sectionNumber":"8B","sectionType":"section","heading":"Functions of Privacy and Data Protection Deputy Commissioner","content":"\t8B Functions of Privacy and Data Protection Deputy Commissioner\n\n(1) The Privacy and Data Protection Deputy Commissioner has the following functions—\n\n(a) functions relating to information privacy set out in section 8C(2);\n\n(b) functions relating to protective data security and law enforcement data security set out in section 8D(2);\n\n(c) any function conferred by the Information Commissioner on the Deputy Commissioner by authorisation under section 8F;\n\n(d) any other function conferred on the Information Commissioner by or under this Act, except—\n\n(i) a function of the Information Commissioner referred to in section 8A(1)(d); or\n\n(ii) a function of the Information Commissioner referred to in section 8C(1) or 8D(1); or\n\n(iii) a function of the Information Commissioner referred to in section 8F; or\n\n(iv) a function of the Information Commissioner referred to in section 8O; or\n\n(v) issuing directions under section 8P; or\n\n(vi) making reports under section 116.\n\n(2) The Privacy and Data Protection Deputy Commissioner must have regard to the objects of this Act in the performance of the Deputy Commissioner's functions and the exercise of the Deputy Commissioner's powers under this Act.\n\n(3) Except where expressly provided in this Act, the Privacy and Data Protection Deputy Commissioner is not subject to the direction or control of the Minister in respect of the performance of the Deputy Commissioner's duties and functions and the exercise of the Deputy Commissioner's powers.\n\nS. 8C inserted by No. 20/2017 s. 
80.\n\n","sortOrder":13},{"sectionNumber":"8C","sectionType":"section","heading":"Information privacy functions","content":"\t8C Information privacy functions\n\n(1) The Information Commissioner has the following functions in relation to information privacy—\n\n(a) in accordance with Division 3 of Part 3, to undertake activities relating to the development and approval of codes of practice;\n\n(b) to develop and publish model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;\n\n(c) to make public interest determinations and temporary public interest determinations in accordance with Division 5 of Part 3;\n\n(d) to approve information usage arrangements in accordance with Division 6 of Part 3;\n\n(e) to examine and assess any proposed legislation that would require or authorise acts or practices of an organisation that may, in the absence of the legislation, be interferences with the privacy of an individual or that may otherwise have an adverse effect on the privacy of an individual, and to report to the Minister the results of the examination and assessment;\n\n(f) to make public statements in relation to any matter affecting personal privacy or the privacy of any class of individual;\n\n(g) to issue guidelines and other materials in relation to the Information Privacy Principles and information usage arrangements;\n\n(h) to undertake reviews of any matters relating to information privacy, as requested by the Minister;\n\n(i) to make reports or recommendations in relation to information privacy as provided for by section 111.\n\n(2) The Information Commissioner and the Privacy and Data Protection Deputy Commissioner each have the following functions in relation to information privacy—\n\n(a) to promote understanding and acceptance of the Information Privacy Principles and of the objects of those Principles;\n\n(b) to examine the practice of 
an organisation with respect to personal information maintained by that organisation for the purpose of ascertaining whether or not the information is maintained according to the Information Privacy Principles or any applicable code of practice;\n\n(c) to issue certificates under Division 7 of Part 3;\n\n(d) subject to this Act—\n\n(i) to receive complaints about an act or practice of an organisation; and\n\n(ii) if appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the complaint;\n\n(e) to issue compliance notices under Division 9 of Part 3 and to carry out an investigation for that purpose;\n\n(f) to conduct or commission audits of records of personal information maintained by an organisation for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles or any applicable code of practice;\n\n(g) to consult and cooperate with persons and bodies concerned with information privacy;\n\n(h) to undertake research in relation to matters relating to information privacy.\n\nS. 8D inserted by No. 20/2017 s. 
80.\n\n","sortOrder":14},{"sectionNumber":"8D","sectionType":"section","heading":"Protective data security and law enforcement data security functions","content":"\t8D Protective data security and law enforcement data security functions\n\n(1) The Information Commissioner has the following functions in relation to protective data security and law enforcement data security—\n\n(a) to issue protective data security standards and law enforcement data security standards;\n\n(b) to develop the Victorian protective data security framework;\n\n(c) to issue guidelines and other materials in relation to protective data security standards;\n\n(d) to undertake reviews of any matters relating to protective data security, as requested by the Minister;\n\n(e) to undertake reviews of any matters relating to law enforcement data security and crime statistics data security, as requested by the Minister;\n\n(f) to make reports or recommendations in relation to data security as provided for by section 111.\n\n(2) The Information Commissioner and the Privacy and Data Protection Deputy Commissioner each have the following functions in relation to protective data security and law enforcement data security—\n\n(a) to promote the uptake of protective data security standards by the public sector;\n\n(b) to conduct monitoring and assurance activities, including audits, to ascertain compliance with data security standards;\n\n(c) to refer findings of monitoring and assurance activities, including audits, to an appropriate person or body for further action;\n\n(d) to undertake research in relation to matters relating to protective data security and law enforcement data security relevant to the public sector, particularly relating to information and communications technology;\n\n(e) to retain copies of protective data security plans.\n\nS. 8E inserted by No. 20/2017 s. 
80.\n\n","sortOrder":15},{"sectionNumber":"8E","sectionType":"section","heading":"Performance of concurrent functions","content":"\t8E Performance of concurrent functions\n\nIf a function may be performed by the Information Commissioner and the Privacy and Data Protection Deputy Commissioner, that function may be performed by—\n\n(a) the Information Commissioner; or\n\n(b) the Privacy and Data Protection Deputy Commissioner; or\n\n(c) the Information Commissioner and the Privacy and Data Protection Deputy Commissioner.\n\nS. 8F inserted by No. 20/2017 s. 80.\n\n","sortOrder":16},{"sectionNumber":"8F","sectionType":"section","heading":"Information Commissioner may confer functions on Privacy and Data Protection Deputy Commissioner","content":"\t8F Information Commissioner may confer functions on Privacy and Data Protection Deputy Commissioner\n\n(1) The Information Commissioner may in writing authorise the Privacy and Data Protection Deputy Commissioner to perform any of the following functions of the Information Commissioner, as specified in the authorisation—\n\n(a) to undertake activities in relation to the development or approval of a specified code of practice;\n\n(b) to develop and publish specified model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;\n\n(c) to make a specified public interest determination or a specified temporary public interest determination in accordance with Division 5 of Part 3;\n\n(d) to approve a specified information usage arrangement;\n\n(e) to issue a specified protective data security standard or a specified law enforcement data standard;\n\n(f) to review or amend the Victorian protective data security framework, as specified;\n\n(g) to issue guidelines and other materials in relation to a specified protective data security standard.\n\n(2) The Information Commissioner may at any time in writing revoke an 
authorisation under this section, and on that revocation may continue and complete any action commenced under the authorisation by the Privacy and Data Protection Deputy Commissioner.\n\nS. 8G inserted by No. 20/2017 s. 80.\n\n","sortOrder":17},{"sectionNumber":"8G","sectionType":"section","heading":"General powers of Information Commissioner and Privacy and Data Protection Deputy Commissioner","content":"\t8G General powers of Information Commissioner and Privacy and Data Protection Deputy Commissioner\n\n(1) The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Information Commissioner's functions.\n\n(2) The Privacy and Data Protection Deputy Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Deputy Commissioner's functions.\n\n","sortOrder":18},{"sectionNumber":"Div 2","sectionType":"division","heading":"Privacy and Data Protection Deputy Commissioner","content":"Division 2—Privacy and Data Protection Deputy Commissioner\n\nS. 8H inserted by No. 20/2017 s. 80.\n\n","sortOrder":19},{"sectionNumber":"8H","sectionType":"section","heading":"Appointment of Privacy and Data Protection Deputy Commissioner","content":"\t8H Appointment of Privacy and Data Protection Deputy Commissioner\n\n(1) The Governor in Council may appoint an eligible person as the Privacy and Data Protection Deputy Commissioner.\n\n(2) A person is not eligible for appointment as the Privacy and Data Protection Deputy Commissioner if the person is—\n\n(a) a member of the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or\n\n(b) a member of a council.\n\n(3) A person may hold office as Privacy and Data Protection Deputy Commissioner for not more than 2 terms (whether consecutive terms or otherwise).\n\nS. 8I inserted by No. 20/2017 s. 
80.\n\n","sortOrder":20},{"sectionNumber":"8I","sectionType":"section","heading":"Terms and conditions of appointment of Privacy and Data Protection Deputy Commissioner","content":"\t8I Terms and conditions of appointment of Privacy and Data Protection Deputy Commissioner\n\n(1) The appointment of the Privacy and Data Protection Deputy Commissioner is to be for the period, not exceeding 5 years, set out in the instrument of appointment.\n\n(2) Subject to this Part, the Privacy and Data Protection Deputy Commissioner holds office on the terms and conditions determined by the Governor in Council.\n\n(3) Subject to section 8H(3), the Privacy and Data Protection Deputy Commissioner may be reappointed.\n\n(4) The Privacy and Data Protection Deputy Commissioner is entitled to leave of absence as determined by the Governor in Council.\n\n(5) The Privacy and Data Protection Deputy Commissioner must not directly or indirectly engage in paid employment outside the duties of the relevant office.\n\nS. 8J inserted by No. 20/2017 s. 80.\n\n","sortOrder":21},{"sectionNumber":"8J","sectionType":"section","heading":"Remuneration","content":"\t8J Remuneration\n\nThe Privacy and Data Protection Deputy Commissioner is entitled to be paid the remuneration and allowances that are determined by the Governor in Council.\n\nS. 8K inserted by No. 20/2017 s. 
80.\n\n","sortOrder":22},{"sectionNumber":"8K","sectionType":"section","heading":"Vacancy and resignation of Privacy and Data Protection Deputy Commissioner","content":"\t8K Vacancy and resignation of Privacy and Data Protection Deputy Commissioner\n\n(1) The Privacy and Data Protection Deputy Commissioner ceases to hold office if the office holder—\n\n(a) resigns by notice in writing delivered to the Minister; or\n\n(b) becomes an insolvent under administration; or\n\n(c) is convicted of an indictable offence or an offence that, if committed in Victoria, would be an indictable offence; or\n\n(d) nominates for election for the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or\n\n(e) nominates for election as a member of a council; or\n\n(f) is removed from office under section 8L.\n\n(2) The Privacy and Data Protection Deputy Commissioner's resignation under subsection (1)(a) takes effect on—\n\n(a) the day on which it is received by the Minister; or\n\n(b) if a later day is specified in the notice, on that day.\n\nS. 8L inserted by No. 20/2017 s. 80.\n\n","sortOrder":23},{"sectionNumber":"8L","sectionType":"section","heading":"Suspension and removal from office","content":"\t8L Suspension and removal from office\n\n(1) The Governor in Council, on the recommendation of the Minister, may suspend or remove the Privacy and Data Protection Deputy Commissioner from office on any of the following grounds—\n\n(a) misconduct;\n\n(b) neglect of duty;\n\n(c) inability to perform the duties of the office;\n\n(d) any other ground on which the Governor in Council is satisfied that the Privacy and Data Protection Deputy Commissioner should not hold office.\n\n(2) If the Privacy and Data Protection Deputy Commissioner is removed from office, the Minister must cause a full statement of the grounds for removal to be presented to each House of Parliament within 10 sitting days of that House after the removal.\n\nS. 8M inserted by No. 20/2017 s. 
80.\n\n","sortOrder":24},{"sectionNumber":"8M","sectionType":"section","heading":"Acting Privacy and Data Protection Deputy Commissioner","content":"\t8M Acting Privacy and Data Protection Deputy Commissioner\n\n(1) The Governor in Council, on the recommendation of the Minister, may appoint an eligible person to act as the Privacy and Data Protection Deputy Commissioner—\n\n(a) during a vacancy in the office of the Deputy Commissioner; or\n\n(b) during any period, or all periods, when the Deputy Commissioner is absent from duty or from the State or, for another reason, cannot perform the functions of the office.\n\n(2) A person is not eligible for appointment to act as the Privacy and Data Protection Deputy Commissioner if the person is—\n\n(a) a member of the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or\n\n(b) a member of a council.\n\n(3) An appointment under subsection (1) is for the period, not exceeding 12 months, set out in the instrument of appointment.\n\n(4) The Governor in Council, on the recommendation of the Minister, may at any time remove the acting Privacy and Data Protection Deputy Commissioner from office.\n\n(5) While a person is acting in the office of the Privacy and Data Protection Deputy Commissioner, the person—\n\n(a) has, and may exercise, all the powers and must perform all the duties of that office under this Act and any other Act; and\n\n(b) is entitled to be paid the remuneration and allowances that the Privacy and Data Protection Deputy Commissioner would have been entitled to for performing those duties.\n\nS. 8N inserted by No. 20/2017 s. 
80.\n\n","sortOrder":25},{"sectionNumber":"8N","sectionType":"section","heading":"Validity of acts and decisions","content":"\t8N Validity of acts and decisions\n\nAn act or decision of the Privacy and Data Protection Deputy Commissioner or acting Privacy and Data Protection Deputy Commissioner is not invalid only because—\n\n(a) of a defect or irregularity in or in connection with the appointment of the Privacy and Data Protection Deputy Commissioner or acting Privacy and Data Protection Deputy Commissioner; or\n\n(b) in the case of an acting Privacy and Data Protection Deputy Commissioner, the occasion for so acting had not arisen or had ceased.\n\n","sortOrder":26},{"sectionNumber":"Div 3","sectionType":"division","heading":"General","content":"Division 3—General\n\nS. 8O inserted by No. 20/2017 s. 80.\n\n","sortOrder":27},{"sectionNumber":"8O","sectionType":"section","heading":"Delegation","content":"\t8O Delegation\n\n(1) The Information Commissioner may by instrument delegate to the Privacy and Data Protection Deputy Commissioner or a member of staff of the Office of the Victorian Information Commissioner any of the Information Commissioner's functions and powers under this Act except this power of delegation.\n\n(2) The Information Commissioner may by instrument delegate to the Privacy and Data Protection Deputy Commissioner or any member of staff of the Office of the Victorian Information Commissioner a function or power relating to information privacy, protective data security or law enforcement data security conferred on the Information Commissioner by or under any other Act.\n\n(3) With the written consent of the Information Commissioner, the Privacy and Data Protection Deputy Commissioner may by instrument delegate to a member of staff any of the Deputy Commissioner's functions and powers (including any function or power delegated under subsection (1)) except this power of delegation.\n\nS. 8P inserted by No. 20/2017 s. 
80.\n\n","sortOrder":28},{"sectionNumber":"8P","sectionType":"section","heading":"Directions","content":"\t8P Directions\n\nThe Information Commissioner may issue directions to the Privacy and Data Protection Deputy Commissioner or to any member of staff of the Office of the Victorian Information Commissioner for the purposes of this Act in relation to the performance of functions under this Act other than in relation to the following—\n\n(a) certifying consistency of an act or practice under section 55; or\n\n(b) the conciliation of a complaint under Subdivision 3 of Division 8 of Part 3.\n\n","sortOrder":29},{"sectionNumber":"Part 2","sectionType":"part","heading":"Application of this Act","content":"Part 2—Application of this Act\n\n","sortOrder":30},{"sectionNumber":"9","sectionType":"section","heading":"Definition","content":"\t9 Definition\n\nIn this Part, ***information*** means—\n\n(a) personal information; or\n\n(b) public sector data; or\n\n(c) law enforcement data; or\n\n(d) crime statistics data.\n\n","sortOrder":31},{"sectionNumber":"10","sectionType":"section","heading":"Courts, tribunals etc.","content":"\t10 Courts, tribunals etc.\n\nNothing in this Act or in any Information Privacy Principle or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information—\n\n(a) in relation to its or the holder's judicial or quasi-judicial functions, by—\n\n(i) a court or tribunal; or\n\n(ii) the holder of a judicial or quasi-judicial office or other office pertaining to a court or tribunal in their capacity as the holder of that office; or\n\n(b) in relation to those matters which relate to the judicial or quasi-judicial functions of the court or tribunal, by—\n\n(i) a registry or other office of a court or tribunal; or\n\n(ii) the staff of such a registry or other office in their capacity as members of that staff.\n\nS. 10A inserted by No. 67/2014 s. 147(Sch. 
2 item 28).\n\n","sortOrder":32},{"sectionNumber":"10A","sectionType":"section","heading":"Royal Commissions etc.","content":"\t10A Royal Commissions etc.\n\n(1) Nothing in this Act or in any Information Privacy Principle or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information by a Royal Commission, a Board of Inquiry or a Formal Review for the purposes of, or in connection with, the performance of its functions.\n\n***Board of Inquiry*** has the same meaning as in the **Inquiries Act 2014**;\n\n***Formal Review*** has the same meaning as in the **Inquiries Act 2014**;\n\n***Royal Commission*** means—\n\n(a) a Royal Commission established under the **Inquiries Act 2014**; or\n\n(b) a Royal Commission established under the prerogative of the Crown.\n\n","sortOrder":33},{"sectionNumber":"11","sectionType":"section","heading":"Parliamentary Committees","content":"\t11 Parliamentary Committees\n\n(1) Nothing in this Act or in any Information Privacy Principle or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information by a Parliamentary Committee in the course of carrying out its functions as a Parliamentary Committee.\n\n***Parliamentary Committee*** means—\n\n(a) a Joint Investigatory Committee, or the House Committee, within the meaning of the **Parliamentary Committees Act 2003**; or\n\n(b) a committee of the Legislative Council or the Legislative Assembly.\n\n","sortOrder":34},{"sectionNumber":"12","sectionType":"section","heading":"Publicly-available information","content":"\t12 Publicly-available information\n\n(1) Nothing in this Act or in any Information Privacy Principle or any data security standard applies to any information contained in a document that is—\n\n(a) a generally available publication; or\n\n(b) kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or\n\n(c) a 
public record under the control of the Keeper of Public Records that is available for public inspection in accordance with the **Public Records Act 1973**; or\n\n(d) archives within the meaning of the Copyright Act 1968 of the Commonwealth.\n\n(2) Subsection (1) does not take away from section 20(2) which imposes duties on a public sector agency or a Council in administering a public register.\n\nPart 3—Information privacy\n\nDivision 1—Application of this Part\n\n\t13 Public sector organisations to which this Part applies\n\n(1) Subject to subsection (2), this Part applies to the following—\n\n(a) a Minister;\n\n(b) a Parliamentary Secretary, including the Parliamentary Secretary of the Cabinet;\n\n(c) a public sector agency;\n\n(d) a Council;\n\n(e) a body established or appointed for a public purpose by or under an Act;\n\n(f) a body established or appointed for a public purpose by the Governor in Council, or by a Minister, otherwise than under an Act;\n\n(g) a person holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person was appointed by the Governor in Council, or by a Minister, otherwise than under an Act;\n\n(h) a court or tribunal;\n\nS. 13(1)(i) substituted by No. 21/2015 s. 3(Sch. 
1 item 41.1).\n\n(i) Victoria Police;\n\n(j) a contracted service provider, but only in relation to its provision of services under a State contract which contains a provision of a kind referred to in section 17(2);\n\n(k) any other body that is declared, or to the extent that it is declared, by an Order under subsection (3)(a) to be an organisation for the purposes of this subsection.\n\n(2) This Part does not apply to a person or body referred to in subsection (1) that is—\n\n(a) a Commonwealth-regulated organisation; or\n\n(b) declared, or to the extent that it is declared, by an Order under subsection (3)(b) not to be an organisation for the purposes of subsection (1)(e), (f) or (g).\n\n(3) The Governor in Council may, on the recommendation of the Minister, by Order published in the Government Gazette—\n\n(a) declare a body to be, either wholly or to the extent specified in the Order, an organisation for the purposes of subsection (1); or\n\n(b) declare a body referred to in subsection (1)(e) or (f), or a person holding an office or position referred to in subsection (1)(g), not to be an organisation for the purposes of that subsection, either wholly or to the extent specified in the Order.\n\n(4) The Minister may only recommend to the Governor in Council the making of an Order under subsection (3)(b) in respect of a body or person if satisfied that—\n\n(a) another scheme (whether contained in an enactment or given legislative force by an enactment) would apply to the collection, holding, management, use, disclosure and transfer by that body or person of personal information if that person or body were not an organisation for the purposes of subsection (1), either wholly or to the extent specified in the Order; and\n\n(b) the collection, holding, management, use, disclosure and transfer by that body or person of personal information is more appropriately governed by that other 
scheme.\n\n","sortOrder":35},{"sectionNumber":"14","sectionType":"section","heading":"Exemption—Freedom of Information Act 1982","content":"\t14 Exemption—Freedom of Information Act 1982\n\n(1) Nothing in IPP 6 or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with applies to a document containing personal information or to the personal information contained in a document if—\n\n(a) the document is a document of an agency within the meaning of the **Freedom of Information Act 1982**; and\n\n(b) access can only be granted to the document or information, or the information can only be corrected, in accordance with that Act.\n\n(2) Nothing in IPP 6 or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with applies to a document containing personal information or to the personal information contained in a document if—\n\n(a) the document is an official document of a Minister within the meaning of the **Freedom of Information Act 1982**; and\n\n(b) access can only be granted to the document or information, or the information can only be corrected, in accordance with that Act.\n\n(3) Nothing in IPP 6 or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with applies to a document containing personal information or to the personal information contained in a document if access would not be granted to the document under the **Freedom of Information Act 1982** because of section 5(3), 6 or 6AA of that Act.\n\n","sortOrder":36},{"sectionNumber":"15","sectionType":"section","heading":"Exemption—law enforcement","content":"\t15 Exemption—law enforcement\n\nIt is not necessary for a law enforcement agency to comply with IPP 1.3 to 1.5, 2.1, 6.1 to 6.8, 7.1 to 7.4, 9.1 or 10.1 if it believes on reasonable grounds that the noncompliance is necessary—\n\n(a) for the 
purposes of one or more of its, or any other law enforcement agency's, law enforcement functions or activities; or\n\n(b) for the enforcement of laws relating to the confiscation of the proceeds of crime; or\n\n(c) in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal; or\n\nS. 15(d) amended by No. 21/2015 s. 3(Sch. 1 item 41.2).\n\n(d) in the case of Victoria Police, for the purposes of its community policing functions.\n\nS. 15A inserted by No. 23/2017 s. 20 (as amended by No. 60/2017 s. 35).\n\n","sortOrder":37},{"sectionNumber":"15A","sectionType":"section","heading":"Exemption—information sharing under the Family Violence Protection Act 2008","content":"\t15A Exemption—information sharing under the Family Violence Protection Act 2008\n\n(1) Nothing in IPP 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.4 or 1.5 or prescribing how IPP 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an information sharing entity for the purposes of Part 5A of the **Family Violence Protection Act 2008** about a person of concern, or a person who is alleged to pose a risk of committing family violence.\n\nS. 15A(1A) inserted by No. 11/2018 s. 
43(1).\n\n(1A) Nothing in IPP 1.3, 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.3, 1.4 or 1.5 or prescribing how IPP 1.3, 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an authorised Hub entity for the purposes of Part 5B of the **Family Violence Protection Act 2008**.\n\n(4) Nothing in IPP 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.4 or 1.5 or prescribing how IPP 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information about an individual by the Central Information Point for the purposes of Part 5A of the **Family Violence Protection Act 2008**.\n\n(5) Nothing in IPP 6, or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with, applies to personal information about an individual held by the Central Information Point for the purposes of Part 5A of the **Family Violence Protection Act 2008**.\n\n(7) In this section—\n\nS. 15A(7) def. of *authorised Hub entity* inserted by No. 11/2018 s. 43(2).\n\n***authorised Hub entity*** has the meaning given in the **Family Violence Protection Act 2008**;\n\n***Central Information Point*** has the meaning given in section 144O of the **Family Violence Protection Act 2008**;\n\n***family violence*** has the meaning given in the **Family Violence Protection Act 2008**;\n\n***information sharing entity*** has the meaning given in the **Family Violence Protection Act 2008**;\n\n***person of concern*** has the meaning given in section 144B of the **Family Violence Protection Act 2008**.\n\nS. 15B inserted by No. 11/2018 s. 
31.\n\n","sortOrder":38},{"sectionNumber":"15B","sectionType":"section","heading":"Exemption—information sharing under the Child Wellbeing and Safety Act 2005","content":"\t15B Exemption—information sharing under the Child Wellbeing and Safety Act 2005\n\n(1) Nothing in IPP 1.4, or any applicable code of practice modifying the application of IPP 1.4 or prescribing how IPP 1.4 is to be applied or complied with, applies to the collection of personal information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the **Child Wellbeing and Safety Act 2005**, or by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of that Act.\n\n(2) Nothing in IPP 1.5, or any applicable code of practice modifying the application of IPP 1.5 or prescribing how IPP 1.5 is to be applied or complied with, applies to the collection of personal information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the **Child Wellbeing and Safety Act 2005**, to the extent that the application of, or compliance with, IPP 1.5 would be contrary to the promotion of the wellbeing or safety of a child to whom the information relates.\n\n(3) Nothing in IPP 1.5, or any applicable code of practice modifying the application of IPP 1.5 or prescribing how IPP 1.5 is to be applied or complied with, applies to the collection of personal information by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of the **Child Wellbeing and Safety Act 2005**.\n\n(4) Nothing in IPP 10.1, or any applicable code of practice modifying the application of IPP 10.1 or prescribing how IPP 10.1 is to be applied or complied with, applies to the collection, use or disclosure of sensitive information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the **Child 
Wellbeing and Safety Act 2005**, or by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of that Act.\n\nS. 15B(5) amended by No. 30/2019 s. 19.\n\n(5) Nothing in an IPP, or any applicable code of practice modifying the application of an IPP or prescribing how an IPP is to be applied or complied with, applies to the collection, use or disclosure of personal or sensitive information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the **Child Wellbeing and Safety Act 2005**, or by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of that Act, to the extent that the IPP requires the consent of the person to whom the information relates for the collection, use or disclosure of that information.\n\n(6) In this section—\n\n***Child Link user*** has the same meaning as in the **Child Wellbeing and Safety Act 2005**;\n\n***information sharing entity*** has the same meaning as in the **Child Wellbeing and Safety Act 2005**;\n\n***restricted information sharing entity*** has the same meaning as in the **Child Wellbeing and Safety Act 2005**.\n\nS. 15C inserted by No. 34/2019 s. 
87.\n\n","sortOrder":39},{"sectionNumber":"15C","sectionType":"section","heading":"Exemption—information sharing for quality and safety purposes under the Health Services Act 1988","content":"\t15C Exemption—information sharing for quality and safety purposes under the Health Services Act 1988\n\n(1) Nothing in IPP 1.4, or any applicable code of practice modifying the application of IPP 1.4 or prescribing how IPP 1.4 is to be applied or complied with, applies to the collection of personal information for the purposes of Part 6B of the **Health Services Act 1988** by any of the following—\n\n(a) the Secretary to the Department of Health and Human Services;\n\n(b) a quality and safety body;\n\n(c) a health service entity;\n\n(d) a special adviser.\n\n(2) Nothing in IPP 1.5, or any applicable code of practice modifying the application of IPP 1.5 or prescribing how IPP 1.5 is to be applied or complied with, applies to the collection of personal information for the purposes of Part 6B of the **Health Services Act 1988** by any of the following—\n\n(a) the Secretary to the Department of Health and Human Services;\n\n(b) a quality and safety body;\n\n(c) a health service entity;\n\n(d) a special adviser.\n\n(3) Nothing in an IPP, or any applicable code of practice modifying the application of an IPP or prescribing how an IPP is to be applied or complied with, applies to the collection of personal or sensitive information for the purposes of Part 6B of the **Health Services Act 1988** by—\n\n(a) the Secretary; or\n\n(b) a quality and safety body; or\n\n(c) a health service entity; or\n\n(d) a special adviser—\n\nto the extent that the IPP requires the consent of the person to whom the information relates for the collection of that information.\n\n***health service entity*** has the same meaning as in section 134V of the **Health Services Act 1988**;\n\n***quality and safety body*** has the same meaning as in section 134V of the **Health Services Act 1988**;\n\n***special 
adviser*** has the same meaning as in section 134V of the **Health Services Act 1988**.\n\nS. 15D inserted by No. 47/2021 s. 28.\n\n","sortOrder":40},{"sectionNumber":"15D","sectionType":"section","heading":"Information sharing under Division 6 of Part 4A of Terrorism (Community Protection) Act 2003","content":"\t15D Information sharing under Division 6 of Part 4A of Terrorism (Community Protection) Act 2003\n\n(1) Nothing in IPP 1.3, 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.3, 1.4 or 1.5 or prescribing how IPP 1.3, 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an authorised discloser in accordance with Division 6 of Part 4A of the **Terrorism (Community Protection) Act 2003**.\n\n(2) Nothing in IPP 2, or any applicable code of practice modifying the application of IPP 2 or prescribing how IPP 2 is to be applied or complied with, applies to the use or disclosure, for the purposes of Part 4A of the **Terrorism (Community Protection) Act 2003**, of personal information that an authorised discloser has had disclosed to them in accordance with Division 6 of that Part.\n\n(3) Nothing in IPP 6, or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with, applies to personal information that an authorised discloser has had disclosed to them in accordance with Division 6 of Part 4A of the **Terrorism (Community Protection) Act 2003**.\n\n***authorised discloser*** has the same meaning as it has in Division 6 of Part 4A of the **Terrorism (Community Protection) Act 2003**.\n\n**Note**\n\nSee section 22EJ of that Act.\n\n","sortOrder":41},{"sectionNumber":"16","sectionType":"section","heading":"What is an interference with privacy of an individual?","content":"\t16 What is an interference with privacy of an individual?\n\nFor the purposes of this Act, an act done or practice engaged in by an organisation is an 
interference with the privacy of an individual if, and only if, the act or practice is contrary to, or inconsistent with—\n\n(a) an Information Privacy Principle or an applicable code of practice; or\n\n(b) a public interest determination or a temporary public interest determination; or\n\n(c) an approved information usage arrangement; or\n\n(d) a current certificate.\n\n","sortOrder":42},{"sectionNumber":"17","sectionType":"section","heading":"Effect of outsourcing","content":"\t17 Effect of outsourcing\n\n(1) Subject to this section, the status or effect for the purposes of this Act (other than Part 4) of an act or practice is not affected by the existence or operation of a State contract.\n\n(2) A State contract may provide for the contracted service provider to be bound by the Information Privacy Principles and any applicable code of practice with respect to any act done, or practice engaged in, by the contracted service provider for the purposes of the State contract in the same way and to the same extent as the outsourcing party would have been bound by them in respect of that act or practice had it been directly done or engaged in by the outsourcing party.\n\n(3) If a provision of a kind referred to in subsection (2) is in force under a State contract, the Information Privacy Principles and any applicable code of practice apply to an act done, or practice engaged in, by the contracted service provider in the same way and to the same extent as they would have applied to the outsourcing party in respect of that act or practice had it been directly done or engaged in by the outsourcing party.\n\n(4) An act or practice that is an interference with the privacy of an individual done or engaged in by a contracted service provider for the purposes of the State contract must, for the purposes of this Act (other than Part 4) and any applicable code of practice, be taken to have been done or engaged in by the outsourcing party as well as the contracted service provider 
unless—\n\n(a) the outsourcing party establishes that a provision of a kind referred to in subsection (2) was in force under the State contract at the relevant time in relation to the act or practice; and\n\n(b) the Information Privacy Principle or applicable code of practice to which the act or practice is contrary, or with which it is inconsistent, is capable of being enforced against the contracted service provider in accordance with the procedures set out in this Act.\n\n(5) Section 118(1) does not apply to an act done or practice engaged in by a contracted service provider acting within the scope of a State contract.\n\nDivision 2—Information Privacy Principles\n\n","sortOrder":43},{"sectionNumber":"18","sectionType":"section","heading":"Information Privacy Principles","content":"\t18 Information Privacy Principles\n\n(1) The Information Privacy Principles are set out in Schedule 1.\n\nS. 18(2) amended by No. 23/2017 s. 21.\n\n(2) Nothing in any Information Privacy Principle affects the operation or extent of any exemption arising under Part 2 or section 14, 15 or 15A and those Principles must be construed accordingly.\n\n","sortOrder":44},{"sectionNumber":"19","sectionType":"section","heading":"Application of Information Privacy Principles","content":"\t19 Application of Information Privacy Principles\n\nThe Information Privacy Principles apply in relation to all personal information, whether collected by the organisation before or after the commencement of this section.\n\n","sortOrder":45},{"sectionNumber":"20","sectionType":"section","heading":"Organisations to comply with Information Privacy Principles","content":"\t20 Organisations to comply with Information Privacy Principles\n\n(1) An organisation must not do an act, or engage in a practice, that contravenes an Information Privacy Principle in respect of personal information collected, held, managed, used, disclosed or transferred by it.\n\n(2) A public sector agency or a Council must, in administering 
a public register, so far as is reasonably practicable, not do an act or engage in a practice that would contravene an Information Privacy Principle in respect of information collected, held, managed, used, disclosed or transferred by it in connection with the administration of the public register if that information were personal information.\n\n(3) Subsections (1) and (2) do not apply if the act or practice is permitted under—\n\n(a) a public interest determination; or\n\n(b) a temporary public interest determination; or\n\n(c) an approved information usage arrangement.\n\nDivision 3—Codes of practice\n\n","sortOrder":46},{"sectionNumber":"21","sectionType":"section","heading":"Codes of practice","content":"\t21 Codes of practice\n\n(1) An organisation may discharge its duty to comply with an Information Privacy Principle in respect of personal information collected, held, managed, used, disclosed or transferred by it by complying with a code of practice approved under this Division and binding on the organisation.\n\n(2) A code of practice may—\n\n(a) modify the application of any one or more of the Information Privacy Principles by prescribing standards, whether or not in substitution for any Information Privacy Principle, that are at least as stringent as the standards prescribed by the Information Privacy Principle; or\n\n(b) prescribe how any one or more of the Information Privacy Principles are to be applied or complied with.\n\n(3) A code of practice may apply in relation to any one or more of the following—\n\n(a) any specified information or class of information;\n\n(b) any specified organisation or class of organisation;\n\n(c) any specified activity or class of activity;\n\n(d) any specified industry, profession or calling or class of industry, profession or calling.\n\n(4) A code of practice may also—\n\n(a) impose controls on an organisation that matches data for the purpose of producing or verifying information about an identifiable individual; 
or\n\n(b) in relation to charging—\n\n(i) set guidelines to be followed in determining charges; or\n\n(ii) prescribe circumstances in which no charge may be imposed; or\n\n(c) prescribe—\n\n(i) procedures for dealing with complaints alleging a contravention of the code, including the appointment of an independent code administrator to whom complaints may be made; or\n\n(ii) remedies available where a complaint is substantiated; or\n\nS. 21(4)(d) amended by No. 20/2017 s. 106(5).\n\n(d) provide for the review of the code by the Information Commissioner; or\n\n(e) provide for the expiry of the code.\n\n(5) Subsection (1) applies also to a public sector agency or a Council in seeking to discharge its duty to comply, so far as is reasonably practicable, with an Information Privacy Principle in relation to a public register as imposed by section 20(2) and this Part has effect accordingly.\n\n","sortOrder":47},{"sectionNumber":"22","sectionType":"section","heading":"Process for approval of code of practice or code amendment","content":"\t22 Process for approval of code of practice or code amendment\n\nS. 22(1) amended by No. 20/2017 s. 106(6)(a).\n\n(1) An organisation may seek approval of a code of practice, or of an amendment to an approved code of practice, by submitting the code or amendment to the Information Commissioner.\n\nS. 22(2) amended by No. 20/2017 s. 106(6)(a).\n\n(2) The Governor in Council, on the recommendation of the Minister acting on the advice received from the Information Commissioner under subsection (3), may by notice published in the Government Gazette approve a code of practice or an amendment to an approved code of practice.\n\nS. 22(3) amended by No. 20/2017 s. 
106(6).\n\n(3) The Information Commissioner may advise the Minister to recommend to the Governor in Council that a code of practice, or an amendment to an approved code of practice, be approved if in the Information Commissioner's opinion—\n\n(a) the code or amendment is consistent with the objects of this Act in relation to the personal information to which the code applies; and\n\n(b) the code prescribes standards that are at least as stringent as the standards prescribed by the Information Privacy Principles; and\n\n(c) the code specifies—\n\n(i) the organisations bound (either wholly or to a limited extent) by the code; or\n\n(ii) a way of determining the organisations that are, or will be, bound (either wholly or to a limited extent) by the code; and\n\n(d) only organisations that consent to be bound by the code are, or will be, bound by the code.\n\nS. 22(4) amended by No. 20/2017 s. 106(6)(a).\n\n(4) Before deciding whether or not to advise the Minister to recommend approval of a code of practice or of an amendment to an approved code of practice, the Information Commissioner—\n\nS. 22(4)(a) amended by No. 20/2017 s. 
106(6)(a).\n\n(a) may consult any person or body that the Information Commissioner considers it appropriate to consult; and\n\n(b) must have regard to the extent to which members of the public have been given an opportunity to comment on the code or amendment.\n\n(5) A code of practice or an amendment to an approved code of practice comes into operation at the beginning of—\n\n(a) the day on which the notice of approval under subsection (2) is published in the Government Gazette; or\n\n(b) any later day stated in the notice as the day on which the code or amendment comes into operation.\n\n","sortOrder":48},{"sectionNumber":"23","sectionType":"section","heading":"Organisations bound by code of practice","content":"\t23 Organisations bound by code of practice\n\n(1) An approved code of practice binds—\n\n(a) any organisation—\n\n(i) that sought approval of it; or\n\n(ii) that consents to be bound by the approved code; and\n\nS. 23(1)(b) amended by No. 20/2017 s. 106(6)(a).\n\n(b) any organisation that, by written notice given to the Information Commissioner, states that it intends to be bound by the approved code of practice as it is then in operation and that is capable of applying to the organisation.\n\n(2) A notice under subsection (1)(b) may indicate an intention that the organisation be bound by the approved code of practice—\n\n(a) generally; or\n\n(b) only in respect of specified information or a specified class of information collected, held, managed, used, disclosed or transferred by it; or\n\n(c) only in respect of any specified activity or class of activity.\n\nS. 23(3) amended by No. 20/2017 s. 106(6)(a).\n\n(3) A notice under subsection (1)(b) has no effect unless the Information Commissioner approves it.\n\nS. 23(4) amended by No. 20/2017 s. 
106(6)(a).\n\n(4) The Information Commissioner may approve a notice under subsection (1)(b) if satisfied that the approved code of practice is capable of applying to the organisation to the extent set out in the notice.\n\n(5) An organisation is bound by an approved code of practice—\n\n(a) in the case of an organisation referred to in subsection (1)(a), on and after the coming into operation of the code; and\n\n(b) in the case of an organisation referred to in subsection (1)(b), on and after the later of—\n\n(i) the date stated in the notice as the date on and after which the organisation will be bound by the code; or\n\nS. 23(5)(b)(ii) amended by No. 20/2017 s. 106(6)(b).\n\n(ii) the date on which the organisation is notified of the Information Commissioner's approval of the notice.\n\nS. 23(6) amended by No. 20/2017 s. 106(6)(a).\n\n(6) An organisation bound by an approved code of practice may, by written notice given to the Information Commissioner, state that it intends to cease to be bound by that code.\n\n(7) An organisation ceases to be bound by an approved code of practice on and after the date of the notice under subsection (6) or any later date stated in that notice as the date on and after which the organisation will cease to be bound by the code.\n\n","sortOrder":49},{"sectionNumber":"24","sectionType":"section","heading":"Effect of approved code","content":"\t24 Effect of approved code\n\n(1) If an approved code of practice is in operation and binding on an organisation, an act done, or practice engaged in, by the organisation that contravenes the code, is, for the purposes of this Act, taken to be a contravention of an Information Privacy Principle and may be dealt with as provided by that code and this Act.\n\n(2) Subsection (1) has effect whether or not that act or practice would otherwise contravene any Information Privacy Principle.\n\n","sortOrder":50},{"sectionNumber":"25","sectionType":"section","heading":"Codes of practice 
register","content":"\t25 Codes of practice register\n\nS. 25(1) amended by No. 20/2017 s. 106(2).\n\n(1) The Information Commissioner must cause a register of all approved codes of practice to be established and maintained.\n\nS. 25(2) amended by No. 20/2017 s. 106(2).\n\n(2) The Information Commissioner may determine the form of the register.\n\n(3) A person may during business hours—\n\n(a) inspect the register and any documents that form part of it; or\n\n(b) on the payment of any prescribed fee, obtain a copy of any entry in, or document forming part of, the register.\n\n","sortOrder":51},{"sectionNumber":"26","sectionType":"section","heading":"Revocation of approval","content":"\t26 Revocation of approval\n\nS. 26(1) amended by No. 20/2017 s. 106(6)(a).\n\n(1) The Governor in Council, on the recommendation of the Minister acting on advice received from the Information Commissioner under subsection (2), may by notice published in the Government Gazette revoke the approval of a code of practice or of an amendment to an approved code of practice.\n\nS. 26(2) amended by No. 20/2017 s. 106(6)(a).\n\n(2) The Information Commissioner may advise the Minister to recommend to the Governor in Council that a code of practice, or an amendment to an approved code of practice, be revoked.\n\nS. 26(3) amended by No. 20/2017 s. 106(6).\n\n(3) The Information Commissioner may act under subsection (2) on the Information Commissioner's own initiative or on an application for revocation made by an individual or organisation.\n\nS. 26(4) amended by No. 20/2017 s. 106(6)(a).\n\n(4) Before deciding whether or not to advise the Minister to recommend revocation of the approval of a code of practice or of an amendment to an approved code of practice, the Information Commissioner—\n\nS. 26(4)(a) amended by No. 20/2017 s. 
106(6)(a).\n\n(a) must consult the organisation that sought approval of the code or amendment and may consult any other person or body that the Information Commissioner considers it appropriate to consult; and\n\n(b) must have regard to the extent to which members of the public have been given an opportunity to comment on the proposed revocation.\n\n(5) An approved code of practice or approved amendment ceases to be in operation at the beginning of—\n\n(a) the day on which the notice of revocation under subsection (1) is published in the Government Gazette; or\n\n(b) any later day stated in that notice as the day on which the code or amendment ceases to be in operation.\n\n","sortOrder":52},{"sectionNumber":"27","sectionType":"section","heading":"Effect of revocation of approval or amendment or expiry of approved code","content":"\t27 Effect of revocation of approval or amendment or expiry of approved code\n\n(1) The revocation of the approval of a code of practice or of an amendment to an approved code of practice, or the expiry of an approved code of practice, or the ceasing of an organisation to be bound by an approved code of practice, does not—\n\n(a) revive anything not in force or existing at the time at which the revocation, expiry or cessation becomes operative; or\n\n(b) affect the previous operation of the code or anything duly done or suffered under, or in relation to, the code; or\n\n(c) affect any right, privilege, obligation or liability acquired, accrued or incurred under, or in relation to, the code; or\n\n(d) affect any penalty incurred in respect of any contravention of the code or in respect of any offence against section 82(1) committed in relation to a compliance notice issued because of any contravention of the code; or\n\n(e) affect any investigation, legal proceeding or remedy in respect of any such right, privilege, obligation, liability or penalty referred to in paragraphs (c) and (d).\n\n(2) Any investigation, legal proceeding or remedy 
referred to in subsection (1)(e) may be commenced, continued or enforced, and any penalty may be imposed, as if the code or amendment had not been revoked or the code had not expired or the organisation had not ceased to be bound by the code.\n\n(3) Subject to subsection (1), if an amendment to an approved code of practice is revoked, as from the beginning of the day on which the amendment ceases to be in operation, the code takes effect as if it had not been amended.\n\n(4) Nothing in this section prevents the application to an organisation of an Information Privacy Principle (without any modification) on and after the day on which an applicable code of practice, that modified the application of that Information Privacy Principle, ceases to be in operation.\n\n","sortOrder":53},{"sectionNumber":"Div 4","sectionType":"division","heading":"Capacity to consent or make a request or exercise right of access","content":"Division 4—Capacity to consent or make a request or exercise right of access\n\n","sortOrder":54},{"sectionNumber":"28","sectionType":"section","heading":"Capacity to consent or make a request or exercise right of access","content":"\t28 Capacity to consent or make a request or exercise right of access\n\n(1) If an Information Privacy Principle or an applicable code of practice requires the consent of an individual to the collection, holding, management, use or disclosure of personal information or to the transfer of personal information to someone who is outside Victoria, an authorised representative of the individual may give that consent if—\n\n(a) the individual is incapable of giving consent; and\n\n(b) the consent is reasonably necessary for the lawful performance of functions or duties or exercise of powers in respect of the individual by the authorised representative.\n\n(2) If an Information Privacy Principle or an applicable code of practice empowers an individual to request access to, or the correction of, personal information or confers on an 
individual a right of access to personal information, the power to make that request, or that right of access, may be exercised—\n\nS. 28(2)(a) substituted by No. 64/2016 s. 16.\n\n(a) by—\n\n(i) the individual personally, except if the individual is a child who is incapable of making the request; or\n\nS. 28(2)(a)(ii) amended by No. 13/2019 s. 221(Sch. 1 item 39.1).\n\n(ii) a supportive attorney acting under a supportive attorney appointment, within the meaning of the **Powers of Attorney Act 2014**; or\n\nS. 28(2)(a)(iii) inserted by No. 13/2019 s. 221(Sch. 1 item 39.2).\n\n(iii) a supportive administrator acting under a supportive administration order within the meaning of the **Guardianship and Administration Act 2019**; or\n\nS. 28(2)(a)(iv) inserted by No. 13/2019 s. 221(Sch. 1 item 39.2).\n\n(iv) a supportive guardian acting under a supportive guardianship order within the meaning of the **Guardianship and Administration Act 2019**; and\n\n(b) by an authorised representative of the individual if—\n\n(i) the individual is incapable of making the request or exercising the right of access; and\n\n(ii) the personal information to be accessed is reasonably necessary for the lawful performance of functions or duties or exercise of powers in respect of the individual by the authorised representative.\n\n(3) For the purposes of subsections (1) and (2), an individual is incapable of giving consent, making the request or exercising the right of access if the individual is incapable (despite the provision of reasonable assistance by another individual) by reason of age, injury, disease, senility, illness, disability, physical impairment or mental disorder of—\n\n(a) understanding the general nature and effect of giving the consent, making the request or exercising the right of access (as the case requires); or\n\n(b) communicating the consent or refusal of consent, making the request or personally exercising the right of access (as the case requires).\n\n(4) An 
authorised representative of an individual must not give consent or request access to, or the correction of, personal information if the authorised representative knows or believes that the consent or request does not accord with the wishes expressed, and not changed or withdrawn, by the individual before the individual became incapable of giving consent or requesting access and any purported consent given or request made in those circumstances is of no effect.\n\n(5) An organisation may refuse a request by an authorised representative of an individual for access to the personal information of the individual if the organisation reasonably believes that access by the authorised representative may endanger the individual.\n\n(6) In this section—\n\nS. 28(6) def. of *authorised representative* amended by Nos 69/2016 s. 158, 13/2019 s. 221(Sch. 1 item 39.3).\n\n***authorised representative***, in relation to an individual—\n\n(a) means a person who is—\n\n(i) a guardian of the individual; or\n\n(ii) an attorney for the individual under an enduring power of attorney; or\n\n(iii) a medical treatment decision maker for the individual within the meaning of the **Medical Treatment Planning and Decisions Act 2016**; or\n\n(iiia) a support person for the individual within the meaning of the **Medical Treatment Planning and Decisions Act 2016**; or\n\n(iv) an administrator within the meaning of the **Guardianship and Administration Act 2019**; or\n\n(v) a parent of an individual, if the individual is a child; or\n\n(vi) otherwise empowered under law to perform any functions or duties or exercise powers as an agent of or in the best interests of the individual; and\n\n(b) does not include a person acting as an authorised representative of the individual if that acting is inconsistent with an order made by a court or tribunal;\n\n***disability*** has the same meaning as in the **Disability Act 2006**.\n\nDivision 5—Public interest determinations and temporary public interest 
determinations\n\nSubdivision 1—Public interest determinations\n\n\t29 Public interest determination\n\nS. 29(1) amended by No. 20/2017 s. 106(2).\n\n(1) An organisation may apply to the Information Commissioner, in writing, for a determination that—\n\n(a) an act or a practice of an organisation contravenes or may contravene a specified Information Privacy Principle (other than IPP 4 or 6) or an approved code of practice; and\n\n(b) the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in complying with that Information Privacy Principle or approved code of practice.\n\n(2) The application for a public interest determination must specify—\n\n(a) the act or practice to which the determination would apply; and\n\n(b) the relevant Information Privacy Principle or approved code of practice; and\n\n(c) the reasons for the organisation seeking the determination.\n\n(3) A public interest determination must not be made in respect of IPP 4 or 6.\n\nS. 29(4) amended by No. 20/2017 s. 106(2).\n\n(4) On receipt of the application, the Information Commissioner must publish, as the Information Commissioner thinks fit, a notice—\n\n(a) stating that the application has been received; and\n\n(b) inviting persons whose interests would be affected by the determination to make submissions in relation to the application; and\n\n(c) stating a time period for making submissions in relation to the application.\n\nS. 29(5) amended by No. 20/2017 s. 106(2).\n\n(5) The Information Commissioner must prepare a draft determination and send a copy to the applicant and each person who has made a submission under subsection (4).\n\nS. 29(6) amended by No. 20/2017 s. 
106(2).\n\n(6) The Information Commissioner may invite the applicant and any person who has made a submission under subsection (4) to attend a conference about the draft determination.\n\n","sortOrder":55},{"sectionNumber":"30","sectionType":"section","heading":"Application taken to be application for temporary public interest determination on request","content":"\t30 Application taken to be application for temporary public interest determination on request\n\nS. 30(1) amended by No. 20/2017 s. 106(2).\n\n(1) On request of the applicant, the Information Commissioner may first deal with an application under section 29 as if it were an application for a temporary public interest determination.\n\nS. 30(2) amended by No. 20/2017 s. 106(2).\n\n(2) If the Information Commissioner deals with the application as if it were an application for a temporary public interest determination—\n\n(a) for the purposes of Subdivision 2, the application is taken to have been made under section 38; and\n\nS. 30(2)(b) amended by No. 20/2017 s. 106(2).\n\n(b) the Information Commissioner may continue to consider the application under this Subdivision, whether or not a temporary public interest determination is made.\n\nS. 31 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":56},{"sectionNumber":"31","sectionType":"section","heading":"Information Commissioner may make public interest determination","content":"\t31 Information Commissioner may make public interest determination\n\nS. 31(1) amended by No. 20/2017 s. 106(7)(a).\n\n(1) The Information Commissioner may make a public interest determination on application under section 29 if satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in complying with the specified Information Privacy Principle or approved code of practice.\n\nS. 31(2) amended by No. 20/2017 s. 
106(7)(a).\n\n(2) In deciding whether to make a public interest determination, the Information Commissioner must have regard to—\n\n(a) whether not permitting the organisation to do the act or engage in the practice would be in the public interest; and\n\n(b) the objects of this Act; and\n\n(c) any submissions received under section 29; and\n\nS. 31(2)(d) amended by No. 20/2017 s. 106(7)(a).\n\n(d) any matters raised before the Information Commissioner in a conference under section 29.\n\n(3) A public interest determination must include a statement of reasons for making the determination.\n\nS. 31(4) amended by No. 20/2017 s. 106(7)(a).\n\n(4) A public interest determination must be published on the Internet site of the Information Commissioner.\n\nS. 32 amended by No. 20/2017 s. 106(5).\n\n","sortOrder":57},{"sectionNumber":"32","sectionType":"section","heading":"Effect of public interest determination","content":"\t32 Effect of public interest determination\n\nIf the Information Commissioner makes a public interest determination, the organisation is not required to comply with the specified Information Privacy Principle or approved code of practice to the extent specified in the determination in doing the act or engaging in the practice.\n\n","sortOrder":58},{"sectionNumber":"33","sectionType":"section","heading":"Duration of public interest determination","content":"\t33 Duration of public interest determination\n\nA public interest determination has effect on and after the day of publication until the earliest of the following—\n\n(a) the expiry date (if any) specified in the determination;\n\n(b) the determination is revoked under section 35;\n\n(c) the determination is disallowed by the Parliament or a House of the Parliament.\n\n","sortOrder":59},{"sectionNumber":"34","sectionType":"section","heading":"Amendment of public interest determination","content":"\t34 Amendment of public interest determination\n\nS. 34(1) amended by No. 20/2017 s. 
106(5).\n\n(1) The organisation may apply to the Information Commissioner for the approval of an amendment to the public interest determination.\n\n(2) Sections 29(2) to (6), 31, 32 and 33 apply to an application under subsection (1)—\n\n(a) as if a reference to a public interest determination were a reference to the amendment in respect of which approval is sought; and\n\n","sortOrder":60},{"sectionNumber":"35","sectionType":"section","heading":"Revocation of public interest determination","content":"\t35 Revocation of public interest determination\n\nS. 35(1) amended by No. 20/2017 s. 106(2).\n\n(1) The Information Commissioner must revoke a public interest determination if satisfied that—\n\n(a) the public interest in the organisation doing the act or engaging in the practice no longer substantially outweighs the public interest in complying with the Information Privacy Principle or approved code of practice specified in the determination; or\n\n(b) the reasons set out in the application for the determination no longer apply.\n\nS. 35(2) amended by No. 20/2017 s. 106(2).\n\n(2) Before revoking a public interest determination, the Information Commissioner must give the organisation written notice stating—\n\nS. 35(2)(a) amended by No. 20/2017 s. 106(2).\n\n(a) that the Information Commissioner intends to revoke the determination; and\n\n(b) the reasons for the intended revocation; and\n\n(c) that the organisation may make a submission as to why the determination should not be revoked.\n\nS. 35(3) amended by No. 20/2017 s. 106(2).\n\n(3) The Information Commissioner must consider any submission received under subsection (2)(c) within the period stated in the notice before revoking the public interest determination.\n\n","sortOrder":61},{"sectionNumber":"36","sectionType":"section","heading":"Reporting and review","content":"\t36 Reporting and review\n\nS. 36(1) amended by No. 20/2017 s. 
106(2).\n\n(1) An organisation that is subject to a public interest determination of more than 12 months' duration must report to the Information Commissioner—\n\n(a) annually; and\n\nS. 36(1)(b) amended by No. 20/2017 s. 106(2).\n\n(b) at any other time, as requested by the Information Commissioner.\n\nS. 36(2) amended by No. 20/2017 s. 106(2).\n\n(2) Within 60 days after receiving a report under subsection (1), the Information Commissioner must review the public interest determination and consider whether to revoke or amend it.\n\n","sortOrder":62},{"sectionNumber":"Subdiv 2","sectionType":"subdivision","heading":"Temporary public interest determinations","content":"\tSubdivision 2—Temporary public interest determinations\n\nS. 37 amended by No. 20/2017 s. 106(5).\n\n","sortOrder":63},{"sectionNumber":"37","sectionType":"section","heading":"Temporary public interest determination","content":"\t37 Temporary public interest determination\n\nThe Information Commissioner may make a temporary public interest determination for a period not exceeding 12 months if circumstances require that a determination be made urgently.\n\n","sortOrder":64},{"sectionNumber":"38","sectionType":"section","heading":"Application for temporary public interest determination","content":"\t38 Application for temporary public interest determination\n\nS. 38(1) amended by No. 20/2017 s. 106(2).\n\n(1) An organisation may apply to the Information Commissioner, in writing, for a temporary public interest determination.\n\n(2) The application must specify—\n\n(a) the act or practice to which the determination would apply; and\n\n(b) the relevant Information Privacy Principle or approved code of practice; and\n\n(c) the reasons for the organisation seeking the determination, and why the determination is required urgently.\n\n(3) An application for a temporary public interest determination cannot be made in respect of IPP 4 or 6.\n\nS. 38(4) amended by No. 20/2017 s. 
106(2).\n\n(4) On receipt of the application, the Information Commissioner must publish, as the Information Commissioner thinks fit, a notice stating that the application has been received.\n\nS. 39 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":65},{"sectionNumber":"39","sectionType":"section","heading":"Information Commissioner may make temporary public interest determination","content":"\t39 Information Commissioner may make temporary public interest determination\n\nS. 39(1) amended by No. 20/2017 s. 106(7)(a).\n\n(1) The Information Commissioner may make a temporary public interest determination on an application under section 38 if satisfied that—\n\n(a) the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in complying with the relevant Information Privacy Principle or approved code of practice; and\n\n(b) the application raises matters that require that a determination be made urgently.\n\nS. 39(2) amended by No. 20/2017 s. 106(7)(a).\n\n(2) In deciding whether to make a temporary public interest determination, the Information Commissioner must have regard to—\n\n(a) whether not permitting the organisation to do the act or engage in the practice is in the public interest; and\n\n(b) the objects of this Act.\n\n(3) A temporary public interest determination must not be made in respect of IPP 4 or 6.\n\n(4) A temporary public interest determination must include a statement of reasons for making the determination.\n\n(5) A temporary public interest determination must specify the date of expiry of the determination which must not be more than 12 months after the determination is published under subsection (6).\n\nS. 39(6) amended by No. 20/2017 s. 
106(7)(a).\n\n(6) A temporary public interest determination must be published on the Internet site of the Information Commissioner.\n\n","sortOrder":66},{"sectionNumber":"40","sectionType":"section","heading":"Duration of temporary public interest determination","content":"\t40 Duration of temporary public interest determination\n\nA temporary public interest determination has effect on and after the day of publication until the earliest of the following—\n\n(a) the expiry date specified in the determination;\n\n(b) the determination is revoked under section 41;\n\n(c) the determination is disallowed by the Parliament or a House of the Parliament;\n\n(d) if a public interest determination is made, the day that determination takes effect.\n\n","sortOrder":67},{"sectionNumber":"41","sectionType":"section","heading":"Revocation of temporary public interest determination","content":"\t41 Revocation of temporary public interest determination\n\nS. 41(1) amended by No. 20/2017 s. 106(2).\n\n(1) The Information Commissioner must revoke a temporary public interest determination if satisfied that—\n\n(a) the public interest in the organisation doing the act or engaging in the practice no longer substantially outweighs the public interest in complying with the Information Privacy Principle or approved code of practice specified in the determination; or\n\n(b) the reasons set out in the application for the determination no longer apply.\n\nS. 41(2) amended by No. 20/2017 s. 106(2).\n\n(2) Before revoking a temporary public interest determination, the Information Commissioner must give the organisation a written notice stating—\n\nS. 41(2)(a) amended by No. 20/2017 s. 106(2).\n\n(a) that the Information Commissioner intends to revoke the determination; and\n\n(b) the reasons for the intended revocation; and\n\n(c) that the organisation may make a submission as to why the determination should not be revoked.\n\nS. 41(3) amended by No. 20/2017 s. 
106(2).\n\n(3) The Information Commissioner must consider any submission received under subsection (2)(c) within the period stated in the notice, before revoking the temporary public interest determination.\n\n","sortOrder":68},{"sectionNumber":"Subdiv 3","sectionType":"subdivision","heading":"Disallowance of determinations","content":"Subdivision 3—Disallowance of determinations\n\n","sortOrder":69},{"sectionNumber":"42","sectionType":"section","heading":"Disallowance of determinations","content":"\t42 Disallowance of determinations\n\n(1) A public interest determination or temporary public interest determination is subject to disallowance by the Parliament.\n\n(2) Section 15 and Part 5 of the **Subordinate Legislation Act 1994** apply for the purposes of subsection (1) as though—\n\n(a) a determination were a statutory rule (within the meaning of that Act); and\n\nS. 42(2)(b) amended by No. 20/2017 s. 106(8).\n\n(b) notice of the making of the statutory rule had been published in the Government Gazette when the determination was published on the Internet site of the Office of the Victorian Information Commissioner.\n\n","sortOrder":70},{"sectionNumber":"Div 6","sectionType":"division","heading":"Information usage arrangements","content":"Division 6—Information usage arrangements\n\n","sortOrder":71},{"sectionNumber":"43","sectionType":"section","heading":"Definitions","content":"\t43 Definitions\n\nIn this Division—\n\n***adverse action*** means any action that may adversely affect the rights, benefits, privileges, obligations or interests of a specific individual;\n\n***lead party***, in relation to an information usage arrangement, means—\n\n(a) if one organisation is a party to the information usage arrangement, that organisation; or\n\n(b) if more than one organisation is a party to the information usage arrangement—\n\n(i) the organisation which has the agreement of the other parties to seek approval under section 47; or\n\n(ii) if the arrangement is 
amended, the organisation which has the agreement of the other parties to seek approval of a further amendment under section 52;\n\n***public purpose*** means—\n\n(a) compliance with a law; or\n\n(b) the performance of functions by a public sector agency or a Council, or an agency of the Commonwealth, another State or a Territory; or\n\n(c) the provision of a service in the public interest to the public or a section of the public;\n\n***relevant Minister***, in relation to an approved information usage arrangement, means each responsible Minister who approved the arrangement under section 50(2)(a) or (b).\n\n","sortOrder":72},{"sectionNumber":"44","sectionType":"section","heading":"Approval of arrangement not required if information use otherwise permitted","content":"\t44 Approval of arrangement not required if information use otherwise permitted\n\nTo avoid doubt, nothing in this Division requires an organisation to seek approval of an information usage arrangement if the collection, holding, management, use, disclosure or transfer of personal information is expressly permitted by or under this Act or another enactment.\n\n","sortOrder":73},{"sectionNumber":"45","sectionType":"section","heading":"Meaning of *information usage arrangement*","content":"\t45 Meaning of *information usage arrangement*\n\n(1) In this Division, an ***information usage arrangement*** is an arrangement that—\n\n(a) sets out acts or practices for handling personal information to be undertaken in relation to one or more public purposes; and\n\n(b) for any of those acts or practices, does any one or more of the following—\n\n(i) modifies the application of a specified Information Privacy Principle (other than IPP 4 or 6) or an approved code of practice;\n\n(ii) provides that the practice does not need to comply with a specified Information Privacy Principle (other than IPP 4 or 6) or an approved code of practice;\n\n(iii) permits handling personal information for the purposes of an 
information handling provision.\n\n(2) An information usage arrangement must—\n\n(a) specify the parties to the arrangement; and\n\n**Note**\n\nSee section 46 as to who can be a party to an information usage arrangement.\n\n(b) specify the personal information or type of personal information to be handled under the arrangement; and\n\n(c) describe how the arrangement would facilitate one or more public purposes; and\n\n(d) if handling personal information under the arrangement modifies or provides for noncompliance with an Information Privacy Principle or an approved code of practice—\n\n(i) identify the Information Privacy Principle or approved code of practice; and\n\n(ii) state how the Information Privacy Principle or approved code of practice would be modified or not complied with; and\n\n(e) if the arrangement would be for the purposes of an information handling provision—\n\n(i) identify the provision; and\n\n(ii) describe the effect of the provision; and\n\n(f) for every party to the arrangement—\n\n(i) describe the personal information or type of personal information that the party could disclose or transfer to other parties to the arrangement; and\n\n(ii) state the manner in which a party could use personal information, including whether a party could disclose that information to another person or body and in what circumstances; and\n\n(g) for every organisation that is a party to the arrangement—\n\n(i) state adverse actions that an organisation could reasonably be expected to take as a result of handling personal information under the arrangement; and\n\n(ii) specify the procedure that an organisation must follow before taking adverse action as a result of handling of personal information under the arrangement.\n\n(3) An information usage arrangement may include an expiry date. 
However, if an information usage arrangement does not do so, it must include the reason why it does not do so.\n\n","sortOrder":74},{"sectionNumber":"46","sectionType":"section","heading":"Parties to an information usage arrangement","content":"\t46 Parties to an information usage arrangement\n\nThe parties specified in an information usage arrangement may only be—\n\n(a) in the case of a single party, an organisation (other than a contracted service provider); and\n\n(b) otherwise, an organisation (other than a contracted service provider) and one or more of the following—\n\n(i) another organisation;\n\n  (ii) a person or body that is an agency of the Commonwealth, another State or a Territory;\n\n(iii) any other person or body (including a private sector body) that is not an organisation, whether or not located within Victoria.\n\nS. 47 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":75},{"sectionNumber":"47","sectionType":"section","heading":"Information Commissioner to consider information usage arrangement","content":"\t47 Information Commissioner to consider information usage arrangement\n\nS. 47(1) amended by No. 20/2017 s. 106(2).\n\n(1) A lead party may apply for approval of an information usage arrangement by submitting to the Information Commissioner an information usage arrangement.\n\nS. 47(2) amended by No. 20/2017 s. 106(2).\n\n(2) The Information Commissioner may—\n\nS. 47(2)(a) amended by No. 20/2017 s. 106(2).\n\n(a) direct each organisation that is a party to the information usage arrangement to consult with any person that the Information Commissioner considers appropriate; and\n\nS. 47(2)(b) amended by No. 20/2017 s. 106(2).\n\n(b) consult any person that the Information Commissioner considers appropriate.\n\nS. 47(3) amended by No. 20/2017 s. 
106(2).\n\n(3) If the arrangement would modify the application of, or provide for noncompliance with, a specified Information Privacy Principle or an approved code of practice, the Information Commissioner must consider whether the public interest in handling personal information under the information usage arrangement in the way specified under section 45(2)(d) would substantially outweigh the public interest in complying with the specified Information Privacy Principle or approved code of practice.\n\nS. 47(4) amended by No. 20/2017 s. 106(2).\n\n(4) If the arrangement is for the purposes of an information handling provision, the Information Commissioner must consider whether the public interest in treating the handling of personal information as being permitted for the purpose of the information handling provision would substantially outweigh the public interest in treating that handling of information as not being permitted for the purpose of the information handling provision.\n\nS. 48 (Heading) amended by No. 20/2017 s. 106(4).\n\n","sortOrder":76},{"sectionNumber":"48","sectionType":"section","heading":"Information Commissioner's report","content":"\t48 Information Commissioner's report\n\nS. 48(1) amended by No. 20/2017 s. 106(9)(a).\n\n(1) The Information Commissioner must issue a report about the information usage arrangement in respect of which approval has been sought under section 47.\n\nS. 48(2) amended by No. 20/2017 s. 106(9)(b).\n\n(2) The Information Commissioner's report may consider the appropriateness of all aspects of the information usage arrangement, including the parties.\n\nS. 48(3) amended by No. 20/2017 s. 106(9)(b).\n\n(3) If the information usage arrangement is for the purposes of an information handling provision, the Information Commissioner's report must state whether, in the Information Commissioner's opinion, the provision stated under section 45(2)(e) is an information handling provision.\n\nS. 49 (Heading) amended by No. 
20/2017 s. 106(4).\n\n","sortOrder":77},{"sectionNumber":"49","sectionType":"section","heading":"Information Commissioner's certificate","content":"\t49 Information Commissioner's certificate\n\nS. 49(1) amended by No. 20/2017 s. 106(2).\n\n(1) If—\n\n(a) an application is made under section 47 for approval of an information usage arrangement; and\n\n(b) the arrangement would modify the application of, or provide for non‑compliance with, a specified Information Privacy Principle or an approved code of practice; and\n\nS. 49(1)(c) amended by No. 20/2017 s. 106(2).\n\n(c) the Information Commissioner is satisfied that the public interest in handling personal information under the information usage arrangement in the way specified under section 45(2)(d) would substantially outweigh the public interest in complying with the specified Information Privacy Principle or approved code of practice—\n\nthe Information Commissioner must issue a certificate to that effect in respect of the information usage arrangement.\n\nS. 49(2) amended by No. 20/2017 s. 106(2).\n\n(2) If—\n\n(a) an application is made under section 47 for approval of an information usage arrangement for the purposes of an information handling provision; and\n\nS. 49(2)(b) amended by No. 20/2017 s. 106(2).\n\n(b) the Information Commissioner is satisfied that the public interest in treating the handling of personal information as being permitted for the purpose of the information handling provision would substantially outweigh the public interest in treating that handling of information as not being permitted for the purpose of the information handling provision—\n\nthe Information Commissioner must issue a certificate to that effect in respect of the information usage arrangement.\n\n(3) A certificate may apply to matters in both subsections (1) and (2).\n\nS. 49(4) amended by No. 20/2017 s. 
106(2).\n\n(4) The Information Commissioner may refuse to issue a certificate in respect of an information usage arrangement if the Information Commissioner considers that a public interest determination would be more appropriate in the circumstances.\n\nS. 49(5) amended by No. 20/2017 s. 106(2).\n\n(5) The Information Commissioner must refuse to issue a certificate in respect of an information usage arrangement if the Information Commissioner is not satisfied of the matters set out in section 47(3) or (4) or both, as applicable.\n\nS. 49(6) amended by No. 20/2017 s. 106(2).\n\n(6) The Information Commissioner must give written notice to the lead party as soon as practicable of a refusal under subsection (4) or (5).\n\n(7) An application for approval under section 47 is taken to be refused on the day the lead party is notified in accordance with subsection (6).\n\n","sortOrder":78},{"sectionNumber":"50","sectionType":"section","heading":"Ministerial approval of information usage arrangement","content":"\t50 Ministerial approval of information usage arrangement\n\nS. 50(1) amended by No. 20/2017 s. 106(7)(a).\n\n(1) The Information Commissioner must send a report issued under section 48 and a copy of any certificate issued under section 49 in relation to an information usage arrangement to—\n\n(a) the responsible Minister for each organisation that is a party to the arrangement; and\n\n(b) if the arrangement authorises the handling of personal information for the purposes of an information handling provision, the responsible Minister for that provision.\n\nS. 50(2) amended by No. 20/2017 s. 106(7)(a).\n\n(2) After receiving the report and a certificate from the Information Commissioner, the information usage arrangement may be approved—\n\n(a) in the case of a single party, by the responsible Minister for the lead party; or\n\n(b) otherwise, by agreement of the responsible Ministers for each organisation that is a party to the arrangement.\n\nS. 50(3) amended by No. 
20/2017 s. 106(7)(a).\n\n(3) An information usage arrangement cannot be approved under this section unless the Information Commissioner has issued a certificate in relation to the arrangement.\n\nS. 50(4) amended by No. 20/2017 s. 106(7)(a).\n\n(4) Subject to subsection (5), the Information Commissioner must cause an approved information usage arrangement to be published on the Internet site of the Information Commissioner.\n\nS. 50(5) amended by No. 20/2017 s. 106(7)(a).\n\n(5) The Information Commissioner is not required to publish any part of an approved information usage arrangement that would disclose—\n\n(a) personal information; or\n\nS. 50(5)(b) amended by No. 20/2017 s. 81.\n\n(b) information that, if contained in a document, would make that document an exempt document under section 29(b), 29A, 31, 31A or 34 of the **Freedom of Information Act 1982**.\n\n","sortOrder":79},{"sectionNumber":"51","sectionType":"section","heading":"Effect of approved information usage arrangement","content":"\t51 Effect of approved information usage arrangement\n\nS. 51(1) amended by No. 20/2017 s. 
106(10).\n\n(1) If an approved information usage arrangement provides for acts and practices for handling personal information that modify or do not comply with an Information Privacy Principle (other than IPP 4 or 6) or approved code of practice specified in the Information Commissioner's certificate issued under section 49, the parties to the arrangement are not required to comply with the Information Privacy Principle or approved code of practice in respect of those acts or practices to the extent specified in the certificate.\n\n(2) If an approved information usage arrangement provides for the handling of personal information for the purposes of an information handling provision, the handling of that information in accordance with the arrangement is taken to be permitted for the purposes of that provision.\n\n","sortOrder":80},{"sectionNumber":"52","sectionType":"section","heading":"Amendment of approved information usage arrangement","content":"\t52 Amendment of approved information usage arrangement\n\nS. 52(1) amended by No. 20/2017 s. 106(5).\n\n(1) The lead party to an approved information usage arrangement may apply to the Information Commissioner for the approval of an amendment to the arrangement.\n\n(2) Sections 47(2), (3) and (4), 48, 49, 50 and 51 apply to an application under subsection (1)—\n\n(a) as if a reference to an information usage arrangement were a reference to the amendment in respect of which approval is sought; and\n\n","sortOrder":81},{"sectionNumber":"53","sectionType":"section","heading":"Revocation of approval of information usage arrangement","content":"\t53 Revocation of approval of information usage arrangement\n\n(1) The relevant Minister must revoke the approval of an information usage arrangement if the relevant Minister—\n\nS. 53(1)(a) amended by No. 20/2017 s. 
106(2).\n\n(a) is notified by the Information Commissioner that any ground set out in subsection (3)(a) exists; or\n\n(b) becomes aware that a ground set out in subsection (3)(b) exists.\n\nS. 53(2) amended by No. 20/2017 s. 106(2).\n\n(2) The relevant Minister may revoke the approval of an information usage arrangement on request of the Information Commissioner or any party that is an organisation.\n\n(3) The grounds for revocation under subsection (1) are—\n\nS. 53(3)(a) amended by No. 20/2017 s. 106(2).\n\n(a) if the information usage arrangement modifies or provides for noncompliance with a specified Information Privacy Principle or approved code of practice, the Information Commissioner is no longer satisfied that the public interest in information handling under the arrangement substantially outweighs the public interest in complying with the Information Privacy Principles; or\n\n(b) the reasons in the application for approval of the information usage arrangement no longer apply.\n\nS. 53(4) amended by No. 20/2017 s. 106(2).\n\n(4) The Information Commissioner must give written notice to the parties to the information usage arrangement before notifying the Minister of the existence of a ground for revocation set out in subsection (3)(a).\n\n(5) The relevant Minister must give written notice to the parties to the information usage arrangement before revoking the arrangement on a ground set out in subsection (3)(b).\n\n","sortOrder":82},{"sectionNumber":"54","sectionType":"section","heading":"Reporting requirements for approved information usage arrangements","content":"\t54 Reporting requirements for approved information usage arrangements\n\nS. 54(1) amended by No. 20/2017 s. 106(2).\n\n(1) The lead party to an approved information usage arrangement must report to the Information Commissioner about the arrangement—\n\n(a) annually; and\n\nS. 54(1)(b) amended by No. 20/2017 s. 
106(2).\n\n(b) at any other time, as requested by the Information Commissioner.\n\nS. 54(2) amended by No. 20/2017 s. 106(2).\n\n(2) The content and timing of a report under subsection (1)(a) must be consistent with any guidelines published by the Information Commissioner.\n\nS. 54(3) amended by No. 20/2017 s. 106(2).\n\n(3) The Information Commissioner, on request of a relevant Minister, must report to the relevant Minister about an approved information usage arrangement.\n\nS. 54(4) amended by No. 20/2017 s. 106(2).\n\n(4) The Information Commissioner may report to a relevant Minister about an approved information usage arrangement at any time.\n\n","sortOrder":83},{"sectionNumber":"Div 7","sectionType":"division","heading":"Certification","content":"Division 7—Certification\n\nS. 55 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":84},{"sectionNumber":"55","sectionType":"section","heading":"Information Commissioner may certify consistency of act or practice","content":"\t55 Information Commissioner may certify consistency of act or practice\n\nS. 55(1) amended by No. 20/2017 s. 106(11)(a).\n\n(1) The Information Commissioner may certify that a specified act or practice of an organisation is consistent with—\n\n(a) an Information Privacy Principle; or\n\n(b) an approved code of practice; or\n\n(c) an information handling provision.\n\n(2) The certificate remains in effect until any expiry date specified in the certificate, unless it is earlier set aside by a court or VCAT.\n\n(3) The certificate must include an expiry date, unless it is inappropriate to do so in all the circumstances.\n\n(4) A person who does an act or engages in a practice in good faith in accordance with a current certificate does not contravene the relevant Information Privacy Principle or approved code of practice or the relevant information handling provision (as the case requires).\n\nS. 55(5) amended by No. 20/2017 s. 
106(11)(b).\n\n(5) A certificate under this section must be published on the Internet site of the Office of the Victorian Information Commissioner.\n\n","sortOrder":85},{"sectionNumber":"56","sectionType":"section","heading":"Review of decision to issue certificate","content":"\t56 Review of decision to issue certificate\n\n(1) An individual or organisation whose interests are affected by the decision to issue the certificate under section 55(1) may apply to VCAT for review of the decision.\n\nS. 56(2) amended by No. 20/2017 s. 106(5).\n\n(2) The Information Commissioner is a party to a proceeding on a review under this section.\n\nDivision 8—Information privacy complaints\n\nSubdivision 1—Making a complaint\n\n\t57 Complaints\n\nS. 57(1) amended by No. 20/2017 s. 106(12)(a).\n\n(1) An individual in respect of whom personal information is, or has at any time been, held by an organisation may complain to the Information Commissioner, in writing, about an act or practice that may be an interference with the privacy of the individual.\n\n(2) A complaint relating to an Information Privacy Principle or an applicable code of practice may be made under subsection (1) if—\n\n(a) there is no applicable code of practice in relation to the holding of the information by the organisation; or\n\n(b) there is an applicable code of practice in relation to the holding of the information by the organisation but that code does not provide for the appointment of a code administrator to whom complaints may be made; or\n\n(c) there is an applicable code of practice in relation to the holding of the information by the organisation that provides for the appointment of a code administrator and—\n\n(i) not less than 45 days before complaining under subsection (1) the individual complained to the code administrator in accordance with the procedures set out in that code; and\n\n(ii) the individual has received no response or a response that the individual considers to be inadequate.\n\n(3) In 
the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any one of those individuals may make a complaint under subsection (1) on behalf of all of the individuals with their consent.\n\nS. 57(4) amended by No. 20/2017 s. 106(12)(a).\n\n(4) It is the duty of employees in the office of the Information Commissioner to provide appropriate assistance to an individual who wishes to make a complaint and requires assistance to formulate the complaint.\n\n(5) The complaint must specify the respondent to the complaint.\n\n(6) The respondent to a complaint is—\n\n(a) if the organisation represents the Crown, the State; or\n\n(b) if the organisation does not represent the Crown and—\n\n(i) is a legal person, the organisation; or\n\n(ii) is an unincorporated body, the members of the committee of management of the organisation.\n\n(7) A failure to comply with subsection (5) does not render the complaint, or any step taken in relation to it, a nullity.\n\nS. 58 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":86},{"sectionNumber":"58","sectionType":"section","heading":"Complaint referred to Information Commissioner","content":"\t58 Complaint referred to Information Commissioner\n\nS. 58(1) amended by No. 20/2017 s. 106(5).\n\n(1) The Information Commissioner may treat a complaint referred to the Commissioner by the Ombudsman under section 16I of the **Ombudsman Act 1973** as if it were a complaint made under section 57(1).\n\nS. 58(2) repealed by No. 20/2017 s. 82.\n\n","sortOrder":87},{"sectionNumber":"59","sectionType":"section","heading":"Complaints by minors","content":"\t59 Complaints by minors\n\n(1) A complaint may be made—\n\n(a) by a child; or\n\n(b) on behalf of a child by—\n\n(i) a parent of the child; or\n\n(ii) any other individual chosen by the child or by a parent of the child; or\n\nS. 59(1)(b)(iii) amended by No. 20/2017 s. 
106(5).\n\n(iii) any other individual who, in the opinion of the Information Commissioner, has a sufficient interest in the subject matter of the complaint.\n\n(2) A child who is capable of understanding the general nature and effect of choosing an individual to make a complaint on the child's behalf may do so even if the child is otherwise incapable of exercising powers.\n\n","sortOrder":88},{"sectionNumber":"60","sectionType":"section","heading":"Complaints by people with a disability","content":"\t60 Complaints by people with a disability\n\n(1) If an individual is unable to complain because of a disability, a complaint may be made on behalf of that individual by—\n\n(a) another individual authorised by that individual to complain on the individual's behalf; or\n\nS. 60(1)(b) amended by No. 20/2017 s. 106(5).\n\n(b) if that individual is unable to authorise another individual, any other individual on the individual's behalf who, in the opinion of the Information Commissioner, has a sufficient interest in the subject matter of the complaint.\n\n***disability***  has the same meaning as in the **Equal Opportunity Act 2010**.\n\nSubdivision 2—Procedure after a complaint is made\n\nS. 61 (Heading) amended by No. 20/2017 s. 106(3).\n\nS. 61 amended by No. 20/2017 s. 106(5).\n\n","sortOrder":89},{"sectionNumber":"61","sectionType":"section","heading":"Information Commissioner must notify respondent","content":"\t61 Information Commissioner must notify respondent\n\nThe Information Commissioner must notify the respondent in writing of the complaint as soon as practicable after receiving it.\n\nS. 62 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":90},{"sectionNumber":"62","sectionType":"section","heading":"Circumstances in which Information Commissioner may decline to entertain complaint","content":"\t62 Circumstances in which Information Commissioner may decline to entertain complaint\n\nS. 62(1) amended by No. 20/2017 s. 
106(13)(a).\n\n(1) The Information Commissioner may decline to entertain a complaint made under section 57(1) by notifying the complainant and the respondent in writing to that effect within 90 days after the day on which the complaint was lodged if the Information Commissioner considers that—\n\n(a) the act or practice about which the complaint has been made is not an interference with the privacy of an individual; or\n\n(b) the act or practice is subject to an applicable code of practice and all appropriate mechanisms for seeking redress available under that code have not been exhausted; or\n\nS. 62(1)(c) amended by No. 20/2017 s. 106(13)(a).\n\n(c) although a complaint has been made to the Information Commissioner about the act or practice, the complainant has not complained to the respondent; or\n\nS. 62(1)(d) amended by No. 20/2017 s. 106(13)(a).\n\n(d) the complaint to the Information Commissioner was made more than 45 days after the complainant became aware of the act or practice; or\n\n(e) the complaint is frivolous, vexatious, misconceived or lacking in substance; or\n\nS. 62(1)(ea) inserted by No. 31/2024 s. 
52.\n\n(ea) the complainant has failed to co‑operate with the Information Commissioner without reasonable excuse; or\n\n(f) the act or practice is the subject of an application under another enactment and the subject matter of the complaint has been, or is being, dealt with adequately under that enactment; or\n\n(g) the act or practice could be made the subject of an application under another enactment for a more appropriate remedy; or\n\n(h) the complainant has complained to the respondent about the act or practice and either—\n\n(i) the respondent has dealt, or is dealing, adequately with the complaint; or\n\n(ii) the respondent has not yet had an adequate opportunity to deal with the complaint; or\n\n(i) the complaint was made under section 60, on behalf of a child or a person with a disability, by an individual who has an insufficient interest in the subject matter of the complaint.\n\nS. 62(2) amended by Nos 21/2015 s. 3(Sch. 1 item 41.3), 20/2017 s. 106(13)(a).\n\n(2) A notice under subsection (1) must state that the complainant, by notice in writing given to the Information Commissioner, may require the Information Commissioner to refer the complaint to VCAT for hearing under Subdivision 5.\n\nS. 62(3) amended by No. 20/2017 s. 106(13)(a).\n\n(3) Before declining to entertain a complaint, the Information Commissioner may, by notice in writing, invite any person—\n\nS. 62(3)(a) amended by No. 20/2017 s. 106  \n(13)(a).\n\n(a) to attend before the Information Commissioner, or an employee in the office of the Information Commissioner, for the purpose of discussing the subject matter of the complaint; or\n\n(b) to produce any documents specified in the notice.\n\nS. 62(4) amended by Nos 21/2015 s. 3(Sch. 1 item 41.3), 20/2017 s. 
106  \n(13)(a)(b).\n\n(4) Within 60 days after receiving the Information Commissioner's notice declining to entertain a complaint, the complainant, by notice in writing given to the Information Commissioner, may require the Information Commissioner to refer the complaint to VCAT for hearing under Subdivision 5.\n\nS. 62(5) amended by No. 20/2017 s. 106(13)(a).\n\n(5) The Information Commissioner must comply with a notice under subsection (4).\n\nS. 62(6) amended by No. 20/2017 s. 106(13)(a).\n\n(6) If the complainant does not notify the Information Commissioner under subsection (4), the Information Commissioner may dismiss the complaint.\n\nS. 62(7) amended by No. 20/2017 s. 106(13)(a).\n\n(7) As soon as possible after a dismissal under subsection (6), the Information Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.\n\n(8) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.\n\nS. 63 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":91},{"sectionNumber":"63","sectionType":"section","heading":"Information Commissioner may refer complaint","content":"\t63 Information Commissioner may refer complaint\n\nS. 63(1) amended by No. 20/2017 s. 106(14).\n\n(1) The Information Commissioner may refer a complaint if the Information Commissioner considers that the complaint could be the subject of a complaint to—\n\n(a) the Federal Privacy Commissioner under the Privacy Act 1988 of the Commonwealth; or\n\n(b) the Disability Services Commissioner under the **Disability Act 2006**; or\n\nS. 63(1)(c) repealed by No. 20/2017 s. 83(1).\n\n(d) the Ombudsman under the **Ombudsman Act 1973**; or\n\nS. 63(1)(e) amended by No. 22/2016 s. 240.\n\n(e) the Health Complaints Commissioner under the **Health Records Act 2001**; or\n\n(f) the Commission for Children and Young People under the **Commission for Children and Young People Act 2012**; or\n\nS. 
63(1)(g) amended by Nos 39/2022 s. 853, 31/2024 s. 53.\n\n(g) the Mental Health and Wellbeing Commission under the **Mental Health and Wellbeing Act 2022**.\n\nS. 63(1A) inserted by No. 20/2017 s. 83(2).\n\n(1A) The Information Commissioner may decide to deal with a complaint as if it were a complaint made under the **Freedom of Information Act 1982** if the Information Commissioner considers that the complaint  could be dealt with more effectively or appropriately under that Act.\n\nS. 63(2) amended by No. 20/2017 ss 83(3), 106(14)(a).\n\n(2) The Information Commissioner must notify the complainant and the respondent in writing of the referral or decision under subsection (1A).\n\nS. 63(3) amended by No. 20/2017 s. 83(4).\n\n(3) A complainant may take no further action under this Act in relation to the subject matter of a complaint referred under this section or dealt with under the **Freedom of Information Act 1982**.\n\nS. 64 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":92},{"sectionNumber":"64","sectionType":"section","heading":"Information Commissioner may dismiss stale complaint","content":"\t64 Information Commissioner may dismiss stale complaint\n\nS. 64(1) amended by No. 20/2017 s. 106(2).\n\n(1) The Information Commissioner may dismiss a complaint if the Information Commissioner has had no substantive response from the complainant in the period of 90 days following a request by the Information Commissioner for a response in relation to the complaint.\n\nS. 64(2) amended by No. 20/2017 s. 
106(2).\n\n(2) As soon as possible after a dismissal under subsection (1), the Information Commissioner must, by notice in writing, notify the complainant and the respondent of the dismissal.\n\n(3) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.\n\n","sortOrder":93},{"sectionNumber":"65","sectionType":"section","heading":"Minister may refer a complaint direct to VCAT","content":"\t65 Minister may refer a complaint direct to VCAT\n\nS. 65(1) amended by Nos 20/2017 s. 106(5), 31/2024 s. 54.\n\n(1) If the Minister considers that the subject matter of a complaint raises an issue of important public policy, the Minister may refer the complaint directly to VCAT for hearing under Subdivision 5, whether or not the Information Commissioner has considered it or the complaint is in the process of informal resolution or is being conciliated.\n\n(2) The Minister is not a party to a proceeding on a complaint referred to VCAT under subsection (1) unless joined by VCAT.\n\nS. 65A inserted by No. 31/2024 s. 55.\n\n","sortOrder":94},{"sectionNumber":"65A","sectionType":"section","heading":"Preliminary inquiries and consultation","content":"\t65A Preliminary inquiries and consultation\n\nThe Information Commissioner may do any of the following to determine whether a complaint can be resolved informally—\n\n(a) conduct preliminary inquiries into the complaint;\n\n(b) consult with the respondent to the complaint and the complainant.\n\nS. 65B inserted by No. 31/2024 s. 
55.\n\n","sortOrder":95},{"sectionNumber":"65B","sectionType":"section","heading":"Informal resolution","content":"\t65B Informal resolution\n\n(1) If the Information Commissioner determines that it is reasonably possible to resolve a complaint informally, the Information Commissioner must take reasonable steps to resolve the complaint.\n\n(2) If the complaint is resolved informally, the Information Commissioner must record the outcome in writing.\n\n(3) A complainant may take no further action under this Act in relation to the subject matter of a complaint that is resolved informally.\n\n","sortOrder":96},{"sectionNumber":"66","sectionType":"section","heading":"What happens if conciliation is inappropriate?","content":"\t66 What happens if conciliation is inappropriate?\n\nS. 66(1) amended by No. 20/2017 s. 106(6)(a).\n\n(1) If the Information Commissioner does not consider it reasonably possible that a complaint may be conciliated successfully under Subdivision 3, the Information Commissioner must notify the complainant and the respondent in writing.\n\nS. 66(2) amended by No. 20/2017 s. 106(6)(a).\n\n(2) A notice under subsection (1) must state that the complainant, by notice in writing given to the Information Commissioner, may require the Information Commissioner to refer the complaint to VCAT for hearing under Subdivision 5.\n\nS. 66(3) amended by No. 20/2017 s. 106(6).\n\n(3) Within 60 days after receiving the Information Commissioner's notice under subsection (1), the complainant, by notice in writing given to the Information Commissioner, may require the Information Commissioner to refer the complaint to VCAT for hearing under Subdivision 5.\n\nS. 66(4) amended by No. 20/2017 s. 106(6)(a).\n\n(4) The Information Commissioner must comply with a notice under subsection (3).\n\nS. 66(5) amended by No. 20/2017 s. 
106(6)(a).\n\n(5) If the complainant does not notify the Information Commissioner under subsection (3), the Information Commissioner may dismiss the complaint.\n\nS. 66(6) amended by No. 20/2017 s. 106(6)(a).\n\n(6) As soon as possible after a dismissal under subsection (5), the Information Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.\n\n(7) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.\n\nSubdivision 3—Conciliation of complaints\n\n","sortOrder":97},{"sectionNumber":"67","sectionType":"section","heading":"Conciliation process","content":"\t67 Conciliation process\n\nS. 67(1) amended by Nos 20/2017 s. 106(2), 31/2024 s. 56.\n\n(1) If the complaint cannot be resolved informally and the Information Commissioner considers it reasonably possible that a complaint may be conciliated successfully, the Information Commissioner must make all reasonable endeavours to conciliate the complaint.\n\n(2) Subsection (1) does not apply to a complaint—\n\nS. 67(2)(a) amended by No. 20/2017 s. 106(2).\n\n(a) that the Information Commissioner has declined to entertain under section 62, referred under section 63 or dismissed under section 64; or\n\n(b) that the Minister has referred to VCAT under section 65.\n\nS. 67(3) amended by No. 20/2017 s. 106(2).\n\n(3) The Information Commissioner may require a party to attend a conciliation either personally or by a representative who has authority to settle the matter on behalf of the party.\n\nS. 68 substituted by No. 20/2017 s. 
84.\n\n","sortOrder":98},{"sectionNumber":"68","sectionType":"section","heading":"Information Commissioner may issue notice to produce or attend","content":"\t68 Information Commissioner may issue notice to produce or attend\n\nIf the Information Commissioner has reason to believe that a person has information or a document relevant to a conciliation under this Subdivision, the Information Commissioner may serve a notice to produce or attend on the person, in accordance with Division 10.\n\n","sortOrder":99},{"sectionNumber":"69","sectionType":"section","heading":"Conciliation agreements","content":"\t69 Conciliation agreements\n\n(1) If, following conciliation, the parties to the complaint reach agreement with respect to the subject matter of the complaint—\n\nS. 69(1)(a) amended by No. 20/2017 s. 106(2).\n\n(a) at the request of any party made within 30 days after agreement is reached, a written record of the conciliation agreement is to be prepared by the parties or the Information Commissioner; and\n\nS. 69(1)(b) amended by No. 20/2017 s. 106(2).\n\n(b) the record must be signed by or on behalf of each party and certified by the Information Commissioner; and\n\nS. 69(1)(c) amended by No. 20/2017 s. 
106(2).\n\n(c) the Information Commissioner must give each party a copy of the signed and certified record.\n\n(2) Any party, after notifying in writing the other party, may lodge a copy of the signed and certified record with VCAT for registration.\n\n(3) Subject to subsection (4), VCAT must register the record and give a certified copy of the registered record to each party.\n\n(4) If VCAT, constituted by a presidential member, considers that it may not be practicable to enforce, or to supervise compliance with, a conciliation agreement, VCAT may refuse to register the record of the agreement.\n\n(5) On registration, the record must be taken to be an order of VCAT in accordance with its terms and may be enforced accordingly.\n\n(6) The refusal of VCAT to register the record of a conciliation agreement does not affect the validity of the agreement.\n\n","sortOrder":100},{"sectionNumber":"70","sectionType":"section","heading":"Evidence of conciliation is inadmissible","content":"\t70 Evidence of conciliation is inadmissible\n\nEvidence of anything said or done in the course of a conciliation is not admissible in proceedings before VCAT or any other legal proceedings relating to the subject matter of the complaint, unless all parties to the conciliation otherwise agree.\n\n","sortOrder":101},{"sectionNumber":"71","sectionType":"section","heading":"What happens if conciliation fails?","content":"\t71 What happens if conciliation fails?\n\nS. 71(1) amended by No. 20/2017 s. 106(6)(a).\n\n(1) If the Information Commissioner has attempted unsuccessfully to conciliate a complaint, the Information Commissioner must notify the complainant and the respondent in writing.\n\nS. 71(2) amended by No. 20/2017 s. 106(6)(a).\n\n(2) A notice under subsection (1) must state that the complainant, by written notice given to the Information Commissioner, may require the Information Commissioner to refer the complaint to VCAT for hearing under Subdivision 5.\n\nS. 71(3) amended by No. 
20/2017 s. 106(6).\n\n(3) Within 60 days after receiving the Information Commissioner's notice under subsection (1), the complainant, by notice in writing given to the Information Commissioner, may require the Information Commissioner to refer the complaint to VCAT for hearing under Subdivision 5.\n\nS. 71(4) amended by No. 20/2017 s. 106(6)(a).\n\n(4) The Information Commissioner must comply with a notice under subsection (3).\n\nS. 71(5) amended by No. 20/2017 s. 106(6)(a).\n\n(5) If the complainant does not notify the Information Commissioner under subsection (3), the Information Commissioner may dismiss the complaint.\n\nS. 71(6) amended by No. 20/2017 s. 106(6)(a).\n\n(6) As soon as possible after a dismissal under subsection (5), the Information Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.\n\n(7) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.\n\n","sortOrder":102},{"sectionNumber":"Subdiv 4","sectionType":"subdivision","heading":"Interim orders","content":"Subdivision 4—Interim orders\n\n","sortOrder":103},{"sectionNumber":"72","sectionType":"section","heading":"VCAT may make interim orders before hearing","content":"\t72 VCAT may make interim orders before hearing\n\nS. 72(1) amended by No. 20/2017 s. 
106(5).\n\n(1) A complainant or a respondent or the Information Commissioner may apply to VCAT for an interim order to prevent any party to the complaint from acting in a manner prejudicial to negotiations or conciliation or to any decision or order VCAT might subsequently make.\n\n(2) An application may be made under subsection (1) at any time before the complaint is referred to VCAT.\n\n(3) In making an interim order, VCAT must have regard to—\n\n(a) whether or not the complainant has established a prima facie case with respect to the complaint; and\n\n(b) any possible detriment or advantage to the public interest in making the order; and\n\n(c) any possible detriment to the complainant's or the respondent's case if the order is not made.\n\n(4) An interim order applies for the period, not exceeding 28 days, specified in it and may be extended from time to time by VCAT.\n\n(5) The party against whom the interim order is sought is a party to the proceeding on an application under subsection (1).\n\n(6) In making an interim order, VCAT—\n\n(a) may require any undertaking as to costs or damages that it considers appropriate; and\n\n(b) may make provision for the lifting of the order if specified conditions are met.\n\n(7) VCAT may assess any costs or damages referred to in subsection (6)(a).\n\n(8) Nothing in this section affects or takes away from VCAT's power under section 123 of the **Victorian Civil and Administrative Tribunal Act 1998** to make orders of an interim nature in a proceeding in VCAT in respect of a complaint.\n\n","sortOrder":104},{"sectionNumber":"Subdiv 5","sectionType":"subdivision","heading":"Jurisdiction of VCAT","content":"Subdivision 5—Jurisdiction of VCAT\n\n","sortOrder":105},{"sectionNumber":"73","sectionType":"section","heading":"When may VCAT hear a complaint?","content":"\t73 When may VCAT hear a complaint?\n\n(1) VCAT may hear any of the following—\n\nS. 73(1)(a) amended by No. 20/2017 s. 
106(5).\n\n(a) a complaint referred to it by the Information Commissioner under section 62, 66 or 71;\n\n(b) a complaint referred to it by the Minister under section 65.\n\n(2) VCAT also has the jurisdiction conferred by section 72.\n\nS. 73(3) amended by No. 20/2017 s. 85.\n\n(3) If a certificate has been given in respect of a document under section 83J(2), the powers of VCAT—\n\n(a) do not extend to reviewing the decision to give the certificate; and\n\n(b) are limited to determining whether a document has been properly classified as an exempt document of a kind referred to in section 28(1) of the **Freedom of Information Act 1982**.\n\n","sortOrder":106},{"sectionNumber":"74","sectionType":"section","heading":"Who are the parties to a proceeding?","content":"\t74 Who are the parties to a proceeding?\n\n(1) The complainant and the respondent are parties to a proceeding in respect of a complaint referred to in section 73(1).\n\nS. 74(2) amended by No. 20/2017 s. 106(5).\n\n(2) The Information Commissioner is not a party to a proceeding in respect of a complaint referred to in section 73(1)(a) unless joined by VCAT.\n\n","sortOrder":107},{"sectionNumber":"75","sectionType":"section","heading":"Time limits for complaints referred by the Minister","content":"\t75 Time limits for complaints referred by the Minister\n\n(1) VCAT must commence hearing a complaint within 30 days after its referral to VCAT if the complaint was referred to it by the Minister under section 65.\n\n(2) VCAT, constituted by a presidential member, may extend the period of 30 days under subsection (1) by one further period of not more than 30 days.\n\n","sortOrder":108},{"sectionNumber":"76","sectionType":"section","heading":"Inspection of exempt documents by VCAT","content":"\t76 Inspection of exempt documents by VCAT\n\n(1) Subject to subsection (2) and to any order made by VCAT under section 51(2) of the **Victorian Civil and Administrative Tribunal Act 1998**, VCAT must do all things 
necessary to ensure that—\n\n(a) any document produced to VCAT in proceedings under this Act that is claimed to be an exempt document of a kind referred to in section 28(1) of the **Freedom of Information Act 1982**, or the contents of that document, is not disclosed to any person other than—\n\n(i) a member of VCAT as constituted for the proceedings; or\n\n(ii) a member of the staff of VCAT in the course of the performance of the member's duties as a member of that staff; and\n\n(b) the document is returned to the respondent at the conclusion of the proceedings.\n\n(2) VCAT may make such orders as it thinks necessary having regard to the nature of the proceedings.\n\nS. 76(3) amended by No. 60/2014 s. 137.\n\n(3) If the applicant is represented by an Australian legal practitioner, orders under subsection (2) may include an order that the contents of a document produced to VCAT that is claimed to be an exempt document be disclosed to that practitioner.\n\n(4) In making an order under subsection (2), VCAT must be guided by the principle that the contents of a document that is claimed to be an exempt document should not normally be disclosed except in accordance with an order of VCAT under section 51(2) of the **Victorian Civil and Administrative Tribunal Act 1998**.\n\n(5) If a complaint under section 73 relates to a document or part of a document in relation to which disclosure has been refused on the grounds specified in section 28 of the **Freedom of Information Act 1982**, VCAT may, if it regards it as appropriate to do so, announce its findings in terms which neither confirm nor deny the existence of the document in question.\n\n","sortOrder":109},{"sectionNumber":"77","sectionType":"section","heading":"What may VCAT decide?","content":"\t77 What may VCAT decide?\n\n(1) After hearing the evidence and representations that the parties to a complaint desire to adduce or make, VCAT may—\n\n(a) find the complaint or any part of it proven and make any one or more of 
the following orders—\n\n(i) an order restraining the respondent, or the organisation of which the respondents are members of the committee of management, from repeating or continuing any act or practice the subject of the complaint which VCAT has found to constitute an interference with the privacy of an individual;\n\n(ii) an order that the respondent perform or carry out any reasonable act or course of conduct to redress any loss or damage suffered by the complainant, including injury to the complainant's feelings or humiliation suffered by the complainant, by reason of the act or practice the subject of the complaint;\n\n(iii) an order that the complainant is entitled to a specified amount, not exceeding $100 000, by way of compensation for any loss or damage suffered by the complainant, including injury to the complainant's feelings or humiliation suffered by the complainant, by reason of the act or practice the subject of the complaint;\n\n(iv) if the act or practice the subject of the complaint is subject to an approved code of practice, an order that the code administrator take specified steps in the matter, which may include using conciliation or mediation, securing an apology or undertaking as to future conduct from the respondent or the payment of compensation, not exceeding $100 000, by the respondent; or\n\n(b) find the complaint or any part of it proven but decline to take any further action in the matter; or\n\n(c) find the complaint or any part of it not proven and make an order that the complaint or part be dismissed; or\n\n(d) in any case, make an order that the complainant is entitled to a specified amount to reimburse the complainant for expenses reasonably incurred by the complainant in connection with the making of the complaint and the proceedings held in respect of it under this Act.\n\n(2) In an order under subsection (1)(a)(i) or (ii) arising out of a breach of IPP 6.5 or 6.6, VCAT may include an order that—\n\n(a) an organisation or 
respondent make an appropriate correction to the personal information; or\n\n(b) an organisation or respondent attach to the record of personal information a statement provided by the complainant of a correction sought by the complainant.\n\nS. 77(3) amended by No. 20/2017 s. 106(2).\n\n(3) If an order of VCAT relates to a public register, the Information Commissioner must, as soon as practicable after its making, report the order to the Minister responsible for the public sector agency or Council that administers that public register.\n\nS. 77(4) amended by No. 20/2017 s. 106(2).\n\n(4) The Information Commissioner may include in a report under subsection (3) recommendations in relation to any matter that concerns the need for, or the desirability of, legislative or administrative action in the interests of personal privacy.\n\n","sortOrder":110},{"sectionNumber":"Div 9","sectionType":"division","heading":"Enforcement of Information Privacy Principles and approved information usage arrangements","content":"Division 9—Enforcement of Information Privacy Principles and approved information usage arrangements\n\n","sortOrder":111},{"sectionNumber":"78","sectionType":"section","heading":"Compliance notice","content":"\t78 Compliance notice\n\nS. 78(1) amended by No. 20/2017 s. 
106(6)(a).\n\n(1) The Information Commissioner may serve a compliance notice on an organisation, if it appears to the Information Commissioner that—\n\n(a) the organisation has done an act or engaged in a practice in contravention of an Information Privacy Principle (including an act or practice that is in contravention of an applicable code of practice) or an approved information usage arrangement; and\n\n(b) the act or practice—\n\n(i) constitutes a serious or flagrant contravention; or\n\n(ii) is of a kind that has been done or engaged in by the organisation on at least 5 separate occasions within the previous 2 years.\n\n(2) A compliance notice requires the organisation to take specified action within a specified period for the purpose of ensuring compliance with the Information Privacy Principle, applicable code of practice or approved information usage arrangement.\n\nS. 78(3) amended by No. 20/2017 s. 106(6)(a).\n\n(3) If the Information Commissioner is satisfied, on the application of an organisation on which a compliance notice is served, that it is not reasonably possible to take the action specified in the notice within the period specified in the notice, the Information Commissioner may extend the period specified in the notice on the organisation giving the Information Commissioner an undertaking to take the specified action within the extended period.\n\nS. 78(4) amended by No. 20/2017 s. 106(6)(a).\n\n(4) The Information Commissioner may only extend a period under subsection (3) if an application for the extension is made before the period specified in the notice expires.\n\nS. 78(5) amended by No. 20/2017 s. 106(6).\n\n(5) The Information Commissioner may act under subsection (1) on the Information Commissioner's own initiative or on an application by an individual who was a complainant under Division 8.\n\nS. 78(6) amended by No. 20/2017 s. 
106(6)(a).\n\n(6) In deciding whether or not to serve a compliance notice, the Information Commissioner may have regard to the extent to which the organisation has complied with a decision of VCAT under Subdivision 5 of Division 8.\n\nS. 78(7) inserted by No. 11/2021 s. 165.\n\n(7) A compliance notice must be served in accordance with section 83C.\n\nS. 79 substituted by No. 20/2017 s. 86.\n\n","sortOrder":112},{"sectionNumber":"79","sectionType":"section","heading":"Power to compel production of documents or attendance of witness","content":"\t79 Power to compel production of documents or attendance of witness\n\nIf the Information Commissioner reasonably believes that a person has information or a document relevant to a decision to serve a compliance notice under section 78(1), the Information Commissioner may serve a notice to produce or attend on the person in accordance with Division 10.\n\nSs 80, 81 repealed by No. 20/2017 s. 87.\n\n","sortOrder":113},{"sectionNumber":"82","sectionType":"section","heading":"Offence not to comply with compliance notice","content":"\t82 Offence not to comply with compliance notice\n\n(1) An organisation must comply with a compliance notice served on it under section 78(1) that is in effect.\n\nPenalty: 600 penalty units, in the case of an individual;\n\n3000 penalty units, in the case of a body corporate.\n\n(2) A compliance notice served under section 78(1) does not take effect until the latest of the following—\n\n(a) the expiry of the period specified in the notice;\n\n(b) the expiry of any extended period fixed under section 78(3);\n\n(c) the expiry of the period within which an application for review of the decision to serve the notice may be made to VCAT under section 83(1);\n\nS. 82(2)(d) amended by No. 20/2017 s. 
106(5).\n\n(d) if an application is made under section 83(1) for review of the decision to serve the notice, the review has been determined in favour of the Information Commissioner.\n\n(3) An offence against subsection (1) is an indictable offence.\n\n","sortOrder":114},{"sectionNumber":"83","sectionType":"section","heading":"Application for review","content":"\t83 Application for review\n\nS. 83(1) amended by No. 20/2017 s. 106(2).\n\n(1) An individual or organisation whose interests are affected by a decision of the Information Commissioner under section 78(1) to serve a compliance notice may apply to VCAT for review of the decision.\n\n(2) An application for review must be made within 28 days after the later of—\n\n(a) the day on which the decision is made; or\n\n(b) if, under the **Victorian Civil and Administrative Tribunal Act 1998**, the individual or organisation requests a statement of reasons for the decision, the day on which the statement of reasons is given to the individual or organisation or the individual or organisation is informed under section 46(5) of that Act that a statement of reasons will not be given.\n\nS. 83(3) amended by No. 20/2017 s. 106(2).\n\n(3) The Information Commissioner is a party to a proceeding on a review under this section.\n\nPt 3 Div. 10 (Heading and ss 83A–83K) inserted by No. 20/2017 s. 88.\n\n","sortOrder":115},{"sectionNumber":"Div 10","sectionType":"division","heading":"Notices to produce or attend","content":"Division 10—Notices to produce or attend\n\nS. 83A inserted by No. 20/2017 s. 
88.\n\n","sortOrder":116},{"sectionNumber":"83A","sectionType":"section","heading":"Notice to produce or attend","content":"\t83A Notice to produce or attend\n\n(1) A notice to produce or attend may require a person—\n\n(a) to produce a specified document to the Information Commissioner by or before a specified time and in a specified manner; or\n\n(b) to attend at a specified time and place on a specified date to produce documents to the Information Commissioner; or\n\n(c) to attend an examination before the Information Commissioner to give evidence and to produce documents at a specified time and place on a specified date; or\n\n(d) to attend the Information Commissioner at a specified time and place to produce a specified document.\n\nS. 83A(1A) inserted by No. 11/2021 s. 166.\n\n(1A) A notice to produce or attend may specify that attendance required under the notice is to be by means of audio visual link or audio link and in a specified manner.\n\nS. 83A(1B) inserted by No. 11/2021 s. 166.\n\n(1B) A notice that provides for attendance as described in subsection (1A)—\n\n(a) need not specify a place for attendance; and\n\n(b) if any documents are to be produced, may specify that those documents are to be produced by secure electronic means and in a specified manner.\n\n(2) A notice under subsection (1) must contain the following information—\n\n(a) a statement that—\n\n(i) failure to comply with the notice without reasonable excuse may be an offence; and\n\n(ii) includes the maximum penalty for that offence;\n\n(b) examples of what may constitute a reasonable excuse for failing to comply with the notice.\n\nS. 83B inserted by No. 20/2017 s. 
88.\n\n","sortOrder":117},{"sectionNumber":"83B","sectionType":"section","heading":"Variation or revocation of a notice to produce or attend","content":"\t83B Variation or revocation of a notice to produce or attend\n\n(1) The Information Commissioner, by further written notice served on a person, may at any time vary or revoke a notice to produce or attend served on the person.\n\n(2) A notice varying or revoking a notice to produce or attend must be served in accordance with section 83C.\n\nS. 83C inserted by No. 20/2017 s. 88.\n\n","sortOrder":118},{"sectionNumber":"83C","sectionType":"section","heading":"Service of notice to produce documents or to attend","content":"\t83C Service of notice to produce documents or to attend\n\n(1) Subject to subsection (2), a notice to produce or attend must be served at a reasonable time, being not less than 7 days before the date on which the person is required to attend or otherwise comply with the notice.\n\n(2) The Information Commissioner may serve a notice to attend requiring immediate attendance by a person if—\n\n(a) the Information Commissioner considers on reasonable grounds that a delay in the person's attendance is likely to result in—\n\n(i) evidence being lost or destroyed; or\n\n(ii) the commission of an offence; or\n\n(iii) the escape of the person on whom the notice is served; or\n\n(iv) serious prejudice to the purpose for which the notice was issued; or\n\n(b) the person on whom the notice is served consents to immediate attendance.\n\nS. 83C(3) amended by No. 11/2021 s. 167(1)(a).\n\n(3) A notice to produce or attend directed to a natural person must be served by serving a copy of the notice on the person personally or in accordance with subsection (3A).\n\nS. 83C(3A) inserted by No. 11/2021 s. 
167(2).\n\n(3A) A document that must be served personally on a person may be served on a natural person by—\n\n(a) sending by registered post a copy of the document addressed to that person at the person's last known place of residence or business; or\n\n(b) delivering a copy of the document to the person by means of electronic communication that is confirmed as having been received by the person; or\n\n(c) sending by registered post a copy of the document, addressed to the person's authorised legal representative, to the place of business of the person's authorised legal representative; or\n\n(d) leaving a copy of the document for that person—\n\n(i) at the place of business of the person's authorised legal representative; and\n\n(ii) with a person who apparently works there and who is apparently not less than 18 years of age; or\n\n(e) delivering a copy of the document, addressed to the person's authorised legal representative, to the person's authorised legal representative personally; or\n\n(f) delivering a copy of the document to the person's authorised legal representative by means of an electronic communication that is confirmed as having been received by the person's authorised legal representative.\n\nS. 83C(4) amended by No. 11/2021 s. 167(1)(b).\n\n(4) A notice to produce or attend directed to a body corporate must be served by leaving a copy of the notice at the registered office or principal place of business of the body corporate with a person apparently employed at that office or place and who is apparently at least 18 years of age or in accordance with subsection (4A).\n\nS. 83C(4A) inserted by No. 11/2021 s. 
167(3).\n\n(4A) A document that must be served on a body corporate may be served by—\n\n(a) sending by registered post a copy of the document addressed to that body corporate at the registered office or principal place of business of the body corporate; or\n\n(b) delivering a copy of the document to the body corporate by means of an electronic communication that is confirmed as having been received by the body corporate.\n\nS. 83C(4B) inserted by No. 11/2021 s. 167(3).\n\n(4B) For the purposes of subsection (3) or (3A), a person may deliver a copy of a document to another person personally by placing a copy of the document on a surface in the presence of that other person.\n\nS. 83C(4C) inserted by No. 11/2021 s. 167(3).\n\n(4C) For the purposes of subsections (3A)(b) and (f) and (4A)(b), the receipt of a document may be confirmed by any form of electronic communication.\n\n(5) Subsection (4) is in addition to, and not in derogation of, sections 109X and 601CX of the Corporations Act.\n\nS. 83D (Heading) amended by No. 31/2024 s. 113(Sch. 1 item 26.2).\n\nS. 83D inserted by No. 20/2017 s. 88, amended by No. 31/2024 s. 57 (ILA s. 39B(1)).\n\n","sortOrder":119},{"sectionNumber":"83D","sectionType":"section","heading":"Office of the Information Commissioner to report to Integrity Oversight Victoria on issue of notice to produce or attend","content":"\t83D Office of the Information Commissioner to report to Integrity Oversight Victoria on issue of notice to produce or attend\n\nS. 83D(1) amended by No. 31/2024 s. 113(Sch. 1 item 26.3).\n\n(1) Within 3 days after the issue of a notice to produce or attend, the Information Commissioner must give a written report to Integrity Oversight Victoria specifying—\n\n(a) the name of the person to whom the notice relates; and\n\n(b) the reasons why the notice was issued.\n\nS. 83D(2) inserted by No. 31/2024 s. 57, amended by No. 31/2024 s. 113(Sch. 
1 item 26.3).\n\n(2) Within 3 days after the issue of a notice under section 83B varying or revoking a notice to produce or attend, the Information Commissioner must give a written report to Integrity Oversight Victoria specifying—\n\n(a) the notice to produce or attend to which the variation or revocation relates; and\n\n(b) the reasons why the notice to produce or attend was varied or revoked; and\n\n(c) in the case of a variation, the nature of the variation.\n\nS. 83E inserted by No. 20/2017 s. 88.\n\n","sortOrder":120},{"sectionNumber":"83E","sectionType":"section","heading":"Power to take evidence on oath or affirmation","content":"\t83E Power to take evidence on oath or affirmation\n\n(1) The Information Commissioner may require a person attending an examination, in accordance with a notice to attend, to give evidence on oath or affirmation.\n\n(2) The Information Commissioner, or a person authorised to do so by the Commissioner, may administer an oath or affirmation to a person for the purposes of subsection (1).\n\n(3) A person must not, without reasonable excuse, refuse or fail to take an oath or make an affirmation when required to do so by the Information Commissioner under subsection (1).\n\n(4) A person does not commit an offence against subsection (3) unless, before the person is required to take the oath or make the affirmation, the Information Commissioner informs the person that refusal or failure to do so without reasonable excuse is an offence.\n\nS. 83F inserted by No. 20/2017 s. 88, amended by No. 11/2021 s. 168 (ILA s. 
39B(1)).\n\n","sortOrder":121},{"sectionNumber":"83F","sectionType":"section","heading":"Legal advice and representation","content":"\t83F Legal advice and representation\n\n(1) A person may seek legal advice, and be represented by a legal practitioner in relation to—\n\n(a) a notice to produce or attend that is directed to the person and the notice relates to—\n\n(i) a conciliation conducted by the Information Commissioner; or\n\n(ii) the issue of a compliance notice by the Information Commissioner; or\n\n(b) the person's rights, liabilities, obligations and privileges in relation to the notice to produce or attend.\n\nS. 83F(2) inserted by No. 11/2021 s. 168.\n\n(2) For the purposes of this section, a legal practitioner may represent a person by means of audio visual link or audio link.\n\nS. 83G inserted by No. 20/2017 s. 88.\n\n","sortOrder":122},{"sectionNumber":"83G","sectionType":"section","heading":"Protection of legal practitioners and persons—notice to produce or attend","content":"\t83G Protection of legal practitioners and persons—notice to produce or attend\n\n(1) A legal practitioner representing the person who is served with a notice to produce or attend has the same protection and immunity as a legal practitioner has in representing a party in a proceeding in the Supreme Court.\n\n(2) A person who is served with a notice to produce or attend has the same protection and immunity as a witness has in a proceeding in the Supreme Court.\n\nS. 83GA inserted by No. 2/2019 s. 
145.\n\n\t83GA Audio or video recording of examination\n\n(1) This section applies if a person is required under this Part to attend an examination before the Information Commissioner.\n\n(2) The Information Commissioner must ensure that an audio or video recording of the examination is made.\n\n(3) Subject to subsection (4), evidence of anything said by the person during the examination is inadmissible as evidence against any person in any proceeding before a court or tribunal unless—\n\n(a) an audio or video recording of the examination is made; and\n\n(b) the audio or video recording is available to be tendered in evidence.\n\n(4) A court may admit evidence of anything said by the person during the examination that is otherwise inadmissible because of subsection (3) if the court is satisfied that there are exceptional circumstances that justify the admission of the evidence.\n\n(5) Unless the Information Commissioner considers on reasonable grounds that doing so may prejudice the dealing of a complaint under this Act, the Information Commissioner must provide the person attending the examination with a copy of—\n\n(a) the audio or video recording; and\n\n(b) any transcript created.\n\n(6) If the Information Commissioner determines not to provide the person with a copy of the audio or video recording and any transcript in accordance with subsection (5), the Information Commissioner must allow the person to listen to or view the recording of the person's evidence at the premises of the Information Commissioner at any reasonable time.\n\nS. 83GA(7) amended by No. 31/2024 s. 113(Sch. 1 item 26.4).\n\n(7) As soon as possible after the examination, the Information Commissioner must provide Integrity Oversight Victoria with a copy of the audio or video recording and any transcript of the examination.\n\nS. 83H inserted by No. 20/2017 s. 
88.\n\n","sortOrder":123},{"sectionNumber":"83H","sectionType":"section","heading":"Failure to comply with notice to produce or attend","content":"\t83H Failure to comply with notice to produce or attend\n\nA person who is served with a notice to produce or attend, must not, without reasonable excuse, refuse or fail to comply with a requirement set out in the notice—\n\n(a) to attend before the Information Commissioner; or\n\n(b) to give information; or\n\n(c) to answer a question or produce a document.\n\nS. 83I inserted by No. 20/2017 s. 88.\n\n","sortOrder":124},{"sectionNumber":"83I","sectionType":"section","heading":"Reasonable excuse—self-incrimination","content":"\t83I Reasonable excuse—self-incrimination\n\nWithout limiting what is a reasonable excuse for the purposes of section 83H, it is a reasonable excuse to refuse or fail to comply with a requirement of the notice if the giving of the information or production of the document may tend to incriminate the person.\n\nS. 83J inserted by No. 20/2017 s. 
88.\n\n","sortOrder":125},{"sectionNumber":"83J","sectionType":"section","heading":"Reasonable excuse—cabinet documents and legal professional privilege","content":"\t83J Reasonable excuse—cabinet documents and legal professional privilege\n\n(1) Without limiting what is a reasonable excuse for the purposes of section 83H, it is a reasonable excuse for a person to refuse or fail to comply with a requirement of the notice if—\n\n(a) the information or document—\n\n(i) is an exempt document under section 28 of the **Freedom of Information Act 1982**; or\n\n(ii) is information that if included in a document would make that document an exempt document under that section 28; or\n\n(b) the information or document is subject to legal professional privilege or client legal privilege.\n\n(2) The Secretary to the Department of Premier and Cabinet may certify that information or a document described in subsection (1)(a)—\n\n(a) in the case of information, is information which, if included in a document, would make the document an exempt document of a kind referred to in section 28(1) of the **Freedom of Information Act 1982**;\n\n(b) in the case of a document, is or, if it existed, would be an exempt document of a kind referred to in section 28(1) of the **Freedom of Information Act 1982**.\n\nS. 83K inserted by No. 20/2017 s. 
88.\n\n","sortOrder":126},{"sectionNumber":"83K","sectionType":"section","heading":"Statutory secrecy not a reasonable excuse","content":"\t83K Statutory secrecy not a reasonable excuse\n\n(1) It is not a reasonable excuse for a person to refuse or fail to comply with the notice as a result of—\n\n(a) any obligation imposed on that person, by any enactment or rule of law, to maintain secrecy in relation to the production of the document or information or the answer to a question; or\n\n(b) any restriction imposed on that person, by any enactment or rule of law, that prohibits the disclosure of the document, information or the answer to a question.\n\n(2) Nothing in this section affects the operation of—\n\n(a) Part 7 of the **Protected Disclosure Act 2012**; or\n\n(b) Division 3 of Part 2 of the **Independent Broad-based Anti‑corruption Commission Act 2011**.\n\nS. 83L inserted by No. 11/2021 s. 169.\n\n","sortOrder":127},{"sectionNumber":"83L","sectionType":"section","heading":"Act applies equally to attendance in person or by audio or audio visual link","content":"\t83L Act applies equally to attendance in person or by audio or audio visual link\n\n(1) Except as otherwise provided in this Part, a provision of this Act that applies in relation to attendance of a person required under a notice under section 83A applies in relation to attendance by audio visual link or audio link in the same way that it applies in relation to attendance in person.\n\n(2) Except as otherwise provided in this Part, a provision of this Act that applies in relation to production of documents required under a notice under section 83A applies in relation to production of documents by secure electronic means in the same way that it applies in relation to production of documents in person.\n\nPart 4—Protective data security\n\nDivision 1—Application of Part\n\n\t84 Application of Part\n\n(1) Subject to subsection (2), this Part applies to—\n\n(a) a public sector agency; and\n\n(b) a body 
that is a special body, within the meaning of section 6 of the **Public Administration Act 2004**; and\n\n(c) a body declared under subsection (3) to be a body to which this Part applies.\n\n(2) This Part does not apply to the following—\n\n(a) a Council;\n\n(b) a university within the meaning of the **Education and Training Reform Act 2006**;\n\n(c) a body to which, or to the governing body of which, the government of another jurisdiction, or a person appointed or body established under the law of another jurisdiction, has the right to appoint a member, irrespective of how that right arises;\n\n(d) a public hospital within the meaning of the **Health Services Act 1988**;\n\n(e) a public health service within the meaning of the **Health Services Act 1988**;\n\n(f) a multi-purpose service within the meaning of the **Health Services Act 1988**;\n\n(g) an ambulance service, within the meaning of the **Ambulance Services Act 1986**.\n\n(3) The Governor in Council, by Order published in the Government Gazette, may declare a body to be a body to which this Part applies.\n\nDivision 2—Protective data security framework\n\nS. 85 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":128},{"sectionNumber":"85","sectionType":"section","heading":"Information Commissioner to develop Victorian protective data security framework","content":"\t85 Information Commissioner to develop Victorian protective data security framework\n\nS. 85(1) amended by No. 20/2017 s. 106(5).\n\n(1) The Information Commissioner must develop the Victorian protective data security framework for monitoring and assuring the security of public sector data.\n\nS. 85(1A) inserted by No. 20/2017 s. 
89.\n\n(1A) The Information Commissioner may from time to time review or amend the Victorian protective data security framework.\n\n(2) The Victorian protective data security framework must be as consistent as possible with standards relating to information security (including international standards) prescribed for the purposes of this section.\n\nDivision 3—Protective data security standards\n\nS. 86 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":129},{"sectionNumber":"86","sectionType":"section","heading":"Information Commissioner may issue protective data security standards","content":"\t86 Information Commissioner may issue protective data security standards\n\nS. 86(1) amended by Nos 20/2017 s. 106(2), 31/2024 s. 58(1).\n\n(1) The Information Commissioner may issue standards, consistent with the Victorian protective data security framework, for the confidentiality, integrity and availability of public sector data and access to public sector data (***protective data security standards***).\n\nS. 86(2) amended by No. 20/2017 s. 
106(2).\n\n(2) The Information Commissioner may issue—\n\n(a) protective data security standards that apply to any agency or body referred to in section 84(1) (***general protective data security standards***); or\n\n(b) protective data security standards (***customised protective data security standards***) that apply—\n\n(i) to a specified agency or body referred to in section 84(1) and all information handled by that agency or body; or\n\n(ii) to one or more specified agencies or bodies referred to in section 84(1) and to—\n\n(A) any specified information or class of information handled by those agencies or bodies; or\n\n(B) any specified activity or class of activity of those agencies or bodies.\n\n(3) If a general protective data security standard issued is inconsistent with a customised protective data security standard, the customised protective data security standard prevails to the extent of the inconsistency.\n\nS. 86(4) amended by No. 20/2017 s. 106(2), substituted by No. 31/2024 s. 58(2).\n\n(4) The Information Commissioner must not issue a protective data security standard unless it has been agreed to by the Minister.\n\n","sortOrder":130},{"sectionNumber":"87","sectionType":"section","heading":"Amendment, revocation or reissue of standards","content":"\t87 Amendment, revocation or reissue of standards\n\nS. 87(1) amended by No. 20/2017 s. 
106(5).\n\n(1) The Information Commissioner may amend, revoke or reissue a protective data security standard.\n\n(2) For the purpose of subsection (1), section 86 applies—\n\n(a) as if a reference to the issue of a protective data security standard were a reference to the amendment, revocation or reissue of a protective data security standard (as the case requires); and\n\n","sortOrder":131},{"sectionNumber":"88","sectionType":"section","heading":"Compliance with protective data security standards","content":"\t88 Compliance with protective data security standards\n\n(1) A public sector body Head for an agency or a body to which this Part applies must ensure that the agency or body does not do an act or engage in a practice that contravenes a protective data security standard, in respect of—\n\n(a) public sector data collected, held, managed, used, disclosed or transferred by it; and\n\n(b) public sector data systems kept by it.\n\n(2) A public sector body Head for an agency or a body to which this Part applies must ensure that a contracted service provider of the agency or body does not do an act or engage in a practice that contravenes a protective data security standard in respect of public sector data collected, held, used, managed, disclosed or transferred by the contracted service provider for the agency or body.\n\nDivision 4—Protective data security plans\n\n","sortOrder":132},{"sectionNumber":"89","sectionType":"section","heading":"Protective data security plans","content":"\t89 Protective data security plans\n\n(1) Within 2 years after the issue of protective data security standards applying to an agency or body to which this Part applies, the public sector body Head must ensure that—\n\n(a) a security risk profile assessment is undertaken for the agency or body; and\n\n(b) a protective data security plan is developed for the agency or body that addresses the protective data security standards applicable to that agency or body.\n\n(2) A security risk 
profile assessment of an agency or body must include an assessment of any contracted service provider of the agency or body to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.\n\n(3) A protective data security plan developed for an agency or body must address compliance by any contracted service provider of the agency or body with the protective data security standards applicable to that agency or body to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.\n\n(4) A public sector body Head must ensure that the protective data security plan prepared under this section is reviewed—\n\n(a) if there is a significant change in the operating environment or the security risks relevant to the agency or body; or\n\n(b) otherwise, every 2 years.\n\nS. 89(5) amended by No. 20/2017 s. 106(5).\n\n(5) A public sector body Head for the agency or body must ensure that a copy of the protective data security plan is given to the Information Commissioner.\n\nS. 90 amended by No. 31/2024 s. 59.\n\n","sortOrder":133},{"sectionNumber":"90","sectionType":"section","heading":"Exemption—Freedom of Information Act 1982","content":"\t90 Exemption—Freedom of Information Act 1982\n\nThe **Freedom of Information Act 1982** does not apply to a protective data security plan or a security risk profile assessment undertaken for the purposes of section 89.\n\n","sortOrder":134},{"sectionNumber":"Part 5","sectionType":"part","heading":"Law enforcement data security","content":"Part 5—Law enforcement data security\n\n","sortOrder":135},{"sectionNumber":"91","sectionType":"section","heading":"Application of Part","content":"\t91 Application of Part\n\nThis Part applies to—\n\nS. 91(a) substituted by No. 60/2014 s. 
132.\n\n(a) Victoria Police; and\n\n(b) the Chief Statistician; and\n\n(c) an employee or consultant employed or engaged under section 6 of the **Crime Statistics Act 2014**.\n\nS. 92 (Heading) amended by No. 20/2017 s. 106(3).\n\n","sortOrder":136},{"sectionNumber":"92","sectionType":"section","heading":"Information Commissioner may issue law enforcement data security standards","content":"\t92 Information Commissioner may issue law enforcement data security standards\n\nS. 92(1) amended by No. 20/2017 s. 106(15).\n\n(1) The Information Commissioner may issue standards for—\n\n(a) the security and integrity of law enforcement data systems and crime statistics data systems; and\n\n(b) access to, and release of, law enforcement data and crime statistics data, including, but not limited to, the release of law enforcement data and crime statistics data to members of the public.\n\nS. 92(2) amended by No. 20/2017 s. 106(15).\n\n(2) The Information Commissioner must consult with the Chief Commissioner of Police in developing law enforcement data security standards.\n\nS. 92(3) amended by No. 20/2017 s. 106(15).\n\n(3) The Information Commissioner must consult with the Chief Statistician in developing law enforcement data security standards in relation to crime statistics data and crime statistics data systems.\n\nS. 92(4) amended by No. 20/2017 s. 
106(15).\n\n(4) The Information Commissioner may amend, revoke and reissue law enforcement security standards in accordance with subsection (2) or (3), as the case requires.\n\n","sortOrder":137},{"sectionNumber":"93","sectionType":"section","heading":"Inconsistency with protective data security standards","content":"\t93 Inconsistency with protective data security standards\n\nIf a law enforcement data security standard is inconsistent with a protective data security standard, the law enforcement security standard prevails to the extent of the inconsistency.\n\n","sortOrder":138},{"sectionNumber":"94","sectionType":"section","heading":"Compliance with law enforcement data security standards","content":"\t94 Compliance with law enforcement data security standards\n\nS. 94(1) amended by No. 60/2014 s. 133.\n\n(1) Victoria Police must not do an act or engage in a practice that contravenes a law enforcement data security standard, in respect of—\n\n(a) law enforcement data collected, held, used, managed, disclosed or transferred by it; or\n\n(b) law enforcement data systems kept by it.\n\n(2) A person referred to in section 91(b) or (c) must not do an act or engage in a practice that contravenes a law enforcement data security standard, in respect of—\n\n(a) crime statistics data collected, held, used, managed, disclosed or transferred by the person; or\n\n(b) crime statistics data systems kept by the person.\n\nPt 6 (Heading) substituted by No. 20/2017 s. 90.\n\n","sortOrder":139},{"sectionNumber":"Part 6","sectionType":"part","heading":"General powers of Information Commissioner","content":"Part 6—General powers of Information Commissioner\n\nPt 6 Div. 1 (Heading and ss 95–102) repealed by No. 20/2017 s. 91.\n\nPt 6 Div. 2 (Heading) substituted as Pt 6 Div. 1 (Heading) by No. 20/2017 s. 92.\n\nDivision 1—General powers of Information Commissioner\n\nS. 103 repealed by No. 20/2017 s. 93.\n\nS. 104 repealed by No. 20/2017 s. 94.\n\nS. 105 repealed by No. 
20/2017 s. 95.\n\nS. 106 (Heading) amended by No. 20/2017 s. 106(3).\n\nS. 106 amended by No. 20/2017 ss 96, 106(6).\n\n","sortOrder":140},{"sectionNumber":"106","sectionType":"section","heading":"Information Commissioner may require access to data and data systems from public sector body Heads","content":"\t106 Information Commissioner may require access to data and data systems from public sector body Heads\n\nThe Information Commissioner may require the relevant public sector body Head to give the Information Commissioner free and full access at all reasonable times to the following as is necessary to enable the Information Commissioner to perform the Information Commissioner's functions under section 8D(1)(d) and (2)(b)—\n\n(a) any public sector data (including any document on which such data is recorded); or\n\n(b) any public sector organisation's data system.\n\nS. 107 (Heading) amended by No. 20/2017 s. 106(16).\n\n","sortOrder":141},{"sectionNumber":"107","sectionType":"section","heading":"Information Commissioner may require access to data and data systems from Chief Commissioner of Police","content":"\t107 Information Commissioner may require access to data and data systems from Chief Commissioner of Police\n\nS. 107(1) amended by No. 20/2017 ss 97, 106(17).\n\n(1) The Information Commissioner may require the Chief Commissioner of Police to give the Information Commissioner free and full access at all reasonable times to the following as is necessary to enable the Information Commissioner to perform the Information Commissioner's functions under section 8D(1)(e) and (2)(b)—\n\n(a) any law enforcement data (including any document on which such data is recorded); or\n\n(b) the Victoria Police law enforcement data system.\n\nS. 107(2) amended by No. 20/2017 s. 
106(17)(b).\n\n(2) The Chief Commissioner of Police may refuse to comply with a requirement of the Information Commissioner under subsection (1) if the Chief Commissioner considers that giving access to law enforcement data or a law enforcement data system would, or would be reasonably likely to—\n\n(a) prejudice the investigation of a breach or possible breach of the law or prejudice the enforcement or proper administration of the law in a particular instance; or\n\n(b) prejudice the fair trial of a person or the impartial adjudication of a particular case or disclose data that is of such a nature that it would be privileged from production in legal proceedings on the ground of legal professional privilege or client legal privilege; or\n\n(c) disclose, or enable a person to ascertain, the identity of a confidential source of information in relation to the enforcement or administration of the law; or\n\n(d) endanger the lives or physical safety of persons engaged in or in connection with law enforcement or persons who have provided confidential information in relation to the enforcement or administration of the law.\n\nS. 107(3) amended by No. 60/2014 s. 134(1).\n\n(3) Section 19 of the **Victoria Police Act 2013** does not apply to any power, discretion, function, authority or duty of the Chief Commissioner of Police under this section.\n\nNote to s. 107(3) repealed by No. 60/2014 s. 134(2).\n\nS. 107(4) inserted by No. 60/2014 s. 134(3).\n\n(4) A police officer who is a Deputy Commissioner appointed under section 21 of the **Victoria Police Act 2013** may exercise the powers and perform the functions of the Chief Commissioner of Police under this section as if the Deputy Commissioner were the Chief Commissioner of Police.\n\nS. 108 (Heading) amended by No. 20/2017 s. 
106(3).\n\n","sortOrder":142},{"sectionNumber":"108","sectionType":"section","heading":"Information Commissioner may request access to crime statistics data","content":"\t108 Information Commissioner may request access to crime statistics data\n\nS. 108(1) amended by No. 20/2017 ss 98, 106(6).\n\n(1) The Information Commissioner may require the Chief Statistician to give the Information Commissioner free and full access at all reasonable times to any crime statistics data (including any document on which crime statistics data is recorded) or any crime statistics data system as is necessary to enable the Information Commissioner to perform the Information Commissioner's functions under section 8D(1)(e) and (2)(b).\n\nS. 108(2) amended by No. 20/2017 s. 106(6)(a).\n\n(2) Subject to subsection (3), the Chief Statistician must comply with a requirement of the Information Commissioner under this section.\n\nS. 108(3) amended by No. 20/2017 s. 106(6)(a).\n\n(3) The Chief Statistician may refuse to comply with a requirement of the Information Commissioner under this section if the Chief Statistician considers that giving access to that data or system would, or would be reasonably likely to—\n\n(a) prejudice the investigation of a breach or possible breach of the law or prejudice the enforcement or proper administration of the law in a particular instance; or\n\n(b) prejudice the fair trial of a person or the impartial adjudication of a particular case or disclose data that is of such a nature that it would be privileged from production in legal proceedings on the ground of legal professional privilege or client legal privilege; or\n\n(c) disclose, or enable a person to ascertain, the identity of a confidential source of information in relation to the enforcement or administration of the law; or\n\n(d) endanger the lives or physical safety of persons engaged in or in connection with law enforcement or persons who have provided confidential information in relation to the 
enforcement or administration of the law.\n\nS. 109 (Heading) amended by No. 20/2017 s. 106(3).\n\nS. 109 amended by No. 20/2017 s. 106(5).\n\n","sortOrder":143},{"sectionNumber":"109","sectionType":"section","heading":"Information Commissioner may copy or take extracts from data","content":"\t109 Information Commissioner may copy or take extracts from data\n\nDespite anything to the contrary in any other Act (other than the **Charter of Human Rights and Responsibilities Act 2006**) or law, the Information Commissioner may make copies of, or take extracts from, any data or document accessed under section 106, 107 or 108.\n\nS. 110 amended by No. 20/2017 s. 106(18).\n\n","sortOrder":144},{"sectionNumber":"110","sectionType":"section","heading":"Public sector body Heads to provide assistance","content":"\t110 Public sector body Heads to provide assistance\n\nThe Information Commissioner may request a public sector body Head to provide any assistance that the Information Commissioner reasonably considers appropriate to perform the Information Commissioner's functions under this Act relating to protective data security and law enforcement data security.\n\n","sortOrder":145},{"sectionNumber":"111","sectionType":"section","heading":"Reports to the Minister and other reports","content":"\t111 Reports to the Minister and other reports\n\nS. 111(1) amended by No. 20/2017 s. 106(19).\n\n(1) At the request of the Minister, the Information Commissioner must report to the Minister on any matter relating to the Information Commissioner's information privacy, protective data security, law enforcement data security or crime statistics data security functions.\n\n(2) The Minister may cause a copy of a report referred to in subsection (1) to be laid before each House of the Parliament.\n\nS. 111(3) amended by No. 20/2017 s. 106(19)(a).\n\n(3) The Information Commissioner may publish, in the public interest, reports and recommendations—\n\nS. 111(3)(a) amended by No. 20/2017 s. 
106(19)(a).\n\n(a) relating to any act or practice that the Information Commissioner considers to be an interference with the privacy of an individual; or\n\nS. 111(3)(b) amended by No. 20/2017 s. 106(19)(b).\n\n(b) generally relating to the Information Commissioner's functions under this Act.\n\nS. 111(4) amended by No. 20/2017 s. 106(19)(a).\n\n(4) The Information Commissioner may publish a report under subsection (3) whether or not the matters to be dealt with in the report have been the subject of a report to the Minister.\n\n","sortOrder":146},{"sectionNumber":"112","sectionType":"section","heading":"Disclosure during course of compliance audit—data security","content":"\t112 Disclosure during course of compliance audit—data security\n\nS. 112(1) amended by No. 20/2017 s. 106(2).\n\n(1) At any time during the conduct of a compliance audit of a person, agency or body to which Part 4 or 5 applies, the Information Commissioner may give written information to a person or body referred to in subsection (2) concerning any matter that the Information Commissioner considers requires urgent investigation or attention.\n\n(2) For the purpose of subsection (1), the following persons and bodies are specified—\n\n(a) the IBAC;\n\nS. 112(2)(b) amended by No. 31/2024 s. 113(Sch. 1 item 26.5).\n\n(b) Integrity Oversight Victoria;\n\n(c) the Ombudsman;\n\n(d) the Chief Commissioner of Police;\n\n(e) the Director of Public Prosecutions;\n\n(f) a prescribed person or body.\n\nS. 112(3) amended by No. 20/2017 s. 106(2).\n\n(3) If the Information Commissioner gives information under this section, the Information Commissioner must—\n\n(a) notify the Premier and the responsible Minister for the person, agency or body; and\n\nS. 112(3)(b) amended by No. 20/2017 s. 
106(2).\n\n(b) include a statement in the audit report that the Information Commissioner has given information to a person or body under this section during the conduct of the audit.\n\n","sortOrder":147},{"sectionNumber":"113","sectionType":"section","heading":"Disclosure to the IBAC","content":"\t113 Disclosure to the IBAC\n\nS. 113(1) amended by No. 20/2017 s. 106(2).\n\n(1) The Information Commissioner may disclose any information obtained or received in the course or as a result of the exercise of the functions of the Information Commissioner under this Act, if it is information relevant to the performance of functions or duties by the IBAC.\n\nS. 113(2) amended by No. 20/2017 s. 106(2).\n\n(2) The Information Commissioner must notify the relevant public sector body Head of any disclosure made under subsection (1).\n\nPt 6 Div. 3 (Heading) substituted as Pt 6 Div. 2 (Heading) by No. 20/2017 s. 99.\n\nDivision 2—Reporting\n\nS. 114 repealed by No. 20/2017 s. 100.\n\nS. 115 repealed by No. 20/2017 s. 101.\n\nS. 116 amended by No. 20/2017 s. 106(20), substituted by No. 31/2024 s. 60.\n\n","sortOrder":148},{"sectionNumber":"116","sectionType":"section","heading":"Report on performance and exercise of powers","content":"\t116 Report on performance and exercise of powers\n\nIn its report of operations for a financial year under Part 7 of the **Financial Management Act 1994**, the Information Commissioner must include a report on the performance and exercise of the Information Commissioner's functions and powers under this Act during the relevant year.\n\n","sortOrder":149},{"sectionNumber":"Part 7","sectionType":"part","heading":"General","content":"Part 7—General\n\n","sortOrder":150},{"sectionNumber":"117","sectionType":"section","heading":"Protection from liability","content":"\t117 Protection from liability\n\n(1) A person is not personally liable for any loss, damage or injury suffered by another person by reason only that the person—\n\nS. 
117(1)(a) amended by No. 20/2017 s. 106(2).\n\n(a) produces a document, or gives any information or evidence, to the Information Commissioner under this Act; or\n\nS. 117(1)(b) amended by No. 20/2017 s. 106(2).\n\n(b) gives the Information Commissioner access to any public sector data, law enforcement data or crime statistics data or any public sector organisation's data system, law enforcement data system or crime statistics data system under this Act.\n\n(2) A person who lodges a complaint under section 57(1) is not personally liable for any loss, damage or injury suffered by another person by reason only of the lodging of the complaint.\n\n(3) Subsection (4) applies if—\n\n(a) a person has been provided by an organisation with access to personal information; and\n\n(b) either—\n\n(i) the access was required by IPP 6 or an applicable code of practice; or\n\n(ii) the organisation, or an employee or agent of the organisation acting within the scope of the employee's or agent's actual or apparent authority, believed in good faith that the access was required by IPP 6 or an applicable code of practice.\n\n(4) The provision of access to personal information in the circumstances referred to in subsection (3)—\n\n(a) is not to be regarded as making the organisation, or any employee or agent of the organisation, liable for defamation or breach of confidence or guilty of a criminal offence by reason only of the provision of access; or\n\n(b) is not to be regarded as making any person who provided the personal information to the organisation liable for defamation or breach of confidence in respect of any publication involved in, or resulting from, the provision of access by reason only of the provision of access; or\n\n(c) must not be taken for the purpose of the law relating to defamation or breach of confidence to constitute an authorisation or approval of the publication of the information by the person who is provided with access to the information.\n\n(5) An 
organisation is not in breach of the Information Privacy Principles or an applicable code of practice by reason only of—\n\n(a) collecting, holding, managing, using, disclosing or transferring personal information; or\n\n(b) providing access to personal information; or\n\n(c) correcting personal information—\n\nof an individual in response to a consent or request by an authorised representative whose consent or request is void by virtue of section 28(4).\n\n","sortOrder":151},{"sectionNumber":"118","sectionType":"section","heading":"Employees and agents","content":"\t118 Employees and agents\n\n(1) Any act done or practice engaged in on behalf of an organisation, or a person, agency or body to which Part 4 or 5 applies by an employee or agent of the organisation, person, agency or body acting within the scope of the employee's or agent's actual or apparent authority is to be taken, for the purposes of this Act including a prosecution for an offence against this Act, to have been done or engaged in by the organisation, person, agency or body and not by the employee or agent unless the organisation, person, agency or body establishes that it took reasonable precautions and exercised due diligence to avoid the act being done or the practice being engaged in by its employee or agent.\n\n(2) If, for the purpose of investigating a complaint or a proceeding for an offence against this Act, it is necessary to establish the state of mind of an organisation, person, agency or body, in relation to a particular act or practice, it is sufficient to show—\n\n(a) that the act was done or practice engaged in by an employee or agent of the organisation, person, agency or body, acting within the scope of the employee's or agent's actual or apparent authority; and\n\n(b) that the employee or agent had that state of mind.\n\nS. 118(3) substituted by No. 60/2014 s. 
135.\n\n(3) For the purposes of this section, each of the following is an employee of Victoria Police—\n\n(a) the Chief Commissioner of Police;\n\n(b) a Deputy Commissioner within the meaning of the **Victoria Police Act 2013**;\n\n(c) an Assistant Commissioner within the meaning of the **Victoria Police Act 2013**;\n\n(d) another police officer within the meaning of the **Victoria Police Act 2013**;\n\n(e) a special constable within the meaning of the **Victoria Police Act 2013**;\n\n(f) a police reservist within the meaning of the **Victoria Police Act 2013**;\n\n(g) a protective services officer within the meaning of the **Victoria Police Act 2013**.\n\n","sortOrder":152},{"sectionNumber":"119","sectionType":"section","heading":"Fees for access","content":"\t119 Fees for access\n\nAn organisation may charge an individual the prescribed fee (if any) for providing access to personal information under this Act.\n\n","sortOrder":153},{"sectionNumber":"120","sectionType":"section","heading":"Secrecy","content":"\t120 Secrecy\n\nS. 120(1) substituted by No. 20/2017 s. 102(1).\n\n(1) This section applies to a person who is or has been—\n\n(a) the Information Commissioner; or\n\n(b) the Privacy and Data Protection Deputy Commissioner; or\n\n(c) an acting Information Commissioner or Privacy and Data Protection Deputy Commissioner; or\n\n(d) a member of staff of the Office of the Victorian Information Commissioner; or\n\n(e) a former Commissioner, acting former Commissioner or an employee of the former Commissioner; or\n\n(f) a person to whom a former secrecy provision applied.\n\nS. 120(2) amended by No. 20/2017 s. 
102(2).\n\n(2) A person to whom this section applies must not, either directly or indirectly, make a record of, disclose or communicate to any person any information about an individual or organisation obtained or received in the course of performing functions or duties or exercising powers under this Act or a former Act except as provided in subsection (3).\n\nPenalty: 240 penalty units, or imprisonment for 2 years or both.\n\n(3) A person to whom this section applies may make a record, disclosure or communication referred to in subsection (2) if—\n\n(a) it is necessary to do so for the purposes of, or in connection with, the performance of a function or duty or the exercise of a power under this Act or a former Act; or\n\n(b) the individual or organisation to whom the information relates gives written consent to the making of the record, disclosure or communication.\n\nS. 120(4) def. of *former Act* amended by No. 20/2017 s. 102(3)(a).\n\n***former Act*** means either of the following as in force immediately before its repeal—\n\n(a) the **Commissioner for Law Enforcement Data Security Act 2005**;\n\n(b) the **Information Privacy Act 2000**;\n\nS. 120(4) def. of *former Commissioner* inserted by No. 20/2017 s. 102(3)(b).\n\n***former Commissioner*** means a person appointed as Commissioner for Privacy and Data Protection;\n\nS. 120(4) def. of *former secrecy provision* inserted by No. 20/2017 s. 102(3)(b).\n\n***former secrecy provision*** means—\n\n(a) section 67 of the **Information Privacy Act 2000**, as in force immediately before its repeal; or\n\n(b) section 15 of the **Commissioner for Law Enforcement Data Security Act 2005** as in force immediately before its repeal.\n\nS. 121 (Heading) amended by No. 20/2017 s. 
106(3).\n\n","sortOrder":154},{"sectionNumber":"121","sectionType":"section","heading":"Information Commissioner to give notice before certain disclosures","content":"\t121 Information Commissioner to give notice before certain disclosures\n\nS. 121(1) amended by Nos 20/2017 s. 106(21), 2/2019 s. 209.\n\n(1) Before disclosing or communicating to any person, other than a member of staff of the Office of the Victorian Information Commissioner, any information given to the Information Commissioner pursuant to a prescribed requirement (including information contained in a document required to be produced to the Information Commissioner), the Information Commissioner must—\n\n(a) notify the person from whom the information was obtained of the proposal to disclose or communicate that information; and\n\n(b) give that person a reasonable opportunity to object to the disclosure or communication.\n\n(2) In this section, ***prescribed requirement*** means a requirement made under—\n\n(a) Subdivision 3 of Division 8 of Part 3; or\n\n(b) Part 6; or\n\n(c) Division 3 of Part 5 of the **Information Privacy Act 2000** as in force immediately before its repeal.\n\nS. 122 substituted by No. 20/2017 s. 
103.\n\n","sortOrder":155},{"sectionNumber":"122","sectionType":"section","heading":"Offence to obstruct, mislead or provide false information","content":"\t122 Offence to obstruct, mislead or provide false information\n\n(1) A person must not, without reasonable excuse, wilfully obstruct, hinder or resist the Information Commissioner, the Privacy and Data Protection Deputy Commissioner, a delegate of the Information Commissioner or the Privacy and Data Protection Deputy Commissioner or a member of staff of the Office of the Victorian Information Commissioner, in—\n\n(a) performing, or attempting to perform, a function or duty under this Act; or\n\n(b) exercising, or attempting to exercise, a power under this Act.\n\n(2) A person must not, without reasonable excuse, provide information or make a statement to the Information Commissioner, the Privacy and Data Protection Deputy Commissioner, a delegate of the Information Commissioner or the Privacy and Data Protection Deputy Commissioner or a member of staff of the Office of the Victorian Information Commissioner knowing that it is false or misleading in a material particular.\n\n(3) A person must not, without reasonable excuse, mislead or attempt to mislead the Information Commissioner, the Privacy and Data Protection Deputy Commissioner, a delegate of the Information Commissioner or the Privacy and Data Protection Deputy Commissioner or a member of staff of the Office of the Victorian Information Commissioner.\n\n","sortOrder":156},{"sectionNumber":"123","sectionType":"section","heading":"Offences by organisations or bodies","content":"\t123 Offences by organisations or bodies\n\nIf this Act provides that an organisation or  \nbody is guilty of an offence, that reference to an organisation or body must, if the organisation or body is unincorporated, be read as a reference to each member of the committee of management of the organisation or 
body.\n\n","sortOrder":157},{"sectionNumber":"124","sectionType":"section","heading":"Prosecutions","content":"\t124 Prosecutions\n\n(1) A proceeding for an offence against this Act may only be commenced by—\n\nS. 124(1)(a) substituted by No. 60/2014 s. 136.\n\n(a) a police officer within the meaning of the **Victoria Police Act 2013**; or\n\nS. 124(1)(b) amended by No. 20/2017 s. 106(2).\n\n(b) the Information Commissioner; or\n\nS. 124(1)(c) amended by No. 20/2017 s. 106(2).\n\n(c) a person authorised to do so, either generally or in a particular case, by the Information Commissioner.\n\n(2) In a proceeding for an offence against this Act it must be presumed, in the absence of evidence to the contrary, that the person bringing the proceeding was authorised to bring it.\n\n","sortOrder":158},{"sectionNumber":"125","sectionType":"section","heading":"Regulations","content":"\t125 Regulations\n\n(1) The Governor in Council may make regulations for or with respect to any matter or thing required or permitted by this Act to be prescribed or necessary to be prescribed to give effect to this Act.\n\n(2) Without limiting subsection (1), the regulations may prescribe fees for providing access to personal information under this Act.\n\n(3) The regulations—\n\n(a) may be of general or limited application; and\n\n(b) may differ according to differences in time, place or circumstances; and\n\n(c) may leave any matter to be determined by the Minister; and\n\n(d) may apply, adopt or incorporate any matter contained in any document, code, standard, rule, specification or method, formulated, issued, prescribed or published by any person whether—\n\n(i) wholly or partially or as amended by the regulations; or\n\n(ii) formulated, issued, prescribed or published at the time the regulations are made or at any time before then; or\n\n(iii) as formulated, issued, prescribed or published from time to time.\n\n","sortOrder":159},{"sectionNumber":"Part 
8","sectionType":"part","heading":"Repeal of Acts and transitional and savings provisions","content":"Part 8—Repeal of Acts and transitional and savings provisions\n\n","sortOrder":160},{"sectionNumber":"126","sectionType":"section","heading":"Repeal of Information Privacy Act 2000","content":"\t126 Repeal of Information Privacy Act 2000\n\nThe **Information Privacy Act 2000** is **repealed**.\n\n","sortOrder":161},{"sectionNumber":"127","sectionType":"section","heading":"Repeal of Commissioner for Law Enforcement Data Security Act 2005","content":"\t127 Repeal of Commissioner for Law Enforcement Data Security Act 2005\n\nThe **Commissioner for Law Enforcement Data Security Act 2005** is **repealed**.\n\n","sortOrder":162},{"sectionNumber":"128","sectionType":"section","heading":"Transitional and savings provisions","content":"\t128 Transitional and savings provisions\n\n","sortOrder":163},{"sectionNumber":"Sch 2","sectionType":"schedule","heading":"has effect.","content":"Schedule 2 has effect.\n\nNew s. 129 inserted by No. 20/2017 s. 104.\n\n","sortOrder":164},{"sectionNumber":"129","sectionType":"section","heading":"Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017","content":"\t129 Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017\n\nSchedule 3 has effect.\n\nNew s. 130 inserted by No. 11/2021 s. 170, repealed by No. 60/2014 s. 130(4).\n\nPt 9 (Heading and  \nss 129–141) repealed by No. 60/2014 s. 141.\n\nSchedules\n\nSchedule 1––The Information Privacy Principles\n\nIn these Principles—\n\nSch. 1 def. of *sensitive information* amended by No. 31/2024 s. 
61.\n\n***sensitive information*** means information or an opinion about an individual's—\n\n(a) racial or ethnic origin; or\n\n(b) political opinions; or\n\n(c) membership of a political association; or\n\n(d) religious beliefs or affiliations; or\n\n(e) philosophical beliefs; or\n\n(f) membership of a professional or trade association; or\n\n(g) membership of a trade union; or\n\n(h) sexual orientation or practices; or\n\n(i) criminal record—\n\nthat is also personal information;\n\nSch. 1 def. of *unique identifier* amended by No. 60/2017 s. 34(1).\n\n***unique identifier*** means an identifier (usually a number) assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual's name and does not include an identifier within the meaning of the **Health Records Act 2001**.\n\n\t1 Principle 1—Collection\n\n1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.\n\n1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.\n\n1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of—\n\n(a) the identity of the organisation and how to contact it; and\n\n(b) the fact that the individual is able to gain access to the information; and\n\n(c) the purposes for which the information is collected; and\n\n(d) to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and\n\n(e) any law that requires the particular information to be collected; and\n\n(f) the main consequences (if any) for the individual if all or part 
of the information is not provided.\n\n1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.\n\n1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in IPP 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.\n\n\t2 Principle 2—Use and Disclosure\n\n2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—\n\n(a) both of the following apply—\n\n(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;\n\n(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or\n\n(b) the individual has consented to the use or disclosure; or\n\n(c) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual—\n\n(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and\n\n(ii) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information; or\n\n(d) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent—\n\nSch. 1 cl. 2.1(d)(i) amended by No. 23/2017 s. 
22(1).\n\n(i) a serious threat to an individual's life, health, safety or welfare; or\n\n(ii) a serious threat to public health, public safety or public welfare; or\n\n(e) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or\n\n(f) the use or disclosure is required or authorised by or under law; or\n\n(g) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency—\n\n(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;\n\n(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;\n\n(iii) the protection of the public revenue;\n\n(iv) the prevention, detection, investigation or remedying of seriously improper conduct;\n\n(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or\n\n(h) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the organisation to disclose the personal information and—\n\n(i) the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure; and\n\n(ii) an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) for the purposes of this paragraph has certified that the disclosure would be connected with the performance by ASIO or ASIS (as the case requires) of its functions.\n\n2.2 If an organisation 
uses or discloses personal information under IPP 2.1(g), it must make a written note of the use or disclosure.\n\n\t3 Principle 3—Data Quality\n\n3.1 An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.\n\n\t4 Principle 4—Data Security\n\n4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.\n\n4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.\n\n\t5 Principle 5—Openness\n\n5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.\n\n5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.\n\n\t6 Principle 6—Access and Correction\n\n6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that—\n\nSch. 1 cl. 6.1(a) amended by No. 23/2017 s. 
22(2).\n\n(a) providing access would pose a serious threat to the life or health of any individual; or\n\n(b) providing access would have an unreasonable impact on the privacy of other individuals; or\n\n(c) the request for access is frivolous or vexatious; or\n\n(d) the information relates to existing legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or\n\n(e) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or\n\n(f) providing access would be unlawful; or\n\n(g) denying access is required or authorised by or under law; or\n\n(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or\n\n(i) providing access would be likely to prejudice—\n\n(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; or\n\n(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or\n\n(iii) the protection of public revenue; or\n\n(iv) the prevention, detection, investigation or remedying of seriously improper conduct; or\n\n(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders—\n\nby or on behalf of a law enforcement agency; or\n\n(j) ASIO, ASIS or a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.\n\n6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather 
than direct access to the information.\n\n6.3 If the organisation is not required to provide the individual with access to the information because of one or more of IPP 6.1(a) to (j) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.\n\n6.4 If an organisation charges for providing access to personal information, the organisation—\n\n(a) must advise an individual who requests access to personal information that the organisation will provide access on the payment of the prescribed fee; and\n\n(b) may refuse access to the personal information until the fee is paid.\n\n6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date.\n\n6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation must take reasonable steps to do so.\n\n6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.\n\n6.8 If an individual requests access to, or the correction of, personal information held by an organisation, the organisation must—\n\n(a) provide access, or reasons for the denial of access; or\n\n(b) correct the personal information, or provide reasons for the refusal to correct the personal information; or\n\n(c) provide reasons for the delay in responding to the request for access to or for the correction of personal information—\n\nas soon as practicable, but no later than 45 days after receiving the request.\n\n\t7 Principle 7—Unique 
Identifiers\n\n7.1 An organisation must not assign unique identifiers to individuals unless the assignment of unique identifiers is necessary to enable the organisation to carry out any of its functions efficiently.\n\n7.2 An organisation must not adopt as its own unique identifier of an individual a unique identifier of the individual that has been assigned by another organisation unless—\n\n(a) it is necessary to enable the organisation to carry out any of its functions efficiently; or\n\n(b) it has obtained the consent of the individual to the use of the unique identifier; or\n\n(c) it is an outsourcing organisation adopting the unique identifier created by a contracted service provider in the performance of its obligations to the organisation under a State contract.\n\n7.3 An organisation must not use or disclose a unique identifier assigned to an individual by another organisation unless—\n\n(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the other organisation; or\n\n(b) one or more of IPP 2.1(d) to (g) applies to the use or disclosure; or\n\n(c) it has obtained the consent of the individual to the use or disclosure.\n\n7.4 An organisation must not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned.\n\n\t8 Principle 8—Anonymity\n\n8.1 Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.\n\n\t9 Principle 9—Transborder Data Flows\n\n9.1 An organisation may transfer personal information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if—\n\n(a) the organisation reasonably believes that the recipient of the information is subject 
to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Information Privacy Principles; or\n\n(b) the individual consents to the transfer; or\n\n(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of precontractual measures taken in response to the individual's request; or\n\n(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or\n\n(e) all of the following apply—\n\n(i) the transfer is for the benefit of the individual;\n\n(ii) it is impracticable to obtain the consent of the individual to that transfer;\n\n(iii) if it were practicable to obtain that consent, the individual would be likely to give it; or\n\n(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.\n\n\t10 Principle 10—Sensitive Information\n\n10.1 An organisation must not collect sensitive information about an individual unless—\n\n(a) the individual has consented; or\n\nSch. 1 cl. 10.1(b) amended by No. 60/2017 s. 34(2).\n\n(b) the collection is required or authorised under law; or\n\nSch. 1 cl. 10.1(c) amended by No. 23/2017 s. 
22(3).\n\n(c) the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual whom the information concerns—\n\n(i) is physically or legally incapable of giving consent to the collection; or\n\n(ii) physically cannot communicate consent to the collection; or\n\n(d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.\n\n10.2 Despite IPP 10.1, an organisation may collect sensitive information about an individual if—\n\n(a) the collection—\n\n(i) is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or\n\n(ii) is of information relating to an individual's racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and\n\n(b) there is no reasonably practicable alternative to collecting the information for that purpose; and\n\n(c) it is impracticable for the organisation to seek the individual's consent to the collection.\n\nSchedule 2––Transitional and savings provisions\n\n\t1 Definitions\n\nIn this Schedule—\n\n***commencement day*** means the day on which Part 8 comes into operation;\n\n***Commissioner for Law Enforcement Data Security*** means the Commissioner for Law Enforcement Data Security appointed under section 5 of the **Commissioner for Law Enforcement Data Security Act 2005** as in force immediately before the commencement day;\n\n***former Commissioner*** means—\n\n(a) the Commissioner for Law Enforcement Data Security; or\n\n(b) the Privacy Commissioner;\n\n***old Act*** means—\n\n(a) the **Commissioner for Law Enforcement Data Security Act 2005**; or\n\n(b) the **Information Privacy Act 2000**;\n\n***Privacy Commissioner*** means the Privacy Commissioner appointed under section 50 of the **Information Privacy Act 2000** as in force immediately before the commencement day.\n\n\t2 
General transitional provisions\n\n(1) This Schedule does not affect or take away from the **Interpretation of Legislation Act 1984**.\n\n(2) If a repealed provision of an old Act continues to apply by force of this Schedule, the following provisions also continue to apply in relation to that provision—\n\n(a) any other repealed provisions of the old Act necessary to give effect to that provision;\n\n(b) any regulations made under the old Act for the purposes of that provision.\n\n(3) Without limiting subclause (1), in declaring that certain provisions of the new Act are to be treated as re-enacting with modifications certain provisions of the **Information Privacy Act 2000**, this Schedule must not be taken to limit the operation of any provision of the **Interpretation of Legislation Act 1984** relating to the re‑enactment.\n\n(4) This Schedule applies despite anything to the contrary in any other provision of the new Act.\n\n\t3 Superseded reference\n\n(1) On and from the commencement day, a reference to an old Act in any Act or in any instrument made under any Act or in any other document of any kind, must be read as a reference to this Act unless the context otherwise requires.\n\n(2) In this clause, a reference to any Act does not include a reference to this Act or a provision of an old Act continued by this Act.\n\n\t4 Re-enacted provisions—Information Privacy Act 2000\n\nA provision or provisions of the **Information Privacy Act 2000** specified in Column 1 of the Table are taken to be re-enacted (with modifications) by the provision or provisions of this Act appearing opposite in Column 2 of the Table.\n\n| *Old provision* | *New provision* |\n| Section 14(1) and (2) | Section 18 |\n| Section 15(2) | Section 19 |\n| Section 16(1) and (4) | Section 20 |\n| Section 18 | Section 21 |\n| Section 19 | Section 22 |\n| Section 20 | Section 23 |\n| Section 21 | Section 24 |\n| Section 22 | Section 25 |\n| Section 23 | Section 26 |\n| Section 24 | Section 27 |\n| 
Section 25 | Section 57 |\n| Section 26 | Section 58 |\n| Section 27 | Sections 59 and 60 |\n| Section 28 | Section 61 |\n| Section 29 (except subsection (3)) | Section 62 |\n| Sections 29(3), 34A, 34B, 34C and 34D | Section 63 |\n| Section 30 | Section 64 |\n| Section 31 | Section 65 |\n| Section 32 | Section 66 |\n| Section 33 | Section 67 |\n| Section 34 | Section 68 |\n| Section 35 | Section 69 |\n| Section 36 | Section 70 |\n| Section 37 | Section 71 |\n| Section 38 | Section 72 |\n| Section 39 | Section 73 |\n| Section 40 | Section 74 |\n| Section 41 | Section 75 |\n| Section 42 | Section 76 |\n| Section 43 | Section 77 |\n| Section 44 | Section 78 |\n| Section 45 | Section 79 |\n| Section 46 | Section 80 |\n| Section 47 | Section 81 |\n| Section 48 | Section 82 |\n| Section 49 | Section 83 |\n| Section 64 | Section 28 |\n| Section 65 | Section 122 |\n| Section 66 | Section 117 |\n| Section 68 | Section 118 |\n| Section 69 | Section 119 |\n| Schedule 1 | Schedule 1 |\n\n\t5 Office of Privacy Commissioner abolished\n\n(a) the office of the Privacy Commissioner is abolished and the person holding that office and any person acting in that office go out of office; and\n\n(b) all rights, property and assets that, immediately before that day, were vested in the office of the Privacy Commissioner are, by force of this section, vested in the office of the Commissioner; and\n\n(c) all debts, liabilities and obligations of the office of the Privacy Commissioner existing immediately before that day become, by force of this section, debts, liabilities and obligations of the office of the new Commissioner; and\n\n(d) the Commissioner is, by force of this section, substituted as a party to any proceeding pending in any court or tribunal to which the Privacy Commissioner was a party immediately before that day; and\n\n(e) the Commissioner is, by force of this section, substituted as a party to any arrangement or contract entered into by or on behalf of the Privacy 
Commissioner as a party and in force immediately before that day.\n\n\t6 Office of Commissioner for Law Enforcement Data Security abolished\n\n(a) the office of the Commissioner for Law Enforcement Data Security is abolished and the person holding that office and any person acting in that office go out of office; and\n\n(b) all rights, property and assets that, immediately before that day, were vested in the office of the Commissioner for Law Enforcement Data Security are, by force of this section, vested in the office of the Commissioner; and\n\n(c) all debts, liabilities and obligations of the office of the Commissioner for Law Enforcement Data Security existing immediately before that day become, by force of this section, debts, liabilities and obligations of the office of the Commissioner; and\n\n(d) the Commissioner is, by force of this section, substituted as a party to any proceeding pending in any court or tribunal to which the Commissioner for Law Enforcement Data Security was a party immediately before that day; and\n\n(e) the Commissioner is, by force of this section, substituted as a party to any arrangement or contract entered into by or on behalf of the Commissioner for Law Enforcement Data Security as a party and in force immediately before that day.\n\n\t7 References to former Commissioner\n\nOn the commencement day any reference to a former Commissioner in any Act (other than this Act) or in any rule, regulation, order, agreement, instrument, deed or other document (by whatever name called or however described) must, so far as it relates to any period on or after that day and if not inconsistent with the context or subject-matter, be construed as a reference to the Commissioner.\n\n\t8 Staff of Privacy Commissioner and Commissioner for Law Enforcement Data Security\n\nOn the commencement day, any staff employed under Part 3 of the **Public Administration Act 2004** immediately before the commencement day by a former Commissioner are taken to be 
employed by the Commissioner under section 114 of this Act.\n\n\t9 Offences\n\nOn and after the commencement day, the Commissioner may commence or continue a prosecution for an offence committed under the **Information Privacy Act 2000** or the **Commissioner for Law Enforcement Data Security Act 2005**.\n\n\t10 Annual reports under Information Privacy Act 2000 for reporting periods which end before commencement day\n\n(b) the Privacy Commissioner has not prepared a report of operations referred to in section 62 of the **Information Privacy Act 2000** for that reporting period before that day.\n\n(2) On and after the commencement day, the Commissioner must, for the reporting period, prepare a report of operations under Part 7 of the **Financial Management Act 1994** which includes the information required by section 62 of the **Information Privacy Act 2000**.\n\n(3) Section 62 of the **Information Privacy Act 2000** applies for the purposes of subclause (2) as if that section had not been repealed.\n\n\t11 Annual reports under Information Privacy Act 2000 for reporting periods that end on or after commencement day\n\n(1) This clause applies if a reporting period ends on or after the commencement day.\n\n(2) On and after the commencement day, the Commissioner must, for the reporting period, prepare a report which includes the information required by section 62 of the **Information Privacy Act 2000** and include that report as part of the Commissioner's first report after the end of the reporting period under section 116.\n\n(3) Section 62 of the **Information Privacy Act 2000** applies for the purposes of subclause (2) as if that section had not been repealed.\n\n\t12 Approved codes of practice\n\n(1) On the commencement day, an approved code of practice under the **Information Privacy Act 2000** that was in operation immediately before that day, is taken to be an approved code of practice under this Act.\n\n(2) On the commencement day, the register of approved 
codes of practice kept under section 22 of the **Information Privacy Act 2000** is taken to be the register established under section 25 of this Act.\n\n","sortOrder":165},{"sectionNumber":"13","sectionType":"section","heading":"Complaints and compliance notices","content":"\t13 Complaints and compliance notices\n\n(1) This Act applies to a complaint made but not declined, referred or finally determined under the **Information Privacy Act 2000** before the commencement day as if the complaint had been made under section 58 of this Act.\n\n(2) This Act applies to a compliance notice served under section 44 of the **Information Privacy Act 2000** but not set aside before the commencement day as if the compliance notice had been served under section 78 of this Act.\n\n\t14 Annual reports under Commissioner for Law Enforcement Data Security Act 2005 for reporting periods which end before commencement day\n\n(b) the Commissioner for Law Enforcement Data Security has not made a report to the Minister under section 17 of the **Commissioner for Law Enforcement Data Security Act 2005** for that reporting period before that day.\n\n(2) On and after the commencement day, the Commissioner must, for the reporting period, make a report to the Minister under section 17 of the **Commissioner for Law Enforcement Data Security Act 2005**.\n\n(3) Section 17 of the **Commissioner for Law Enforcement Data Security Act 2005** applies for the purposes of subclause (2) as if that section had not been repealed.\n\n\t15 Annual reports under Commissioner for Law Enforcement Data Security Act 2005 for reporting periods which end on or after commencement day\n\n(1) This clause applies if a reporting period ends on or after the commencement day.\n\n(2) On and after the commencement day, the Commissioner must, for the reporting period, make a report to the Minister under section 17 of the **Commissioner for Law Enforcement Data Security Act 2005** and include that report as part of the 
Commissioner's first report after the end of the reporting period under section 116.\n\n(3) Section 17 of the **Commissioner for Law Enforcement Data Security Act 2005** applies for the purposes of subclause (2) as if that section had not been repealed.\n\n\t16 Annual reports under Commissioner for Law Enforcement Data Security Act 2005 that have not been laid before Parliament\n\n(a) a report has been made to the Minister under section 17 of the **Commissioner for Law Enforcement Data Security Act 2005** before the commencement day; and\n\n(b) that report has not been laid before each House of Parliament in accordance with that section before that day.\n\n(2) Despite the repeal of section 17 of the **Commissioner for Law Enforcement Data Security Act 2005**, subsection (2) of that section continues to apply in respect of that report.\n\nSch. 3 repealed by No. 60/2014 s. 141, new Sch. 3 inserted by No. 20/2017 s. 105.\n\nSchedule 3—Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017\n\n\t1 Definition\n\nIn this Schedule—\n\n***commencement day*** means the day on which Part 3 of the **Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017** comes into operation.\n\n\t2 Office of Commissioner for Privacy and Data Protection abolished\n\n(a) the office of the Commissioner for Privacy and Data Protection is abolished and the person holding that office and any person acting in that office go out of office; and\n\n(b) all rights, property and assets that, immediately before that day, were vested in the office of the Commissioner for Privacy and Data Protection are, by force of this clause, vested in the Office of the Victorian Information Commissioner; and\n\n(c) all debts, liabilities and obligations of the office of the Commissioner for Privacy and Data Protection existing immediately before that day become, by force of this clause, debts, liabilities and obligations 
of the Office of the Victorian Information Commissioner; and\n\n(d) the Information Commissioner is, by force of this clause, substituted as a party to any proceeding pending in any court or tribunal to which the Commissioner for Privacy and Data Protection was a party immediately before that day; and\n\n(e) the Information Commissioner is, by force of this clause, substituted as a party to any arrangement or contract entered into by or on behalf of the Commissioner for Privacy and Data Protection as a party and in force immediately before that day.\n\n\t3 References to Commissioner for Privacy and Data Protection\n\nOn the commencement day any reference to the Commissioner for Privacy and Data Protection in any Act (other than this Act) or in any rule, regulation, order, agreement, instrument, deed or other document (by whatever name called or however described) must, so far as it relates to any period on or after that day and if not inconsistent with the context or subject matter, be construed as a reference to the Information Commissioner, in the Information Commissioner's capacity under this Act.\n\n\t4 Staff\n\nOn the commencement day, any staff employed under Part 3 of the **Public Administration Act 2004** immediately before the commencement day by the Commissioner for Privacy and Data Protection are taken to be employed by the Information Commissioner under section 6Q of the **Freedom of Information Act 1982**.\n\n\t5 Codes of practice\n\nThis Act as in force on and after the commencement day applies to any application to approve a code of practice or amend an approved code of practice that was received but not approved before the commencement day.\n\n\t6 Public interest determinations\n\nThis Act as in force on and after the commencement day applies to any application for a public interest determination or a temporary public interest determination that was received but not determined before the commencement day.\n\n\t7 Information usage 
arrangements\n\nThis Act as in force on and after the commencement day applies in relation to any application to approve an information usage arrangement or amend an approved information usage arrangement that was received but not approved before the commencement day and anything done under this Act as in force before the commencement day in relation to that application has effect for that purpose.\n\n\t8 Complaints\n\nThis Act as in force immediately before the commencement day continues to apply in relation to any complaint made under Division 8 of Part 3 but not determined before the commencement day as if any reference to the Commissioner for Privacy and Data Protection were a reference to the Information Commissioner.\n\n\t9 Compliance notices\n\nThis Act as in force immediately before the commencement day continues to apply in relation to a written notice given before the commencement day under section 79, as in force immediately before its substitution, as if any reference to the Commissioner for Privacy and Data Protection were a reference to the Information Commissioner.\n\n\t10 Protective data security standards\n\nThe Information Commissioner may amend, revoke or reissue in accordance with section 87 a protective data security standard issued and in force before the commencement day.\n\n\t11 Law enforcement data security standards\n\nThe Information Commissioner may amend, revoke or reissue in accordance with section 92 a law enforcement data security standard issued and in force before the commencement day.\n\n\t12 Reports for reporting periods which end before commencement day\n\n(b) the Commissioner for Privacy and Data Protection has not prepared an annual report referred to in section 116  for that reporting period before that day.\n\n(2) On and after the commencement day, the Information Commissioner must prepare an annual report for the reporting period in accordance with section 116.\n\n(3) The annual report may be prepared as a composite report 
with the report prepared under clause 14 of Schedule 1 to the **Freedom of Information Act 1982**.\n\n\t13 Annual reports for reporting periods which end on or after the commencement day\n\n(1) This clause applies if a reporting period ends on or after the commencement day.\n\n(2) On and after the commencement day, the Information Commissioner must prepare a report in accordance with section 116 for the part of the reporting period occurring before the commencement day and include that report in the Information Commissioner's first report under that section after the end of the reporting period.\n\n(3) In this clause—\n\n\t14 Report to Minister\n\n(1) This clause applies if the Commissioner for Privacy and Data Protection has not prepared a report requested under section 111 before the commencement day.\n\n(2) On and after the commencement day, the Information Commissioner must prepare the report in accordance with section 111 as in force before the commencement day.\n\n═══════════════\n\nEndnotes\n\n1 General information\n\nSee [www.legislation.vic.gov.au](http://www.legislation.vic.gov.au) for Victorian Bills, Acts and current Versions of legislation and up-to-date legislative information.\n\n *Minister's second reading speech—*\n\n *Legislative Assembly: 12 June 2014*\n\n *Legislative Council: 7 August 2014*\n\nThe long title for the Bill for this Act was \"A Bill for an Act to provide for responsible collection and handling of personal information in the Victorian public sector, to establish a protective data security regime, to repeal the **Information Privacy Act 2000** and the **Commissioner for Law Enforcement Data Security Act 2005**, to make consequential amendments to other Acts and for other purposes.\"\n\nThe **Privacy and Data Protection Act 2014** was assented to on 2 September 2014 and came into operation as follows:\n\nSections 129–136 on 3 September 2014: section 2(2); sections 1–128, 138–141 on 17 September 2014: Special Gazette (No. 
317) 16 September 2014 page 1; section 137 on 1 July 2015: section 2(3).\n\nINTERPRETATION OF LEGISLATION ACT 1984 (ILA)\n\nStyle changes\n\nSection 54A of the ILA authorises the making of the style changes set out in Schedule 1 to that Act.\n\nReferences to ILA s. 39B\n\nSidenotes which cite ILA s. 39B refer to section 39B of the ILA which provides that where an undivided section or clause of a Schedule is amended by the insertion of one or more subsections or subclauses, the original section or clause becomes subsection or subclause (1) and is amended by the insertion of the expression \"(1)\" at the beginning of the original section or clause.\n\nInterpretation\n\nAs from 1 January 2001, amendments to section 36 of the ILA have the following effects:\n\n• Headings\n\nAll headings included in an Act which is passed on or after 1 January 2001 form part of that Act. Any heading inserted in an Act which was passed before 1 January 2001, by an Act passed on or after 1 January 2001, forms part of that Act. This includes headings to Parts, Divisions or Subdivisions in a Schedule; sections; clauses; items; tables; columns; examples; diagrams; notes or forms. See section 36(1A)(2A).\n\n• Examples, diagrams or notes\n\nAll examples, diagrams or notes included in an Act which is passed on or after 1 January 2001 form part of that Act. Any examples, diagrams or notes inserted in an Act which was passed before 1 January 2001, by an Act passed on or after 1 January 2001, form part of that Act. See section 36(3A).\n\n• Punctuation\n\nAll punctuation included in an Act which is passed on or after 1 January 2001 forms part of that Act. Any punctuation inserted in an Act which was passed before 1 January 2001, by an Act passed on or after 1 January 2001, forms part of that Act. See section 36(3B).\n\n• Provision numbers\n\nAll provision numbers included in an Act form part of that Act, whether inserted in the Act before, on or after 1 January 2001. 
Provision numbers include section numbers, subsection numbers, paragraphs and subparagraphs. See section 36(3C).\n\n• Location of \"legislative items\"\n\nA \"legislative item\" is a penalty, an example or a note. As from 13 October 2004, a legislative item relating to a provision of an Act is taken to be at the foot of that provision even if it is preceded or followed by another legislative item that relates to that provision. For example, if a penalty at the foot of a provision is followed by a note, both of these legislative items will be regarded as being at the foot of that provision. See section 36B.\n\n• Other material\n\nAny explanatory memorandum, table of provisions, endnotes, index and other material printed after the Endnotes does not form part of an Act. See section 36(3)(3D)(3E).\n\n2 Table of Amendments\n\nThis publication incorporates amendments made to the **Privacy and Data Protection Act 2014** by Acts and subordinate instruments.\n\n–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––\n\n**Privacy and Data Protection Act 2014, No. 60/2014**\n\n| Assent Date: | 2.9.14 |\n| Commencement Date: | Ss 129–136 on 3.9.14: s. 2(2); s. 141 on 17.9.14: Special Gazette (No. 317) 16.9.14 p. 1; s. 137 on 1.7.15: s. 2(3); s. 130(4) inserted on 26.4.21 by No. 11/2021 s. 170: s. 2(2) |\n| Note: | S. 141 repealed Pt 9 (ss 129–141) and Sch. 3 on 9.12.15; s. 130(4) repealed s. 130 on 26.4.23 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Inquiries Act 2014, No. 67/2014**\n\n| Assent Date: | 23.9.14 |\n| Commencement Date: | S. 147(Sch. 2 item 28) on 15.10.14: Special Gazette (No. 364) 14.10.14 p. 2 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Statute Law Revision Act 2015, No. 21/2015**\n\n| Assent Date: | 16.6.15 |\n| Commencement Date: | S. 3(Sch. 1 item 41) on 1.8.15: s. 
2(1) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Health Complaints Act 2016, No. 22/2016**\n\n| Assent Date: | 3.5.16 |\n| Commencement Date: | S. 240 on 1.2.17: s. 2(2) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Fines Reform and Infringements Acts Amendment Act 2016, No. 29/2016**\n\n| Assent Date: | 31.5.16 |\n| Commencement Date: | S. 111 on 31.12.17: s. 2(5) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Powers of Attorney Amendment Act 2016, No. 64/2016**\n\n| Assent Date: | 15.11.16 |\n| Commencement Date: | S. 16 on 1.5.17: s. 2(2) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Medical Treatment Planning and Decisions Act 2016, No. 69/2016**\n\n| Assent Date: | 29.11.16 |\n| Commencement Date: | S. 158 on 12.3.18: s. 2(2) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017, No. 20/2017**\n\n| *Assent Date:* | 16.5.17 |\n| *Commencement Date:* | Ss 78–106 on 1.9.17: s. 2(3) |\n| *Current State:* | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Family Violence Protection Amendment (Information Sharing) Act 2017, No. 23/2017** (as amended by No. 60/2017)\n\n| Assent Date: | 14.6.17 |\n| Commencement Date: | Ss 20–22 on 26.2.18: Special Gazette (No. 40) 6.2.18 p. 1 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Serious Sex Offenders (Detention and Supervision) Amendment (Governance) Act 2017, No. 
57/2017**\n\n| Assent Date: | 8.11.17 |\n| Commencement Date: | S. 50 on 27.2.18: Special Gazette (No. 49) 13.2.18 p. 1 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Victorian Data Sharing Act 2017, No. 60/2017**\n\n| Assent Date: | 5.12.17 |\n| Commencement Date: | S. 34 on 6.12.17: s. 2 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Children Legislation Amendment (Information Sharing) Act 2018, No. 11/2018**\n\n| *Assent Date:* | 10.4.18 |\n| *Commencement Date:* | S. 43 on 11.4.18: Special Gazette (No. 164) 10.4.18 p. 1; s. 31 on 27.9.18: Special Gazette (No. 405) 4.9.18 p. 1 |\n| *Current State:* | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Serious Offenders Act 2018, No. 27/2018**\n\n| Assent Date: | 26.6.18 |\n| Commencement Date: | S. 362 on 3.9.18: Special Gazette (No. 356) 31.7.18 p. 1 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Integrity and Accountability Legislation Amendment (Public Interest Disclosures, Oversight and Independence) Act 2019, No. 2/2019**\n\n| *Assent Date:* | 5.3.19 |\n| *Commencement Date:* | S. 209 on 6.3.19: s. 2(1); s. 145 on 1.1.20: s. 2(3) |\n| *Current State:* | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Guardianship and Administration Act 2019, No. 13/2019**\n\n| Assent Date: | 4.6.19 |\n| Commencement Date: | S. 221(Sch. 1 item 39) on 1.3.20: s. 2(2) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Children Legislation Amendment Act 2019, No. 30/2019**\n\n| Assent Date: | 17.9.19 |\n| Commencement Date: | S. 19 on 18.9.19: s. 
2(1) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Health Legislation Amendment and Repeal Act 2019, No. 34/2019**\n\n| Assent Date: | 22.10.19 |\n| Commencement Date: | S. 87 on 27.8.20: s. 2(3) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Local Government Act 2020, No. 9/2020**\n\n| Assent Date: | 24.3.20 |\n| Commencement Date: | S. 390(Sch. 1 item 80) on 6.4.20: Special Gazette (No. 150) 24.3.20 p. 1 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Justice Legislation Amendment (System Enhancements and Other Matters) Act 2021, No. 11/2021**\n\n| Assent Date: | 23.3.21 |\n| Commencement Date: | Ss 164–170 on 26.4.21: s. 2(2) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Terrorism (Community Protection) Amendment Act 2021, No. 47/2021**\n\n| Assent Date: | 3.11.21 |\n| Commencement Date: | S. 28 on 2.9.22: s. 2(3) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Mental Health and Wellbeing Act 2022, No. 39/2022**\n\n| Assent Date: | 6.9.22 |\n| Commencement Date: | S. 853 on 1.9.23: s. 2(2) |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n**Justice Legislation Amendment (Integrity, Defamation and Other Matters) Act 2024, No. 31/2024**\n\n| Assent Date: | 10.9.24 |\n| Commencement Date: | Ss 51–61 on 11.9.24: s. 2(1); s. 113(Sch. 1 item 26) on 10.2.25: Special Gazette (No. 648) 26.11.24 p. 
1 |\n| Current State: | This information relates only to the provision/s amending the **Privacy and Data Protection Act 2014** |\n\n–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––\n\n3 Explanatory details\n\nNo entries at date of publication.","sortOrder":166}],"analysis":{"flash_summary":{"complexity_score":8,"scope_assessment":{"changed":true,"description":"Yes. The Act consolidates and replaces the earlier Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005 (s.1(f); ss.126–127) and extends the statutory architecture beyond classical information privacy to include a protective data security regime and law‑enforcement data security standards (ss.85–92). It establishes a single Information Commissioner role with expanded functions (ss.8A; 8D) and introduces new administrative instruments (protective data security standards, protective data security plans, customised standards, information usage arrangements and certificates) and processes that did not exist in the same form under the repealed Acts (Parts 3–5; Divs.6–7). 
Mechanically, this broadens regulatory scope from privacy oversight alone to a combined privacy + data‑security regulatory regime with additional compliance, reporting and approval obligations on public sector Heads and, in defined circumstances, on contracted service providers (ss.88–89; s.17)."},"complexity_factors":["Large scope combining information privacy and protective + law‑enforcement data security (Parts 3–5; Schedule 1)","Extensive cross‑references and carve‑outs to other statutes and specialised information‑sharing schemes (ss.14–15D; multiple external Acts cited)","Multiple approval and exception pathways (codes of practice, public interest determinations, temporary determinations, information usage arrangements, certificates) with differing procedures and decision‑makers (Divs.3–7)","Significant administrative discretion vested in the Information Commissioner, with delegation and ministerial interfaces (ss.8A–8G; 8O; 86(4))","Detailed procedural enforcement machinery including coercive notices, power to access and copy data systems, and tribunal review rights (Div.10; ss.106–109; ss.78–83)","Separate but overlapping standards and plans regimes for protective data security and law‑enforcement data security with precedence rules (ss.86–94)","Transitional provisions and repeal of earlier Acts with staff and asset transfers that affect continuity and interpretation (Part 8; Schedule 2–3)","Varied remedies and sanctions (administrative reporting, compliance notices, penalties, VCAT compensation up to $100,000) and limits on civil/private causes of action (ss.7; 77; 82)"],"plain_english_summary":"### What this law does (mechanically)\n\n- Replaces earlier Victorian privacy and law‑enforcement data laws and creates a single legislative scheme for the Victorian public sector dealing with both information privacy and data security (see s.1(f); ss.126–127).  
\n- Sets out binding Information Privacy Principles (IPPs) that public sector organisations must follow for collecting, holding, using, disclosing and correcting personal information (Schedule 1; ss.18–20).  \n- Establishes an Office of the Information Commissioner with powers to approve codes of practice, issue standards and certificates, hear and conciliate complaints, conduct audits and issue compliance notices (ss.8A, 21–26, 55–56, Div.8, ss.78–83).  \n- Creates a separate protective data security framework for public sector data, and a law‑enforcement data security regime for Victoria Police and specified bodies; the Information Commissioner issues data security standards and must develop a protective data security framework (Part 4, ss.85–90; Part 5, ss.91–94).  \n- Provides mechanisms for departures from IPPs where the public interest justifies it: public interest determinations and temporary public interest determinations (ss.29–41), and approval processes for multi‑party information usage arrangements (ss.45–54).  \n- Gives the Commissioner investigatory powers (notices to produce or attend, ability to access data and data systems, power to copy or take extracts) and enforcement tools (compliance notices, VCAT oversight, penalties) (Div.10 ss.83A–83L; ss.106–109; ss.78–83; s.82).  \n- Preserves specified exemptions and carve‑outs (for Freedom of Information matters, law enforcement purposes and other statutory information‑sharing schemes) (ss.14, 15, 15A–15D).\n\n### Who it affects\n\n- Primary targets are Ministers, public sector agencies, councils and other bodies declared to be public‑sector organisations (s.13).  \n- Victoria Police and certain crime statistics functions are subject to the law‑enforcement data security rules (s.91).  \n- Contracted service providers are brought into scope only insofar as State contracts bind them to comply with IPPs or the standards (s.13(1)(j); s.17; s.89(2)–(3)).  
\n- Individuals gain a statutory complaints process to the Information Commissioner and potential remedies in VCAT, including monetary compensation up to $100,000 (ss.57; 73–77).\n\n### Why it matters (official rationale and what that implies mechanically)\n\n- The Act’s stated purposes are to require responsible collection and handling of personal information in the Victorian public sector, provide remedies for privacy interferences, and establish protective data security and monitoring regimes (s.1(a)–(d)).  \n- Mechanically, those aims are pursued by: setting enforceable IPPs (Schedule 1); creating regulatory instruments (codes, standards, certificates) that can modify or replace how IPPs apply to particular organisations or information (ss.21–26; 86; 55); and by granting the Commissioner audit, investigation and enforcement powers (ss.78–83; ss.106–109).  \n\n### Practical tests against costs, incentives and trade‑offs (source‑grounded)\n\n- Who pays: compliance costs fall mainly on public sector bodies and public sector body Heads who must ensure compliance with data security standards and prepare protective data security plans (ss.86; 88; 89). Contracted service providers must comply to the extent the State contract requires it (s.17(2)–(4); s.89(2)–(3)). The Office of the Information Commissioner bears administrative costs of standards, approvals, audits and complaint handling (ss.8A; 85; 111).  \n- Who decides: the Information Commissioner has broad discretionary authority to develop standards, approve codes and certificates, conduct audits and issue compliance notices (ss.8A; 8G; 21–26; 55; 78). Ministers and the Governor in Council retain roles in approving or revoking codes, appointing the Deputy Commissioner and (in many cases) approving information usage arrangements and standards (ss.22–26; 8H–8M; 50; 86(4)).  
\n- Incentives created: the Act provides formal routes to lawfully depart from IPPs (public interest determinations ss.29–36; information usage arrangements ss.45–54; certificates s.55). Organisations therefore have an incentive to seek administrative approvals where compliance with an IPP would impede an intended activity. Those approvals require the Commissioner’s assessments and, for some instruments, ministerial sign‑off (ss.47–50; 49).  \n- Compliance burden and reporting: organisations subject to an approved information usage arrangement or public interest determination have ongoing reporting duties (ss.36; 54). Public sector body Heads must do risk assessments and prepare protective data security plans within two years of standards being issued, and review them regularly (s.89).  \n- Bureaucratic discretion and checks: the Commissioner’s powers are wide (s.8G; s.106) but many significant outcomes require publication, a statement of reasons, consultation steps, and in some cases Ministerial agreement (ss.29(4)–(6); 31(3)–(4); 50; 86(4); 55(3)–(5)). Judicial or tribunal oversight exists (VCAT review of certificates and complaints; ss.56; 73–77; 83).  \n- Implementation risks and operational frictions: the Commissioner can require access to agency and police data systems (ss.106–108) but the Chief Commissioner of Police and the Chief Statistician may refuse on specified law‑enforcement or safety grounds (ss.107(2); 108(3)). Those carve‑outs create potential coordination, timing or evidence‑access issues during audits or investigations.  \n- Concentrated benefits, diffuse costs and regulatory opportunity: approval mechanisms (public interest determinations, information usage arrangements, customised standards) grant particular organisations or projects permission to depart from standard privacy protections (ss.29; 45–51; 86(2)). 
The Act therefore concentrates benefits in applicants and places the compliance and monitoring costs across the public sector generally, with the Commissioner and Ministers making the approval determinations (ss.47–50; 86(4)). The statutory process requires publication and statements of reasons (ss.31(3)–(4); 50(4)–(5)), which creates a public record of the departures.  \n- Limits on private enforcement and remedies: the Act specifies that it creates no new civil cause of action except via the procedures in the Act (s.7(1)); remedies for individuals are delivered through the Commissioner’s complaint processes and VCAT (Div.8; ss.73–77). That channels disputes into the administrative and tribunal mechanisms the Act establishes.\n\n### Key operational points to watch (source citations)\n\n- IPPs and codes are the baseline obligations; approved codes or certificates can substitute or modify those obligations for consenting organisations (Schedule 1; ss.21–26; 55).  \n- Data security is governed separately from privacy IPPs: the Commissioner issues protective and law‑enforcement data security standards and bodies must comply (ss.85–94).  \n- The Commissioner has investigatory powers including coercive notices and access to systems (Div.10; ss.106–109); some law‑enforcement exemptions allow refusal by police or statisticians on safety or privilege grounds (ss.107(2);108(3)).  \n- Remedies for individuals use the Information Commissioner’s complaint, conciliation and VCAT escalation processes; VCAT may award compensation and order remedial action up to statutory limits (ss.57; 67–71; 73–77; s.77(1)(a)(iii)).\n"},"summary":{"complexity_score":6,"scope_assessment":{"changed":true,"description":"The Act consolidated and replaced the earlier Information Privacy Act 2000 and parts of other legislation, representing a broader scope than a simple privacy update. 
Over time, amendments have expanded its reach — particularly around data security obligations and the powers of the Information Commissioner — beyond what was originally contemplated when the Act was first passed."},"complexity_factors":["Multiple sets of principles (Information Privacy Principles and Public Interest Determinations) that interact with each other","Interplay between Victorian law and the federal Privacy Act 1988, requiring understanding of which law applies in which context","Exemptions and exceptions are numerous — different rules apply to health information, law enforcement, and certain agencies","Complaints and enforcement process involves multiple stages and bodies (Commissioner, VCAT tribunal)","Provisions extending obligations to private sector contractors acting on behalf of government add complexity","The Act has been amended multiple times since 2014, meaning the consolidated version requires careful reading to understand current state of law","Technical definitions of key terms like 'personal information' and 'sensitive information' carry significant legal weight"],"plain_english_summary":"## Privacy and Data Protection Act 2014 (Victoria)\n\nThis is Victoria's main law governing how **government agencies** (like state departments, councils, and public bodies) must handle your personal information.\n\n### What it does:\n- Sets out **rules ('Information Privacy Principles')** that Victorian government agencies must follow when they collect, store, use, and share your personal information\n- Gives you the right to **access and correct** personal information that government agencies hold about you\n- Creates a framework for **data security** — agencies must protect your information from misuse, loss, or unauthorised access\n- Establishes the **Victorian Information Commissioner** as an independent watchdog who can investigate complaints and enforce the rules\n- Allows you to **make a complaint** if you believe a government agency has 
mishandled your personal information\n\n### Who it affects:\n- **Ordinary Victorians** — you have rights around your personal data held by the state government\n- **Victorian public sector employees and agencies** — they must follow strict rules or face consequences\n- **Contractors working for government** — they can also be bound by these obligations\n\n### Why it matters:\n- Protects your privacy from government overreach or negligence\n- Gives you real legal remedies if your information is mishandled\n- **Does NOT generally cover private businesses** — those are covered by the federal Privacy Act 1988\n\n### Key limitation:\nThis law primarily covers the **Victorian public sector**, not private companies (with some exceptions for organisations contracted to government)."},"kimi_summary":{"_metrics":{"source":"grok-batch-everything"},"content_quality":"ok","complexity_score":8,"scope_assessment":{"changed":true,"description":"The legislation has grown significantly beyond the original intent of the repealed Information Privacy Act 2000 by incorporating a full protective data security regime for all public sector data (Part 4), law enforcement and crime statistics data standards (Part 5), information usage arrangements that can modify IPPs for public purposes (Div 6 of Part 3), multiple targeted information sharing exemptions across family violence, child safety, health and terrorism laws (ss 15A–15D), expanded Commissioner functions including audits and framework development (ss 8C–8D), and detailed compliance and enforcement tools, transforming it from a privacy principles statute into a comprehensive public sector data governance and security framework."},"complexity_factors":["Extensive definitions in s 3 (over 60 defined terms, many cross-referencing other Acts such as the Public Administration Act 2004, Freedom of Information Act 1982, Victoria Police Act 2013 and others)","Multi-layered Part 3 with 10 Divisions covering application, IPPs in Schedule 1, 
codes of practice (Div 3), capacity to consent (Div 4), public interest determinations (Div 5), information usage arrangements (Div 6), certification (Div 7), complaints processes involving preliminary inquiries, informal resolution, conciliation, VCAT hearings and enforcement via compliance notices (Div 8–9)","Nested exemptions in ss 14–15D for FOI, law enforcement functions, family violence information sharing under the Family Violence Protection Act 2008, child wellbeing under the Child Wellbeing and Safety Act 2005, health quality and safety under the Health Services Act 1988, and terrorism provisions","Detailed procedural rules in Divisions 8–10 of Part 3 for notices to produce or attend (ss 83A–83L), including self-incrimination, cabinet documents, legal professional privilege and reporting to Integrity Oversight Victoria","Separate but interacting regimes in Parts 4 and 5 for protective data security standards and plans (ss 85–90) and law enforcement data security standards (ss 92–94), with mandatory plans within two years (s 89)","Part 1A functions and powers of the Information Commissioner and Deputy Commissioner, including delegation (s 8O), directions (s 8P) and concurrent functions (s 8E), plus general powers in Part 6 requiring access to data systems (ss 106–110)","Transitional and savings provisions in Schedules 2 and 3, plus interaction rules in s 6 and outsourcing effects in s 17"],"plain_english_summary":"**Protecting personal information and securing public data in Victoria**\n\nThe **Privacy and Data Protection Act 2014** sets clear rules for how Victorian government agencies, councils, ministers, Victoria Police and certain contractors must collect, use, store, share and protect people's personal information. It contains ten Information Privacy Principles (detailed in Schedule 1) that organisations must follow. 
These cover collecting information only when necessary and fairly (IPP 1), using or sharing it only for the original purpose or with consent or in specific public interest cases (IPP 2), keeping it accurate and secure (IPPs 3–4), being open about what information is held (IPP 5), giving people access and correction rights (IPP 6), rules on unique identifiers (IPP 7), offering anonymity where possible (IPP 8), restricting overseas transfers (IPP 9) and extra protections for sensitive information like racial origin or criminal records (IPP 10).\n\nThe Act creates a complaints system where individuals can raise concerns with the Information Commissioner, who can investigate, conciliate or refer matters to the Victorian Civil and Administrative Tribunal (VCAT) for orders including compensation up to $100,000 (see Part 3, Divisions 8–9). It also allows codes of practice, public interest determinations and approved information usage arrangements that can modify how the principles apply when public interest justifies it.\n\nBeyond privacy, the Act establishes a protective data security framework (Part 4) requiring public sector bodies to follow standards for data confidentiality, integrity and availability, prepare security plans and undergo risk assessments. A separate regime applies to law enforcement data held by Victoria Police and crime statistics data (Part 5). The Information Commissioner develops standards, monitors compliance, conducts audits and can issue notices or reports. The law aims to balance open access to government information with privacy and security, giving individuals rights while imposing duties on organisations to handle data responsibly. 
It binds the Crown and applies to outsourced services in many cases."}},"importantCases":[],"_links":{"self":"/api/acts/privacy-and-data-protection-act-2014","history":"/api/acts/privacy-and-data-protection-act-2014/history","analysis":"/api/acts/privacy-and-data-protection-act-2014/analysis","conflicts":"/api/acts/privacy-and-data-protection-act-2014/conflicts","importantCases":"/api/acts/privacy-and-data-protection-act-2014/important-cases","documents":"/api/acts/privacy-and-data-protection-act-2014/documents"}}