Privacy and Data Protection Act 2014

The Act primarily affects public sector organisations as defined and listed in s 13(1). This includes Ministers, Parliamentary Secretaries, public sector agencies (public service bodies or public entities under the Public Administration Act 2004), Councils (as defined in the Local Government Act 2020), bodies established for a public purpose by or under an Act or by the Governor in Council or a Minister, persons holding statutory offices (other than Members of Parliament), courts and tribunals (subject to s 10), Victoria Police, and contracted service providers but only in relation to services under a State contract containing privacy provisions (s 13(1)(j)). Any other body may be declared an organisation by Governor in Council Order (s 13(3)(a)).

Public sector body Heads, defined by reference to the Public Administration Act 2004, bear specific duties. They must ensure compliance with protective data security standards (s 88(1)–(2)), prepare protective data security plans (s 89), and provide assistance and access to data and systems when required by the Information Commissioner (s 110). For law enforcement data, the Chief Commissioner of Police and the Chief Statistician (under the Crime Statistics Act 2014) together with their employees and consultants are directly bound (ss 91, 94).

The Information Commissioner (appointed under the Freedom of Information Act 1982) and the Privacy and Data Protection Deputy Commissioner (appointed under s 8H) are central. The Commissioner performs functions relating to information privacy (s 8C), protective and law enforcement data security (s 8D), codes of practice, public interest determinations, information usage arrangements, guidelines, audits, complaints, compliance notices and reporting. The Deputy may perform concurrent functions (s 8E) or functions conferred by authorisation (s 8F), but certain core functions remain with the Commissioner (s 8B(1)). Members of staff of the Office of the Victorian Information Commissioner may receive delegations (s 8O).

Individuals are affected as data subjects. Any individual in respect of whom personal information is or has been held may make a complaint about an interference with privacy (s 57(1)). Children and persons with a disability may complain personally or through parents, guardians, attorneys, administrators or other authorised representatives (ss 59–60, 28). Authorised representatives may consent or request access where the individual lacks capacity (s 28(1)–(2)), subject to safeguards against acting against known wishes (s 28(4)) or where access would endanger the individual (s 28(5)).

Contracted service providers under State contracts are affected where the contract binds them to IPPs and codes (s 17(2)–(3)). An act or practice by the provider is taken to be that of the outsourcing party unless the contract contains the relevant provision and the principle is enforceable against the provider (s 17(4)). Subcontractors are included in the definition (s 4(3)).

Law enforcement agencies listed in the expanded definition in s 3 (including Victoria Police, interstate police, Australian Federal Police, Australian Crime Commission, Corrections, Fines Victoria, Business Licensing Authority, IBAC, sheriff, Integrity Oversight Victoria, parole boards, and agencies performing prevention, detection, investigation or punishment functions) benefit from the exemption in s 15 for specified IPPs where noncompliance is necessary for law enforcement functions, proceeds of crime enforcement, court proceedings or community policing.

Bodies and persons exempted by Order under s 13(3)(b) or otherwise outside the application provisions (Commonwealth-regulated organisations, courts in judicial functions, Royal Commissions, parliamentary committees) are not directly bound. However, public registers must still be administered consistently with IPPs so far as reasonably practicable (s 20(2)).

The Crown is bound in all capacities (s 8(1)) but cannot be prosecuted (s 8(2)). Organisations and bodies can commit offences through employees or agents acting within actual or apparent authority unless reasonable precautions and due diligence were exercised (s 118(1)–(2)). For Victoria Police, specific personnel including the Chief Commissioner, Deputy Commissioners, Assistant Commissioners, police officers, special constables, reservists and protective services officers are deemed employees for this purpose (s 118(3)).

The legislation therefore casts a wide net across the Victorian public sector while carving out judicial, parliamentary and certain other functions, with targeted obligations on Heads, Commissioners, individuals as complainants or representatives, and contracted parties.

(Word count for this section: 512)

Key duties fall on organisations and public sector body Heads. Under s 20(1), organisations must not contravene an IPP. Public sector agencies and Councils must administer public registers consistently with IPPs so far as reasonably practicable (s 20(2)). Compliance with an approved code discharges the duty (s 21(1)). Where a code, public interest determination, temporary public interest determination or approved information usage arrangement applies, the organisation is relieved to the extent specified (ss 24, 32, 51).

Public sector body Heads must ensure compliance with protective data security standards for public sector data and data systems (s 88(1)) and for contracted service providers (s 88(2)). They must complete a security risk profile assessment and develop a protective data security plan within two years of standards being issued (s 89(1)), review the plan on significant changes or every two years (s 89(4)), and provide a copy to the Information Commissioner (s 89(5)). Similar compliance duties apply to Victoria Police and the Chief Statistician for law enforcement data security standards (s 94).

The Information Commissioner has duties to develop the Victorian protective data security framework (s 85), issue standards (ss 86, 92), promote uptake and conduct monitoring and assurance activities including audits (s 8D(2)), examine proposed legislation for privacy impacts (s 8C(1)(e)), issue guidelines (ss 8C(1)(g), 8D(1)(c)), and report (s 116). When performing functions, regard must be had to the objects in s 5 (ss 8A(2), 8B(2)).

Rights of individuals are prominent. IPP 6 confers rights to access and correction, subject to exceptions in cl 6.1. Requests may be made by the individual, a supportive attorney, supportive administrator, supportive guardian or authorised representative (s 28(2)). Where capacity is lacking, an authorised representative (guardian, enduring attorney, medical treatment decision maker, parent of a child or other empowered person) may act (s 28(1), (6)). Individuals may complain about interferences with privacy (s 57(1)), including on behalf of others with consent (s 57(3)) or for children and persons with disability (ss 59–60). Complaints may proceed to conciliation or VCAT, where orders for restraint, redress, compensation or reimbursement of expenses are available (s 77).

Organisations must provide access or reasons for denial, correct information or attach statements of correction, and respond within 45 days (IPP 6.7–6.8 in Schedule 1). They must take reasonable steps to provide notice at collection (IPP 1.3–1.5), ensure accuracy (IPP 3), protect security (IPP 4.1), destroy or de-identify when no longer needed (IPP 4.2), be open about practices (IPP 5), and respect anonymity where lawful and practicable (IPP 8).

For sensitive information, collection is restricted unless consent, required or authorised by law, necessary to prevent serious threat where the individual cannot consent or communicate, or for legal claims (IPP 10.1). Additional grounds exist for government funded targeted welfare or educational services research (IPP 10.2).

Parties to approved information usage arrangements gain the right to handle information in the agreed manner without breaching modified IPPs or information handling provisions (s 51). Organisations subject to public interest determinations or temporary determinations may lawfully perform the otherwise contravening act or practice (ss 32, 39).

Respondents to complaints have rights to notification (s 61), to participate in conciliation (s 67), to make submissions before decline or dismissal (s 62), and to VCAT review of certain decisions including compliance notices (s 83). Legal professional privilege, self-incrimination and cabinet immunity provide reasonable excuses for non-compliance with notices to produce or attend (ss 83I–83J).

The Act creates no general civil cause of action (s 7(1)) but channels remedies through its complaint and VCAT mechanisms. Criminal liability arises only for specific offences: failure to comply with a compliance notice (s 82), obstruction or providing false information (s 122), and offences by organisations or bodies (s 123). Prosecutions may be brought only by police, the Information Commissioner or authorised persons (s 124).

These duties and rights are balanced by the objects in s 5: balancing free flow of information with privacy protection, open access with security, and promoting awareness, responsible handling and data security practices.

(Word count for this section: 478)

Enforcement is primarily administrative and tribunal-based rather than criminal. The central mechanism is the compliance notice under s 78(1). The Information Commissioner may serve such a notice where an organisation has contravened an IPP (including via a code) or an approved information usage arrangement, and the contravention is serious or flagrant or has occurred on at least five separate occasions in the previous two years. The notice requires specified action within a specified period to ensure compliance (s 78(2)). Extension of time is possible on undertaking (s 78(3)–(4)). Service must follow s 83C (s 78(7)).

Failure to comply with a compliance notice that has taken effect is an indictable offence carrying 600 penalty units for an individual or 3000 penalty units for a body corporate (s 82(1)). The notice does not take effect until the period for compliance expires, any extension expires, the review period under s 83 expires, or any VCAT review is determined in the Commissioner's favour (s 82(2)).

Notices to produce or attend under Division 10 (ss 83A–83L) support both conciliation and compliance notice decisions. A person served must not, without reasonable excuse, refuse or fail to attend, give information, answer questions or produce documents (s 83H), with a penalty of 60 penalty units. Reasonable excuses expressly include self-incrimination (s 83I), cabinet documents and legal professional privilege (s 83J), but statutory secrecy is not a reasonable excuse (s 83K). Audio or video recording of examinations is mandatory (s 83GA), with inadmissibility protections unless exceptional circumstances exist (s 83GA(3)–(4)). Legal practitioners and persons served have Supreme Court witness protections (s 83G). Reports must be made to Integrity Oversight Victoria within three days of issue, variation or revocation (s 83D).

Complaint outcomes at VCAT can include compensation up to $100,000 for loss or damage including injury to feelings or humiliation (s 77(1)(a)(iii)), orders restraining repetition of the interfering act or practice, orders for redress or specific corrective action, and reimbursement of complaint-related expenses (s 77(1)(d)). Where a code applies, orders may direct the code administrator (s 77(1)(a)(iv)). Interim orders are available to preserve the status quo (s 72).

Offences also exist for obstructing, hindering or resisting the Commissioner, Deputy, delegate or staff in performing functions (s 122(1)), providing false or misleading information or statements (s 122(2)), or attempting to mislead (s 122(3)), each carrying 60 penalty units. Secrecy offences under s 120 attract 240 penalty units or two years imprisonment or both for unauthorised recording, disclosure or communication of information obtained in the course of functions, with exceptions for performance of duties or consent (s 120(3)).

Organisations or unincorporated bodies are liable for offences committed by employees or agents within actual or apparent authority unless reasonable precautions and due diligence were shown (s 118(1)). Where state of mind must be proven, the employee's or agent's state of mind suffices (s 118(2)). For Victoria Police, a broad range of personnel are deemed employees (s 118(3)).

VCAT review is available for decisions to issue compliance notices (s 83), decisions to issue certificates under s 55 (s 56), and disallowance of determinations does not apply as they are subject to parliamentary disallowance under s 42 applying the Subordinate Legislation Act 1994. The Commissioner must report on performance and exercise of powers annually in the report of operations under the Financial Management Act 1994 (s 116).

Protection from liability in s 117 shields persons producing documents or giving information or evidence to the Commissioner, and lodgers of complaints, from civil or criminal consequences for good faith actions. Provision of access under IPP 6 in good faith does not create liability for defamation, breach of confidence or criminal offence (s 117(3)–(4)).

The regime emphasises proportionate administrative enforcement through notices, conciliation, audit, reporting and targeted criminal sanctions for serious non-compliance or obstruction, with VCAT providing independent merits review and remedial orders.

(Word count for this section: 461)

The Act is expressly subordinate in certain respects. Section 6(1) provides that if a provision of the Act (other than Divisions 5, 6 or 7 of Part 3) relating to an IPP or applicable code is inconsistent with another Act, the other provision prevails. Nothing affects the operation of the Freedom of Information Act 1982 or rights, privileges, obligations or exemptions under it (s 6(2)). IPP 6 (access and correction) does not apply where access or correction can only be obtained under the FOI Act or where access would be refused under specified exemption provisions of that Act (s 14).

Law enforcement agencies are exempt from complying with specified IPPs (1.3–1.5, 2.1, 6.1–6.8, 7.1, 10.1) if noncompliance is necessary for law enforcement functions, proceeds of crime enforcement, court proceedings or (for Victoria Police) community policing (s 15). Specific exemptions exist for information sharing under the Family Violence Protection Act 2008 (s 15A), Child Wellbeing and Safety Act 2005 (s 15B), Health Services Act 1988 quality and safety purposes (s 15C) and terrorism community protection provisions (s 15D). These exemptions modify or disapply IPPs 1.3–1.5, 2, 6, 10 and consent requirements to the extent necessary for the statutory schemes.

The Health Records Act 2001 prevails for health information; personal information under this Act excludes information to which that Act applies (definition in s 3). Courts, tribunals, Royal Commissions, Boards of Inquiry, Formal Reviews and parliamentary committees are exempt for judicial, quasi-judicial or inquiry functions (ss 10, 10A, 11). Publicly available information, library, gallery, museum, public records and copyright archives are outside the Act (s 12), though public register administration remains subject to s 20(2).

The Act interacts with the Public Administration Act 2004 through definitions of public sector agency, public sector body Head and public service body Head. Local Government Act 2020 defines Council. Victoria Police Act 2013 defines Chief Commissioner and various personnel for employee status under s 118(3) and law enforcement data. Crime Statistics Act 2014 defines Chief Statistician, crime statistics data and systems.

Information usage arrangements can rely on information handling provisions in other enactments (definition in s 3 and s 45(1)(b)(iii)). Public interest determinations and temporary determinations cannot apply to IPP 4 or 6 (ss 29(3), 38(3), 39(3)).

The Charter of Human Rights and Responsibilities Act 2006 is preserved; nothing in the Act limits Charter rights, and data access powers under ss 106–109 are expressed to operate despite other laws other than the Charter (s 109).

Transitional provisions in Schedules 2 and 3 preserve certain actions under the repealed Information Privacy Act 2000 and Commissioner for Law Enforcement Data Security Act 2005, treat approved codes and registers as continuing, and apply this Act to pending complaints and notices. The Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 transitional provisions in Schedule 3 transfer functions, staff, property and pending matters to the Information Commissioner.

VCAT jurisdiction under the Victorian Civil and Administrative Tribunal Act 1998 is engaged for hearings, interim orders (s 72, cross-referencing s 123 of that Act), registration of conciliation agreements (s 69), review of certificates (s 56) and review of compliance notices (s 83). Inspection of exempt documents by VCAT is regulated (s 76) with reference to s 51(2) of the VCAT Act and FOI Act s 28(1) exemptions.

The Independent Broad-based Anti-corruption Commission Act 2011, Ombudsman Act 1973, Protected Disclosure Act 2012 and Integrity Oversight Victoria Act 2011 are engaged through referral powers (s 63), disclosure powers (ss 112–113) and reporting obligations (s 83D). Legal Profession Uniform Law Application Act 2014 defines certain legal services bodies included in law enforcement agencies.

In operation, the Act therefore sits within a web of information, privacy, health, law enforcement, public administration and anti-corruption legislation, yielding to specific statutory schemes while providing overarching principles and security obligations.

(Word count for this section: 389)

Amendments since enactment have refined exemptions, strengthened oversight, integrated the Information Commissioner framework, expanded information sharing gateways and updated procedural powers. The Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 inserted Part 1A (ss 8A–8P), restructured Commissioner functions (ss 8C–8D), replaced references to the former Commissioner for Privacy and Data Protection with the Information Commissioner, transferred staff and property (Schedule 3), and adjusted reporting (s 116). These changes centralised oversight of privacy, FOI and data security within one office to improve coordination and efficiency, as reflected in the new functions for developing frameworks, issuing standards, conducting audits and concurrent performance with the Deputy (ss 8E–8F).

Family violence and child safety amendments inserted ss 15A and 15B to exempt specified IPPs for collection, use and disclosure under the Family Violence Protection Act 2008 Part 5A and 5B and the Child Wellbeing and Safety Act 2005 Parts 6A and 7A. These exemptions extend to information sharing entities, restricted information sharing entities, authorised Hub entities, Central Information Point, Child Link users and the Secretary to the Department of Education and Training. The changes facilitate information sharing to protect victims of family violence and promote child wellbeing and safety, overriding consent and notice requirements where necessary (s 15B(5)).

Health Services Act 1988 amendments in s 15C created parallel exemptions for quality and safety bodies, health service entities, the Secretary to the Department of Health and Human Services and special advisers under Part 6B, again disapplying consent where required for collection of personal or sensitive information.

Terrorism (Community Protection) Act 2003 amendments via s 15D exempt authorised disclosers from IPP 1.3–1.5, 2 and 6 for collection, use and disclosure under Division 6 of Part 4A. These targeted exemptions reflect a policy of prioritising public safety, violence prevention, child protection, health quality and counter-terrorism over strict privacy compliance in defined circumstances.

Procedural updates include expanded powers for notices to produce or attend (Division 10, inserted 2017), requirements for audio-visual recording (s 83GA, 2019), service by electronic means or on authorised legal representatives (s 83C amendments 2021), and reporting to Integrity Oversight Victoria (s 83D, updated 2024). The 2024 amendments also updated the law enforcement agency definition to include Integrity Oversight Victoria (s 3) and adjusted s 83D reporting.

Definition updates reflect machinery of government changes (Council definition via Local Government Act 2020, addition of Post Sentence Authority, Victorian Legal Services Board and Commissioner). The protective data security standards issuance now requires ministerial agreement (s 86(4), 2024).

These changes broaden permissible information flows for public protection purposes, modernise oversight and procedural powers, integrate data security more tightly with privacy regulation, and respond to evolving threats in family violence, child safety, health, terrorism and data management while maintaining the core IPP framework and Commissioner independence (s 8A(3), 8B(3)).

(Word count for this section: 367)

The source text does not detail specific decided cases; instead it establishes the jurisdictional framework and identifies points of potential contention. VCAT has exclusive jurisdiction to hear complaints referred under ss 62, 66, 71 or by the Minister under s 65 (s 73(1)). Parties are the complainant and respondent, with the Information Commissioner able to be joined (s 74). Time limits apply for Minister-referred complaints (s 75). VCAT must ensure exempt documents (particularly those under FOI Act s 28(1)) are not disclosed except to members or staff, with limited orders possible under s 51(2) of the Victorian Civil and Administrative Tribunal Act 1998 (s 76). Decisions are limited where a certificate under s 83J(2) has been given (s 73(3)).

Controversies are likely to arise around the breadth of law enforcement exemptions in s 15, which turn on the agency's belief on reasonable grounds that noncompliance is necessary for listed functions. The exemption for community policing by Victoria Police (s 15(d)) and the expansive definition of law enforcement agency (s 3, including agencies performing prevention, detection, investigation or punishment functions) could generate disputes about characterisation of activities.

Information usage arrangements (Div 6) and public interest determinations (Div 5) involve public interest balancing tests (ss 31(2), 39(1), 47(3)–(4), 49). The requirement that public interest in handling substantially outweighs public interest in compliance, combined with consultation and reporting obligations (ss 29(4)–(6), 36, 48, 54), invites debate about weighting of privacy against public purposes. Disallowance by Parliament (s 42) adds a political layer.

The outsourcing provisions in s 17 create joint liability unless the contract contains the prescribed provision and the principle is enforceable against the provider. Determining whether a State contract meets s 17(2) and whether s 17(4) applies could be contentious, especially with the broad definition of contracted service provider and subcontractor (s 4(3)).

Compliance notices under s 78 require a serious or flagrant contravention or five breaches in two years. The threshold and the Commissioner's discretion (s 78(6) having regard to VCAT decisions) may be challenged on review (s 83). Notices to produce or attend raise self-incrimination, privilege and cabinet document issues (ss 83I–83J), with statutory secrecy expressly overridden (s 83K). The mandatory reporting to Integrity Oversight Victoria (s 83D) and audio-visual recording (s 83GA) introduce new accountability but also potential disputes about prejudice to complaint handling (s 83GA(5)).

Capacity provisions in s 28, particularly the definition of authorised representative and the test of incapacity despite reasonable assistance (s 28(3)), could generate disputes in guardianship, medical treatment and child representation contexts, especially with cross-references to the Guardianship and Administration Act 2019, Powers of Attorney Act 2014 and Medical Treatment Planning and Decisions Act 2016.

Protective data security plans and standards (ss 86–89) and their exemption from FOI (s 90) may create tension between security transparency and operational secrecy. The Commissioner's power to require access to data and systems (ss 106–108), including from the Chief Commissioner of Police (with limited refusal grounds in s 107(2)), has been the subject of statutory clarification through Deputy Commissioner powers and Victoria Police Act 2013 s 19 disapplication.

Overall, the text reveals a legislative design that channels disputes into structured conciliation, VCAT merits review and parliamentary disallowance, while leaving room for controversy around the breadth of exemptions, the weight of public interest tests, the scope of outsourcing liability and the balance between security and oversight.

(Word count for this section: 351)

Most practitioners assume the Act is limited to personal information, yet Part 4 applies protective data security standards to all public sector data, including non-personal information (definition in s 3 and s 88). A public sector body Head can therefore face compliance obligations and plan requirements for datasets that fall outside the IPPs.

The outsourcing rule in s 17(4) contains a trap: an act or practice by a contracted service provider is taken to be that of the outsourcing party unless the contract contains a binding provision and the relevant IPP is capable of enforcement against the provider under the Act's procedures. Many standard contracts fail the second limb, leaving the outsourcing party exposed.

Section 15 law enforcement exemptions turn on the agency's own belief on reasonable grounds. However, the exemption is from compliance with listed IPPs only; it does not automatically exempt from the broader interference with privacy definition in s 16 or from VCAT scrutiny if the belief is challenged as unreasonable.

Approved information usage arrangements under s 45 can modify IPPs or rely on information handling provisions, but only after a certificate (s 49), ministerial approval (s 50) and publication (s 50(4)–(5) with redactions for personal or exempt matter). Parties sometimes assume internal agreements suffice; without the statutory steps, the modification has no effect.

Public interest determinations and temporary determinations cannot cover IPP 4 (data security) or IPP 6 (access and correction) (ss 29(3), 38(3), 39(3)). Organisations facing security or access disputes cannot use this pathway.

The 45-day response period in IPP 6.8 is strict, yet s 62(1)(d) allows the Commissioner to decline complaints made more than 45 days after the complainant became aware of the act or practice. Late internal requests can therefore bar external complaints.

Conciliation evidence is inadmissible (s 70) but only if all parties agree otherwise. A party who wishes to preserve admissibility options must withhold agreement, a nuance often missed in settlement discussions.

Notices to produce or attend under s 83A can require immediate attendance if delay would risk evidence destruction, offence commission, escape or serious prejudice (s 83C(2)). The reasonable excuse defences in ss 83I–83K do not apply to the immediacy decision itself.

Section 120 secrecy applies to former Commissioners, acting Commissioners and former staff, creating lifelong obligations. Many former public servants underestimate the ongoing criminal risk.

The annual reporting obligation on approved information usage arrangements (s 54) and public interest determinations longer than 12 months (s 36) is often overlooked, yet the Commissioner must review the determination within 60 days of receiving the report (s 36(2)).

Finally, while the Act binds the Crown (s 8(1)), s 7(2) states a contravention does not create criminal liability except as expressly provided. Only the specific offences in ss 82, 120, 122 and 123 can ground prosecution; general IPP breaches remain civil or administrative only.

(Word count for this section: 378)

Organisations should begin with a mapping exercise: identify all personal information and public sector data holdings, map flows against the IPPs in Schedule 1 and applicable data security standards. A documented privacy policy addressing IPP 5.1 must be maintained and made available on request (IPP 5.1–5.2).

Collection practices must satisfy IPP 1: necessity test, lawful and fair means, timely notice to individuals (or steps to ensure awareness if collected from third parties), and preference for collection directly from the individual. Consent must be express or implied and, for sensitive information, explicit under IPP 10.1(a). Where capacity is in issue, verify authorised representative status under s 28(6) and ensure actions align with the individual's known wishes (s 28(4)).

Use and disclosure must stay within primary purpose or satisfy one of the IPP 2.1 exceptions. Document any secondary use or disclosure under IPP 2.1(g) (s 2.2). For research or statistics, ensure impracticability of consent and recipient non-disclosure undertakings.

Data quality (IPP 3) and security (IPP 4) require reasonable steps: regular accuracy checks, access controls, encryption, staff training, incident response plans and a destruction or de-identification policy. For public sector data systems, align with the Victorian protective data security framework and applicable standards issued under s 86.

Access and correction requests under IPP 6 must be actioned within 45 days. Establish procedures to assess the ten refusal grounds in cl 6.1, consider mutually agreed intermediaries (cl 6.3), charge only prescribed fees after advising the individual (cl 6.4), and provide written reasons for refusal or delay. Corrections or statements of correction must be attached to records.

Unique identifiers must be assigned only when necessary for efficient functions (IPP 7.1). Adoption of another organisation's unique identifier requires necessity, consent or outsourcing context (IPP 7.2). Use or disclosure is limited (IPP 7.3). Do not require provision of a unique identifier to obtain a service unless required or authorised by law or for the purpose it was assigned (IPP 7.4).

Anonymity must be offered wherever lawful and practicable (IPP 8). Transborder transfers require reasonable belief in substantially similar protections, consent, contractual necessity or reasonable steps to prevent inconsistent handling (IPP 9).

For codes of practice, assess whether an existing approved code applies or whether development of a sector-specific code would provide greater operational clarity. Any code must meet the stringency test and be approved through the s 22 process.

Protective data security plans are mandatory. Within two years of standards issuance, complete a security risk profile assessment covering contracted service providers, develop a plan addressing the standards, and review on significant change or biennially (s 89). Provide the plan to the Information Commissioner. Law enforcement entities must align with standards issued under s 92.

Implement a complaints handling system that directs individuals to the Information Commissioner where internal resolution is unavailable or after 45 days (s 57(2)(c)). Train staff on conciliation participation, notice response and VCAT processes. Maintain records of conciliation agreements for possible VCAT registration (s 69).

For information usage arrangements or public interest determinations, prepare detailed applications addressing the statutory criteria in ss 45 and 29, engage in required consultation, and ensure ongoing annual reporting (ss 36, 54).

Delegate appropriately under s 8O but retain core functions. Ensure all staff and contractors are aware of secrecy obligations (s 120) and protection from liability conditions (s 117). Conduct regular audits against IPPs and standards, retain evidence of reasonable steps for due diligence defences (s 118), and prepare for Commissioner access requests under ss 106–110.

Review contracts with service providers to include the necessary privacy binding clause (s 17(2)). Update policies whenever standards, codes or exemptions are amended. Maintain a register of all determinations, arrangements and certificates.

Compliance is an ongoing risk management exercise. Document every decision point—necessity, reasonable steps, public interest balancing, consent validity—to demonstrate adherence if audited or challenged.

(Word count for this section: 521)

(Total deep-dive word count: approximately 3,065)