VIC | In Force | Act
Privacy and Data Protection Act 2014
129 Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017
Schedule 3 has effect.
New s. 130 inserted by No. 11/2021 s. 170, repealed by No. 60/2014 s. 130(4).
Pt 9 (Heading and ss 129–141) repealed by No. 60/2014 s. 141.
Schedules
Schedule 1—The Information Privacy Principles
In these Principles—
Sch. 1 def. of *sensitive information* amended by No. 31/2024 s. 61.
***sensitive information*** means information or an opinion about an individual's—
(a) racial or ethnic origin; or
(b) political opinions; or
(c) membership of a political association; or
(d) religious beliefs or affiliations; or
(e) philosophical beliefs; or
(f) membership of a professional or trade association; or
(g) membership of a trade union; or
(h) sexual orientation or practices; or
(i) criminal record—
that is also personal information;
Sch. 1 def. of *unique identifier* amended by No. 60/2017 s. 34(1).
***unique identifier*** means an identifier (usually a number) assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual's name and does not include an identifier within the meaning of the **Health Records Act 2001**.
1 Principle 1—Collection
1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.
1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of—
(a) the identity of the organisation and how to contact it; and
(b) the fact that the individual is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in IPP 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
2 Principle 2—Use and Disclosure
2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(a) both of the following apply—
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual—
(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and
(ii) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information; or
(d) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent—
Sch. 1 cl. 2.1(d)(i) amended by No. 23/2017 s. 22(1).
(i) a serious threat to an individual's life, health, safety or welfare; or
(ii) a serious threat to public health, public safety or public welfare; or
(e) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(f) the use or disclosure is required or authorised by or under law; or
(g) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(h) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the organisation to disclose the personal information and—
(i) the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure; and
(ii) an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) for the purposes of this paragraph has certified that the disclosure would be connected with the performance by ASIO or ASIS (as the case requires) of its functions.
2.2 If an organisation uses or discloses personal information under IPP 2.1(g), it must make a written note of the use or disclosure.
3 Principle 3—Data Quality
3.1 An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.
4 Principle 4—Data Security
4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
5 Principle 5—Openness
5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.
5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
6 Principle 6—Access and Correction
6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that—
Sch. 1 cl. 6.1(a) amended by No. 23/2017 s. 22(2).
(a) providing access would pose a serious threat to the life or health of any individual; or
(b) providing access would have an unreasonable impact on the privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
(d) the information relates to existing legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or
(e) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(f) providing access would be unlawful; or
(g) denying access is required or authorised by or under law; or
(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(i) providing access would be likely to prejudice—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders—
by or on behalf of a law enforcement agency; or
(j) ASIO, ASIS or a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
6.3 If the organisation is not required to provide the individual with access to the information because of one or more of IPP 6.1(a) to (j) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 If an organisation charges for providing access to personal information, the organisation—
(a) must advise an individual who requests access to personal information that the organisation will provide access on the payment of the prescribed fee; and
(b) may refuse access to the personal information until the fee is paid.
6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date.
6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation must take reasonable steps to do so.
6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.
6.8 If an individual requests access to, or the correction of, personal information held by an organisation, the organisation must—
(a) provide access, or reasons for the denial of access; or
(b) correct the personal information, or provide reasons for the refusal to correct the personal information; or
(c) provide reasons for the delay in responding to the request for access to or for the correction of personal information—
as soon as practicable, but no later than 45 days after receiving the request.
7 Principle 7—Unique Identifiers
7.1 An organisation must not assign unique identifiers to individuals unless the assignment of unique identifiers is necessary to enable the organisation to carry out any of its functions efficiently.
7.2 An organisation must not adopt as its own unique identifier of an individual a unique identifier of the individual that has been assigned by another organisation unless—
(a) it is necessary to enable the organisation to carry out any of its functions efficiently; or
(b) it has obtained the consent of the individual to the use of the unique identifier; or
(c) it is an outsourcing organisation adopting the unique identifier created by a contracted service provider in the performance of its obligations to the organisation under a State contract.
7.3 An organisation must not use or disclose a unique identifier assigned to an individual by another organisation unless—
(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the other organisation; or
(b) one or more of IPP 2.1(d) to (g) applies to the use or disclosure; or
(c) it has obtained the consent of the individual to the use or disclosure.
7.4 An organisation must not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned.
8 Principle 8—Anonymity
8.1 Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.
9 Principle 9—Transborder Data Flows
9.1 An organisation may transfer personal information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if—
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Information Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of precontractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply—
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain that consent, the individual would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.
10 Principle 10—Sensitive Information
10.1 An organisation must not collect sensitive information about an individual unless—
(a) the individual has consented; or
Sch. 1 cl. 10.1(b) amended by No. 60/2017 s. 34(2).
(b) the collection is required or authorised under law; or
Sch. 1 cl. 10.1(c) amended by No. 23/2017 s. 22(3).
(c) the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual whom the information concerns—
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
10.2 Despite IPP 10.1, an organisation may collect sensitive information about an individual if—
(a) the collection—
(i) is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or
(ii) is of information relating to an individual's racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and
(b) there is no reasonably practicable alternative to collecting the information for that purpose; and
(c) it is impracticable for the organisation to seek the individual's consent to the collection.
Schedule 2—Transitional and savings provisions
1 Definitions
In this Schedule—
***commencement day*** means the day on which Part 8 comes into operation;
***Commissioner for Law Enforcement Data Security*** means the Commissioner for Law Enforcement Data Security appointed under section 5 of the **Commissioner for Law Enforcement Data Security Act 2005** as in force immediately before the commencement day;
***former Commissioner*** means—
(a) the Commissioner for Law Enforcement Data Security; or
(b) the Privacy Commissioner;
***old Act*** means—
(a) the **Commissioner for Law Enforcement Data Security Act 2005**; or
(b) the **Information Privacy Act 2000**;
***Privacy Commissioner*** means the Privacy Commissioner appointed under section 50 of the **Information Privacy Act 2000** as in force immediately before the commencement day.
2 General transitional provisions
(1) This Schedule does not affect or take away from the **Interpretation of Legislation Act 1984**.
(2) If a repealed provision of an old Act continues to apply by force of this Schedule, the following provisions also continue to apply in relation to that provision—
(a) any other repealed provisions of the old Act necessary to give effect to that provision;
(b) any regulations made under the old Act for the purposes of that provision.
(3) Without limiting subclause (1), in declaring that certain provisions of the new Act are to be treated as re-enacting with modifications certain provisions of the **Information Privacy Act 2000**, this Schedule must not be taken to limit the operation of any provision of the **Interpretation of Legislation Act 1984** relating to the re‑enactment.
(4) This Schedule applies despite anything to the contrary in any other provision of the new Act.
3 Superseded reference
(1) On and from the commencement day, a reference to an old Act in any Act or in any instrument made under any Act or in any other document of any kind, must be read as a reference to this Act unless the context otherwise requires.
(2) In this clause, a reference to any Act does not include a reference to this Act or a provision of an old Act continued by this Act.
4 Re-enacted provisions—Information Privacy Act 2000
A provision or provisions of the **Information Privacy Act 2000** specified in Column 1 of the Table are taken to be re-enacted (with modifications) by the provision or provisions of this Act appearing opposite in Column 2 of the Table.
| *Old provision* | *New provision* |
| --- | --- |
| Section 14(1) and (2) | Section 18 |
| Section 15(2) | Section 19 |
| Section 16(1) and (4) | Section 20 |
| Section 18 | Section 21 |
| Section 19 | Section 22 |
| Section 20 | Section 23 |
| Section 21 | Section 24 |
| Section 22 | Section 25 |
| Section 23 | Section 26 |
| Section 24 | Section 27 |
| Section 25 | Section 57 |
| Section 26 | Section 58 |
| Section 27 | Sections 59 and 60 |
| Section 28 | Section 61 |
| Section 29 (except subsection (3)) | Section 62 |
| Sections 29(3), 34A, 34B, 34C and 34D | Section 63 |
| Section 30 | Section 64 |
| Section 31 | Section 65 |
| Section 32 | Section 66 |
| Section 33 | Section 67 |
| Section 34 | Section 68 |
| Section 35 | Section 69 |
| Section 36 | Section 70 |
| Section 37 | Section 71 |
| Section 38 | Section 72 |
| Section 39 | Section 73 |
| Section 40 | Section 74 |
| Section 41 | Section 75 |
| Section 42 | Section 76 |
| Section 43 | Section 77 |
| Section 44 | Section 78 |
| Section 45 | Section 79 |
| Section 46 | Section 80 |
| Section 47 | Section 81 |
| Section 48 | Section 82 |
| Section 49 | Section 83 |
| Section 64 | Section 28 |
| Section 65 | Section 122 |
| Section 66 | Section 117 |
| Section 68 | Section 118 |
| Section 69 | Section 119 |
| Schedule 1 | Schedule 1 |
5 Office of Privacy Commissioner abolished
(a) the office of the Privacy Commissioner is abolished and the person holding that office and any person acting in that office go out of office; and
(b) all rights, property and assets that, immediately before that day, were vested in the office of the Privacy Commissioner are, by force of this section, vested in the office of the Commissioner; and
(c) all debts, liabilities and obligations of the office of the Privacy Commissioner existing immediately before that day become, by force of this section, debts, liabilities and obligations of the office of the new Commissioner; and
(d) the Commissioner is, by force of this section, substituted as a party to any proceeding pending in any court or tribunal to which the Privacy Commissioner was a party immediately before that day; and
(e) the Commissioner is, by force of this section, substituted as a party to any arrangement or contract entered into by or on behalf of the Privacy Commissioner as a party and in force immediately before that day.
6 Office of Commissioner for Law Enforcement Data Security abolished
(a) the office of the Commissioner for Law Enforcement Data Security is abolished and the person holding that office and any person acting in that office go out of office; and
(b) all rights, property and assets that, immediately before that day, were vested in the office of the Commissioner for Law Enforcement Data Security are, by force of this section, vested in the office of the Commissioner; and
(c) all debts, liabilities and obligations of the office of the Commissioner for Law Enforcement Data Security existing immediately before that day become, by force of this section, debts, liabilities and obligations of the office of the Commissioner; and
(d) the Commissioner is, by force of this section, substituted as a party to any proceeding pending in any court or tribunal to which the Commissioner for Law Enforcement Data Security was a party immediately before that day; and
(e) the Commissioner is, by force of this section, substituted as a party to any arrangement or contract entered into by or on behalf of the Commissioner for Law Enforcement Data Security as a party and in force immediately before that day.
7 References to former Commissioner
On the commencement day any reference to a former Commissioner in any Act (other than this Act) or in any rule, regulation, order, agreement, instrument, deed or other document (by whatever name called or however described) must, so far as it relates to any period on or after that day and if not inconsistent with the context or subject-matter, be construed as a reference to the Commissioner.
8 Staff of Privacy Commissioner and Commissioner for Law Enforcement Data Security
On the commencement day, any staff employed under Part 3 of the **Public Administration Act 2004** immediately before the commencement day by a former Commissioner are taken to be employed by the Commissioner under section 114 of this Act.
9 Offences
On and after the commencement day, the Commissioner may commence or continue a prosecution for an offence committed under the **Information Privacy Act 2000** or the **Commissioner for Law Enforcement Data Security Act 2005**.
10 Annual reports under Information Privacy Act 2000 for reporting periods which end before commencement day
(b) the Privacy Commissioner has not prepared a report of operations referred to in section 62 of the **Information Privacy Act 2000** for that reporting period before that day.
(2) On and after the commencement day, the Commissioner must, for the reporting period, prepare a report of operations under Part 7 of the **Financial Management Act 1994** which includes the information required by section 62 of the **Information Privacy Act 2000**.
(3) Section 62 of the **Information Privacy Act 2000** applies for the purposes of subclause (2) as if that section had not been repealed.
11 Annual reports under Information Privacy Act 2000 for reporting periods that end on or after commencement day
(1) This clause applies if a reporting period ends on or after the commencement day.
(2) On and after the commencement day, the Commissioner must, for the reporting period, prepare a report which includes the information required by section 62 of the **Information Privacy Act 2000** and include that report as part of the Commissioner's first report after the end of the reporting period under section 116.
(3) Section 62 of the **Information Privacy Act 2000** applies for the purposes of subclause (2) as if that section had not been repealed.
12 Approved codes of practice
(1) On the commencement day, an approved code of practice under the **Information Privacy Act 2000** that was in operation immediately before that day, is taken to be an approved code of practice under this Act.
(2) On the commencement day, the register of approved codes of practice kept under section 22 of the **Information Privacy Act 2000** is taken to be the register established under section 25 of this Act.