We give out personal information frequently. 

In fact, there’s not a lot we can do without giving away our information. Opening a bank account, signing  a lease, applying for a job, seeking healthcare and even buying something all requires us to give out some kind of personal information. 

It may seem harmless and like a valid exchange in most cases. However, it’s still necessary that when we do give out our personal information, it remains protected so that it cannot be used against us.  

In 2014, Victoria passed legislation that aims to protect individuals when they come into contact with government agencies and share personal information with them. 

Keep reading to learn more. 

What Is The Privacy And Data Protection Act 2014 (Vic)?

The Privacy And Data Protection Act 2014 (Vic) (PDP Act) determines how Victorian government agencies are to handle the personal information they receive. 

The legislation does not cover health information or federal agencies such as Centrelink. It can only be applied to government agencies that are established within Victoria. 

The PDP Act provides 10 information privacy principles that give detailed instructions on how information is to be collected, what kind of information is suitable for collection and how it is to be used and stored. 

The principles also set the standard for the flow of information, quality, necessity and anonymity. 

What Are The Information Privacy Principles?

The information privacy principles listed under the PDP Act are as follows: 

  • Collection 
  • Use and disclosure
  • Data quality 
  • Data security
  • Openness
  • Access and correction
  • Unique identifiers
  • Anonymity 
  • Transborder data flows 
  • Sensitive information 

Each rule talks about what agencies need to do when collecting information. Every rule has an exception, so we recommend getting familiar with them as much as possible to make sure your conduct is within the bounds of the legislation. 

If you’re ever unsure, it’s best to contact a legal professional to gain some clarity. 

For more information on privacy and data protection, you can check out this guide.  

Why Is Privacy Important?

The right to privacy is considered to be a basic and fundamental human right. 

When an individual’s private information falls into the wrong hands, it can have some pretty serious consequences. This can include being used to influence a person’s personal or political decisions, compromising their dignity and risking their security. 

Therefore, when a person’s personal information is collected by an agency, they must take active steps to protect it. 

Personal Vs Sensitive Information

The 10th and final principle under the information privacy principles is sensitive information

The principle states that an agency should not be collecting the sensitive information of individuals unless an exception applies. 

You may be wondering, “isn’t all personal information sensitive? What is the difference?”

The answer is, while some type of sensitive information can also be personal information, not all types of personal information are sensitive. 

To elaborate, personal information is something that can be used to identify an individual. Types of personal information include: 

  • Phone number
  • Home address
  • Email address
  • Bank details
  • Birthplace

Sensitive information, on the other hand, is knowledge about another person that can be used against them in a biassed or predicted way. For example, an individuals sexual orientation, criminal history, ethnicity or health information can be used against them by triggering biases.

In most ordinary cases, there won’t be a need to collect sensitive information. However, if you do end up doing so, make sure you are complying with the relevant legislation and being active in protecting it.  

How Can I Comply With Victorian Privacy Legislation?

Even though the PDP Act is written for government agencies, it is also applicable for contracted services providers working on behalf of the government. If your organisation falls under this category, then you will need to comply with the legislation. 

If you need more information on your privacy obligations in Victoria, the Office of the Victorian Information Commissioner (OVIC) is the main government agency that deals with privacy regulations. 

Even if the local Victorian regulations don’t apply to your business, there are still other privacy regulations you will likely need to look into.  

On a federal level, it’s good to check if your business is covered by the Privacy Act 1988 or the Australian Privacy Principles

As this is federal legislation, it cannot be ignored for the Victorian one- meaning you will need to comply with both if they are applicable to you. 

In both cases, the privacy regulations require you to let  people know when their private information is being collected. This is done by having a privacy policy in place

What Should A Privacy Policy Contain?

A Privacy Policy is a legal document that lets users to your website know their information is being collected. It should be clear, easy to read and accessible for all users. 

Generally, your Privacy Policy needs to cover: 

  • The information that will be collected
  • Why the information is being collected
  • The purposes it will be used for
  • How long the information will be kept
  • How it be be stored
  • If the information will be shared with the third party 
  • Contact details if users want access to their private data 

If you need help writing your Privacy Policy, contact us today and our expert legal team will be happy to draw one up for you that is compliant with the relevant legislation. 

If you are not legally required to have a privacy policy, either under state or federal law, then you can still consider getting one. Being transparent with your customers or clients about what is being done with their information can help you build a more trusting relationship with them. 

In turn, this can help with your business’ overall relationship with the broader community. 

How To Build A Strong Cyber Security System

In addition to having a privacy policy, it’s also your duty to take active measures in building a strong cyber security system. This way, if a breach ever occurs and liability is being assessed, it can help to point out that your business did everything reasonably possible to keep all the information secure. 

There are a number of ways you can go about building a strong cyber security system, the method you choose will depend on the kind of data your business collects and the resources available to you. Common ways to secure data security include: 

  • Limiting the amount of people that have access to the data
  • Training all staff in cyber security measures
  • Keeping everything secured and password protected
  • Regularly updating your cyber security systems 

It also helps to be prepared in case a breach does occur. A Data Breach Response Plan is a set of steps that are put in place in case a breach happens. Having a plan in place can make your response more efficient and aid in resolving the issue quicker. 

International Data Privacy Laws

If your business expands outside of Australia, then you will need to be aware of international data privacy laws as well. 

Different regions may have privacy requirements that you will need to adhere to if your business operates in their country as well. For example, if you are thinking of opening your business up to the European audience, then you will need to update your privacy policy (or write a new one) that reflects their General Data Protection Regulation

Our lawyers can draft a GDPR Privacy Policy for your business. 

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union’s version of our privacy principles. When you’re taking a look at the GDPR, you may find similarities to the Australian principles, however, there are also some key differences. 

As we noted, their requirements for what a privacy policy must contain are a little more comprehensive than the Australian ones. Their definitions around what constitutes ‘personal data’ also differs slightly. 

It’s important to be aware of these differences and adjust your business practices as well as update those legal documents accordingly.  

Key Takeaways

Privacy and data protection are one of your most relevant legal obligations as a business. It’s important to be up to date with them and ensure your business’ practices are in line with the regulations. To summarise what we’ve discussed: 

  • The PDP Act is data and privacy legislation that applies mainly to Victorian government agencies
  • Privacy is a fundamental human right
  • Personal and sensitive information are two different things. Distinguishing them can aid in deciding what rules apply
  • If Victorian privacy legislations does not apply, federal ones might still be applicable
  • There’s a chance you will need to have a privacy policy in place
  • If your business collects data, then it should also actively aim to have a strong cyber security system 
  • Businesses that operate internationally need to follow the privacy regulations of overseas regions, such as the GDPR  

If you would like a consultation on privacy and data protection, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

5.0 Review Stars
(based on Google Reviews)
Do you need legal help?
Get in touch now!

We'll get back to you within 1 business day.

  • This field is for validation purposes and should be left unchanged.

Related Articles