Privacy and Data Protection Act 2014 (Vic)

The Privacy and Data Protection Act 2014 sets Victorian public-sector privacy and data security rules.

In force · Victoria · Plain-English guide · 4 practical checks

Plain-English explainers, not legal advice. Check the linked official source before you rely on a specific section, and get advice for your situation.

Start here

Quick read

  • The Privacy and Data Protection Act 2014 is mostly a Victorian public-sector privacy and data security law, but private businesses can still feel it through State contracts,...
  • If your business hosts systems, processes forms, manages records or provides services for a Victorian public-sector organisation, expect privacy, information security, incident...

Likely relevant if

  • Victorian businesses contracted to government departments, councils or public bodies
  • SaaS, IT, cybersecurity and records-management providers handling Victorian public-sector data
  • Consultants, outsourced service providers and agencies collecting personal information for Victorian public-sector work

Check first

  • Identify whether the business is acting as a contracted service provider to a Victorian public-sector organisation.
  • Build privacy and information security obligations into the contract, subcontractor terms and operating procedures.
  • Handle personal information consistently with the applicable information privacy principles and any approved code or public-sector direction.

Does this apply to your business?

For most small businesses, the Privacy Act 1988 is the first privacy law to check. The Victorian Privacy and Data Protection Act is different. It is aimed mainly at Victorian public-sector organisations, but it can become very practical for private businesses that work with them.

If you provide software, support, hosting, consulting, records management, marketing, recruitment, call-centre, health, education or community services to a Victorian public-sector customer, the contract may require you to follow privacy and protective data security controls that come from this Act.

In practice

  • Check whether the customer is a Victorian public-sector organisation.
  • Check whether you collect, store, access or process personal information for that customer.
  • Check whether the contract passes through privacy, security, audit, incident notice or subcontractor controls.
  • Do not assume your usual commercial privacy policy is enough for public-sector work.

What to put into the contract

The business risk usually shows up in the services agreement. A public-sector customer may expect detailed controls around where data is stored, who can access it, how incidents are reported, what happens if a subcontractor is used, and what evidence you can give if the customer is audited.

Practical sense check

  • Map the personal information and public-sector data you will handle.
  • Set clear permitted-use wording and ban unrelated use of the data.
  • Add incident reporting timeframes that your team can realistically meet.
  • Flow privacy and security obligations down to subcontractors.
  • Plan return, deletion and transition steps before the contract ends.

Plain-English glossary

Contracted service provider
A private provider that performs services for a Victorian public-sector organisation under a State contract, where privacy and security obligations can be pushed through the contract.
Information Privacy Principles
Victorian privacy principles that regulate how covered organisations collect, use, disclose, secure and give access to personal information.
Protective data security standards
Security standards for Victorian public-sector data and systems. They can matter commercially where a business stores, manages or processes public-sector data for a government customer.

Common questions

Does this Act apply to every Victorian small business?

No. It is mainly a Victorian public-sector regime. A private business should pay close attention if it is a contracted service provider, handles Victorian public-sector information, or is asked to comply with public-sector privacy and protective data security obligations in a tender or services contract.

Is this the same as the Privacy Act 1988?

No. The Commonwealth Privacy Act is separate. Some businesses need to think about both: the Commonwealth Act for customer and employee data, and this Victorian Act where public-sector work or Victorian government data is involved.

What should I check before signing a Victorian government contract?

Check the privacy clauses, data security standards, incident notification duties, audit rights, subcontracting rules, offshore hosting restrictions and data return or deletion obligations.

Update history

Reviewed · 2000 Act

Information Privacy Act 2000 history added

Victorian Legislation records the Information Privacy Act 2000 as Act 98 of 2000 in the as-made legislation collection.