Before you begin
Slot gameThis digital guide is for Victorian public sector organisations developing a digital service that might involve the collection, handling, use or disclosure of personal information. It’s designed to help you think about your obligations under the Privacy and Data Protection Act 2014 (Vic) (PDP Act), including the Information Privacy Principles (IPPs) which are set out in Schedule 1 of the PDP Act.
Examples of a digital service include mobile applications, websites and other online platforms. All digital services that deal with personal information in the manner described above must comply with the IPPs.
In this digital guide, ‘personal information’ is understood to have the same meaning provided in section 3 of the PDP Act.
The information in this guide is general in nature and it shouldn’t be regarded as legal advice. If you need more specific information, get independent legal advice or consult the relevant policy.
Who must protect privacy?
Part 3 of the PDP Act governs the handling of personal information in the Victorian public sector. This includes data collected through digital services.
A list of organisations that are subject to the PDP Act includes:
- public sector agencies
- local councils
- courts or tribunals
- Victoria Police (with some exceptions)
- contracted service providers (in relation to the services they provide under a State contract)
Slot gameVisit the OVIC website for a list of
Slot gameVisit the Victorian Public Sector Commission (VPSC) for a full list of
Your organisation may be subject to other legislation which covers the handling of personal information. In some cases, this may override or modify the PDP Act. We recommend speaking to your organisation’s legal counsel or Privacy Officer to see if this applies to you.
Why is privacy important?
Slot gamePrivacy is important for digital services as many of them rely on the collection and use of data in one way or another. It’s also easier to collect and analyse data now more than ever. Users are becoming aware of this and they expect greater privacy protections. But there are other reasons why privacy is important:
- Privacy is a human right under the Charter of Human Rights and Responsibilities Act 2006 (Vic)
- Privacy rights are legislated
- Good privacy practice builds trust and engagement with your digital service
- Privacy breaches can cause harm to your users, and financial and reputational damage to your organisation
- Responding to privacy complaints and data breaches can be costly and time-consuming
What is personal information?
Slot gameThe PDP Act defines 'personal information' and how it must be handled.
Slot gamePersonal information is defined as:
Information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but doesn’t include information of a kind to which the Health Records Act 2001 applies.
Slot gameIf your digital service collects, uses or discloses personal information, then the PDP Act and the 10 IPPs apply.
What is sensitive information?
Slot gameSensitive information is a subset of personal information. There are greater obligations when collecting and handling sensitive information because it carries greater risk. An unauthorised collection or use of sensitive information is likely to be more damaging than for personal information. For example, sensitive information could potentially be used to discriminate on the basis of racial or ethnic origin, sexual practices, or political opinions.
The PDP Act defines sensitive information under the following categories:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual orientation or practices
- criminal record - that is also personal information
Slot gameSensitive information must only be collected if it is permitted by one of the exceptions listed in IPP 10. In most cases, you must get informed consent from the user when collecting sensitive information. If sensitive information is collected, it remains subject to all the other IPPs just like all other personal information.
Visit the OVIC website for .
What about health information?
The collection and handling of health information is regulated by:
- the Health Records Act 2001 (Vic)
- the Health Privacy Principles (HPPs) set out in Schedule 1 of the Health Records Act 2001
Slot gameThe HPPs apply to both public sector and private sector organisations.
Slot gameUnder the Health Records Act 2001, the definition of ‘health information’ is not limited to an individual’s medical conditions; it also includes, among other things, other personal information collected to provide a health service.
Slot gameHealth information is not just about medical conditions; it can also include behavioural and wellbeing information.
You’ll need to comply with the HPPs if your digital service collects health information (as defined in the Health Records Act 2001).
Read more about the
Information Privacy Principles (IPPs)
Slot gameThe 10 Information Privacy Principles (IPPs) are the core of privacy law in Victoria. They set out the minimum standard for how the Victorian public sector should manage personal information.
It’s important to review the IPPs and understand what they mean for your digital service. It's likely that most (if not all) of the IPPs will apply.
Read for more information.
The Office of the Victorian Information Commissioner (OVIC)
OVIC is the primary regulator and source of independent advice about how the public sector is permitted to collect, use and disclose personal information.
OVIC provides to help agencies understand their privacy obligations under the PDP Act.
What standards must be met?
You must comply with the Privacy and Data Protection Act 2014 (Vic) and the 10 IPPs when collecting, handling, using or disclosing personal information.
What does the Victorian Government recommend?
Here are a range of tools and processes to help you meet your privacy obligations when designing, building and managing a digital service. Some of these are a requirement under the PDP Act.
Know if you’re handling personal information
Personal information is any information about an individual who is identified or whose identity is reasonably ascertainable. There is no definitive list of what is or isn't personal information. It can depend on who is collecting the information and the context in which they are collecting it. It can also change over time.
Work with your Privacy Officer
Most public sector organisations have a Privacy Officer. The role of a Privacy Officer is to promote good privacy practices in your organisation and help you comply with your privacy obligations.
Slot gameInvolve your Privacy Officer at the start of any project that may involve personal information. They can help you with:
- conducting a Privacy Impact Assessment (PIA)
- writing a collection notice
- developing a privacy statement
- responding to a data breach or privacy complaint
Slot gameOVIC encourages all organisations to have a Privacy Officer. You should nominate a Privacy Officer if your organisation doesn’t already have one.
Protect privacy by design
Slot gameProtecting privacy is not a ‘check the box’ activity. Privacy by design means proactively embedding good privacy practices into the design of your technologies, services and business practices. Everyone in your organisation shares a responsibility to protect privacy.
To protect privacy by design, you can:
- include prompts and templates for privacy in your project initiation documents
- conduct Privacy Impact Assessments at the start of any project that may involve personal information
- create a culture of privacy in your organisation
Slot gameTalk to your Privacy Officer for help with protecting privacy by design or
Minimise your data
Slot gameOne way to protect the privacy of your users is to minimise the amount of personal information you collect and handle. To minimise your data, you must:
- give your users the option of remaining anonymous when entering into transactions with your organisation (IPP 8)
- only collect the personal information if it’s necessary for one or more of your organisation’s activities (IPP 1.1)
- destroy or permanently de-identify any personal information you no longer need (IPP 4.2)
Conduct a Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) is an important tool that helps you to evaluate your digital service's compliance with the IPPs. A PIA is a great way to identify any potential privacy risks and plan accordingly.
You should conduct a PIA at the start of any project that potentially involves personal information. For digital services, this is likely to be all of them.
Slot gameThere may be more than 1 party involved when building or managing a digital service. If this is the case, when protecting privacy:
- consider convening a team, with representatives from both parties, to conduct a joint PIA
- be clear about how accountability is shared between the parties
- work with the other party to make sure they’re aware of their responsibilities around personal information
Slot gameA PIA is a ‘living document’ and should be reviewed and updated regularly. You should also update your PIA if you plan to make changes to your digital service that may impact the collection or handling of personal information.
Ask your Privacy Officer for help with completing a PIA. They may also have a template you can use.
Slot gameOVIC has a for organisations to download and use and a .
Provide a collection notice
When collecting personal information, you must take reasonable steps to ensure that the user is aware of the collection. This requirement is described in IPP 1.3. This is so that your users can make an informed decision about disclosing their personal information.
Here are some examples of when a collection notice may be required for a digital service:
- subscribing to an email newsletter
- submitting an application
- filling out a survey
- creating an account
- registering for an event
A collection notice is a small statement provided to your users at the time and point of collection, briefly describing why their information is being collected and what it will be used for. IPP 1.3 contains a list of information that must be included in a collection notice. We recommend that collection notices be:
- highly visible
- clearly tied to the information you are collecting
Slot gameAsk your Privacy Officer for help with creating a collection notice. You can visit the OVIC website for more information about what must be in your collection notice.
Slot gameGetting consent is not the same as providing a collection notice. Consent is an element of collection that is required in particular circumstances. You may need to get consent from your users when you want to:
- use their personal information for something different from when you first collected it (a secondary purpose)
- adopt or disclose a unique identifier
- transfer their personal information outside of Victoria
- collect sensitive information
Slot gameSpeak to your Privacy Officer to understand if you need to get consent from your users. If you are getting consent, make sure that:
- the individual has the capacity to consent
- the consent is voluntary, informed, specific and current
There are some circumstances in which consent is not necessary, for example where there is authorising legislation that provides for this. Consult your Privacy Officer for more information.
Visit the OVIC website for more
Develop a privacy statement
A privacy statement is a description of how your digital service manages personal information. It demonstrates your digital service’s commitment to privacy by explaining how it adheres to its privacy obligations.
Slot gameA privacy statement helps you to meet your obligations under the IPPs but it’s also for the benefit of your users. Keep this in mind when developing a privacy statement; it should be informative and easy to understand.
Slot gameAsk your Privacy Officer for help with developing a privacy statement. You can also read
Slot gameYour users should be able to easily find your privacy statement on your digital service.
Protect privacy when using vendor tools
Many digital services use vendor tools and software to help them function or improve their service. These tools provide capabilities such as data analytics, mailing services and online form submission. These tools often collect and handle your users' information automatically. They may also store or transfer your users' information outside of Victoria or disclose their information to other parties.
Plan how you will work with these vendors to protect your users’ privacy. These vendor tools and their information handling practices must comply with the IPPs (to the extent they are dealing with the personal information of your users). During your PIA, map what vendor tools your digital service will use and the personal information they will handle. To protect your users’ privacy when using vendor tools, you should:
- minimise the vendor tools your digital service use and the information they collect
- consider engaging the vendor as a contracted service provider (CSP)
- ensure any contracts or terms of service are consistent with the IPPs
- include in your privacy statement the vendor tools your digital service uses, the information they collect and how the handle it
- provide a collection notice if the information they collect is potentially personal information
You should review your privacy impact assessment whenever you are considering using a new vendor tool with your digital service.
We recommend seeking advice from your Privacy Officer, legal counsel or OVIC on how to ensure your third-party web vendor tools are following the IPPs.
Work with your CSP to protect privacy
You may be thinking of engaging a contracted service provider (CSP) to help you design, build or manage your digital service. The services provided by a CSP should comply with the PDP Act and the IPPs.
Slot gameWork with your CSP to protect the privacy of your users. Make sure that your contract with the CSP outlines what their privacy obligations are. You may also want to direct them to any resources (such as this Digital Guide) to help them comply with the PDP Act.
Visit the OVIC website for more information on
Keep your personal information secure
Any personal information your digital service collects should be stored securely. Your organisation may be subject to the Victorian Protective Data Security Framework and Victorian Protective Data Security Standards.
Slot gameYou must comply with IPP 9 if you are storing your personal information outside of Victoria.
Protect privacy when sharing information
Slot gameThere are many benefits to sharing information. However, it’s vital that information sharing is done responsibly to protect individuals’ privacy rights. You must comply with IPP 2 when disclosing personal information.
View the OVIC website for more
Slot gameHere are some other ways to share information while protecting privacy.
Publish an open data set
The Victorian Government encourages making Victorian government data available to the public. The open data policy has been developed to support this.
Not all government data is suitable for release. Access to data may need to be restricted for reasons of:
- public safety
- law enforcement
- public health
- pre-existing contractual arrangements.
De-identify your data
Slot gameIt’s important to de-identify your data before sharing it, particularly in an open-data context.
Use an API
An application programming interface (API) is an interface that enables safe and reliable software communication.The Victorian Government takes an API-first approach. This approach favours the use of APIs in most integration scenarios. We recommend including an API with every Victorian Government online service, where possible.
Plan for data breaches
A breach of your digital service's data can impact the privacy of your users. It’s important to plan for data breaches.
To help prepare for a data breach, OVIC recommends developing a data breach response plan. This plan outlines how you will respond to a data breach by providing guidance and sharing responsibility.
Your organisation may already have in place a data breach response plan.
Slot gameOVIC have issued a that are subject to the PDP Act to prepare for and respond to the privacy implications of data breaches that involve personal information.
Slot gameData breaches with a Business Impact Level (BIL) of 2 or higher must be reported to OVIC under the . Speak to your privacy officer or cyber security team for more information on reporting requirements.
Respond to privacy complaints
It’s important that your users are made aware of their right to lodge a privacy complaint, and how this can be done. It’s also important to take privacy complaints seriously. We recommend including this in your privacy statement.
Ask your Privacy Officer for help with responding to privacy complaints.
OVIC have provided a .
The Victorian Ombudsman's may help you to resolve a privacy complaint in the first instance.
Reviewed 07 September 2020