Privacy and Data Protection Act 2014 (Vic)
Version No. 031
Privacy and Data Protection Act 2014
No. 60 of 2014
Version incorporating amendments as at
11 September 2024
TABLE OF PROVISIONS
Section Page
Part 1—Preliminary
1Purposes
2Commencement
3Definitions
4Interpretation
5Objects
6Relationship of this Act to other laws
7Rights and liabilities
8Act binds the Crown
Part 1A—Functions, powers of Information Commissioner and appointment of Privacy and Data Protection Deputy Commissioner
Division 1—Performance of functions
8AFunctions of Information Commissioner
8BFunctions of Privacy and Data Protection Deputy Commissioner
8CInformation privacy functions
8DProtective data security and law enforcement data security functions
8EPerformance of concurrent functions
8FInformation Commissioner may confer functions on Privacy and Data Protection Deputy Commissioner
8GGeneral powers of Information Commissioner and Privacy and Data Protection Deputy Commissioner
Division 2—Privacy and Data Protection Deputy Commissioner
8HAppointment of Privacy and Data Protection Deputy Commissioner
8ITerms and conditions of appointment of Privacy and Data Protection Deputy Commissioner
8JRemuneration
8KVacancy and resignation of Privacy and Data Protection Deputy Commissioner
8LSuspension and removal from office
8MActing Privacy and Data Protection Deputy Commissioner
8NValidity of acts and decisions
Division 3—General
8ODelegation
8PDirections
Part 2—Application of this Act
9Definition
10Courts, tribunals etc.
10ARoyal Commissions etc.
11Parliamentary Committees
12Publicly-available information
Part 3—Information privacy
Division 1—Application of this Part
13Public sector organisations to which this Part applies
14Exemption—Freedom of Information Act 1982
15Exemption—law enforcement
15AExemption—information sharing under the Family Violence Protection Act 2008
15BExemption—information sharing under the Child Wellbeing and Safety Act 2005
15CExemption—information sharing for quality and safety purposes under the Health Services Act 1988
15DInformation sharing under Division 6 of Part 4A of Terrorism (Community Protection) Act 2003
16What is an interference with privacy of an individual?
17Effect of outsourcing
Division 2—Information Privacy Principles
18Information Privacy Principles
19Application of Information Privacy Principles
20Organisations to comply with Information Privacy Principles
Division 3—Codes of practice
21Codes of practice
22Process for approval of code of practice or code amendment
23Organisations bound by code of practice
24Effect of approved code
25Codes of practice register
26Revocation of approval
27Effect of revocation of approval or amendment or expiry of approved code
Division 4—Capacity to consent or make a request or exercise right of access
28Capacity to consent or make a request or exercise right of access
Division 5—Public interest determinations and temporary public interest determinations
Subdivision 1—Public interest determinations
29Public interest determination
30Application taken to be application for temporary public interest determination on request
31Information Commissioner may make public interest determination
32Effect of public interest determination
33Duration of public interest determination
34Amendment of public interest determination
35Revocation of public interest determination
36Reporting and review
Subdivision 2—Temporary public interest determinations
37Temporary public interest determination
38Application for temporary public interest determination
39Information Commissioner may make temporary public interest determination
40Duration of temporary public interest determination
41Revocation of temporary public interest determination
Subdivision 3—Disallowance of determinations
42Disallowance of determinations
Division 6—Information usage arrangements
43Definitions
44Approval of arrangement not required if information use otherwise permitted
45Meaning of information usage arrangement
46Parties to an information usage arrangement
47Information Commissioner to consider information usage arrangement
48Information Commissioner's report
49Information Commissioner's certificate
50Ministerial approval of information usage arrangement
51Effect of approved information usage arrangement
52Amendment of approved information usage arrangement
53Revocation of approval of information usage arrangement
54Reporting requirements for approved information usage arrangements
Division 7—Certification
55Information Commissioner may certify consistency of act or practice
56Review of decision to issue certificate
Division 8—Information privacy complaints
Subdivision 1—Making a complaint
57Complaints
58Complaint referred to Information Commissioner
59Complaints by minors
60Complaints by people with a disability
Subdivision 2—Procedure after a complaint is made
61Information Commissioner must notify respondent
62Circumstances in which Information Commissioner may decline to entertain complaint
63Information Commissioner may refer complaint
64Information Commissioner may dismiss stale complaint
65Minister may refer a complaint direct to VCAT
65APreliminary inquiries and consultation
65BInformal resolution
66What happens if conciliation is inappropriate?
Subdivision 3—Conciliation of complaints
67Conciliation process
68Information Commissioner may issue notice to produce or attend
69Conciliation agreements
70Evidence of conciliation is inadmissible
71What happens if conciliation fails?
Subdivision 4—Interim orders
72VCAT may make interim orders before hearing
Subdivision 5—Jurisdiction of VCAT
73When may VCAT hear a complaint?
74Who are the parties to a proceeding?
75Time limits for complaints referred by the Minister
76Inspection of exempt documents by VCAT
77What may VCAT decide?
Division 9—Enforcement of Information Privacy Principles and approved information usage arrangements
78Compliance notice
79Power to compel production of documents or attendance of witness
82Offence not to comply with compliance notice
83Application for review
Division 10—Notices to produce or attend
83ANotice to produce or attend
83BVariation or revocation of a notice to produce or attend
83CService of notice to produce documents or to attend
83DOffice of the Information Commissioner to report to the Victorian Inspectorate on issue of notice to produce or attend
83EPower to take evidence on oath or affirmation
83FLegal advice and representation
83GProtection of legal practitioners and persons—notice to produce or attend
83GAAudio or video recording of examination
83HFailure to comply with notice to produce or attend
83IReasonable excuse—self-incrimination
83JReasonable excuse—cabinet documents and legal professional privilege
83KStatutory secrecy not a reasonable excuse
83LAct applies equally to attendance in person or by audio or audio visual link
Part 4—Protective data security
Division 1—Application of Part
84Application of Part
Division 2—Protective data security framework
85Information Commissioner to develop Victorian protective data security framework
Division 3—Protective data security standards
86Information Commissioner may issue protective data security standards
87Amendment, revocation or reissue of standards
88Compliance with protective data security standards
Division 4—Protective data security plans
89Protective data security plans
90Exemption—Freedom of Information Act 1982
Part 5—Law enforcement data security
91Application of Part
92Information Commissioner may issue law enforcement data security standards
93Inconsistency with protective data security standards
94Compliance with law enforcement data security standards
Part 6—General powers of Information Commissioner
Division 1—General powers of Information Commissioner
106Information Commissioner may require access to data and data systems from public sector body Heads
107Information Commissioner may require access to data and data systems from Chief Commissioner of Police
108Information Commissioner may request access to crime statistics data
109Information Commissioner may copy or take extracts from data
110Public sector body Heads to provide assistance
111Reports to the Minister and other reports
112Disclosure during course of compliance audit—data security
113Disclosure to the IBAC
Division 2—Reporting
116Report on performance and exercise of powers
Part 7—General
117Protection from liability
118Employees and agents
119Fees for access
120Secrecy
121Information Commissioner to give notice before certain disclosures
122Offence to obstruct, mislead or provide false information
123Offences by organisations or bodies
124Prosecutions
125Regulations
Part 8—Repeal of Acts and transitional and savings provisions
126Repeal of Information Privacy Act 2000
127Repeal of Commissioner for Law Enforcement Data Security Act 2005
128Transitional and savings provisions
129Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017
Schedules
Schedule 1––The Information Privacy Principles
Schedule 2––Transitional and savings provisions
Schedule 3—Transitional provisions—Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017
═══════════════
Endnotes
1 General information
2 Table of Amendments
3 Explanatory details
Version No. 031
Privacy and Data Protection Act 2014
No. 60 of 2014
Version incorporating amendments as at
11 September 2024
The Parliament of Victoria enacts:
PART 1—PRELIMINARY
1Purposes
The purposes of this Act are—
(a)to provide for responsible collection and handling of personal information in the Victorian public sector; and
(b)to provide remedies for interferences with the information privacy of an individual; and
(c)to establish a protective data security regime for the Victorian public sector; and
(d)to establish a regime for monitoring and assuring public sector data security; and
(e)to provide for the appointment of the Privacy and Data Protection Deputy Commissioner; and
(f)to repeal the Information Privacy
Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005 and make consequential amendments to other Acts.
2Commencement
(1)Subject to this section, this Act comes into operation on a day or days to be proclaimed.
(2)Division 1 of Part 9 comes into operation on the later of—
(a)the day after the day on which this Act receives the Royal Assent; and
(b)the day on which section 278 of the Victoria Police Act 2013 comes into operation.
(3)Division 2 of Part 9 comes into operation on the later of—
(a)the day after the day on which this Act receives the Royal Assent; and
(b)the day on which section 157 of the Legal Profession Uniform Law Application Act 2014 comes into operation.
(4)If a provision of this Act (other than a provision referred to in subsection (2) or (3)) does not come into operation before 9 December 2014, it comes into operation on that day.
3Definitions
In this Act—
applicable code of practice, in relation to an organisation, means an approved code of practice by which the organisation is bound;
approved code of practice means a code of practice approved under Division 3 of Part 3 as amended and in operation for the time being;
approved information usage arrangement means an information usage arrangement approved under Division 6 of Part 3;
authorised legal representative of a person means an Australian legal practitioner who has been instructed by a person to receive documents on the person's behalf;
body means body (whether incorporated or not);
Chief Commissioner of Police means the Chief Commissioner of Police appointed under section 17 of the Victoria Police Act 2013;
Chief Statistician means the person employed as the Chief Statistician under section 4 of the Crime Statistics Act 2014;
child means a person under the age of 18 years;
* * * * *
Commonwealth-regulated organisation means an agency within the meaning of the Privacy Act 1988 of the Commonwealth and to which that Act applies;
consent means express consent or implied consent;
contracted service provider means a person or body who provides services under a State contract;
correct, in relation to personal information, means alter that information by way of amendment, deletion or addition;
Council has the same meaning as in the Local Government Act 2020;
crime statistics data means—
(a)any law enforcement data obtained by the Chief Statistician from the Chief Commissioner of Police under section 7 of the Crime Statistics Act 2014; or
(b)any information derived from data referred to in paragraph (a) by the Chief Statistician or an employee or consultant referred to in section 6 of the Crime Statistics Act 2014 in the performance of functions under that Act, other than information published by the Chief Statistician under section 5(1)(a) of that Act;
crime statistics data system means a database kept by the Chief Statistician (whether in computerised or other form and however described) containing crime statistics data;
current certificate means a certificate issued under section 55(1) that has not expired or been set aside;
data security standards means—
(a)protective data security standards; or
(b)law enforcement data security standards;
de-identified, in relation to personal information, means personal information that no longer relates to an identifiable individual or an individual who can be reasonably identified;
enactment means an Act or a Commonwealth Act or an instrument of a legislative character made under an Act or a Commonwealth Act;
Federal Privacy Commissioner means the Privacy Commissioner appointed under the Australian Information Commissioner Act 2010 of the Commonwealth;
generally available publication means a publication (whether in paper or electronic form) that is generally available to members of the public and includes information held on a public register;
handling, in relation to personal information, means collection, holding, management, use, disclosure or transfer of personal information;
IBAC means the Independent Broad-based Anti-corruption Commission established under section 12 of the Independent Broad-based Anti-corruption Commission Act 2011;
illness means a physical, mental or emotional illness, and includes a suspected illness;
Information Commissioner means the Information Commissioner appointed under section 6C of the Freedom of Information Act 1982;
information handling provision means a provision of an Act that permits handling of personal information—
(a)as authorised or required by law or by or under an Act; or
(b)in circumstances or for purposes required by law or by or under an Act;
Information Privacy Principle means any of the Information Privacy Principles set out in Schedule 1;
information usage arrangement has the meaning given by section 45;
IPP means Information Privacy Principle;
law enforcement agency means—
(a)Victoria Police; or
(b)the police force or police service of another State or a Territory; or
(c)the Australian Federal Police; or
(d)the Australian Crime Commission established under section 7 of the Australian Crime Commission Act 2002 of the Commonwealth; or
(e)the Commissioner appointed under section 8A of the Corrections Act 1986; or
(ea)the Director, Fines Victoria employed under section 4 of the Fines Reform Act 2014;
(f)the Business Licensing Authority established under Part 2 of the Business Licensing Authority Act 1998; or
(g)a commission established by a law of Victoria or the Commonwealth or of any other State or a Territory with the function of investigating matters relating to criminal activity generally or of a specified class or classes; or
(h)the Chief Examiner and Examiners appointed under Part 3 of the Major Crime (Investigative Powers) Act 2004; or
(i)the IBAC; or
(j)the sheriff within the meaning of the Sheriff Act 2009; or
(k)the Victorian Inspectorate; or
(l)the Adult Parole Board established by section 61 of the Corrections Act 1986; or
(la)the Post Sentence Authority continued in existence by section 290 of the Serious Offenders Act 2018; or
(m)the Youth Parole Board within the meaning of the Children, Youth and Families Act 2005; or
(ma)the Victorian Legal Services Board within the meaning of the Legal Profession Uniform Law Application Act 2014; or
(mb)the Victorian Legal Services Commissioner within the meaning of the Legal Profession Uniform Law Application Act 2014; or
(n)an agency responsible for the performance of functions or activities directed to—
(i)the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction for a breach; or
(ii)the management of property seized or restrained under laws relating to the confiscation of the proceeds of crime or the enforcement of such laws, or of orders made under such laws; or
(o)an agency responsible for the execution or implementation of an order or decision made by a court or tribunal; or
(p)an agency that provides correctional services, including a contractor within the meaning of the Corrections Act 1986, or a subcontractor of that contractor, but only in relation to a function or duty or the exercise of a power conferred on it by or under that Act; or
(q)an agency responsible for the protection of the public revenue under a law administered by it;
law enforcement data means any information obtained, received or held by Victoria Police—
(a)for the purpose of one or more of its, or any other law enforcement agency's law enforcement functions or activities; or
(b)for the enforcement of laws relating to the confiscation of the proceeds of crime; or
(c)in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal; or
(d)for the purposes of its community policing functions;
law enforcement data security standards means the standards issued, amended or reissued by the Information Commissioner under section 92;
law enforcement data system means a database kept by Victoria Police (whether in computerised or other form and however described) containing law enforcement data;
legal practitioner means an Australian legal practitioner;
member of staff, of the Office of the Victorian Information Commissioner, means a person employed or engaged under section 6Q of the Freedom of Information Act 1982;
notice to produce or attend means a notice issued under section 68 or 79, and includes a notice as varied under section 83B;
Office of the Victorian Information Commissioner means the Office of the Victorian Information Commissioner established under the Freedom of Information Act 1982;
organisation means a person or body to which Part 3 applies under section 13;
parent, in relation to a child, includes—
(a)the father and mother of the child; and
(b)the spouse of the father or mother of the child; and
(c)the domestic partner of the father or mother of the child; and
(d)a person who has custody of the child; and
(e)a person whose name is entered as the parent of the child in the register of births in the Register maintained by the Registrar of Births, Deaths and Marriages under Part 7 of the Births, Deaths and Marriages Registration Act 1996; and
(f)a person who acknowledges that they are the parent of the child by an instrument of the kind described in section 8(2) or (2A) of the Status of Children Act 1974; and
(g)a person in respect of whom a court has made a declaration or a finding or order that the person is the parent of the child;
personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies;
personal privacy means privacy of personal information;
Privacy and Data Protection Deputy Commissioner means the Privacy and Data Protection Deputy Commissioner appointed under section 8H;
protective data security plan means a plan prepared under section 89;
protective data security standards means the standards issued by the Information Commissioner under section 86 or amended or reissued under section 87;
public interest determination means a determination made under section 31;
public register means a document held by a public sector agency or a Council and open to inspection by members of the public (whether or not on payment of a fee) under an Act or regulation (other than the Freedom of Information Act 1982 or the Public Records Act 1973) containing information that—
(a)a person or body was required or permitted to give to that public sector agency or Council under an Act or regulation; and
(b)would be personal information if the document were not a generally available publication;
public sector agency means a public service body or a public entity within the meaning of the Public Administration Act 2004;
public sector body Head has the meaning given in the Public Administration Act 2004;
public sector data means any information (including personal information) obtained, received or held by an agency or body to which Part 4 applies, whether or not the agency or body obtained, received or holds that information in connection with the functions of that agency or body;
public sector data system includes—
(a)information technology for storage of public sector data, including hardware and software; and
(b)non-electronic means for storage of public sector data; and
(c)procedures for dealing with public sector data, including by use of information technology and non-electronic means;
public service body Head has the meaning given in the Public Administration Act 2004;
State contract means a contract between an organisation, or a person, agency or body to which Part 4 or 5 of this Act applies, and another person or body (whether or not this Act or a Part of this Act applies to the person or body) under which services are provided to one party (the outsourcing party) by the other party (the contracted service provider) in connection with the performance of the functions of the outsourcing party, including services that the outsourcing party provides to other persons or bodies;
temporary public interest determination means a temporary public interest determination made under section 39;
third party, in relation to personal information, means a person or body other than the organisation holding the information and the individual to whom the information relates;
Victorian Inspectorate means the Victorian Inspectorate established under section 8 of the Victorian Inspectorate Act 2011;
Victorian protective data security framework means the Victorian protective data security framework developed under section 85.
4Interpretation
(1)For the purposes of this Act, an organisation holds personal information if the information is contained in a document that is in the possession or under the control of the organisation, whether alone or jointly with other persons or bodies, irrespective of where the document is situated, whether in or outside Victoria.
(2)If a provision of this Act refers to an IPP by a number, the reference is a reference to the IPP designated by that number.
(3)A reference in this Act to a contracted service provider is a reference to a person or body in the capacity of contracted service provider and includes a reference to a subcontractor of the contracted service provider (or of another such subcontractor) for the purposes (whether direct or indirect) of the State contract.
(4)Without limiting section 37(a) of the Interpretation of Legislation Act 1984, a reference in this Act to an organisation using a neuter pronoun includes a reference to an organisation that is an individual, unless the contrary intention appears.
5Objects
The objects of this Act are—
(a)to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector; and
(b)to balance the public interest in promoting open access to public sector information with the public interest in protecting its security; and
(c)to promote awareness of responsible personal information handling practices in the public sector; and
(d)to promote the responsible and transparent handling of personal information in the public sector; and
(e)to promote responsible data security practices in the public sector.
6Relationship of this Act to other laws
(1)If a provision made by or under this Act (other than Division 5, 6 or 7 of Part 3) relating to an Information Privacy Principle or applicable code of practice is inconsistent with a provision made by or under any other Act, that other provision prevails and the provision made by or under this Act is (to the extent of the inconsistency) of no force or effect.
(2)Without limiting subsection (1), nothing in this Act affects the operation of the Freedom of Information Act 1982 or any right, privilege, obligation or liability conferred or imposed under that Act or any exemption arising under that Act.
7Rights and liabilities
(1)Nothing in this Act—
(a)gives rise to any civil cause of action; or
(b)without limiting paragraph (a), operates to create in any person any legal right enforceable in a court or tribunal—
otherwise than in accordance with the procedures set out in this Act.
(2)A contravention of this Act does not create any criminal liability except to the extent expressly provided by this Act.
8Act binds the Crown
(1)This Act binds the Crown in right of Victoria and, so far as the legislative power of the Parliament permits, the Crown in all its other capacities.
(2)Nothing in this Act makes the Crown in any of its capacities liable to be prosecuted for an offence.
PART 1A—FUNCTIONS, POWERS OF INFORMATION COMMISSIONER AND APPOINTMENT OF PRIVACY AND DATA PROTECTION DEPUTY COMMISSIONER
Division 1—Performance of functions
8AFunctions of Information Commissioner
(1)The Information Commissioner has the following functions—
(a)functions relating to information privacy set out in section 8C;
(b)functions relating to protective data security and law enforcement data security set out in section 8D;
(c)functions conferred on the Information Commissioner by or under this Act;
(d)functions conferred on the Information Commissioner by or under any other Act.
(2)The Information Commissioner must have regard to the objects of this Act in the performance of the Commissioner's functions and the exercise of the Commissioner's powers under this Act.
(3)Except where expressly provided in this Act, the Information Commissioner is not subject to the direction or control of the Minister in respect of the performance of the Information Commissioner's duties and functions and the exercise of the Information Commissioner's powers.
8BFunctions of Privacy and Data Protection Deputy Commissioner
(1)The Privacy and Data Protection Deputy Commissioner has the following functions—
(a)functions relating to information privacy set out in section 8C(2);
(b)functions relating to protective data security and law enforcement data security set out in section 8D(2);
(c)any function conferred by the Information Commissioner on the Deputy Commissioner by authorisation under section 8F;
(d)any other function conferred on the Information Commissioner by or under this Act, except—
(i)a function of the Information Commissioner referred to in section 8A(1)(d); or
(ii)a function of the Information Commissioner referred to in section 8C(1) or 8D(1); or
(iii)a function of the Information Commissioner referred to in
section 8F; or(iv)a function of the Information Commissioner referred to in section 8O; or
(v)issuing directions under section 8P; or
(vi)making reports under section 116.
(2)The Privacy and Data Protection Deputy Commissioner must have regard to the objects of this Act in the performance of the Deputy Commissioner's functions and the exercise of the Deputy Commissioner's powers under this Act.
(3)
Except where expressly provided in this
Act, the Privacy and Data Protection Deputy Commissioner is not subject to the direction or control of the Minister in respect of the performance of the Deputy Commissioner's duties and functions and the exercise of the Deputy Commissioner's powers.
8CInformation privacy functions
(1)The Information Commissioner has the following functions in relation to information privacy—
(a)in accordance with Division 3 of Part 3, to undertake activities relating to the development and approval of codes of practice;
(b)to develop and publish model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;
(c)to make public interest determinations and temporary public interest determinations in accordance with Division 5 of Part 3;
(d)to approve information usage arrangements in accordance with Division 6 of Part 3;
(e)to examine and assess any proposed legislation that would require or authorise acts or practices of an organisation that may, in the absence of the legislation, be interferences with the privacy of an individual or that may otherwise have an adverse effect on the privacy of an individual, and to report to the Minister the results of the examination and assessment;
(f)to make public statements in relation to any matter affecting personal privacy or the privacy of any class of individual;
(g)to issue guidelines and other materials in relation to the Information Privacy Principles and information usage arrangements;
(h)to undertake reviews of any matters relating to information privacy, as requested by the Minister;
(i)to make reports or recommendations in relation to information privacy as provided for by section 111.
(2)The Information Commissioner and the Privacy and Data Protection Deputy Commissioner each have the following functions in relation to information privacy—
(a)to promote understanding and acceptance of the Information Privacy Principles and of the objects of those Principles;
(b)to examine the practice of an organisation with respect to personal information maintained by that organisation for the purpose of ascertaining whether or not the information is maintained according to the Information Privacy Principles or any applicable code of practice;
(c)to issue certificates under Division 7 of Part 3;
(d)subject to this Act—
(i)to receive complaints about an act or practice of an organisation; and
(ii)if appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the complaint;
(e)to issue compliance notices under Division 9 of Part 3 and to carry out an investigation for that purpose;
(f)to conduct or commission audits of records of personal information maintained by an organisation for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles or any applicable code of practice;
(g)to consult and cooperate with persons and bodies concerned with information privacy;
(h)to undertake research in relation to matters relating to information privacy.
8DProtective data security and law enforcement data security functions
(1)The Information Commissioner has the following functions in relation to protective data security and law enforcement data security—
(a)to issue protective data security standards and law enforcement data security standards;
(b)to develop the Victorian protective data security framework;
(c)to issue guidelines and other materials in relation to protective data security standards;
(d)to undertake reviews of any matters relating to protective data security, as requested by the Minister;
(e)to undertake reviews of any matters relating to law enforcement data security and crime statistics data security, as requested by the Minister;
(f)to make reports or recommendations in relation to data security as provided for by section 111.
(2)The Information Commissioner and the Privacy and Data Protection Deputy Commissioner each have the following functions in relation to protective data security and law enforcement data security—
(a)to promote the uptake of protective data security standards by the public sector;
(b)to conduct monitoring and assurance activities, including audits, to ascertain compliance with data security standards;
(c)to refer findings of monitoring and assurance activities, including audits, to an appropriate person or body for further action;
(d)to undertake research in relation to matters relating to protective data security and law enforcement data security relevant to the public sector, particularly relating to information and communications technology;
(e)to retain copies of protective data security plans.
8EPerformance of concurrent functions
If a function may be performed by the Information Commissioner and the Privacy and Data Protection Deputy Commissioner, that function may be performed by—
(a)the Information Commissioner; or
(b)the Privacy and Data Protection Deputy Commissioner; or
(c)the Information Commissioner and the Privacy and Data Protection Deputy Commissioner.
8FInformation Commissioner may confer functions on Privacy and Data Protection Deputy Commissioner
(1)The Information Commissioner may in writing authorise the Privacy and Data Protection Deputy Commissioner to perform any of the following functions of the Information Commissioner, as specified in the authorisation—
(a)to undertake activities in relation to the development or approval of a specified code of practice;
(b)to develop and publish specified model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;
(c)to make a specified public interest determination or a specified temporary public interest determination in accordance with Division 5 of Part 3;
(d)to approve a specified information usage arrangement;
(e)to issue a specified protective data security standard or a specified law enforcement data standard;
(f)to review or amend the Victorian protective data security framework, as specified;
(g)to issue guidelines and other materials in relation to a specified protective data security standard.
(2)The Information Commissioner may at any time in writing revoke an authorisation under this section, and on that revocation may continue and complete any action commenced under the authorisation by the Privacy and Data Protection Deputy Commissioner.
8GGeneral powers of Information Commissioner and Privacy and Data Protection Deputy Commissioner
(1)The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Information Commissioner's functions.
(2)The Privacy and Data Protection Deputy Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of the Deputy Commissioner's functions.
Division 2—Privacy and Data Protection Deputy Commissioner
8HAppointment of Privacy and Data Protection Deputy Commissioner
(1)The Governor in Council may appoint an eligible person as the Privacy and Data Protection Deputy Commissioner.
(2)A person is not eligible for appointment
as the Privacy and Data Protection Deputy Commissioner if the person is—(a)a member of the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or
(b)a member of a council.
(3)A person may hold office as Privacy and Data Protection Deputy Commissioner for not more than 2 terms (whether consecutive terms or otherwise).
8ITerms and conditions of appointment of Privacy and Data Protection Deputy Commissioner
(1)The appointment of the Privacy and Data Protection Deputy Commissioner is to be for the period, not exceeding 5 years, set out in the instrument of appointment.
(2)Subject to this Part, the Privacy and Data Protection Deputy Commissioner holds office on the terms and conditions determined by the Governor in Council.
(3)Subject to section 8H(3), the Privacy and Data Protection Deputy Commissioner may be reappointed.
(4)The Privacy and Data Protection Deputy Commissioner is entitled to leave of absence as determined by the Governor in Council.
(5)The Privacy and Data Protection Deputy Commissioner must not directly or indirectly engage in paid employment outside the duties of the relevant office.
8JRemuneration
The Privacy and Data Protection Deputy Commissioner is entitled to be paid the remuneration and allowances that are determined by the Governor in Council.
8KVacancy and resignation of Privacy and Data Protection Deputy Commissioner
(1)The Privacy and Data Protection Deputy Commissioner ceases to hold office if the office holder—
(a)resigns by notice in writing delivered to the Minister; or
(b)becomes an insolvent under administration; or
(c)is convicted of an indictable offence or an offence that, if committed in Victoria, would be an indictable offence; or
(d)nominates for election for the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or
(e)nominates for election as a member of a council; or
(f)is removed from office under section 8L.
(2)The Privacy and Data Protection Deputy Commissioner's resignation under subsection (1)(a) takes effect on—
(a)the day on which it is received by the Minister; or
(b)if a later day is specified in the notice, on that day.
8LSuspension and removal from office
(1)The Governor in Council, on the recommendation of the Minister, may suspend or remove the Privacy and Data Protection Deputy Commissioner from office on any of the following grounds—
(a)misconduct;
(b)neglect of duty;
(c)inability to perform the duties of the office;
(d)any other ground on which the Governor in Council is satisfied that the Privacy and Data Protection Deputy Commissioner should not hold office.
(2)If the Privacy and Data Protection Deputy Commissioner is removed from office, the Minister must cause a full statement of the grounds for removal to be presented to each House of Parliament within 10 sitting days of that House after the removal.
8MActing Privacy and Data Protection Deputy Commissioner
(1)The Governor in Council, on the recommendation of the Minister, may appoint an eligible person to act as the Privacy and Data Protection Deputy Commissioner—
(a)during a vacancy in the office of the Deputy Commissioner; or
(b)during any period, or all periods, when the Deputy Commissioner is absent from duty or from the State or, for another reason, cannot perform the functions of the office.
(2)A person is not eligible for appointment to
act as the Privacy and Data Protection Deputy Commissioner if the person is—(a)a member of the Parliament of Victoria or of the Commonwealth or of another State or a Territory; or
(b)a member of a council.
(3)An appointment under subsection (1) is for the period, not exceeding 12 months, set out in the instrument of appointment.
(4)The Governor in Council, on the recommendation of the Minister, may at any time remove the acting Privacy and Data Protection Deputy Commissioner from office.
(5)While a person is acting in the office of the Privacy and Data Protection Deputy Commissioner, the person—
(a)has, and may exercise, all the powers and must perform all the duties of that office under this Act and any other Act; and
(b)is entitled to be paid the remuneration and allowances that the Privacy and Data Protection Deputy Commissioner would have been entitled to for performing those duties.
8NValidity of acts and decisions
An act or decision of the Privacy and Data Protection Deputy Commissioner or acting Privacy and Data Protection Deputy Commissioner is not invalid only because—
(a)of a defect or irregularity in or in connection with the appointment of the Privacy and Data Protection Deputy Commissioner or acting Privacy and Data Protection Deputy Commissioner; or
(b)in the case of an acting Privacy and Data Protection Deputy Commissioner, the occasion for so acting had not arisen or had ceased.
Division 3—General
8ODelegation
(1)The Information Commissioner may by instrument delegate to the Privacy and Data Protection Deputy Commissioner or a member of staff of the Office of the Victorian Information Commissioner any of the Information Commissioner's functions and powers under this Act except this power of delegation.
(2)The Information Commissioner may by instrument delegate to the Privacy and Data Protection Deputy Commissioner or any member of staff of the Office of the Victorian Information Commissioner a function or power relating to information privacy, protective data security or law enforcement data security conferred on the Information Commissioner by or under any other Act.
(3)With the written consent of the Information Commissioner, the Privacy and Data Protection Deputy Commissioner may by instrument delegate to a member of staff any of the Deputy Commissioner's functions and powers (including any function or power delegated under subsection (1)) except this power of delegation.
8PDirections
The Information Commissioner may issue directions to the Privacy and Data Protection Deputy Commissioner or to any member of staff of the Office of the Victorian Information Commissioner for the purposes of this Act in relation to the performance of functions under this Act other than in relation to the following—
(a)certifying consistency of an act or practice under section 55; or
(b)the conciliation of a complaint under Subdivision 3 of Division 8 of Part 3.
PART 2—APPLICATION OF THIS ACT
9Definition
In this Part, information means—
(a)personal information; or
(b)public sector data; or
(c)law enforcement data; or
(d)crime statistics data.
10Courts, tribunals etc.
Nothing in this Act or in any Information Privacy Principle or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information—
(a)in relation to its or the holder's judicial or quasi-judicial functions, by—
(i)a court or tribunal; or
(ii)the holder of a judicial or quasi-judicial office or other office pertaining to a court or tribunal in their capacity as the holder of that office; or
(b)in relation to those matters which relate to the judicial or quasi-judicial functions of the court or tribunal, by—
(i)a registry or other office of a court or tribunal; or
(ii)the staff of such a registry or other office in their capacity as members of that staff.
10ARoyal Commissions etc.
(1)Nothing in this Act or in any Information Privacy Principle or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information by a Royal Commission, a Board of Inquiry or a Formal Review for the purposes of, or in connection with, the performance of its functions.
(2)In this section—
Board of Inquiry has the same meaning as in the Inquiries Act 2014;
Formal Review has the same meaning as in the Inquiries Act 2014;
Royal Commission means—
(a)a Royal Commission established under the Inquiries Act 2014; or
(b)a Royal Commission established under the prerogative of the Crown.
11Parliamentary Committees
(1)Nothing in this Act or in any Information Privacy Principle or any data security standard applies in respect of the collection, holding, management, use, disclosure or transfer of information by a Parliamentary Committee in the course of carrying out its functions as a Parliamentary Committee.
(2)In this section—
Parliamentary Committee means—
(a)a Joint Investigatory Committee, or the House Committee, within the meaning of the Parliamentary Committees Act 2003; or
(b)a committee of the Legislative Council or the Legislative Assembly.
12Publicly-available information
(1)Nothing in this Act or in any Information Privacy Principle or any data security standard applies to any information contained in a document that is—
(a)a generally available publication; or
(b)kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
(c)a public record under the control of the Keeper of Public Records that is available for public inspection in accordance with the Public Records Act 1973; or
(d)archives within the meaning of the Copyright Act 1968 of the Commonwealth.
(2)Subsection (1) does not take away from section 20(2) which imposes duties on a public sector agency or a Council in administering a public register.
PART 3—INFORMATION PRIVACY
Division 1—Application of this Part
13Public sector organisations to which this Part applies
(1)Subject to subsection (2), this Part applies to the following—
(a)a Minister;
(b)a Parliamentary Secretary, including the Parliamentary Secretary of the Cabinet;
(c)a public sector agency;
(d)a Council;
(e)a body established or appointed for a public purpose by or under an Act;
(f)a body established or appointed for a public purpose by the Governor in Council, or by a Minister, otherwise than under an Act;
(g)a person holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person was appointed by the Governor in Council, or by a Minister, otherwise than under an Act;
(h)a court or tribunal;
(i)Victoria Police;
(j)a contracted service provider, but only in relation to its provision of services under a State contract which contains a provision of a kind referred to in section 17(2);
(k)any other body that is declared, or to the extent that it is declared, by an Order under subsection (3)(a) to be an organisation for the purposes of this subsection.
(2)This Part does not apply to a person or body referred to in subsection (1) that is—
(a)a Commonwealth-regulated organisation; or
(b)declared, or to the extent that it is declared, by an Order under subsection (3)(b) not to be an organisation for the purposes of subsection (1)(e), (f) or (g).
(3)The Governor in Council may, on the recommendation of the Minister, by Order published in the Government Gazette—
(a)declare a body to be, either wholly or to the extent specified in the Order, an organisation for the purposes of subsection (1); or
(b)declare a body referred to in subsection (1)(e) or (f), or a person holding an office or position referred to in subsection (1)(g), not to be an organisation for the purposes of that subsection, either wholly or to the extent specified in the Order.
(4)The Minister may only recommend to the Governor in Council the making of an Order under subsection (3)(b) in respect of a body or person if satisfied that—
(a)another scheme (whether contained in an enactment or given legislative force by an enactment) would apply to the collection, holding, management, use, disclosure and transfer by that body or person of personal information if that person or body were not an organisation for the purposes of subsection (1), either wholly or to the extent specified in the Order; and
(b)the collection, holding, management, use, disclosure and transfer by that body or person of personal information is more appropriately governed by that other scheme.
14Exemption—Freedom of Information Act 1982
(1)Nothing in IPP 6 or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with applies to a document containing personal information or to the personal information contained in a document if—
(a)the document is a document of an agency within the meaning of the Freedom of Information Act 1982; and
(b)access can only be granted to the document or information, or the information can only be corrected, in accordance with that Act.
(2)Nothing in IPP 6 or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with applies to a document containing personal information or to the personal information contained in a document if—
(a)the document is an official document of a Minister within the meaning of the Freedom of Information Act 1982; and
(b)access can only be granted to the document or information, or the information can only be corrected, in accordance with that Act.
(3)Nothing in IPP 6 or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with applies to a document containing personal information or to the personal information contained in a document if access would not be granted to the document under the Freedom of Information Act 1982 because of section 5(3), 6 or 6AA of that Act.
15Exemption—law enforcement
It is not necessary for a law enforcement agency to comply with IPP 1.3 to 1.5, 2.1, 6.1 to 6.8, 7.1 to 7.4, 9.1 or 10.1 if it believes on reasonable grounds that the noncompliance is necessary—
(a)for the purposes of one or more of its, or any other law enforcement agency's, law enforcement functions or activities; or
(b)for the enforcement of laws relating to the confiscation of the proceeds of crime; or
(c)in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal; or
(d)in the case of Victoria Police, for the purposes of its community policing functions.
15AExemption—information sharing under the Family Violence Protection Act 2008
(1)Nothing in IPP 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.4 or 1.5 or prescribing how IPP 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an information sharing entity for the purposes of Part 5A of the Family Violence Protection Act 2008 about a person of concern, or a person who is alleged to pose a risk of committing family violence.
(1A)Nothing in IPP 1.3, 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.3, 1.4 or 1.5 or prescribing how IPP 1.3, 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an authorised Hub entity for the purposes of Part 5B of the Family Violence Protection Act 2008.
* * * * *
(4)Nothing in IPP 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.4 or 1.5 or prescribing how IPP 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information about an individual by the Central Information Point for the purposes of Part 5A of the Family Violence Protection Act 2008.
(5)Nothing in IPP 6, or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with, applies to personal information about an individual held by the Central Information Point for the purposes of Part 5A of the Family Violence Protection Act 2008.
* * * * *
(7)In this section—
authorised Hub entity has the meaning given in the Family Violence Protection Act 2008;
Central Information Point has the meaning given in section 144O of the Family Violence Protection Act 2008;
family violence has the meaning given in the Family Violence Protection Act 2008;
* * * * *
information sharing entity has the meaning given in the Family Violence Protection Act 2008;
* * * * *
person of concern has the meaning given in section 144B of the Family Violence Protection Act 2008.
* * * * *
15BExemption—information sharing under the Child Wellbeing and Safety Act 2005
(1)Nothing in IPP 1.4, or any applicable code of practice modifying the application of IPP 1.4 or prescribing how IPP 1.4 is to be applied or complied with, applies to the collection of personal information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the Child Wellbeing and Safety Act 2005, or by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of that Act.
(2)Nothing in IPP 1.5, or any applicable code of practice modifying the application of IPP 1.5 or prescribing how IPP 1.5 is to be applied or complied with, applies to the collection of personal information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the Child Wellbeing and Safety Act 2005, to the extent that the application of, or compliance with, IPP 1.5 would be contrary to the promotion of the wellbeing or safety of a child to whom the information relates.
(3)Nothing in IPP 1.5, or any applicable code of practice modifying the application of IPP 1.5 or prescribing how IPP 1.5 is to be applied or complied with, applies to the collection of personal information by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of the Child Wellbeing and Safety Act 2005.
(4)Nothing in IPP 10.1, or any applicable code of practice modifying the application of IPP 10.1 or prescribing how IPP 10.1 is to be applied or complied with, applies to the collection, use or disclosure of sensitive information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the Child Wellbeing and Safety Act 2005, or by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of that Act.
(5)Nothing in an IPP, or any applicable code of practice modifying the application of an IPP or prescribing how an IPP is to be applied or complied with, applies to the collection, use or disclosure of personal or sensitive information by an information sharing entity or a restricted information sharing entity for the purposes of Part 6A of the Child Wellbeing and Safety Act 2005, or by a Child Link user or the Secretary to the Department of Education and Training for the purposes of Part 7A of that Act, to the extent that the IPP requires the consent of the person to whom the information relates for the collection, use or disclosure of that information.
(6)In this section—
Child Link user has the same meaning as in the Child Wellbeing and Safety Act 2005;
information sharing entity has the same meaning as in the Child Wellbeing and Safety Act 2005;
restricted information sharing entity has the same meaning as in the Child Wellbeing and Safety Act 2005.
15CExemption—information sharing for quality and safety purposes under the Health Services Act 1988
(1)Nothing in IPP 1.4, or any applicable code of practice modifying the application of IPP 1.4 or prescribing how IPP 1.4 is to be applied or complied with, applies to the collection of personal information for the purposes of Part 6B of the Health Services Act 1988 by any of the following—
(a)the Secretary to the Department of Health and Human Services;
(b)a quality and safety body;
(c)a health service entity;
(d)a special adviser.
(2)Nothing in IPP 1.5, or any applicable code of practice modifying the application of IPP 1.5 or prescribing how IPP 1.5 is to be applied or complied with, applies to the collection of personal information for the purposes of Part 6B of the Health Services Act 1988 by any of the following—
(a)the Secretary to the Department of Health and Human Services;
(b)a quality and safety body;
(c)a health service entity;
(d)a special adviser.
(3)Nothing in an IPP, or any applicable code of practice modifying the application of an IPP or prescribing how an IPP is to be applied or complied with, applies to the collection of personal or sensitive information for the purposes of Part 6B of the Health Services Act 1988 by—
(a)the Secretary; or
(b)a quality and safety body; or
(c)a health service entity; or
(d)a special adviser—
to the extent that the IPP requires the consent of the person to whom the information relates for the collection of that information.
(4)In this section—
health service entity has the same meaning as in section 134V of the Health Services Act 1988;
quality and safety body has the same meaning as in section 134V of the Health Services Act 1988;
special adviser has the same meaning as in section 134V of the Health Services Act 1988.
15DInformation sharing under Division 6 of Part 4A of Terrorism (Community Protection) Act 2003
(1)Nothing in IPP 1.3, 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.3, 1.4 or 1.5 or prescribing how IPP 1.3, 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an authorised discloser in accordance with Division 6 of Part 4A of the Terrorism (Community Protection) Act 2003.
(2)Nothing in IPP 2, or any applicable code of practice modifying the application of IPP 2 or prescribing how IPP 2 is to be applied or complied with, applies to the use or disclosure, for the purposes of Part 4A of the Terrorism (Community Protection) Act 2003, of personal information that an authorised discloser has had disclosed to them in accordance with Division 6 of that Part.
(3)Nothing in IPP 6, or any applicable code of practice modifying the application of IPP 6 or prescribing how IPP 6 is to be applied or complied with, applies to personal information that an authorised discloser has had disclosed to them in accordance with Division 6 of Part 4A of the Terrorism (Community Protection) Act 2003.
(4)In this section—
authorised discloser has the same meaning as it has in Division 6 of Part 4A of the Terrorism (Community Protection) Act 2003.
Note
See section 22EJ of that Act.
16What is an interference with privacy of an individual?
For the purposes of this Act, an act done or practice engaged in by an organisation is an interference with the privacy of an individual if, and only if, the act or practice is contrary to, or inconsistent with—
(a)an Information Privacy Principle or an applicable code of practice; or
(b)a public interest determination or a temporary public interest determination; or
(c)an approved information usage arrangement; or
(d)a current certificate.
17Effect of outsourcing
(1)Subject to this section, the status or effect for the purposes of this Act (other than Part 4) of an act or practice is not affected by the existence or operation of a State contract.
(2)A State contract may provide for the contracted service provider to be bound by the Information Privacy Principles and any applicable code of practice with respect to any act done, or practice engaged in, by the contracted service provider for the purposes of the State contract in the same way and to the same extent as the outsourcing party would have been bound by them in respect of that act or practice had it been directly done or engaged in by the outsourcing party.
(3)If a provision of a kind referred to in subsection (2) is in force under a State contract, the Information Privacy Principles and any applicable code of practice apply to an act done, or practice engaged in, by the contracted service provider in the same way and to the same extent as they would have applied to the outsourcing party in respect of that act or practice had it been directly done or engaged in by the outsourcing party.
(4)An act or practice that is an interference with the privacy of an individual done or engaged in by a contracted service provider for the purposes of the State contract must, for the purposes of this Act (other than Part 4) and any applicable code of practice, be taken to have been done or engaged in by the outsourcing party as well as the contracted service provider unless—
(a)the outsourcing party establishes that a provision of a kind referred to in subsection (2) was in force under the State contract at the relevant time in relation to the act or practice; and
(b)the Information Privacy Principle or applicable code of practice to which the act or practice is contrary, or with which it is inconsistent, is capable of being enforced against the contracted service provider in accordance with the procedures set out in this Act.
(5)Section 118(1) does not apply to an act done or practice engaged in by a contracted service provider acting within the scope of a State contract.
Division 2—Information Privacy Principles
18Information Privacy Principles
(1)The Information Privacy Principles are set out in Schedule 1.
(2)Nothing in any Information Privacy Principle affects the operation or extent of any exemption arising under Part 2 or section 14, 15 or 15A and those Principles must be construed accordingly.
19Application of Information Privacy Principles
The Information Privacy Principles apply in relation to all personal information, whether collected by the organisation before or after the commencement of this section.
20Organisations to comply with Information Privacy Principles
(1)An organisation must not do an act, or engage in a practice, that contravenes an Information Privacy Principle in respect of personal information collected, held, managed, used, disclosed or transferred by it.
(2)A public sector agency or a Council must, in administering a public register, so far as is reasonably practicable, not do an act or engage in a practice that would contravene an Information Privacy Principle in respect of information collected, held, managed, used, disclosed or transferred by it in connection with the administration of the public register if that information were personal information.
(3)Subsections (1) and (2) do not apply if the act or practice is permitted under—
(a)a public interest determination; or
(b)a temporary public interest determination; or
(c)an approved information usage arrangement.
Division 3—Codes of practice
21Codes of practice
(1)An organisation may discharge its duty to comply with an Information Privacy Principle in respect of personal information collected, held, managed, used, disclosed or transferred by it by complying with a code of practice approved under this Division and binding on the organisation.
(2)A code of practice may—
(a)modify the application of any one or more of the Information Privacy Principles by prescribing standards, whether or not in substitution for any Information Privacy Principle, that are at least as stringent as the standards prescribed by the Information Privacy Principle; or
(b)prescribe how any one or more of the Information Privacy Principles are to be applied or complied with.
(3)A code of practice may apply in relation to any one or more of the following—
(a)any specified information or class of information;
(b)any specified organisation or class of organisation;
(c)any specified activity or class of activity;
(d)any specified industry, profession or calling or class of industry, profession or calling.
(4)A code of practice may also—
(a)impose controls on an organisation that matches data for the purpose of producing or verifying information about an identifiable individual; or
(b)in relation to charging—
(i)set guidelines to be followed in determining charges; or
(ii)prescribe circumstances in which no charge may be imposed; or
(c)prescribe—
(i)procedures for dealing with complaints alleging a contravention of the code, including the appointment of an independent code administrator to whom complaints may be made; or
(ii)remedies available where a complaint is substantiated; or
(d)provide for the review of the code by the Information Commissioner; or
(e)provide for the expiry of the code.
(5)Subsection (1) applies also to a public sector agency or a Council in seeking to discharge its duty to comply, so far as is reasonably practicable, with an Information Privacy Principle in relation to a public register as imposed by section 20(2) and this Part has effect accordingly.
22Process for approval of code of practice or code amendment
(1)An organisation may seek approval of a code of practice, or of an amendment to an approved code of practice, by submitting the code or amendment to the Information Commissioner.
(2)The Governor in Council, on the recommendation of the Minister acting on the advice received from the Information Commissioner under subsection (3), may by notice published in the Government Gazette approve a code of practice or an amendment to an approved code of practice.
(3)The Information Commissioner may advise the Minister to recommend to the Governor in Council that a code of practice, or an amendment to an approved code of practice, be approved if in the Information Commissioner's opinion—
(a)the code or amendment is consistent with the objects of this Act in relation to the personal information to which the code applies; and
(b)the code prescribes standards that are at least as stringent as the standards prescribed by the Information Privacy Principles; and
(c)the code specifies—
(i)the organisations bound (either wholly or to a limited extent) by the code; or
(ii)a way of determining the organisations that are, or will be, bound (either wholly or to a limited extent) by the code; and
(d)only organisations that consent to be bound by the code are, or will be, bound by the code.
(4)Before deciding whether or not to advise the Minister to recommend approval of a code of practice or of an amendment to an approved code of practice, the Information Commissioner—
(a)may consult any person or body that the Information Commissioner considers it appropriate to consult; and
(b)must have regard to the extent to which members of the public have been given an opportunity to comment on the code or amendment.
(5)A code of practice or an amendment to an approved code of practice comes into operation at the beginning of—
(a)the day on which the notice of approval under subsection (2) is published in the Government Gazette; or
(b)any later day stated in the notice as the day on which the code or amendment comes into operation.
23Organisations bound by code of practice
(1)An approved code of practice binds—
(a)any organisation—
(i)that sought approval of it; or
(ii)that consents to be bound by the approved code; and
(b)any organisation that, by written notice given to the Information Commissioner, states that it intends to be bound by the approved code of practice as it is then in operation and that is capable of applying to the organisation.
(2)A notice under subsection (1)(b) may indicate an intention that the organisation be bound by the approved code of practice—
(a)generally; or
(b)only in respect of specified information or a specified class of information collected, held, managed, used, disclosed or transferred by it; or
(c)only in respect of any specified activity or class of activity.
(3)A notice under subsection (1)(b) has no effect unless the Information Commissioner approves it.
(4)The Information Commissioner may approve a notice under subsection (1)(b) if satisfied that the approved code of practice is capable of applying to the organisation to the extent set out in the notice.
(5)An organisation is bound by an approved code of practice—
(a)in the case of an organisation referred to in subsection (1)(a), on and after the coming into operation of the code; and
(b)in the case of an organisation referred to in subsection (1)(b), on and after the later of—
(i)the date stated in the notice as the date on and after which the organisation will be bound by the code; or
(ii)the date on which the organisation is notified of the Information Commissioner's approval of the notice.
(6)An organisation bound by an approved code of practice may, by written notice given to the Information Commissioner, state that it intends to cease to be bound by that code.
(7)An organisation ceases to be bound by an approved code of practice on and after the date of the notice under subsection (6) or any later date stated in that notice as the date on and after which the organisation will cease to be bound by the code.
24Effect of approved code
(1)If an approved code of practice is in operation and binding on an organisation, an act done, or practice engaged in, by the organisation that contravenes the code, is, for the purposes of this Act, taken to be a contravention of an Information Privacy Principle and may be dealt with as provided by that code and this Act.
(2)Subsection (1) has effect whether or not that
act or practice would otherwise contravene any Information Privacy Principle.
25Codes of practice register
(1)The Information Commissioner must cause a register of all approved codes of practice to be established and maintained.
(2)The Information Commissioner may determine the form of the register.
(3)A person may during business hours—
(a)inspect the register and any documents that form part of it; or
(b)on the payment of any prescribed fee, obtain a copy of any entry in, or document forming part of, the register.
26Revocation of approval
(1)The Governor in Council, on the recommendation of the Minister acting on advice received from the Information Commissioner under subsection (2), may by notice published in the Government Gazette revoke the approval of a code of practice or of an amendment to an approved code of practice.
(2)The Information Commissioner may advise the Minister to recommend to the Governor in Council that a code of practice, or an amendment to an approved code of practice, be revoked.
(3)The Information Commissioner may act under subsection (2) on the Information Commissioner's own initiative or on an application for revocation made by an individual or organisation.
(4)Before deciding whether or not to advise the Minister to recommend revocation of the approval of a code of practice or of an amendment to an approved code of practice, the Information Commissioner—
(a)must consult the organisation that sought approval of the code or amendment and may consult any other person or body that the Information Commissioner considers it appropriate to consult; and
(b)must have regard to the extent to which members of the public have been given an opportunity to comment on the proposed revocation.
(5)An approved code of practice or approved amendment ceases to be in operation at the beginning of—
(a)the day on which the notice of revocation under subsection (1) is published in the Government Gazette; or
(b)any later day stated in that notice as the day on which the code or amendment ceases to be in operation.
27Effect of revocation of approval or amendment or expiry of approved code
(1)The revocation of the approval of a code of practice or of an amendment to an approved code of practice, or the expiry of an approved code of practice, or the ceasing of an organisation to be bound by an approved code of practice, does not—
(a)revive anything not in force or existing at the time at which the revocation, expiry or cessation becomes operative; or
(b)affect the previous operation of the code or anything duly done or suffered under, or in relation to, the code; or
(c)affect any right, privilege, obligation or liability acquired, accrued or incurred under, or in relation to, the code; or
(d)affect any penalty incurred in respect of any contravention of the code or in respect of any offence against section 82(1) committed in relation to a compliance notice issued because of any contravention of the code; or
(e)affect any investigation, legal proceeding or remedy in respect of any such right, privilege, obligation, liability or penalty referred to in paragraphs (c) and (d).
(2)Any investigation, legal proceeding or remedy referred to in subsection (1)(e) may be commenced, continued or enforced, and any penalty may be imposed, as if the code or amendment had not been revoked or the code had not expired or the organisation had not ceased to be bound by the code.
(3)Subject to subsection (1), if an amendment to an approved code of practice is revoked, as from the beginning of the day on which the amendment ceases to be in operation, the code takes effect as if it had not been amended.
(4)Nothing in this section prevents the application to an organisation of an Information Privacy Principle (without any modification) on and after the day on which an applicable code of practice, that modified the application of that Information Privacy Principle, ceases to be in operation.
Division 4—Capacity to consent or make a request or exercise right of access
28Capacity to consent or make a request or exercise right of access
(1)If an Information Privacy Principle or an applicable code of practice requires the consent of an individual to the collection, holding, management, use or disclosure of personal information or to the transfer of personal information to someone who is outside Victoria, an authorised representative of the individual may give that consent if—
(a)the individual is incapable of giving consent; and
(b)the consent is reasonably necessary for the lawful performance of functions or duties or exercise of powers in respect of the individual by the authorised representative.
(2)If an Information Privacy Principle or an applicable code of practice empowers an individual to request access to, or the correction of, personal information or confers on an individual a right of access to personal information, the power to make that request, or that right of access, may be exercised—
(a)by—
(i)the individual personally, except if the individual is a child who is incapable of making the request; or
(ii)a supportive attorney acting under a supportive attorney appointment, within the meaning of the Powers of Attorney Act 2014; or
(iii)a supportive administrator acting under a supportive administration order within the meaning of the Guardianship and Administration Act 2019; or
(iv)a supportive guardian acting under a supportive guardianship order within the meaning of the Guardianship and Administration Act 2019; and
(b)by an authorised representative of the individual if—
(i)the individual is incapable of making the request or exercising the right of access; and
(ii)the personal information to be accessed is reasonably necessary for the lawful performance of functions or duties or exercise of powers in respect of the individual by the authorised representative.
(3)For the purposes of subsections (1) and (2), an individual is incapable of giving consent, making the request or exercising the right of access if the individual is incapable (despite the provision of reasonable assistance by another individual) by reason of age, injury, disease, senility, illness, disability, physical impairment or mental disorder of—
(a)understanding the general nature and effect of giving the consent, making the request or exercising the right of access (as the case requires); or
(b)communicating the consent or refusal of consent, making the request or personally exercising the right of access (as the case requires).
(4)An authorised representative of an individual must not give consent or request access to, or the correction of, personal information if the authorised representative knows or believes that the consent or request does not accord with the wishes expressed, and not changed or withdrawn, by the individual before the individual became incapable of giving consent or requesting access and any purported consent given or request made in those circumstances is of no effect.
5Office of Privacy Commissioner abolished
On the commencement day—
(a)the office of the Privacy Commissioner is abolished and the person holding that office and any person acting in that office go out of office; and
(b)all rights, property and assets that, immediately before that day, were vested in the office of the Privacy Commissioner are, by force of this section, vested in the office of the Commissioner; and
(c)all debts, liabilities and obligations of the office of the Privacy Commissioner existing immediately before that day become, by force of this section, debts, liabilities and obligations of the office of the new Commissioner; and
(d)the Commissioner is, by force of this section, substituted as a party to any proceeding pending in any court or tribunal to which the Privacy Commissioner was a party immediately before that day; and
(e)the Commissioner is, by force of this section, substituted as a party to any arrangement or contract entered into by or on behalf of the Privacy Commissioner as a party and in force immediately before that day.
6Office of Commissioner for Law Enforcement Data Security abolished
On the commencement day—
(a)the office of the Commissioner for Law Enforcement Data Security is abolished and the person holding that office and any person acting in that office go out of office; and
(b)all rights, property and assets that, immediately before that day, were vested in the office of the Commissioner for Law Enforcement Data Security are, by force of this section, vested in the office of the Commissioner; and
(c)all debts, liabilities and obligations of the office of the Commissioner for Law Enforcement Data Security existing immediately before that day become, by force of this section, debts, liabilities and obligations of the office of the Commissioner; and
(d)the Commissioner is, by force of this section, substituted as a party to any proceeding pending in any court or tribunal to which the Commissioner for Law Enforcement Data Security was a party immediately before that day; and
(e)the Commissioner is, by force of this section, substituted as a party to any arrangement or contract entered into by or on behalf of the Commissioner for Law Enforcement Data Security as a party and in force immediately before that day.
7References to former Commissioner
On the commencement day any reference to a former Commissioner in any Act (other than this Act) or in any rule, regulation, order, agreement, instrument, deed or other document (by whatever named called or however described) must, so far as it relates to any period on or after that day and if not inconsistent with the context or subject-matter, be construed as a reference to the Commissioner.
8Staff of Privacy Commissioner and Commissioner for Law Enforcement Data Security
On the commencement day, any staff employed under Part 3 of the Public Administration Act 2004 immediately before the commencement day by a former Commissioner are taken to be employed by the Commissioner under section 114 of this Act.
9Offences
On and after the commencement day, the Commissioner may commence or continue a prosecution for an offence committed under the Information Privacy Act 2000 or the Commissioner for Law Enforcement Data Security Act 2005.
10Annual reports under Information Privacy Act 2000 for reporting periods which end before commencement day
(1)This clause applies if—
(a)a reporting period has ended before the commencement day; and
(b)the Privacy Commissioner has not prepared a report of operations referred to in section 62 of the Information Privacy Act 2000 for that reporting period before that day.
(2)On and after the commencement day, the Commissioner must, for the reporting period, prepare a report of operations under Part 7 of the Financial Management Act 1994 which includes the information required by section 62 of the Information Privacy Act 2000.
(3)Section 62 of the Information Privacy Act 2000 applies for the purposes of subclause (2) as if that section had not been repealed.
(4)In this clause—
reporting period means the period commencing on 1 July in any year and ending on 30 June in the following year.
11Annual reports under Information Privacy Act 2000 for reporting periods that end on or after commencement day
(1)This clause applies if a reporting period ends on or after the commencement day.
(2)On and after the commencement day, the Commissioner must, for the reporting period, prepare a report which includes the information required by section 62 of the Information Privacy Act 2000 and include that report as part of the Commissioner's first report after the end of the reporting period under section 116.
(3)Section 62 of the Information Privacy Act 2000 applies for the purposes of subclause (2) as if that section had not been repealed.
(4)In this clause—
reporting period means the period commencing on 1 July in any year and ending on 30 June in the following year.
12Approved codes of practice
(1)On the commencement day, an approved code of practice under the Information Privacy Act 2000 that was in operation immediately before that day, is taken to be an approved code of practice under this Act.
(2)On the commencement day, the register of approved codes of practice kept under section 22 of the Information Privacy Act 2000 is taken to be the register established under section 25 of this Act.
13Complaints and compliance notices
(1)This Act applies to a complaint made but not declined, referred or finally determined under the Information Privacy Act 2000 before the commencement day as if the complaint had been made under section 58 of this Act.
(2)This Act applies to a compliance notice served under section 44 of the Information Privacy Act 2000 but not set aside before the commencement day as if the compliance notice had been served under section 78 of this Act.
14Annual reports under Commissioner for Law Enforcement Data Security Act 2005 for reporting periods which end before commencement day
(1)This clause applies if—
(a)a reporting period has ended before the commencement day; and
(b)the Commissioner for Law Enforcement Data Security has not made a report to the Minister under section 17 of the Commissioner for Law Enforcement Data Security Act 2005 for that reporting period before that day.
(2)On and after the commencement day, the Commissioner must, for the reporting period, make a report to the Minister under section 17 of the Commissioner for Law Enforcement Data Security Act 2005.
(3)Section 17 of the Commissioner for Law Enforcement Data Security Act 2005 applies for the purposes of subclause (2) as if that section had not been repealed.
(4)In this clause—
reporting period means the period commencing on 1 July in any year and ending on 30 June in the following year.
15Annual reports under Commissioner for Law Enforcement Data Security Act 2005 for reporting periods which end on or after commencement day
(1)This clause applies if a reporting period ends on or after the commencement day.
(2)On and after the commencement day, the Commissioner must, for the reporting period, make a report to the Minister under section 17 of the Commissioner for Law Enforcement Data Security Act 2005 and include that report as part of the Commissioner's first report after the end of the reporting period under section 116.
(3)Section 17 of the Commissioner for Law Enforcement Data Security Act 2005 applies for the purposes of subclause (2) as if that section had not been repealed.
(4)In this clause—
reporting period means the period commencing on 1 July in any year and ending on 30 June in the following year.
16Annual reports under Commissioner for Law Enforcement Data Security Act 2005 that have not been laid before Parliament
(1)This clause applies if—
(a)a report has been made to the Minister under section 17 of the Commissioner for Law Enforcement Data Security Act 2005 before the commencement day; and
(b)that report has not been laid before each House of Parliament in accordance with that section before that day.
(2)Despite the repeal of section 17 of the Commissioner for Law Enforcement Data Security Act 2005, subsection (2) of that section continues to apply in respect of that report.
SCHEDULE 3—TRANSITIONAL PROVISIONS—FREEDOM OF INFORMATION AMENDMENT (OFFICE OF THE VICTORIAN INFORMATION COMMISSIONER) ACT 2017
1Definition
In this Schedule—
commencement day means the day on which Part 3 of the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 comes into operation.
2Office of Commissioner for Privacy and Data Protection abolished
On the commencement day—
(a)the office of the Commissioner for Privacy and Data Protection is abolished and the person holding that office and any person acting in that office go out of office; and
(b)all rights, property and assets that, immediately before that day, were vested in the office of the Commissioner for Privacy and Data Protection are, by force of this clause, vested in the Office of the Victorian Information Commissioner; and
(c)all debts, liabilities and obligations of the office of the Commissioner for Privacy and Data Protection existing immediately before that day become, by force of this clause, debts, liabilities and obligations of the Office of the Victorian Information Commissioner; and
(d)the Information Commissioner is, by force of this clause, substituted as a party to any proceeding pending in any court or tribunal to which the Commissioner for Privacy and Data Protection was a party immediately before that day; and
(e)the Information Commissioner is, by force of this clause, substituted as a party to any arrangement or contract entered into by or on behalf of the Commissioner for Privacy and Data Protection as a party and in force immediately before that day.
3References to Commissioner for Privacy and Data Protection
On the commencement day any reference to the Commissioner for Privacy and Data Protection in any Act (other than this Act) or in any rule, regulation, order, agreement, instrument, deed or other document (by whatever name called or however described) must, so far as it relates to any period on or after that day and if not inconsistent with the context or subject matter, be construed as a reference to the Information Commissioner, in the Information Commissioner's capacity under this Act.
4Staff
On the commencement day, any staff employed under Part 3 of the Public AdministrationAct 2004 immediately before the commencement day by the Commissioner for Privacy and Data Protection are taken to be employed by the Information Commissioner under section 6Q of the Freedom of Information Act 1982.
5Codes of practice
This Act as in force on and after the commencement day applies to any application to approve a code of practice or amend an approved code of practice that was received but not approved before the commencement day.
6Public interest determinations
This Act as in force on and after the commencement day applies to any application for a public interest determination or a temporary public interest determination that was received but not determined before the commencement day.
7Information usage arrangements
This Act as in force on and after the commencement day applies in relation to any application to approve an information usage arrangement or amend an approved information usage arrangement that was received but not approved before the commencement day and anything done under this Act as in force before the commencement day in relation to that application has effect for that purpose.
8Complaints
This Act as in force immediately before the commencement day continues to apply in relation to any complaint made under Division 8 of Part 3 but not determined before the commencement day as if any reference to the Commissioner for Privacy and Data Protection were a reference to the Information Commissioner.
9Compliance notices
This Act as in force immediately before the commencement day continues to apply in relation to a written notice given before the commencement day under section 79, as in force immediately before its substitution, as if any reference to the Commissioner for Privacy and Data Protection were a reference to the Information Commissioner.
10Protective data security standards
The Information Commissioner may amend, revoke or reissue in accordance with section 87 a protective data security standard issued and in force before the commencement day.
11Law enforcement data security standards
The Information Commissioner may amend, revoke or reissue in accordance with section 92 a law enforcement data security standard issued and in force before the commencement day.
12Reports for reporting periods which end before commencement day
(1)This clause applies if—
(a)a reporting period has ended before the commencement day; and
(b)the Commissioner for Privacy and Data Protection has not prepared an annual report referred to in section 116 for that reporting period before that day.
(2)On and after the commencement day, the Information Commissioner must prepare an annual report for the reporting period in accordance with section 116.
(3)The annual report may be prepared as a composite report with the report prepared under clause 14 of Schedule 1 to the Freedom of Information Act 1982.
(4)In this clause—
reporting period means the period commencing on 1 July in any year and ending on 30 June in the following year.
13Annual reports for reporting periods which end on or after the commencement day
(1)This clause applies if a reporting period ends
on or after the commencement day.
(2)On and after the commencement day, the Information Commissioner must prepare a report in accordance with section 116 for the part of the reporting period occurring before the commencement day and include that report in the Information Commissioner's first report under that section after the end of the reporting period.
(3)In this clause—
reporting period means the period commencing on 1 July in any year and ending on 30 June in the following year.
14Report to Minister
(1)This clause applies if the Commissioner for Privacy and Data Protection has not prepared a report requested under section 111 before the commencement day.
(2)On and after the commencement day, the Information Commissioner must prepare the report in accordance with section 111 as in force before the commencement day.
═══════════════
ENDNOTES
1 General information
See for Victorian Bills, Acts and current Versions of legislation and up-to-date legislative information.
Minister's second reading speech—
Legislative Assembly: 12 June 2014
Legislative Council: 7 August 2014
The long title for the Bill for this Act was "A Bill for an Act to provide for responsible collection and handling of personal information in the Victorian public sector, to establish a protective data security regime, to repeal the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005, to make consequential amendments to other Acts and for other purposes."
The Privacy and Data Protection Act 2014 was assented to on 2 September 2014 and came into operation as follows:
Sections 129–136 on 3 September 2014: section 2(2); sections 1–128,
138–141 on 17 September 2014: Special Gazette (No. 317) 16 September 2014 page 1; section 137 on 1 July 2015: section 2(3).
INTERPRETATION OF LEGISLATION ACT 1984 (ILA)
Style changes
Section 54A of the ILA authorises the making of the style changes set out in Schedule 1 to that Act.
References to ILA s. 39B
Sidenotes which cite ILA s. 39B refer to section 39B of the ILA which provides that where an undivided section or clause of a Schedule is amended by the insertion of one or more subsections or subclauses, the original section or clause becomes subsection or subclause (1) and is amended by the insertion of the expression "(1)" at the beginning of the original section or clause.
Interpretation
As from 1 January 2001, amendments to section 36 of the ILA have the following effects:
• Headings
All headings included in an Act which is passed on or after 1 January 2001 form part of that Act. Any heading inserted in an Act which was passed before 1 January 2001, by an Act passed on or after 1 January 2001, forms part of that Act. This includes headings to Parts, Divisions or Subdivisions in a Schedule; sections; clauses; items; tables; columns; examples; diagrams; notes or forms. See section 36(1A)(2A).
• Examples, diagrams or notes
All examples, diagrams or notes included in an Act which is passed on or after 1 January 2001 form part of that Act. Any examples, diagrams or notes inserted in an Act which was passed before 1 January 2001, by an Act passed on or after 1 January 2001, form part of that Act. See section 36(3A).
• Punctuation
All punctuation included in an Act which is passed on or after 1 January 2001 forms part of that Act. Any punctuation inserted in an Act which was passed before 1 January 2001, by an Act passed on or after 1 January 2001, forms part of that Act. See section 36(3B).
• Provision numbers
All provision numbers included in an Act form part of that Act, whether inserted in the Act before, on or after 1 January 2001. Provision numbers include section numbers, subsection numbers, paragraphs and subparagraphs. See section 36(3C).
• Location of "legislative items"
A "legislative item" is a penalty, an example or a note. As from 13 October 2004, a legislative item relating to a provision of an Act is taken to be at the foot of that provision even if it is preceded or followed by another legislative item that relates to that provision. For example, if a penalty at the foot of a provision is followed by a note, both of these legislative items will be regarded as being at the foot of that provision. See section 36B.
• Other material
Any explanatory memorandum, table of provisions, endnotes, index and other material printed after the Endnotes does not form part of an Act.
See section 36(3)(3D)(3E).
2 Table of Amendments
This publication incorporates amendments made to the Privacy and Data Protection Act 2014 by Acts and subordinate instruments.
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Privacy and Data Protection Act 2014, No. 60/2014
Assent Date: 2.9.14 Commencement Date: Ss 129–136 on 3.9.14: s. 2(2); s. 141 on 17.9.14: Special Gazette (No. 317) 16.9.14 p. 1; s. 137 on 1.7.15: s. 2(3); s. 130(4) inserted on 26.4.21 by No. 11/2021 s. 170: s. 2(2) Note: S. 141 repealed Pt 9 (ss 129–141) and Sch. 3 on 9.12.15; s. 130(4) repealed s. 130 on 26.4.23 CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Inquiries Act 2014, No. 67/2014
Assent Date: 23.9.14 Commencement Date: S. 147(Sch. 2 item 28) on 15.10.14: Special Gazette (No. 364) 14.10.14 p. 2 CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Statute Law Revision Act 2015, No. 21/2015
Assent Date: 16.6.15 Commencement Date: S. 3(Sch. 1 item 41) on 1.8.15: s. 2(1) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Health Complaints Act 2016, No. 22/2016
Assent Date: 3.5.16 Commencement Date: S. 240 on 1.2.17: s. 2(2) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Fines Reform and Infringements Acts Amendment Act 2016, No. 29/2016
Assent Date: 31.5.16 Commencement Date: S. 111 on 31.12.17: s. 2(5) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Powers of Attorney Amendment Act 2016, No. 64/2016
Assent Date: 15.11.16 Commencement Date: S. 16 on 1.5.17: s. 2(2) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Medical Treatment Planning and Decisions Act 2016, No. 69/2016
Assent Date: 29.11.16 Commencement Date: S. 158 on 12.3.18: s. 2(2) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017, No. 20/2017
Assent Date: 16.5.17 Commencement Date: Ss 78–106 on 1.9.17: s. 2(3) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Family Violence Protection Amendment (Information Sharing) Act 2017, No. 23/2017 (as amended by No. 60/2017)
Assent Date: 14.6.17 Commencement Date: Ss 20–22 on 26.2.18: Special Gazette (No. 40) 6.2.18 p. 1 CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Serious Sex Offenders (Detention and Supervision) Amendment (Governance) Act 2017, No. 57/2017
Assent Date: 8.11.17 Commencement Date: S. 50 on 27.2.18: Special Gazette (No. 49) 13.2.18 p. 1 Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Victorian Data Sharing Act 2017, No. 60/2017
Assent Date: 5.12.17 Commencement Date: S. 34 on 6.12.17: s. 2 CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Children Legislation Amendment (Information Sharing) Act 2018, No. 11/2018
Assent Date: 10.4.18 Commencement Date: S. 43 on 11.4.18: Special Gazette (No. 164) 10.4.18
p. 1; s. 31 on 27.9.18: Special Gazette (No. 405) 4.9.18 p. 1Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Serious Offenders Act 2018, No. 27/2018
Assent Date: 26.6.18 Commencement Date: S. 362 on 3.9.18: Special Gazette (No. 356) 31.7.18 p. 1 Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Integrity and Accountability Legislation Amendment (Public Interest Disclosures, Oversight and Independence) Act 2019, No. 2/2019
Assent Date: 5.3.19 Commencement Date: S. 209 on 6.3.19: s. 2(1); s. 145 on 1.1.20: s. 2(3) Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Guardianship and Administration Act 2019, No. 13/2019
Assent Date: 4.6.19 Commencement Date: S. 221(Sch. 1 item 39) on 1.3.20: s. 2(2) Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Children Legislation Amendment Act 2019, No. 30/2019
Assent Date: 17.9.19 Commencement Date: S. 19 on 18.9.19: s. 2(1) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Health Legislation Amendment and Repeal Act 2019, No. 34/2019
Assent Date: 22.10.19 Commencement Date: S. 87 on 27.8.20: s. 2(3) Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Local Government Act 2020, No. 9/2020
Assent Date: 24.3.20 Commencement Date: S. 390(Sch. 1 item 80) on 6.4.20: Special Gazette (No. 150) 24.3.20 p. 1 CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Justice Legislation Amendment (System Enhancements and Other Matters) Act 2021, No. 11/2021
Assent Date: 23.3.21 Commencement Date: Ss 164–170 on 26.4.21: s. 2(2) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Terrorism (Community Protection) Amendment Act 2021, No. 47/2021
Assent Date: 3.11.21 Commencement Date: S. 28 on 2.9.22: s. 2(3) Current State: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Mental Health and Wellbeing Act 2022, No. 39/2022
Assent Date: 6.9.22 Commencement Date: S. 853 on 1.9.23: s. 2(2) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
Justice Legislation Amendment (Integrity, Defamation and Other Matters) Act 2024, No. 31/2024
Assent Date: 10.9.24 Commencement Date: Ss 51–61 on 11.9.24: s. 2(1) CurrentState: This information relates only to the provision/s amending the Privacy and Data Protection Act 2014
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
3 Explanatory details
No entries at date of publication.
0
0
0