This is a Bill, not an Act. For current law, see the Acts databases.
PARLIAMENT OF VICTORIA
Data Protection Act 1999
Act No.
TABLE OF PROVISIONS
PART 1--PRELIMINARY
1. Purpose
2. Commencement
3. Definitions
4. Interpretative provisions
5. Objects of Act
6. Relationship of this Act to other laws
7. Nature of rights created by this Act
8. Act binds the Crown
PART 2--APPLICATION OF THIS ACT
Division 1--Public Sector Organisations
9. Application to public sector
Division 2--Private Sector Organisations
10. Application to private sector
11. Arrangement with Commonwealth
Division 3--Exemptions
12. Personal, family or household affairs
13. Courts, tribunals, etc.
14. Publicly-available information
15. News media
16. Statistical compilations, etc.
17. Freedom of Information Act 1982
18. Law enforcement
PART 3--INFORMATION PRIVACY
19. Information Privacy Principles
20. Application of IPPs
21. Organisations to comply with IPPs
22. Effect of outsourcing
532027B.I1-25/5/99
PART 4--CODES OF PRACTICE
23. Codes of practice
24. Process for approval of code of practice or code variation
25. Organisations bound by code of practice
26. Effect of approved code
27. Codes of practice register
28. Revocation of approval
29. Effect of revocation of approval or variation or expiry of approved code
PART 5--COMPLAINTS
Division 1--Making a Complaint
30. Complaints
31. Complaints by minors and people with an impairment
Division 2--Procedure after a Complaint is Made
32. Privacy Commissioner must notify respondent
33. Circumstances in which Privacy Commissioner may decline to entertain complaint
34. Privacy Commissioner may dismiss stale complaint
35. Minister may refer a complaint direct to Tribunal
36. What happens if conciliation is inappropriate?
Division 3--Conciliation of Complaints
37. Conciliation process
38. Power to obtain information and documents
39. Conciliation agreements
40. Evidence of conciliation is inadmissible
41. What happens if conciliation fails?
Division 4--Interim orders
42. Tribunal may make interim orders before hearing
Division 5--Jurisdiction of the Tribunal
43. When may the Tribunal hear a complaint?
44. Who are the parties to a proceeding?
45. Time limits for certain complaints
46. What may the Tribunal decide?
PART 6--ENFORCEMENT OF INFORMATION PRIVACY PRINCIPLES
47. Compliance notice
48. Power to obtain information and documents
49. Power to examine witnesses
50. Protection against self-incrimination
51. Offence not to comply with enforcement notice
52. Application for review
PART 7--PRIVACY COMMISSIONER
53. Privacy Commissioner
54. Remuneration and allowances
55. Terms and conditions of appointment
56. Vacancy, resignation
57. Suspension of Privacy Commissioner
58. Acting appointment
59. Validity of acts and decisions
60. Staff
61. Functions
62. Powers
63. Privacy Commissioner to have regard to certain matters
64. Delegation
65. Annual reports
66. Other reports
PART 8--GENERAL
67. Failure to attend etc. before Privacy Commissioner
68. Protection from liability
69. Secrecy
70. Employees and agents
71. Offences by organisations or bodies
72. Prosecutions
73. Supreme Court--limitation of jurisdiction
74. Regulations
PART 9--AMENDMENT OF CERTAIN ACTS
75. Amendment of Parliamentary Committees Act 1968
76. Amendment of Magistrates' Court Act 1989
77. Amendment of Public Sector Management and Employment Act 1998
78. Amendment of Victorian Civil and Administrative Tribunal Act 1998
__________________
SCHEDULE 1--The Information Privacy Principles
NOTES
PARLIAMENT OF VICTORIA
A BILL
to establish a data protection regime for the public and private sectors,
to amend the Parliamentary Committees Act 1968 and certain other
Acts and for other purposes.
Data Protection Act 1999
The Parliament of Victoria enacts as follows:
PART 1--PRELIMINARY
1. Purpose
The purpose of this Act is to establish a regime for
the protection of personal information in the
public and private sectors in Victoria.
2. Commencement
(1) Section 1 and this section come into operation on
the day on which this Act receives the Royal
Assent.
(2) The remaining provisions of this Act come into
operation on a day or days to be proclaimed.
3. Definitions
In this Act--
"applicable code of practice", in relation to an
organisation or an outsourced service
provider under an outsourcing contract with
an organisation, means an approved code of
practice by which the organisation is bound;
"approved code of practice" means a code of
practice approved under Part 4 as varied and
in operation for the time being;
"body" means body (whether incorporated or
not);
"code administrator", in relation to a code of
practice, means an independent code
administrator appointed in accordance with
the code to whom complaints may be made
in accordance with the code alleging a
contravention of the code;
"Commonwealth-regulated organisation"
means an agency to which the Privacy Act
1988 of the Commonwealth applies or a
person in the capacity of contracted service
provider within the meaning of that Act1;
"consent" means express consent or implied
consent;
"correct", in relation to personal information,
means to alter that information by way of
amendment, deletion or addition;
"Council" has the same meaning as in the Local
Government Act 1989;
"enactment" means an Act or a Commonwealth
Act or an instrument of a legislative
character made under an Act or a
Commonwealth Act;
"Federal Privacy Commissioner" means the
Privacy Commissioner appointed under the
Privacy Act 1988 of the Commonwealth;
"generally available publication" means a
publication (whether in paper or electronic
form) that is generally available to members
of the public and includes a public register;
"identifier" means an identifier (usually a
number) assigned by an organisation to an
individual uniquely to identify that
individual for the purposes of the operations
of the organisation but does not include an
identifier that consists only of the
individual's name;
"individual" means a natural person;
"Information Privacy Principle" means any of
the Information Privacy Principles set out in
Schedule 1;
"insolvent under administration" means--
(a) a person who is an undischarged
bankrupt; or
(b) a person for whom a debt agreement
has been made under Part IX of the
Bankruptcy Act 1966 of the
Commonwealth (or the corresponding
provisions of the law of another
jurisdiction) if the debt agreement has
not ended or has not been terminated;
or
(c) a person who has executed a deed of
arrangement under Part X of the
Bankruptcy Act 1966 of the
Commonwealth (or the corresponding
provisions of the law of another
jurisdiction) if the terms of the deed
have not been fully complied with; or
(d) a person whose creditors have accepted
a composition under Part X of the
Bankruptcy Act 1966 of the
Commonwealth (or the corresponding
provisions of the law of another
jurisdiction) if a final payment has not
been made under that composition;
"IPP" means Information Privacy Principle;
"law enforcement agency" means--
(a) the police force of Victoria or of any
other State or of the Northern
Territory; or
(b) the Australian Federal Police; or
(c) the National Crime Authority; or
(d) the Commissioner appointed under
section 8A of the Corrections Act
1986; or
(e) the Business Licensing Authority
established under Part 2 of the
Business Licensing Authority Act
1998; or
(f) a commission established by a law of
Victoria or the Commonwealth or of
any other State or a Territory with the
function of investigating matters
relating to criminal activity generally
or of a specified class or classes; or
(g) an agency established, or expressly
authorised or empowered, by or under
an Act or a Commonwealth Act to
perform functions or activities directed
to--
(i) the prevention, detection,
investigation, prosecution or
punishment of criminal offences
or breaches of a law imposing a
penalty or sanction for a breach;
or
(ii) the management of property
seized or restrained under laws
relating to the confiscation of the
proceeds of crime or the
enforcement of such laws; or
(h) an agency responsible for the
execution or implementation of an
order or decision made by a court or
tribunal including an agency that
executes warrants, provides
correctional services or makes
decisions relating to the release of
persons from custody; or
(i) an agency responsible for the
protection of the public revenue under
a law administered by it;
"news activity" means--
(a) the gathering of news for the purposes
of dissemination to the public or any
section of the public; or
(b) the preparation or compiling of articles
or programmes of or concerning news,
observations on news or current affairs
for the purposes of dissemination to
the public or any section of the public;
or
(c) the dissemination to the public or any
section of the public of any article or
programme of or concerning news,
observations on news or current
affairs;
"news medium" means any organisation whose
business, or whose principal business,
consists of a news activity;
"officer", in relation to a body corporate, has the
meaning given by section 82A of the
Corporations Law of Victoria;
"organisation" means a person or body that is an
organisation for the purposes of this Act by
force of Division 1 or 2 of Part 2;
"outsourcing contract" means a contract or
arrangement between an organisation and
another person or body (whether an
organisation for the purposes of this Act or
not) under which services are to be provided
to one (the outsourcing organisation) by the
other (the outsourced service provider) in
connection with the performance of
functions of the outsourcing organisation,
including services that the outsourcing
organisation is to provide to other persons or
bodies;
"personal information" means information
(whether fact, opinion or evaluative material)
recorded in any form about an individual
from which the individual is capable of
being identified (whether directly from the
information or from the information when
read in combination with other information
contained in a generally available
publication) but does not include information
contained in a generally available
publication;
"personal privacy" means privacy of personal
information;
"Privacy Commissioner" means the Privacy
Commissioner appointed under Part 7;
"private sector organisation" means any person
or body that is not, or to the extent that it is
not, a person or body to which this Act
applies by force of section 9(1);
"public sector agency" means an Agency or
public authority within the meaning of the
Public Sector Management and
Employment Act 1998;
"public register" means a document held by a
public sector agency or a Council and open
to inspection by members of the public
(whether or not on payment of a fee) by
force of a provision made by or under an Act
other than the Freedom of Information Act
1982 or the Public Records Act 1973
containing information that--
(a) a person or body was required or
permitted to give to that public sector
agency or Council by force of a
provision made by or under an Act;
and
(b) would be personal information if the
document were not a generally
available publication;
"subject of the information", in relation to
personal information, means the individual
to whom the information relates;
"third party", in relation to personal
information, means a person or body other
than the organisation holding the information
and the individual who is the subject of the
information;
"Tribunal" means Victorian Civil and
Administrative Tribunal established by the
Victorian Civil and Administrative
Tribunal Act 1998.
4. Interpretative provisions
(1) For the purposes of this Act, an organisation holds
personal information if the information is
contained in a document that is in the possession
or under the control of the organisation, whether
alone or jointly with other persons or bodies,
irrespective of where the document is situated,
whether in or outside Victoria.
(2) For the purposes of this Act, an act done or
practice engaged in by an organisation is an
interference with the privacy of an individual if,
and only if, the act or practice is contrary to, or
inconsistent with, an IPP or an applicable code of
practice.
(3) If a provision of this Act refers to an IPP by a
number, the reference is a reference to the IPP
designated by that number.
(4) A reference in this Act to an outsourced service
provider is a reference to a person or body in the
capacity of outsourced service provider and
includes a reference to a subcontractor of the
outsourced service provider (or of another such
subcontractor) for the purposes (whether direct or
indirect) of the outsourcing contract.
(5) Without limiting section 37(a) of the
Interpretation of Legislation Act 1984, a
reference in this Act to an organisation using a
neuter pronoun includes a reference to an
organisation that is a natural person, unless the
contrary intention appears.
5. Objects of Act
The objects of this Act are--
(a) to balance the public interest in the free flow
of information with the public interest in
protecting the privacy of personal
information;
(b) to promote awareness of responsible
personal information handling practices;
(c) to promote the responsible and transparent
handling of personal information;
(d) to provide a co-regulatory environment for
the handling of personal information that--
(i) is flexible enough to be adapted cost-
effectively to specific and differing
needs; and
(ii) is sensitive to international
developments and obligations.
6. Relationship of this Act to other laws
(1) If a provision made by or under this Act is
inconsistent with a provision made by or under
any other Act or any Commonwealth Act, that
other provision prevails and the provision made
by or under this Act is (to the extent of the
inconsistency) of no force or effect.
(2) Without limiting sub-section (1), nothing in this
Act affects the operation of the Freedom of
Information Act 1982 or any right, privilege,
obligation or liability conferred or imposed under
that Act or any exemption arising under that Act.
7. Nature of rights created by this Act
(1) Nothing in this Act--
(a) gives rise to any civil cause of action; or
(b) without limiting paragraph (a), operates to
create in any person any legal right
enforceable in a court or tribunal--
otherwise than in accordance with the procedures
set out in this Act.
(2) A contravention of this Act does not create any
criminal liability except to the extent expressly
provided by this Act.
8. Act binds the Crown
(1) This Act binds the Crown in right of Victoria and,
so far as the legislative power of the Parliament
permits, the Crown in all its other capacities.
(2) Nothing in this Act makes the Crown in any of its
capacities liable to be prosecuted for an offence.
_______________
PART 2--APPLICATION OF THIS ACT
Division 1--Public Sector Organisations
9. Application to public sector
(1) This Act applies to--
(a) a Minister;
(b) a public sector agency;
(c) a Council;
(d) a body established or appointed for a public
purpose by or under an Act;
(e) a body established or appointed for a public
purpose by the Governor in Council, or by a
Minister, otherwise than under an Act;
(f) a person holding an office or position
established by or under an Act or to which
he or she was appointed by the Governor in
Council, or by a Minister, otherwise than
under an Act;
(g) a court or tribunal;
(h) the police force of Victoria;
(i) any other body that is declared, or to the
extent that it is declared, by an Order under
sub-section (2)(a) to be an organisation for
the purposes of this sub-section--
excluding any person or body that is a
Commonwealth-regulated organisation or
declared, or to the extent that it is declared, by an
Order under sub-section (2)(b) not to be an
organisation for the purposes of the relevant
paragraph of this sub-section.
(2) The Governor in Council may, by Order published
in the Government Gazette--
(a) declare a body to be, either wholly or to the
extent specified in the Order, an organisation
for the purposes of sub-section (1); or
(b) declare a body referred to in paragraph (d)
or (e), or a person holding an office or
position referred to in paragraph (f), not to
be an organisation for the purposes of that
paragraph, either wholly or to the extent
specified in the Order.
(3) The Minister may only recommend to the
Governor in Council the making of an Order
under sub-section (2)(b) in respect of a body or
person if satisfied that the collection, holding, use
and disclosure by that body or person of personal
information is more appropriately governed by
another scheme (whether contained in an
enactment or given legislative force by an
enactment) which would apply if that person or
body were not an organisation for the purposes of
the relevant paragraph of sub-section (1), either
wholly or to the extent specified in the Order.
(4) A person or body to which this Act applies by
force of sub-section (1) is an organisation for the
purposes of this Act, either wholly or to the
relevant extent.
(5) This section is subject to Division 3.
Division 2--Private Sector Organisations
10. Application to private sector
(1) This Act applies to all private sector
organisations.
(2) A private sector organisation is an organisation
for the purposes of this Act.
(3) This section is subject to Division 3.
11. Arrangement with Commonwealth
(1) The Governor in Council may arrange with the
Governor-General of the Commonwealth for the
exercise and discharge, in relation to any private
sector organisation, by the Federal Privacy
Commissioner on behalf of the Government of
Victoria of all or any powers, duties, functions or
authorities which, in the absence of the
arrangement, would be exercisable under this Act
in relation to that organisation by the Privacy
Commissioner appointed under Part 7.
(2) An agreement relating to an arrangement referred
to in sub-section (1) may provide for all or any
matters necessary or convenient to be provided
for, or incidental to, carrying out the arrangement
and must enable the arrangement to be terminated
by the Governor in Council at any time.
(3) Notice of an arrangement under this section must
be published in the Government Gazette and, in
any proceedings under this Act, production of a
copy of or an extract from the Government
Gazette containing the notice is evidence that the
arrangement has been made and is still in
operation.
(4) References in this Act to the Privacy
Commissioner must be construed as including
references to the Federal Privacy Commissioner to
the extent that the Federal Privacy Commissioner
exercises and discharges on behalf of the
Government of Victoria any powers, duties,
functions or authorities of the Privacy
Commissioner under this Act in accordance with
an arrangement under this section.
Division 3--Exemptions
12. Personal, family or household affairs
Nothing in this Act or in any IPP applies in
respect of the collection, holding, management,
use, disclosure or transfer of personal information
by an individual, or personal information held by
an individual, only for the purposes of, or in
connection with, his or her personal, family or
household affairs.
13. Courts, tribunals, etc.
Nothing in this Act or in any IPP applies in
respect of the collection, holding, management,
use, disclosure or transfer of personal
information--
(a) in relation to its or his or her judicial or
quasi-judicial functions, by--
(i) a court or tribunal; or
(ii) the holder of a judicial or quasi-judicial
office or other office pertaining to a
court or tribunal in his or her capacity
as the holder of that office; or
(b) in relation to those matters which relate to
the judicial or quasi-judicial functions of the
court or tribunal, by--
(i) a registry or other office of a court or
tribunal; or
(ii) the staff of such a registry or other
office in their capacity as members of
that staff.
14. Publicly-available information
(1) Nothing in this Act or in any IPP applies to a
document containing personal information, or to
the personal information contained in a document,
that is--
(a) a generally available publication; or
(b) kept in a library, art gallery or museum for
the purposes of reference, study or
exhibition; or
(c) a public record under the control of the
Keeper of Public Records that is available
for public inspection in accordance with the
Public Records Act 1973; or
(d) archives within the meaning of the Copyright
Act 1968 of the Commonwealth.
(2) Sub-section (1) does not take away from section
21(5) which imposes duties on a public sector
agency or a Council in administering a public
register.
15. News media
(1) Nothing in IPP 1 or IPP 2 applies to the
collection, use or disclosure of personal
information by a news medium in connection with
its news activities.
(2) Nothing in IPP 6 applies to personal information
held by a news medium in connection with its
news activities unless and until the information is
actually disseminated to the public or any section
of the public.
16. Statistical compilations, etc.
Nothing in IPP 2 applies to the use or disclosure
of personal information by an organisation in
connection with a legitimate function or activity
of that organisation in compiling statistics or
carrying out research other than for publication in
a form that identifies any particular individual.
17. Freedom of Information Act 1982
Nothing in IPP 6 applies to--
(a) a document containing personal information,
or to the personal information contained in a
document, that is--
(i) a document of an agency within the
meaning of the Freedom of
Information Act 1982; or
(ii) an official document of a Minister
within the meaning of that Act; or
(iii) a document to which Part IIIA of that
Act applies--
and access can only be granted to that
document or information, and that
information can only be corrected, in
accordance with the procedures set out in,
and in the form required or permitted by, that
Act; or
(b) a document containing personal information,
or to the personal information contained in a
document, to which access would not be
granted under the Freedom of Information
Act 1982 because of section 6 of that Act.
18. Law enforcement
It is not necessary for a law enforcement agency
to comply with IPP 1.3 to 1.5, 2.1, 6.1 to 6.9, 9.1
or 10.1 if it believes on reasonable grounds that
the non-compliance is necessary--
(a) for the purposes of one or more of its, or any
other law enforcement agency's, legitimate
law enforcement functions or activities; or
(b) for the enforcement of laws relating to the
confiscation of the proceeds of crime; or
(c) in connection with the conduct of
proceedings commenced, or about to be
commenced, in any court or tribunal.
_______________
PART 3--INFORMATION PRIVACY
19. Information Privacy Principles
(1) The Information Privacy Principles are set out in
Schedule 1.
(2) Nothing in any Information Privacy Principle
affects the operation or extent of any exemption
arising under Division 3 of Part 2 and those
Principles must be construed accordingly.
20. Application of IPPs
(1) IPP 1 and IPP 10 apply only in relation to
information collected--
(a) in the case of a public sector organisation,
after the commencement of section 9; and
(b) in the case of a private sector organisation,
after the commencement of section 10.
(2) The remaining Information Privacy Principles
apply in relation to all personal information,
whether collected by the organisation before or
after the commencement of section 9 or 10, as the
case requires.
21. Organisations to comply with IPPs
(1) Subject to section 20, an organisation must not do
an act, or engage in a practice, that contravenes an
Information Privacy Principle in respect of
personal information collected, held, used or
disclosed by it.
(2) Sub-section (1) only applies in relation to an
Information Privacy Principle, other than IPP 4
and IPP 6, on and from--
(a) in the case of a public sector organisation,
the first anniversary of the commencement
of section 9; and
(b) in the case of a private sector organisation,
the first anniversary of the commencement
of section 10.
(3) Despite sub-sections (1) and (2), sub-section (1)
does not apply to the doing of an act, or the
engaging in of a practice, by an organisation that,
but for this sub-section, would constitute a
contravention of an Information Privacy Principle,
other than IPP 4 and IPP 6, if--
(a) the doing of the act or the engaging in of the
practice is necessary for the performance of
a contract to which the organisation is a
party entered into by the organisation--
(i) in the case of a public sector
organisation, before the commencement
of section 9; and
(ii) in the case of a private sector
organisation, before the commencement
of section 10; and
(b) the act is done or the practice is engaged in
before the second anniversary of the
commencement of section 9 or 10 (as the
case requires) or the end of any extension of
that period granted in relation to that contract
under sub-section (4).
(4) On the application of an organisation before the
expiry of the period referred to in sub-section
(3)(b) (including any extension of that period
granted under this sub-section), the Privacy
Commissioner may grant an extension of that
period in relation to a specified contract if he or
she is of the opinion that the organisation is doing
its best--
(a) to comply with the IPPs consistent with its
obligations under the contract; and
(b) to seek to have the contract re-negotiated to
enable the organisation to comply fully with
the IPPs.
(5) A public sector agency or a Council must, in
administering a public register, so far as is
reasonably practicable not do an act or engage in a
practice that would contravene an Information
Privacy Principle in respect of information
collected, held, used or disclosed by it in
connection with the administration of the public
register if that information were personal
information.
22. Effect of outsourcing
(1) Subject to this section, the status or effect for the
purposes of this Act of an act or practice is not
affected by the existence or operation of an
outsourcing contract.
(2) An outsourcing contract may provide for the
outsourced service provider to be bound by the
Information Privacy Principles and any applicable
code of practice with respect to any act done, or
practice engaged in, by the outsourced service
provider in the same way and to the same extent
as the outsourcing organisation would have been
bound by them in respect of that act or practice
had it been directly done or engaged in by the
outsourcing organisation.
(3) If a provision of a kind referred to in sub-section
(2) is in force under an outsourcing contract, the
Information Privacy Principles and any applicable
code of practice apply to an act done, or practice
engaged in, by the outsourced service provider in
the same way and to the same extent as they
would have applied to the outsourcing
organisation in respect of that act or practice had
it been directly done or engaged in by the
outsourcing organisation.
(4) An act or practice that is an interference with the
privacy of an individual done or engaged in by an
outsourced service provider must, for the purposes
of this Act and any applicable code of practice, be
taken to have been done or engaged in by the
outsourcing organisation as well as the outsourced
service provider unless--
(a) the outsourcing organisation establishes that
a provision of a kind referred to in sub-
section (2) was in force under the
outsourcing contract at the relevant time in
relation to the act or practice; and
(b) the IPP or applicable code of practice to
which the act or practice is contrary, or with
which it is inconsistent, is capable of being
enforced against the outsourced service
provider in accordance with the procedures
set out in this Act.
(5) Section 70(1) does not apply to an act done or
practice engaged in by an outsourced service
provider acting within the scope of an outsourcing
contract.
_______________
PART 4--CODES OF PRACTICE
23. Codes of practice
(1) An organisation can discharge its duty to comply
with an Information Privacy Principle in respect
of personal information collected, held, used or
disclosed by it by complying with a code of
practice approved under this Part and binding on
the organisation.
(2) A code of practice may--
(a) modify the application of any one or more of
the Information Privacy Principles by--
(i) prescribing standards that are more
stringent or less stringent than the
standards prescribed by any
Information Privacy Principle; or
(ii) exempting any act or practice from an
Information Privacy Principle, either
unconditionally or subject to any
conditions that are prescribed in the
code of practice; or
(b) prescribe how any one or more of the
Information Privacy Principles are to be
applied, or are to be complied with; or
(c) prescribe standards in relation to any matter
in substitution for standards prescribed by an
Information Privacy Principle.
(3) A code of practice may apply in relation to any
one or more of the following--
(a) any specified information or class of
information;
(b) any specified organisation or class of
organisation;
(c) any specified activity or class of activity;
(d) any specified industry, profession or calling
or class of industry, profession or calling.
(4) A code of practice may also--
(a) impose controls on an organisation that
matches data for the purpose of producing or
verifying information about an identifiable
individual; or
(b) in relation to charging--
(i) set guidelines to be followed in
determining charges; or
(ii) prescribe circumstances in which no
charge may be imposed; or
(c) prescribe--
(i) procedures for dealing with complaints
alleging a contravention of the code,
including the appointment of an
independent code administrator to
whom complaints may be made; or
(ii) remedies available where a complaint is
substantiated; or
(d) provide for the review of the code by the
Privacy Commissioner; or
(e) provide for the expiry of the code.
(5) Sub-section (1) applies also to a public sector
agency or a Council in seeking to discharge its
duty to comply, so far as is reasonably practicable,
with an Information Privacy Principle in relation
to a public register as imposed by section 21(5)
and this Part has effect accordingly.
24. Process for approval of code of practice or code
variation
(1) An organisation may seek approval of a code of
practice, or of a variation of an approved code of
practice, by submitting the code or variation to the
Privacy Commissioner.
(2) The Governor in Council, on the recommendation
of the Minister made after considering the advice
of the Privacy Commissioner, may by notice
published in the Government Gazette approve a
code of practice or a variation of an approved
code of practice.
(3) The Privacy Commissioner may advise the
Minister to recommend to the Governor in
Council that a code of practice, or a variation of
an approved code of practice, be approved if in his
or her opinion--
(a) the code or variation would substantially
achieve the objects of this Act in relation to
the personal information to which the code
applies; and
(b) approving the code or variation is not
contrary to the public interest.
(4) Before deciding whether or not to advise the
Minister to recommend approval of a code of
practice or of a variation of an approved code of
practice, the Privacy Commissioner--
(a) if not also the Federal Privacy
Commissioner, must consult that
Commissioner unless the code or variation is
not capable of applying to a private sector
organisation; and
(b) may consult any other person or body that
the Privacy Commissioner considers it
appropriate to consult; and
(c) must have regard to the extent to which
members of the public have been given an
opportunity to comment on the code or
variation.
(5) A code of practice or variation comes into
operation at the beginning of--
(a) the day on which the notice of approval
under sub-section (2) is published in the
Government Gazette; or
(b) such later day as is expressed in that notice
as the day on which the code or variation
comes into operation.
25. Organisations bound by code of practice
(1) An approved code of practice binds--
(a) any organisation that sought approval of it;
and
(b) any organisation that, by notice in writing
given to the Privacy Commissioner, states
that it intends to be bound by an approved
code of practice that is then in operation and
that is capable of applying to the
organisation.
(2) A notice under sub-section (1)(b) may indicate an
intention that the organisation be bound by the
approved code of practice--
(a) generally; or
(b) only in respect of specified information or a
specified class of information collected,
held, used or disclosed by it; or
(c) only in respect of any specified activity or
class of activity.
(3) A notice under sub-section (1)(b) has no effect
unless the Privacy Commissioner approves it.
(4) The Privacy Commissioner may approve a notice
under sub-section (1)(b) if satisfied that the
approved code of practice is capable of applying
to the organisation to the extent set out in the
notice.
(5) An organisation is bound by an approved code of
practice--
(a) in the case of an organisation referred to in
sub-section (1)(a), on and from the coming
into operation of the code; and
(b) in the case of an organisation referred to in
sub-section (1)(b), on and from the date
expressed in the notice under that sub-
section as the date on and from which the
organisation will be bound by the code or the
date on which the organisation is notified of
the Privacy Commissioner's approval of the
notice, whichever is the later.
(6) An organisation bound by an approved code of
practice may, by notice in writing given to the
Privacy Commissioner, state that it intends to
cease to be bound by that code.
(7) An organisation ceases to be bound by an
approved code of practice on and from the date of
the notice under sub-section (6) or such later date
as is expressed in that notice as the date on and
from which the organisation will cease to be
bound by the code.
26. Effect of approved code
If an approved code of practice is in operation and
binding on an organisation--
(a) an act done, or practice engaged in, by the
organisation that would otherwise
contravene an Information Privacy Principle
is, for the purposes of this Act, deemed not
to be a contravention of that principle if the
act or practice does not contravene the code;
and
(b) an act done, or practice engaged in, by the
organisation that contravenes the code, even
though that act or practice would not
otherwise contravene any Information
Privacy Principle, is, for the purposes of this
Act, deemed to be a contravention of an
Information Privacy Principle and may be
dealt with as provided by that code and this
Act.
27. Codes of practice register
(1) The Privacy Commissioner must cause a register
of all approved codes of practice to be established
and maintained and for that purpose may
determine the form of the register.
(2) A person may at any reasonable time--
(a) inspect the register and any documents that
form part of it; or
(b) on the payment of any fee required by the
regulations, obtain a copy of any entry in, or
document forming part of, the register.
28. Revocation of approval
(1) The Governor in Council, on the recommendation
of the Minister made after considering the advice
of the Privacy Commissioner, may by notice
published in the Government Gazette revoke the
approval of a code of practice or of a variation of
an approved code of practice.
(2) The Privacy Commissioner may act under sub-
section (1) on his or her own initiative or on an
application for revocation made to him or her by
an individual or organisation.
(3) Before deciding whether or not to advise the
Minister to recommend revocation of the approval
of a code of practice or of a variation of an
approved code of practice, the Privacy
Commissioner--
(a) if not also the Federal Privacy
Commissioner, must consult that
Commissioner unless the code or variation
does not apply to a private sector
organisation; and
(b) must consult the organisation that sought
approval of the code or variation and may
consult any other person or body that the
Privacy Commissioner considers it
appropriate to consult; and
(c) must have regard to the extent to which
members of the public have been given an
opportunity to comment on the proposed
revocation.
(4) An approved code of practice or approved
variation ceases to be in operation at the
beginning of--
(a) the day on which the notice of revocation
under sub-section (1) is published in the
Government Gazette; or
(b) such later day as is expressed in that notice
as the day on which the code or variation
ceases to be in operation.
29. Effect of revocation of approval or variation or expiry
of approved code
(1) The revocation of the approval of a code of
practice or of a variation of an approved code of
practice, or the expiry of an approved code of
practice, or the ceasing of an organisation to be
bound by a code of practice, does not--
(a) revive anything not in force or existing at the
time at which the revocation, expiry or
cessation becomes operative; or
(b) affect the previous operation of the code or
anything duly done or suffered under, or in
relation to, the code; or
(c) affect any right, privilege, obligation or
liability acquired, accrued or incurred under,
or in relation to, the code; or
(d) affect any penalty incurred in respect of any
contravention of the code or in respect of any
offence against section 51(1) committed in
relation to a compliance notice issued
because of any contravention of the code; or
(e) affect any investigation, legal proceeding or
remedy in respect of any such right,
privilege, obligation, liability or penalty as is
mentioned in paragraphs (c) and (d)--
and any such investigation, legal proceeding or
remedy may be instituted, continued or enforced
and any such penalty may be imposed as if the
code or variation had not been revoked or the
code had not expired or the organisation had not
ceased to be bound by the code.
(2) Subject to sub-section (1), if a variation of an
approved code of practice is revoked, the code
takes effect without that variation as from the
beginning of the day on which the variation ceases
to be in operation in all respects as if the variation
had not been made.
(3) Nothing in this section prevents the application to
an organisation, or an outsourced service provider
under an outsourcing contract with an
organisation, of an IPP (without any modification)
on and from the day on which an applicable code
of practice, that modified the application of that
IPP, ceases to be in operation.
_______________
PART 5--COMPLAINTS
Division 1--Making a Complaint
30. Complaints
(1) An individual in respect of whom personal
information is, or has at any time been, held by an
organisation may complain to the Privacy
Commissioner about an act or practice that may
be an interference with the privacy of the
individual2.
(2) A complaint may be made under sub-section (1)
if--
(a) there is no applicable code of practice in
relation to the holding of the information by
the organisation; or
(b) there is an applicable code of practice in
relation to the holding of the information by
the organisation but that code does not
provide for the appointment of a code
administrator to whom complaints may be
made; or
(c) there is an applicable code of practice in
relation to the holding of the information by
the organisation that provides for the
appointment of a code administrator and not
less than 45 days before complaining under
sub-section (1) the individual complained to
the code administrator in accordance with
the procedures set out in that code but has
received no response or a response that the
individual considers to be inadequate.
(3) In the case of an act or practice that may be an
interference with the privacy of 2 or more
individuals, any one of those individuals may
make a complaint under sub-section (1) on behalf
of all of the individuals with their consent.
(4) A complaint must be in writing and lodged with
the Privacy Commissioner by hand, facsimile or
other electronic transmission or post.
(5) It is the duty of employees in the office of the
Privacy Commissioner to provide appropriate
assistance to an individual who wishes to make a
complaint and requires assistance to formulate the
complaint.
(6) The complaint must specify the respondent to the
complaint.
(7) If the organisation is a legal person, the
organisation shall be the respondent and, if the
organisation is an unincorporated body, the
members of the committee of management of the
organisation shall be the respondents.
(8) A failure to comply with sub-section (6) does not
render the complaint, or any step taken in relation
to it, a nullity.
31. Complaints by minors and people with an impairment
(1) A complaint may be made--
(a) by a child; or
(b) on behalf of a child by--
(i) a parent of the child; or
(ii) any other individual with the consent of
the child or of a parent of the child.
(2) If an individual is unable to complain because of
impairment, a complaint may be made on behalf
of that individual by--
(a) an individual authorised by that individual to
complain on his or her behalf; or
(b) if that individual is unable to authorise
another individual, any other individual on
his or her behalf.
(3) In this section "parent" and "impairment" have
the same respective meanings as in the Equal
Opportunity Act 1995.
Division 2--Procedure after a Complaint is Made
32. Privacy Commissioner must notify respondent
The Privacy Commissioner must notify the
respondent in writing of the complaint as soon as
practicable after receiving it.
33. Circumstances in which Privacy Commissioner may
decline to entertain complaint
(1) The Privacy Commissioner may decline to
entertain a complaint made under section 30(1) by
notifying the complainant and the respondent in
writing to that effect within 90 days after the day
on which the complaint was lodged if the Privacy
Commissioner considers that--
(a) the act or practice about which the complaint
has been made is not an interference with the
privacy of an individual; or
(b) the act or practice is subject to an applicable
code of practice and all mechanisms for
seeking redress available under that code
have not been exhausted; or
(c) although a complaint has been made to the
Privacy Commissioner about the act or
practice, the complainant has not complained
to the respondent; or
(d) the complaint to the Privacy Commissioner
was made more than 45 days after the
complainant became aware of the act or
practice; or
(e) the complaint is frivolous, vexatious,
misconceived or lacking in substance; or
(f) the act or practice is the subject of an
application under another enactment and the
subject-matter of the complaint has been, or
is being, dealt with adequately under that
enactment; or
(g) the act or practice could be made the subject
of an application under another enactment
for a more appropriate remedy; or
(h) the complainant has complained to the
respondent about the act or practice and
either--
(i) the respondent has dealt, or is dealing,
adequately with the complaint; or
(ii) the respondent has not yet had an
adequate opportunity to deal with the
complaint.
(2) Before declining to entertain a complaint, the
Privacy Commissioner may, by written notice,
invite any person--
(a) to attend before the Privacy Commissioner,
or an employee in the office of the Privacy
Commissioner, for the purpose of discussing
the subject matter of the complaint; or
(b) to produce any documents specified in the
notice.
(3) Within 60 days after receiving the Privacy
Commissioner's notice declining to entertain a
complaint, the complainant, by notice in writing
given to the Privacy Commissioner, may require
him or her to refer the complaint to the Tribunal
for hearing under Division 5.
(4) The Privacy Commissioner must comply with a
notice under sub-section (3).
(5) If the complainant does not notify the Privacy
Commissioner under sub-section (3), the Privacy
Commissioner may dismiss the complaint.
(6) As soon as possible after a dismissal under sub-
section (5), the Privacy Commissioner must, by
written notice, notify the complainant and the
respondent of the dismissal.
(7) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
34. Privacy Commissioner may dismiss stale complaint
(1) The Privacy Commissioner may dismiss a
complaint if he or she has had no substantive
response from the complainant in the period of
90 days following a request by the Privacy
Commissioner for a response in relation to the
complaint.
(2) As soon as possible after a dismissal under sub-
section (1), the Privacy Commissioner must, by
written notice, notify the complainant and the
respondent of the dismissal.
(3) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
35. Minister may refer a complaint direct to Tribunal
(1) If the Minister considers that the subject matter of
a complaint raises an issue of important public
policy, the Minister may refer the complaint direct
to the Tribunal for hearing under Division 5,
whether or not the Privacy Commissioner has
considered it or the complaint is in the process of
being conciliated.
(2) The Minister is not a party to a proceeding on a
complaint referred to the Tribunal under
sub-section (1) unless joined by the Tribunal.
36. What happens if conciliation is inappropriate?
(1) If the Privacy Commissioner does not consider it
reasonably possible that a complaint may be
conciliated successfully under Division 3, he or
she must notify the complainant and the
respondent in writing.
(2) Within 60 days after receiving the Privacy
Commissioner's notice under sub-section (1), the
complainant, by written notice, may require the
Privacy Commissioner to refer the complaint to
the Tribunal for hearing under Division 5.
(3) The Privacy Commissioner must comply with a
notice under sub-section (2).
(4) If the complainant does not notify the Privacy
Commissioner under sub-section (2), the Privacy
Commissioner may dismiss the complaint.
(5) As soon as possible after a dismissal under sub-
section (4), the Privacy Commissioner must, by
written notice, notify the complainant and the
respondent of the dismissal.
(6) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
Division 3--Conciliation of Complaints
37. Conciliation process
(1) If the Privacy Commissioner considers it
reasonably possible that a complaint may be
conciliated successfully, he or she must make all
reasonable endeavours to conciliate the complaint.
(2) Sub-section (1) does not apply to a complaint--
(a) that the Privacy Commissioner has declined
to entertain under section 33 or dismissed
under section 34; or
(b) that the Minister has referred to the Tribunal
under section 35.
(3) The Privacy Commissioner may require a party to
attend a conciliation either personally or by a
representative who has authority to settle the
matter on behalf of the party.
38. Power to obtain information and documents
(1) If the Privacy Commissioner has reason to believe
that a person has information or a document
relevant to a conciliation under this Division, the
Privacy Commissioner may give to the person a
written notice requiring the person--
(a) to give the information to the Privacy
Commissioner in writing signed by the
person or, in the case of a body corporate, by
an officer of the body corporate; or
(b) to produce the document to the Privacy
Commissioner.
(2) If the Privacy Commissioner has reason to believe
that a person has information relevant to a
conciliation under this Division, the Privacy
Commissioner may give to the person a written
notice requiring the person to attend before the
Privacy Commissioner at a time and place
specified in the notice to answer questions
relevant to the complaint.
(3) The Privacy Commissioner is not entitled to
require an agency within the meaning of the
Freedom of Information Act 1982 or a Minister
to give any information if the Secretary to the
Department of Premier and Cabinet furnishes to
the Privacy Commissioner a certificate certifying
that the giving of that information (including in
answer to a question) would involve the
disclosure of information which, if included in a
document of the agency or an official document of
the Minister, would cause the document to be--
(a) an exempt document for the purposes of that
Act; or
(b) a document to which Part IIIA of that Act
applies.
39. Conciliation agreements
(1) If, following conciliation, the parties to the
complaint reach agreement with respect to the
subject matter of the complaint--
(a) at the request of any party made within
30 days after agreement is reached, a written
record of the conciliation agreement is to be
prepared by the parties or the Privacy
Commissioner; and
(b) the record must be signed by or on behalf of
each party and certified by the Privacy
Commissioner; and
(c) the Privacy Commissioner must give each
party a copy of the signed and certified
record.
(2) Any party, after notifying in writing the other
party, may lodge a copy of the signed and
certified record with the Tribunal for registration.
(3) Subject to sub-section (4), the Tribunal must
register the record and give a certified copy of the
registered record to each party.
(4) If the Tribunal, constituted by a presidential
member, considers that it may not be practicable
to enforce, or to supervise compliance with, a
conciliation agreement, the Tribunal may refuse to
register the record of the agreement.
(5) On registration, the record must be taken to be an
order of the Tribunal in accordance with its terms
and may be enforced accordingly.
(6) The refusal of the Tribunal to register the record
of a conciliation agreement does not affect the
validity of the agreement.
40. Evidence of conciliation is inadmissible
Evidence of anything said or done in the course of
a conciliation is not admissible in proceedings
before the Tribunal or any other legal proceedings
relating to the subject matter of the complaint,
unless all parties to the conciliation otherwise
agree.
41. What happens if conciliation fails?
(1) If the Privacy Commissioner has attempted
unsuccessfully to conciliate a complaint, he or she
must notify the complainant and the respondent in
writing.
(2) Within 60 days after receiving the Privacy
Commissioner's notice under sub-section (1), the
complainant, by written notice, may require the
Privacy Commissioner to refer the complaint to
the Tribunal for hearing under Division 5.
(3) The Privacy Commissioner must comply with a
notice under sub-section (2).
(4) If the complainant does not notify the Privacy
Commissioner under sub-section (2), the Privacy
Commissioner may dismiss the complaint.
(5) As soon as possible after a dismissal under sub-
section (4), the Privacy Commissioner must, by
written notice, notify the complainant and the
respondent of the dismissal.
(6) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
Division 4--Interim orders
42. Tribunal may make interim orders before hearing
(1) A complainant or a respondent or the Privacy
Commissioner may apply to the Tribunal for an
interim order to prevent any party to the complaint
from acting in a manner prejudicial to
negotiations or conciliation or to any decision or
order the Tribunal might subsequently make.
(2) An application may be made under sub-section (1)
at any time before the complaint is referred to the
Tribunal.
(3) In making an interim order, the Tribunal must
have regard to--
(a) whether or not the complainant has
established a prima facie case with respect to
the complaint; and
(b) any possible detriment or advantage to the
public interest in making the order; and
(c) any possible detriment to the complainant's
or the respondent's case if the order is not
made.
(4) An interim order applies for the period, not
exceeding 28 days, specified in it and may be
extended from time to time by the Tribunal.
(5) The party against whom the interim order is
sought is a party to the proceeding on an
application under sub-section (1).
(6) In making an interim order, the Tribunal--
(a) may require any undertaking as to costs or
damages that it considers appropriate; and
(b) may make provision for the lifting of the
order if specified conditions are met.
(7) The Tribunal may assess any costs or damages
referred to in sub-section (6)(a).
(8) Nothing in this section affects or takes away from
the Tribunal's power under section 123 of the
Victorian Civil and Administrative Tribunal
Act 1998 to make orders of an interim nature in a
proceeding in the Tribunal in respect of a
complaint.
Division 5--Jurisdiction of the Tribunal
43. When may the Tribunal hear a complaint?
(1) The Tribunal may hear a complaint--
(a) referred to it by the Privacy Commissioner
under section 33, 36 or 41;
(b) referred to it by the Minister under section
35.
(2) The Tribunal also has the jurisdiction conferred
by section 42.
44. Who are the parties to a proceeding?
(1) The complainant and the respondent are parties to
a proceeding in respect of a complaint referred to
in section 43(1).
(2) The Privacy Commissioner is not a party to a
proceeding in respect of a complaint referred to in
section 43(1)(a) unless joined by the Tribunal.
45. Time limits for certain complaints
(1) The Tribunal must commence hearing a complaint
within 30 days after its referral to the Tribunal if
the complaint was referred to it by the Minister
under section 35.
(2) The Tribunal, constituted by a presidential
member, may extend the period of 30 days under
sub-section (1) by one further period of not more
than 30 days.
46. What may the Tribunal decide?
(1) After hearing the evidence and representations
that the parties to a complaint desire to adduce or
make, the Tribunal may--
(a) find the complaint or any part of it proven
and make any one or more of the following
orders--
(i) an order restraining the respondent, or
the organisation of which the
respondent is the principal executive,
from repeating or continuing any act or
practice the subject of the complaint
which the Tribunal has found to
constitute an interference with the
privacy of an individual;
(ii) an order that the respondent perform or
carry out any reasonable act or course
of conduct to redress any loss or
damage suffered by the complainant,
including injury to the complainant's
feelings or humiliation suffered by the
complainant, by reason of the act or
practice the subject of the complaint;
(iii) an order that the complainant is entitled
to a specified amount, not exceeding
$100 000, by way of compensation for
any loss or damage suffered by the
complainant, including injury to the
complainant's feelings or humiliation
suffered by the complainant, by reason
of the act or practice the subject of the
complaint;
(iv) if the act or practice the subject of the
complaint is subject to an approved
code of practice, an order that the code
administrator take specified steps in the
matter, which may include using
conciliation or mediation, securing an
apology or undertaking as to future
conduct from the respondent or the
payment of compensation, not
exceeding $100 000, by the respondent;
or
(b) find the complaint or any part of it proven
but decline to take any further action in the
matter; or
(c) find the complaint or any part of it not
proven and make an order that the complaint
or part be dismissed; or
(d) in any case, make an order that the
complainant is entitled to a specified amount
to reimburse the complainant for expenses
reasonably incurred by the complainant in
connection with the making of the complaint
and the proceedings held in respect of it
under this Act.
(2) In an order under sub-paragraph (i) or (ii) of
paragraph (a) of sub-section (1) arising out of a
breach of IPP 6.6 or 6.7, the Tribunal may include
an order that--
(a) an organisation or respondent make an
appropriate correction to the personal
information; or
(b) an organisation or respondent attach to the
record of personal information a statement
provided by the complainant of a correction
sought by the complainant.
(3) If an order of the Tribunal relates to a public
register, the Privacy Commissioner must, as soon
as practicable after its making, report the order to
the Minister responsible for the public sector
agency or Council that administers that public
register.
(4) The Privacy Commissioner may include in a
report under sub-section (3) recommendations in
relation to any matter that concerns the need for,
or the desirability of, legislative or administrative
action in the interests of personal privacy.
_______________
PART 6--ENFORCEMENT OF INFORMATION PRIVACY
PRINCIPLES
47. Compliance notice
(1) The Privacy Commissioner may serve a
compliance notice on an organisation if it appears
to him or her that--
(a) the organisation has done an act or engaged
in a practice in contravention of an
Information Privacy Principle, including an
act or practice that is in contravention of an
applicable code of practice; and
(b) the act or practice--
(i) constitutes a serious or flagrant
contravention; or
(ii) is of a kind that has been done or
engaged in by the organisation on at
least 5 separate occasions within the
previous 2 years.
(2) A compliance notice requires the organisation to
take specified action within a specified period, not
exceeding one month, for the purpose of ensuring
compliance with the Principle or applicable code
of practice.
(3) If the Privacy Commissioner is satisfied, on the
application of an organisation on which a
compliance notice is served, that it is not
reasonably possible to take the action specified in
the notice within the period specified in the
notice, the Privacy Commissioner may extend the
period specified in the notice on the giving to him
or her by the organisation of an undertaking to
take the specified action within the extended
period.
(4) The Privacy Commissioner may only extend a
period under sub-section (3) if an application for
the extension is made before the period specified
in the notice expires.
(5) The Privacy Commissioner may act under
sub-section (1) on his or her own initiative or on an
application by an individual who was a
complainant under Part 5.
(6) In deciding whether or not to serve a compliance
notice, the Privacy Commissioner may have
regard to the extent to which the organisation has
complied with a decision of the Tribunal under
Division 5 of Part 5.
48. Power to obtain information and documents
(1) If the Privacy Commissioner has reason to believe
that a person has information or a document
relevant to a decision under section 47(1), the
Privacy Commissioner may give to the person a
written notice requiring the person--
(a) to give the information to the Privacy
Commissioner in writing signed by the
person or, in the case of a body corporate, by
an officer of the body corporate; or
(b) to produce the document to the Privacy
Commissioner.
(2) If the Privacy Commissioner has reason to believe
that a person has information relevant to a
decision under section 47(1), the Privacy
Commissioner may give to the person a written
notice requiring the person to attend before the
Privacy Commissioner at a time and place
specified in the notice to answer questions
relevant to the decision.
(3) The Privacy Commissioner is not entitled to
require an agency within the meaning of the
Freedom of Information Act 1982 or a Minister
to give any information if the Secretary to the
Department of Premier and Cabinet furnishes to
the Privacy Commissioner a certificate certifying
that the giving of that information (including in
answer to a question) would involve the
disclosure of information which, if included in a
document of the agency or an official document of
the Minister, would cause the document to be--
(a) an exempt document for the purposes of that
Act; or
(b) a document to which Part IIIA of that Act
applies.
49. Power to examine witnesses
(1) The Privacy Commissioner may administer an
oath or affirmation to a person required under
section 48(2) to attend before the Privacy
Commissioner and may examine the person on
oath or affirmation.
(2) The oath or affirmation to be taken or made by a
person for the purposes of this section is an oath
or affirmation that the answers the person will
give will be true.
50. Protection against self-incrimination
(1) It is a reasonable excuse for a natural person to
refuse or fail to give information or answer a
question when required to do so under this Part if
giving the information or answering the question
might tend to incriminate the person.
(2) A person is not excused from producing a
document when required to do so under this Part
on the ground that the document might tend to
incriminate the person.
(3) This section does not limit section 48(3).
51. Offence not to comply with enforcement notice
(1) An organisation must comply with a compliance
notice served on it under section 47(1).
Penalty: In the case of a body corporate,
3000 penalty units;
In any other case, 600 penalty units.
(2) An offence against sub-section (1) is an indictable
offence.
52. Application for review
(1) An individual or organisation whose interests are
affected by a decision of the Privacy
Commissioner under section 47(1) to serve a
compliance notice may apply to the Tribunal for
review of the decision.
(2) An application for review must be made within
28 days after the later of--
(a) the day on which the decision is made; or
(b) if, under the Victorian Civil and
Administrative Tribunal Act 1998, the
person requests a statement of reasons for
the decision, the day on which the statement
of reasons is given to the person or the
person is informed under section 46(5) of
that Act that a statement of reasons will not
be given.
(3) The Privacy Commissioner is a party to a
proceeding on a review under this section.
_______________
PART 7--PRIVACY COMMISSIONER
53. Privacy Commissioner
(1) There shall be a Privacy Commissioner who shall
be appointed by the Governor in Council.
(2) The Privacy Commissioner shall not be a member
of the Parliament of Victoria or of the
Commonwealth or of any other State or a
Territory.
54. Remuneration and allowances
The Privacy Commissioner is entitled to be paid
the remuneration and allowances that are
determined by the Governor in Council.
55. Terms and conditions of appointment
(1) Subject to this Part, the Privacy Commissioner
holds office for the period, not exceeding 7 years,
that is specified in the instrument of appointment
but is eligible for re-appointment.
(2) Subject to this Part, the Privacy Commissioner
holds office on the terms and conditions
determined by the Governor in Council.
(3) The Privacy Commissioner is entitled to leave of
absence as determined by the Governor in
Council.
(4) Subject to sub-section (5), the Privacy
Commissioner must not engage, directly or
indirectly, in paid employment outside the duties
of Privacy Commissioner.
(5) Sub-section (4) does not apply to the Privacy
Commissioner in respect of the office of Federal
Privacy Commissioner.
(6) The Public Sector Management and
Employment Act 1998 does not apply to the
Privacy Commissioner in respect of the office of
Privacy Commissioner, except as provided in
section 16 of that Act.
56. Vacancy, resignation
(1) The Privacy Commissioner ceases to hold office if
he or she--
(a) becomes an insolvent under administration;
or
(b) is convicted of an indictable offence or an
offence which, if committed in Victoria,
would be an indictable offence; or
(c) nominates for election for either House of
the Parliament of Victoria or of the
Commonwealth or of any other State or a
Territory.
(2) The Privacy Commissioner may resign by notice
in writing delivered to the Minister.
57. Suspension of Privacy Commissioner
(1) The Governor in Council may suspend the Privacy
Commissioner from office.
(2) The Minister must cause to be laid before each
House of Parliament a full statement of the
grounds of suspension within 7 sitting days of that
House after the suspension.
(3) The Privacy Commissioner must be removed from
office by the Governor in Council if each House
of Parliament within 20 sitting days after the day
when the statement is laid before it declares by
resolution that the Privacy Commissioner ought to
be removed from office.
(4) The Governor in Council must remove the
suspension and restore the Privacy Commissioner
to office unless each House makes a declaration of
the kind specified in sub-section (3) within the
time specified in that sub-section.
58. Acting appointment
(1) The Governor in Council may appoint a person to
act in the office of Privacy Commissioner--
(a) during a vacancy in that office; or
(b) during a period or all periods when the
person holding that office is absent from
duty or is, for any reason, unable to perform
the duties of the office.
(2) An appointment under sub-section (1) is for the
period, not exceeding 6 months, that is specified
in the instrument of appointment.
(3) A person is not eligible to be appointed under
sub-section (1) if the person is a member of the
Parliament of Victoria or of the Commonwealth or
of any other State or a Territory.
(4) The Governor in Council may at any time remove
the acting Privacy Commissioner from office.
(5) While a person is acting in the office of the
Privacy Commissioner in accordance with this
section, the person--
(a) has, and may exercise, all the powers and
must perform all the duties of that office
under this Act; and
(b) is entitled to be paid the remuneration and
allowances that the Privacy Commissioner
would have been entitled to for performing
those duties.
59. Validity of acts and decisions
An act or decision of the Privacy Commissioner
or acting Privacy Commissioner is not invalid
only because--
(a) of a defect or irregularity in or in connection
with his or her appointment; or
(b) in the case of an acting Privacy
Commissioner, that the occasion for so
acting had not arisen or had ceased.
60. Staff
(1) There may be employed under Part 3 of the
Public Sector Management and Employment
Act 1998 any employees that are necessary for the
purposes of this Act.
(2) The Privacy Commissioner may engage as many
consultants as are required for the exercise of his
or her functions.
61. Functions
The functions of the Privacy Commissioner are--
(a) to promote an understanding and acceptance
of the Information Privacy Principles and of
the objects of those Principles;
(b) in accordance with Part 4, to consider at the
request of an organisation whether to advise
the Minister to recommend to the Governor
in Council the approval of a code of practice
(or of a variation of an approved code of
practice) in relation to that organisation;
(c) in accordance with Part 4, to consider at the
request of an individual or organisation
whether to advise the Minister to recommend
to the Governor in Council the revocation of
the approval of a code of practice or of a
variation of an approved code of practice;
(d) to issue guidelines in relation to the
development of codes of practice and
variations of a kind referred to in
paragraph (b);
(e) to issue guidelines on procedures to be
adopted, consistent with the procedures
under the Freedom of Information Act
1982, where--
(i) the organisation holding the personal
information is an agency within the
meaning of that Act or a Minister; and
(ii) the personal information is contained in
a document of the agency, or an official
document of a Minister, within the
meaning of that Act;
(f) to publish model terms capable of being
adopted by an organisation in a contract or
arrangement with a recipient of personal
information being transferred by the
organisation outside Victoria;
(g) to examine the practice of an organisation
with respect to personal information
maintained by that organisation for the
purpose of ascertaining whether or not the
information is maintained according to the
Information Privacy Principles or any
applicable code of practice;
(h) subject to this Act, to receive complaints
about an act or practice of an organisation--
(i) that may contravene an Information
Privacy Principle; or
(ii) that may interfere with the privacy of
an individual or may otherwise have an
adverse effect on the privacy of an
individual--
and, if the Privacy Commissioner considers
it appropriate to do so, to endeavour, by
conciliation, to effect a settlement of the
matters that gave rise to the complaint;
(i) to issue compliance notices under Part 6 and
to carry out an investigation for this purpose;
(j) to conduct or commission audits of records
of personal information maintained by an
organisation for the purpose of ascertaining
whether the records are maintained
according to the Information Privacy
Principles or any applicable code of practice;
(k) to monitor and report on the adequacy of
equipment and user safeguards;
(l) to examine and assess any proposed
legislation that would require or authorise
acts or practices of an organisation that may,
in the absence of the legislation, be
interferences with the privacy of an
individual or that may otherwise have an
adverse effect on the privacy of an
individual, and to report to the Minister the
results of the examination and assessment;
(m) to undertake research into, and to monitor
developments in, data processing and
computer technology (including data
matching and data linkage) to ensure that
any adverse effects of such developments on
personal privacy are minimised, and to
report to the Minister the results of the
research and monitoring;
(n) to make reports and recommendations to the
Minister, or the Minister responsible for a
public sector agency or a Council
administering a public register, in relation to
any matter that concerns the need for, or the
desirability of, legislative or administrative
action in the interests of personal privacy;
(o) for the purpose of promoting the protection
of personal privacy, to undertake educational
programs on the Privacy Commissioner's
own behalf or in co-operation with other
persons or bodies acting on behalf of the
Privacy Commissioner;
(p) to make public statements in relation to any
matter affecting personal privacy or the
privacy of any class of individual;
(q) to receive and invite representations from
members of the public on any matter
affecting personal privacy;
(r) to consult and co-operate with other persons
and bodies concerned with personal privacy;
(s) to provide advice (with or without a request)
to any individual or organisation on any
matter relevant to the operation of this Act;
(t) to examine and assess (with or without a
request) the impact on personal privacy of
any act or practice, or proposed act or
practice, of an organisation;
(u) to make suggestions to any individual or
organisation in relation to any matter that
concerns the need for, or the desirability of,
action by that individual or organisation in
the interests of personal privacy;
(v) to gather information that, in the opinion of
the Privacy Commissioner, will assist the
Privacy Commissioner in carrying out his or
her functions under this Act;
(w) to review any approved code of practice,
whether or not expressly authorised to do so
by the code.
62. Powers
The Privacy Commissioner has power to do all
things that are necessary or convenient to be done
for or in connection with the performance of his or
her functions.
63. Privacy Commissioner to have regard to certain
matters
In the performance of his or her functions and the
exercise of his or her powers under this Act, the
Privacy Commissioner must--
(a) have regard to the objects of this Act; and
(b) if also the Federal Privacy Commissioner,
ensure that any advice given, or
recommendation made, by him or her is
capable of acceptance, adaptation and
extension in Victoria; and
(c) ensure that any codes of practice, or
variations of approved codes of practice, that
he or she advises the Minister to recommend
for approval reflect the objects of this Act.
64. Delegation
(1) The Privacy Commissioner may, by instrument,
delegate to an employee referred to in section
60(1) any of his or her powers under this Act
other than this power of delegation.
(2) The Privacy Commissioner may, by instrument,
delegate to any person any of his or her powers
under Division 3 of Part 5.
65. Annual reports
The Privacy Commissioner must each year
include the following information in the report of
operations of the office under Part 7 of the
Financial Management Act 1994--
(a) the number of audits of records of personal
information conducted under section 61(j)
during the preceding financial year; and
(b) the organisations in respect of which those
audits were conducted.
66. Other reports
(1) In addition to the report of operations under Part 7
of the Financial Management Act 1994, the
Privacy Commissioner may report to the Minister
on any act or practice that the Privacy
Commissioner considers to be an interference
with the privacy of an individual, whether or not a
complaint has been made under section 30(1).
(2) The Minister may cause a copy of a report
referred to in sub-section (1) to be laid before
each House of the Parliament.
(3) The Privacy Commissioner may from time to
time, in the public interest, publish reports and
recommendations relating generally to the Privacy
Commissioner's functions under this Act or to any
matter investigated by the Privacy Commissioner,
whether or not the matters to be dealt with in any
such report have been the subject of a report to the
Minister.
_______________
PART 8--GENERAL
67. Failure to attend etc. before Privacy Commissioner
A person must not, without reasonable excuse--
(a) refuse or fail--
(i) to attend before the Privacy
Commissioner; or
(ii) to be sworn or make an affirmation; or
(iii) to give information; or
(iv) to answer a question or produce a
document--
when so required by the Privacy
Commissioner under this Act; or
(b) wilfully obstruct, hinder or resist the Privacy
Commissioner or an employee in the office
of the Privacy Commissioner or a delegate of
the Privacy Commissioner in--
(i) performing, or attempting to perform, a
function or duty under this Act; or
(ii) exercising, or attempting to exercise, a
power under this Act; or
(c) furnish information or make a statement to
the Privacy Commissioner knowing that it is
false or misleading in a material particular.
Penalty: 60 penalty units.
68. Protection from liability
(1) A person who lodges a complaint under section
30(1) is not personally liable for any loss, damage
or injury suffered by another person by reason
only of the lodging of the complaint.
(2) A person who produces a document, or gives any
information or evidence, to the Privacy
Commissioner under this Act is not personally
liable for any loss, damage or injury suffered by
another person by reason only of that production
or giving.
(3) Sub-section (4) applies where--
(a) a person has been provided by an
organisation with access to personal
information; and
(b) the access was required by IPP 6 or an
applicable code of practice or the
organisation, or an employee or agent of the
organisation acting within the scope of his or
her actual or apparent authority, believed in
good faith that the access was required by
IPP 6 or an applicable code of practice.
(4) The provision of access to personal information in
the circumstances referred to in sub-section (3)--
(a) is not to be regarded as making the
organisation, or any employee or agent of the
organisation, liable for defamation or breach
of confidence or guilty of a criminal offence
by reason only of the provision of access; or
(b) is not to be regarded as making any person
who provided the personal information to the
organisation liable for defamation or breach
of confidence in respect of any publication
involved in, or resulting from, the provision
of access by reason only of that person
having provided the personal information to
the organisation; or
(c) must not be taken for the purpose of the law
relating to defamation or breach of
confidence to constitute an authorisation or
approval of the publication of the
information by the person who is provided
with access to it.
69. Secrecy
(1) A person who is, or has been, the Privacy
Commissioner, an acting Privacy Commissioner,
an employee in the office of the Privacy
Commissioner or a consultant engaged by the
Privacy Commissioner must not, directly or
indirectly, make a record of, disclose or
communicate to any person any information
relating to the affairs of any individual or
organisation acquired in the performance of
functions or duties or the exercise of powers under
this Act, unless--
(a) it is necessary to do so for the purposes of, or
in connection with, the performance of a
function or duty or the exercise of a power
under this Act; or
(b) the person to whom the information relates
gives written consent to the making of the
record, disclosure or communication.
Penalty: 60 penalty units.
(2) Without limiting sub-section (1), the Privacy
Commissioner must not disclose or communicate
to any person, other than a person employed in the
office of the Privacy Commissioner, any
information given to the Privacy Commissioner
pursuant to a requirement made under Division 3
of Part 5 or Part 6 (including information
contained in a document required to be produced
to the Privacy Commissioner) unless he or she
has--
(a) notified the person from whom the
information was obtained of the proposal to
disclose or communicate that information;
and
(b) given that person a reasonable opportunity to
object to the disclosure or communication.
70. Employees and agents
(1) Any act done or practice engaged in on behalf of
an organisation by an employee or agent of the
organisation acting within the scope of his or her
actual or apparent authority is to be taken, for the
purposes of this Act including a prosecution for an
offence against this Act, to have been done or
engaged in by the organisation and not by the
employee or agent unless the organisation
establishes that it took reasonable precautions and
exercised due diligence to avoid the act being
done or the practice being engaged in by its
employee or agent.
(2) If, for the purpose of investigating a complaint or
a proceeding for an offence against this Act, it is
necessary to establish the state of mind of an
organisation in relation to a particular act or
practice, it is sufficient to show--
(a) that the act was done or practice engaged in
by an employee or agent of the organisation
acting within the scope of his or her actual or
apparent authority; and
(b) that the employee or agent had that state of
mind.
71. Offences by organisations or bodies
If this Act provides that an organisation or body is
guilty of an offence, that reference to an
organisation or body must, if the organisation or
body is unincorporated, be read as a reference to
each member of the committee of management of
the organisation or body.
72. Prosecutions
(1) A proceeding for an offence against this Act may
only be brought by--
(a) a member of the police force; or
(b) the Privacy Commissioner; or
(c) a person authorised to do so, either generally
or in a particular case, by the Privacy
Commissioner.
(2) In a proceeding for an offence against this Act it
must be presumed, in the absence of evidence to
the contrary, that the person bringing the
proceeding was authorised to bring it.
73. Supreme Court--limitation of jurisdiction
It is the intention of section 7 to alter or vary
section 85 of the Constitution Act 1975.
74. Regulations
The Governor in Council may make regulations
for or with respect to any matter or thing required
or permitted by this Act to be prescribed or
necessary to be prescribed to give effect to this
Act.
_______________
PART 9--AMENDMENT OF CERTAIN ACTS
75. Amendment of Parliamentary Committees Act 1968
No. 7727. Reprint No. 4 as at 28 July 1997. Further amended by Nos 93/1997 and 46/1998.
In section 4D(a) of the Parliamentary
Committees Act 1968, after sub-paragraph (iii)
insert--
"(iiia) unduly requires or authorises acts or
practices that may have an adverse effect on
personal privacy within the meaning of the
Data Protection Act 1999; or".
76. Amendment of Magistrates' Court Act 1989
No. 51/1989. Reprint No. 5 as at 1 July 1998. Further amended by Nos 60/1998, 102/1998, 10/1999 and 13/1999.
In Schedule 4 to the Magistrates' Court Act
1989, after item 38 insert--
"39. Non-compliance with enforcement notice
Offences under section 51(1) of the Data Protection
Act 1999.".
77. Amendment of Public Sector Management and
Employment Act 1998
No. 45/1998.
In section 16(1) of the Public Sector
Management and Employment Act 1998, after
paragraph (h) insert--
"(i) the Privacy Commissioner in relation to the
office of the Privacy Commissioner.".
78. Amendment of Victorian Civil and Administrative
Tribunal Act 1998
No. 53/1998. Amended by Nos 46/1998, 92/1998, 101/1998 and 12/1999.
In Schedule 1 to the Victorian Civil and
Administrative Tribunal Act 1998, after Part 5
insert--
"PART 5A--DATA PROTECTION ACT 1999
11A. Intervention by Privacy Commissioner
The Privacy Commissioner may intervene at any time in
a proceeding under the Data Protection Act 1999.
11B. Notification in other proceedings
(1) If an application is made under section 42 (interim
order) or a referral under section 35 (Minister's referral)
of the Data Protection Act 1999, the principal registrar
must notify the Privacy Commissioner.
(2) Sub-clause (1) does not apply in the case of an
application by the Privacy Commissioner under
section 42 of the Data Protection Act 1999.
11C. Privacy Commissioner may apply for interim
injunction
The Privacy Commissioner may apply for an order
granting an interim injunction under section 123 in a
proceeding under the Data Protection Act 1999
whether or not he or she is a party to that proceeding.
11D. Compulsory conference
The presiding member at a compulsory conference in a
proceeding under the Data Protection Act 1999 may
refer any matter to the Privacy Commissioner for
investigation, negotiation or conciliation.
11E. Settlement offers
Sections 112 to 115 do not apply to a proceeding under
the Data Protection Act 1999.".
__________________
SCHEDULE 1
Section 19.
THE INFORMATION PRIVACY PRINCIPLES
Principle 1--Collection
1.1 An organisation must only collect personal information that is
necessary for one or more of its legitimate functions or activities.
1.2 An organisation must only collect personal information by lawful and
fair means and not in an unreasonably intrusive way.
1.3 At or before the time an organisation collects personal information
from the subject of the information (or, if that is not practicable, as
soon as practicable thereafter), it must take the steps (if any) that are
in the circumstances reasonable to ensure that the subject of the
information is aware of--
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information;
and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to which) it
usually discloses information of this kind; and
(e) any law that requires the particular information to be collected;
and
(f) the main consequences (if any) for the individual if all or part of
the information is not provided.
1.4 If it is reasonable and practicable to do so, an organisation must only
collect personal information directly from the subject of the
information.
1.5 If an organisation collects personal information from a third party, it
must take the steps (if any) that are in the circumstances reasonable to
ensure that the subject of the information is or has been made aware
of the matters listed in IPP 1.3.
Principle 2--Use and Disclosure
2.1 An organisation must only use or disclose personal information for a
purpose other than the primary purpose of collection (a "secondary
purpose") if--
(a) the secondary purpose is related to the primary purpose of
collection and the subject of the information would reasonably
expect the organisation to use or disclose the information for the
secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) the organisation uses the information for the purpose of direct
marketing and--
(i) it is impracticable for the organisation to seek the
individual's consent before using the information; and
(ii) the organisation gives the individual the express
opportunity, at the time of first contact or thereafter on
request, at no cost to the individual, to decline to receive
any further direct marketing communications; and
(iii) the organisation complies with the individual's wishes; or
(d) the organisation reasonably believes that the use or disclosure is
necessary to lessen or prevent--
(i) a serious and imminent threat to an individual's life, health
or safety; or
(ii) a serious threat to public health or public safety; or
(e) the organisation has reason to suspect that unlawful activity has
been, is being or may be engaged in, and uses or discloses the
personal information as a necessary part of its investigation of
the matter or in reporting its concerns to relevant persons or
authorities; or
(f) the use or disclosure is required or specifically authorised by
law; or
(g) the Australian Security Intelligence Organization (ASIO) or the
Australian Secret Intelligence Service (ASIS), in connection
with its functions, has requested the organisation to disclose the
personal information and--
(i) the disclosure is made to an officer or employee of ASIO or
ASIS (as the case requires) authorised in writing by the
Director-General of ASIO or ASIS (as the case requires) to
receive the disclosure; and
(ii) an officer or employee of ASIO or ASIS (as the case
requires) authorised in writing by the Director-General of
ASIO or ASIS (as the case requires) for the purposes of this
paragraph has certified that the disclosure would be
connected with the performance by ASIO or ASIS (as the
case requires) of its functions; or
(h) the organisation reasonably believes that the use or disclosure is
reasonably necessary for--
(i) the prevention, detection, investigation, prosecution or
punishment of--
(A) criminal offences; or
(B) breaches of a law imposing a penalty or sanction; or
(ii) the enforcement of laws relating to the confiscation of the
proceeds of crime; or
(iii) the protection of public revenue; or
(iv) the prevention, detection, investigation or remedying of
seriously improper conduct; or
(v) the preparation for, or conduct of, proceedings before any
court or tribunal, or implementation of the orders of a court
or tribunal--
by or on behalf of a law enforcement agency.
2.2 While it is not intended to deter organisations from lawfully
co-operating with agencies performing law enforcement functions or
with ASIO or ASIS in the performance of their functions, it should be
noted that--
(a) IPP 2.1 does not override any existing legal obligations not to
disclose personal information; and
(b) nothing in IPP 2.1 requires an organisation to disclose personal
information; and
(c) an organisation is always entitled not to disclose personal
information in the absence of a legal obligation to do so.
2.3 If an organisation uses or discloses personal information under
paragraph (h) of IPP 2.1, it must make a note of the use or disclosure.
Principle 3--Data Quality
3.1 An organisation must take the steps (if any) that are in the
circumstances reasonable to make sure that the personal information it
collects, uses or discloses, is accurate, complete and up to date.
Principle 4--Data Security
4.1 An organisation must take the steps (if any) that are in the
circumstances reasonable to protect the personal information it holds
from misuse and loss and from unauthorised access, modification or
disclosure.
4.2 An organisation must take the steps (if any) that are in the
circumstances reasonable to destroy or permanently de-identify
personal information if it is no longer needed for any purpose.
Principle 5--Openness
5.1 An organisation must have clearly expressed policies on its
management of personal information which are readily available.
5.2 An organisation, on request, must take the steps (if any) that are in the
circumstances reasonable to let individuals know, generally, what sort
of personal information it holds, for what purposes, and how it
collects, holds, uses and discloses that information.
Principle 6--Access and Correction
6.1 Where an organisation holds personal information about an
individual, it must provide the individual with access to the
information within 45 days after a request for access, except to the
extent that--
(a) providing access would pose a serious and imminent threat to the
life or health of any individual; or
(b) providing access would have an unreasonable impact on the
privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
(d) the information relates to existing legal dispute resolution
proceedings between the organisation and the individual, and the
information would not be accessible by the process of discovery
in those proceedings; or
(e) providing access would reveal the intentions of the organisation
in relation to negotiations with the individual in such a way as to
prejudice those negotiations; or
(f) providing access would be unlawful; or
(g) denying access is specifically authorised by law; or
(h) providing access would be likely to prejudice an investigation of
possible unlawful activity; or
(i) providing access would be likely to prejudice--
(i) the prevention, detection, investigation, prosecution or
punishment of--
(A) criminal offences; or
(B) breaches of a law imposing a penalty or sanction; or
(ii) the enforcement of laws relating to the confiscation of the
proceeds of crime; or
(iii) the protection of public revenue; or
(iv) the prevention, detection, investigation or remedying of
seriously improper conduct; or
(v) the preparation for, or conduct of, proceedings before any
court or tribunal, or implementation of the orders of a court
or tribunal--
by or on behalf of a law enforcement agency; or
(j) ASIO, ASIS or a law enforcement agency performing a lawful
national security function asks the organisation not to provide
access on the basis that providing access would be likely to
cause damage to the national security of Australia.
6.2 Where providing access would reveal evaluative information
generated within the organisation in connection with a commercially
sensitive decision-making process, the organisation may give the
individual an explanation for the decision rather than direct access to
the information.
6.3 If an organisation has given an individual an explanation under
IPP 6.2, and the individual believes that direct access to the evaluative
information is necessary to provide a reasonable explanation of the
reasons for the decision, the individual must have access to an
independent process to review whether that is so.
6.4 Wherever direct access by the individual is impracticable or
inappropriate, the organisation and the individual must consider
whether the use of mutually agreed intermediaries would allow
sufficient access to meet the needs of both parties.
6.5 If an organisation levies charges for providing access to personal
information, those charges must not be excessive.
6.6 If an organisation holds personal information about an individual and
the individual is able to establish that the information is not accurate,
complete and up to date, the organisation must take the steps (if any)
that are in the circumstances reasonable to correct the information so
that it is accurate, complete and up to date.
6.7 If the individual and the organisation disagree about whether the
information is accurate, complete and up to date, and the individual
asks the organisation to associate with the information a statement
claiming that the information is not accurate, complete or up to date,
the organisation must take the steps (if any) that are in the
circumstances reasonable to do so.
6.8 An organisation is not required to correct personal information at the
request of an individual if it is not required to provide the individual
with access to that information.
6.9 An organisation must provide reasons for denial of access or
correction.
Principle 7--Identifiers
7.1 An organisation that is not a government agency must not adopt as its
own identifier an identifier that has been assigned by a government
agency (or by an agent of, or contractor to, a government agency
acting in its capacity as agent or contractor).
7.2 An organisation must not use or disclose an identifier assigned to an
individual by another organisation that is a government agency (or by
an agent of or contractor to another organisation that is a government
agency acting in its capacity as agent or contractor) unless one of
paragraphs (d) to (h) of IPP 2.1 applies.
7.3 Government agencies must not assign common identifiers to an
individual if to do so would lessen the protection afforded to personal
information about that individual by these principles.
Principle 8--Anonymity
8.1 Wherever it is lawful and practicable, individuals must have the
option of not identifying themselves when entering transactions.
Principle 9--Transborder Data Flows
9.1 An organisation may only transfer personal information outside
Victoria if--
(a) the organisation reasonably believes that the recipient of the
information is subject to a statute, binding scheme or contract
which effectively upholds principles for fair information handling
that are substantially similar to these principles; or
(b) the individual concerned consents to the transfer; or
(c) the transfer is necessary for the performance of a legal duty or of a
contract between the individual concerned and the organisation, or
for the implementation of pre-contractual measures taken in
response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a
contract concluded in the interest of the individual concerned
between the organisation and a third party; or
(e) the transfer is for the benefit of the individual concerned and--
(i) it is not practicable to obtain the consent of the subject of
the information to that transfer; and
(ii) if it were practicable to obtain that consent, the subject of
the information would be likely to give it; or
(f) the organisation has taken the steps (if any) that are in the
circumstances reasonable to ensure that the information which it
has transferred will not be collected, held, used or disclosed by the
recipient of the information inconsistently with these principles.
9.2 An organisation must be taken to have complied with paragraph (f) of
IPP 9.1 if there is in force a contract or arrangement between the
organisation and the recipient with respect to the information
transferred that adopts the model terms published by the Privacy
Commissioner for this purpose.
Principle 10--Sensitive Information
10.1 An organisation must not collect personal information revealing racial
or ethnic origin, political opinions, religious or philosophical beliefs,
trade-union membership or details of health or sex life unless--
(a) the subject of the information has consented; or
(b) the collection is required or specifically authorised by law; or
(c) the collection is necessary to prevent or lessen a serious and
imminent threat to the life or health of any individual, where the
subject of the information is physically or legally incapable of
giving consent; or
(d) in the course of the legitimate activities of a non-profit-seeking
body with a racial, ethnic, political, philosophical, religious or
trade-union aim and on condition that the information relates
solely to the members of the body or to individuals who have
regular contact with it in connection with its purposes and that
the information is not disclosed without the consent of the
subject of the information; or
(e) the collection is necessary for the establishment, exercise or
defence of a legal claim.
10.2 IPP 10.1 does not apply where--
(a) the information is required for the purposes of preventative
medicine, medical diagnosis, the provision of care or treatment
or the management of health-care services; and
(b) the information is collected--
(i) as required by law; or
(ii) in accordance with rules established by competent health or
medical bodies dealing with obligations of professional
confidentiality.
NOTES
1
S. 3: Section 6(1) of the Privacy Act 1988 of the Commonwealth defines
"agency" as meaning--
(a) a Minister; or
(b) a Department; or
(c) a body (whether incorporated or not), or a tribunal, established or
appointed for a public purpose by or under a Commonwealth
enactment, not being--
(i) an incorporated company, society or association; or
(ii) an organisation within the meaning of the Conciliation and
Arbitration Act 1904 or a branch of such an organisation; or
(d) a body established or appointed by the Governor-General, or by a
Minister, otherwise than by or under a Commonwealth enactment; or
(e) a person holding or performing the duties of an office established by
or under, or an appointment made under, a Commonwealth enactment,
other than a person who, by virtue of holding that office, is the
Secretary of a Department; or
(f) a person holding or performing the duties of an appointment, being an
appointment made by the Governor-General, or by a Minister,
otherwise than under a Commonwealth enactment; or
(g) a federal court; or
(h) the Australian Federal Police; or
(i) an eligible case manager.
2
S. 30(1): Section 4(2) defines what is meant by this expression.
By Authority. Government Printer for the State of Victoria.