
DATA PROTECTION BILL 1999

PARLIAMENT OF VICTORIA
Data Protection Act 1999
Act No.
532027B.I1-25/5/99

TABLE OF PROVISIONS

PART 1--PRELIMINARY
  1. Purpose
  2. Commencement
  3. Definitions
  4. Interpretative provisions
  5. Objects of Act
  6. Relationship of this Act to other laws
  7. Nature of rights created by this Act
  8. Act binds the Crown

PART 2--APPLICATION OF THIS ACT
  Division 1--Public Sector Organisations
  9. Application to public sector
  Division 2--Private Sector Organisations
  10. Application to private sector
  11. Arrangement with Commonwealth
  Division 3--Exemptions
  12. Personal, family or household affairs
  13. Courts, tribunals, etc.
  14. Publicly-available information
  15. News media
  16. Statistical compilations, etc.
  17. Freedom of Information Act 1982
  18. Law enforcement

PART 3--INFORMATION PRIVACY
  19. Information Privacy Principles
  20. Application of IPPs
  21. Organisations to comply with IPPs
  22. Effect of outsourcing

PART 4--CODES OF PRACTICE
  23. Codes of practice
  24. Process for approval of code of practice or code variation
  25. Organisations bound by code of practice
  26. Effect of approved code
  27. Codes of practice register
  28. Revocation of approval
  29. Effect of revocation of approval or variation or expiry of approved code

PART 5--COMPLAINTS
  Division 1--Making a Complaint
  30. Complaints
  31. Complaints by minors and people with an impairment
  Division 2--Procedure after a Complaint is Made
  32. Privacy Commissioner must notify respondent
  33. Circumstances in which Privacy Commissioner may decline to entertain complaint
  34. Privacy Commissioner may dismiss stale complaint
  35. Minister may refer a complaint direct to Tribunal
  36. What happens if conciliation is inappropriate?
  Division 3--Conciliation of Complaints
  37. Conciliation process
  38. Power to obtain information and documents
  39. Conciliation agreements
  40. Evidence of conciliation is inadmissible
  41. What happens if conciliation fails?
  Division 4--Interim orders
  42. Tribunal may make interim orders before hearing
  Division 5--Jurisdiction of the Tribunal
  43. When may the Tribunal hear a complaint?
  44. Who are the parties to a proceeding?
  45. Time limits for certain complaints
  46. What may the Tribunal decide?

PART 6--ENFORCEMENT OF INFORMATION PRIVACY PRINCIPLES
  47. Compliance notice
  48. Power to obtain information and documents
  49. Power to examine witnesses
  50. Protection against self-incrimination
  51. Offence not to comply with enforcement notice
  52. Application for review

PART 7--PRIVACY COMMISSIONER
  53. Privacy Commissioner
  54. Remuneration and allowances
  55. Terms and conditions of appointment
  56. Vacancy, resignation
  57. Suspension of Privacy Commissioner
  58. Acting appointment
  59. Validity of acts and decisions
  60. Staff
  61. Functions
  62. Powers
  63. Privacy Commissioner to have regard to certain matters
  64. Delegation
  65. Annual reports
  66. Other reports

PART 8--GENERAL
  67. Failure to attend etc. before Privacy Commissioner
  68. Protection from liability
  69. Secrecy
  70. Employees and agents
  71. Offences by organisations or bodies
  72. Prosecutions
  73. Supreme Court--limitation of jurisdiction
  74. Regulations

PART 9--AMENDMENT OF CERTAIN ACTS
  75. Amendment of Parliamentary Committees Act 1968
  76. Amendment of Magistrates' Court Act 1989
  77. Amendment of Public Sector Management and Employment Act 1998
  78. Amendment of Victorian Civil and Administrative Tribunal Act 1998

__________________

SCHEDULE 1--The Information Privacy Principles

NOTES

PARLIAMENT OF VICTORIA

A BILL to establish a data protection regime for the public and private sectors, to amend the Parliamentary Committees Act 1968 and certain other Acts and for other purposes.

Data Protection Act 1999

The Parliament of Victoria enacts as follows:

PART 1--PRELIMINARY

1. Purpose

The purpose of this Act is to establish a regime for the protection of personal information in the public and private sectors in Victoria.

2. Commencement

  (1) Section 1 and this section come into operation on the day on which this Act receives the Royal Assent.

  (2) The remaining provisions of this Act come into operation on a day or days to be proclaimed.

3. Definitions

In this Act--

  "applicable code of practice", in relation to an organisation or an outsourced service provider under an outsourcing contract with an organisation, means an approved code of practice by which the organisation is bound;

  "approved code of practice" means a code of practice approved under Part 4 as varied and in operation for the time being;

  "body" means body (whether incorporated or not);

  "code administrator", in relation to a code of practice, means an independent code administrator appointed in accordance with the code to whom complaints may be made in accordance with the code alleging a contravention of the code;

  "Commonwealth-regulated organisation" means an agency to which the Privacy Act 1988 of the Commonwealth applies or a person in the capacity of contracted service provider within the meaning of that Act[1];

  "consent" means express consent or implied consent;

  "correct", in relation to personal information, means to alter that information by way of amendment, deletion or addition;

  "Council" has the same meaning as in the Local Government Act 1989;

  "enactment" means an Act or a Commonwealth Act or an instrument of a legislative character made under an Act or a Commonwealth Act;

  "Federal Privacy Commissioner" means the Privacy Commissioner appointed under the Privacy Act 1988 of the Commonwealth;

  "generally available publication" means a publication (whether in paper or electronic form) that is generally available to members of the public and includes a public register;

  "identifier" means an identifier (usually a number) assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual's name;

  "individual" means a natural person;

  "Information Privacy Principle" means any of the Information Privacy Principles set out in Schedule 1;

  "insolvent under administration" means--
    (a) a person who is an undischarged bankrupt; or
    (b) a person for whom a debt agreement has been made under Part IX of the Bankruptcy Act 1966 of the Commonwealth (or the corresponding provisions of the law of another jurisdiction) if the debt agreement has not ended or has not been terminated; or
    (c) a person who has executed a deed of arrangement under Part X of the Bankruptcy Act 1966 of the Commonwealth (or the corresponding provisions of the law of another jurisdiction) if the terms of the deed have not been fully complied with; or
    (d) a person whose creditors have accepted a composition under Part X of the Bankruptcy Act 1966 of the Commonwealth (or the corresponding provisions of the law of another jurisdiction) if a final payment has not been made under that composition;

  "IPP" means Information Privacy Principle;

  "law enforcement agency" means--
    (a) the police force of Victoria or of any other State or of the Northern Territory; or
    (b) the Australian Federal Police; or
    (c) the National Crime Authority; or
    (d) the Commissioner appointed under section 8A of the Corrections Act 1986; or
    (e) the Business Licensing Authority established under Part 2 of the Business Licensing Authority Act 1998; or
    (f) a commission established by a law of Victoria or the Commonwealth or of any other State or a Territory with the function of investigating matters relating to criminal activity generally or of a specified class or classes; or
    (g) an agency established, or expressly authorised or empowered, by or under an Act or a Commonwealth Act to perform functions or activities directed to--
      (i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction for a breach; or
      (ii) the management of property seized or restrained under laws relating to the confiscation of the proceeds of crime or the enforcement of such laws; or
    (h) an agency responsible for the execution or implementation of an order or decision made by a court or tribunal including an agency that executes warrants, provides correctional services or makes decisions relating to the release of persons from custody; or
    (i) an agency responsible for the protection of the public revenue under a law administered by it;

  "news activity" means--
    (a) the gathering of news for the purposes of dissemination to the public or any section of the public; or
    (b) the preparation or compiling of articles or programmes of or concerning news, observations on news or current affairs for the purposes of dissemination to the public or any section of the public; or
    (c) the dissemination to the public or any section of the public of any article or programme of or concerning news, observations on news or current affairs;

  "news medium" means any organisation whose business, or whose principal business, consists of a news activity;

  "officer", in relation to a body corporate, has the meaning given by section 82A of the Corporations Law of Victoria;

  "organisation" means a person or body that is an organisation for the purposes of this Act by force of Division 1 or 2 of Part 2;

  "outsourcing contract" means a contract or arrangement between an organisation and another person or body (whether an organisation for the purposes of this Act or not) under which services are to be provided to one (the outsourcing organisation) by the other (the outsourced service provider) in connection with the performance of functions of the outsourcing organisation, including services that the outsourcing organisation is to provide to other persons or bodies;

  "personal information" means information (whether fact, opinion or evaluative material) recorded in any form about an individual from which the individual is capable of being identified (whether directly from the information or from the information when read in combination with other information contained in a generally available publication) but does not include information contained in a generally available publication;

  "personal privacy" means privacy of personal information;

  "Privacy Commissioner" means the Privacy Commissioner appointed under Part 7;

  "private sector organisation" means any person or body that is not, or to the extent that it is not, a person or body to which this Act applies by force of section 9(1);

  "public sector agency" means an Agency or public authority within the meaning of the Public Sector Management and Employment Act 1998;

  "public register" means a document held by a public sector agency or a Council and open to inspection by members of the public (whether or not on payment of a fee) by force of a provision made by or under an Act other than the Freedom of Information Act 1982 or the Public Records Act 1973 containing information that--
    (a) a person or body was required or permitted to give to that public sector agency or Council by force of a provision made by or under an Act; and
    (b) would be personal information if the document were not a generally available publication;

  "subject of the information", in relation to personal information, means the individual to whom the information relates;

  "third party", in relation to personal information, means a person or body other than the organisation holding the information and the individual who is the subject of the information;

  "Tribunal" means Victorian Civil and Administrative Tribunal established by the Victorian Civil and Administrative Tribunal Act 1998.

4. Interpretative provisions

  (1) For the purposes of this Act, an organisation holds personal information if the information is contained in a document that is in the possession or under the control of the organisation, whether alone or jointly with other persons or bodies, irrespective of where the document is situated, whether in or outside Victoria.

  (2) For the purposes of this Act, an act done or practice engaged in by an organisation is an interference with the privacy of an individual if, and only if, the act or practice is contrary to, or inconsistent with, an IPP or an applicable code of practice.

  (3) If a provision of this Act refers to an IPP by a number, the reference is a reference to the IPP designated by that number.

  (4) A reference in this Act to an outsourced service provider is a reference to a person or body in the capacity of outsourced service provider and includes a reference to a subcontractor of the outsourced service provider (or of another such subcontractor) for the purposes (whether direct or indirect) of the outsourcing contract.

  (5) Without limiting section 37(a) of the Interpretation of Legislation Act 1984, a reference in this Act to an organisation using a neuter pronoun includes a reference to an organisation that is a natural person, unless the contrary intention appears.

5. Objects of Act

The objects of this Act are--
    (a) to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information;
    (b) to promote awareness of responsible personal information handling practices;
    (c) to promote the responsible and transparent handling of personal information;
    (d) to provide a co-regulatory environment for the handling of personal information that--
      (i) is flexible enough to be adapted cost-effectively to specific and differing needs; and
      (ii) is sensitive to international developments and obligations.

6. Relationship of this Act to other laws

  (1) If a provision made by or under this Act is inconsistent with a provision made by or under any other Act or any Commonwealth Act, that other provision prevails and the provision made by or under this Act is (to the extent of the inconsistency) of no force or effect.

  (2) Without limiting sub-section (1), nothing in this Act affects the operation of the Freedom of Information Act 1982 or any right, privilege, obligation or liability conferred or imposed under that Act or any exemption arising under that Act.

7. Nature of rights created by this Act

  (1) Nothing in this Act--
    (a) gives rise to any civil cause of action; or
    (b) without limiting paragraph (a), operates to create in any person any legal right enforceable in a court or tribunal--
  otherwise than in accordance with the procedures set out in this Act.

  (2) A contravention of this Act does not create any criminal liability except to the extent expressly provided by this Act.

8. Act binds the Crown

  (1) This Act binds the Crown in right of Victoria and, so far as the legislative power of the Parliament permits, the Crown in all its other capacities.

  (2) Nothing in this Act makes the Crown in any of its capacities liable to be prosecuted for an offence.

_______________

PART 2--APPLICATION OF THIS ACT

Division 1--Public Sector Organisations

9. Application to public sector

  (1) This Act applies to--
    (a) a Minister;
    (b) a public sector agency;
    (c) a Council;
    (d) a body established or appointed for a public purpose by or under an Act;
    (e) a body established or appointed for a public purpose by the Governor in Council, or by a Minister, otherwise than under an Act;
    (f) a person holding an office or position established by or under an Act or to which he or she was appointed by the Governor in Council, or by a Minister, otherwise than under an Act;
    (g) a court or tribunal;
    (h) the police force of Victoria;
    (i) any other body that is declared, or to the extent that it is declared, by an Order under sub-section (2)(a) to be an organisation for the purposes of this sub-section--
  excluding any person or body that is a Commonwealth-regulated organisation or declared, or to the extent that it is declared, by an Order under sub-section (2)(b) not to be an organisation for the purposes of the relevant paragraph of this sub-section.

  (2) The Governor in Council may, by Order published in the Government Gazette--
    (a) declare a body to be, either wholly or to the extent specified in the Order, an organisation for the purposes of sub-section (1); or
    (b) declare a body referred to in paragraph (d) or (e), or a person holding an office or position referred to in paragraph (f), not to be an organisation for the purposes of that paragraph, either wholly or to the extent specified in the Order.

  (3) The Minister may only recommend to the Governor in Council the making of an Order under sub-section (2)(b) in respect of a body or person if satisfied that the collection, holding, use and disclosure by that body or person of personal information is more appropriately governed by another scheme (whether contained in an enactment or given legislative force by an enactment) which would apply if that person or body were not an organisation for the purposes of the relevant paragraph of sub-section (1), either wholly or to the extent specified in the Order.

  (4) A person or body to which this Act applies by force of sub-section (1) is an organisation for the purposes of this Act, either wholly or to the relevant extent.

  (5) This section is subject to Division 3.

Division 2--Private Sector Organisations

10. Application to private sector

  (1) This Act applies to all private sector organisations.

  (2) A private sector organisation is an organisation for the purposes of this Act.

  (3) This section is subject to Division 3.

11. Arrangement with Commonwealth

  (1) The Governor in Council may arrange with the Governor-General of the Commonwealth for the exercise and discharge, in relation to any private sector organisation, by the Federal Privacy Commissioner on behalf of the Government of Victoria of all or any powers, duties, functions or authorities which, in the absence of the arrangement, would be exercisable under this Act in relation to that organisation by the Privacy Commissioner appointed under Part 7.

  (2) An agreement relating to an arrangement referred to in sub-section (1) may provide for all or any matters necessary or convenient to be provided for, or incidental to, carrying out the arrangement and must enable the arrangement to be terminated by the Governor in Council at any time.

  (3) Notice of an arrangement under this section must be published in the Government Gazette and, in any proceedings under this Act, production of a copy of or an extract from the Government Gazette containing the notice is evidence that the arrangement has been made and is still in operation.

  (4) References in this Act to the Privacy Commissioner must be construed as including references to the Federal Privacy Commissioner to the extent that the Federal Privacy Commissioner exercises and discharges on behalf of the Government of Victoria any powers, duties, functions or authorities of the Privacy Commissioner under this Act in accordance with an arrangement under this section.

Division 3--Exemptions

12. Personal, family or household affairs

Nothing in this Act or in any IPP applies in respect of the collection, holding, management, use, disclosure or transfer of personal information by an individual, or personal information held by an individual, only for the purposes of, or in connection with, his or her personal, family or household affairs.

13. Courts, tribunals, etc.

Nothing in this Act or in any IPP applies in respect of the collection, holding, management, use, disclosure or transfer of personal information--
    (a) in relation to its or his or her judicial or quasi-judicial functions, by--
      (i) a court or tribunal; or
      (ii) the holder of a judicial or quasi-judicial office or other office pertaining to a court or tribunal in his or her capacity as the holder of that office; or
    (b) in relation to those matters which relate to the judicial or quasi-judicial functions of the court or tribunal, by--
      (i) a registry or other office of a court or tribunal; or
      (ii) the staff of such a registry or other office in their capacity as members of that staff.

14. Publicly-available information

  (1) Nothing in this Act or in any IPP applies to a document containing personal information, or to the personal information contained in a document, that is--
    (a) a generally available publication; or
    (b) kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
    (c) a public record under the control of the Keeper of Public Records that is available for public inspection in accordance with the Public Records Act 1973; or
    (d) archives within the meaning of the Copyright Act 1968 of the Commonwealth.

  (2) Sub-section (1) does not take away from section 21(5) which imposes duties on a public sector agency or a Council in administering a public register.

15. News media

  (1) Nothing in IPP 1 or IPP 2 applies to the collection, use or disclosure of personal information by a news medium in connection with its news activities.

  (2) Nothing in IPP 6 applies to personal information held by a news medium in connection with its news activities unless and until the information is actually disseminated to the public or any section of the public.

16. Statistical compilations, etc.

Nothing in IPP 2 applies to the use or disclosure of personal information by an organisation in connection with a legitimate function or activity of that organisation in compiling statistics or carrying out research other than for publication in a form that identifies any particular individual.

17. Freedom of Information Act 1982

Nothing in IPP 6 applies to--
    (a) a document containing personal information, or to the personal information contained in a document, that is--
      (i) a document of an agency within the meaning of the Freedom of Information Act 1982; or
      (ii) an official document of a Minister within the meaning of that Act; or
      (iii) a document to which Part IIIA of that Act applies--
    and access can only be granted to that document or information, and that information can only be corrected, in accordance with the procedures set out in, and in the form required or permitted by, that Act; or
    (b) a document containing personal information, or to the personal information contained in a document, to which access would not be granted under the Freedom of Information Act 1982 because of section 6 of that Act.

18. Law enforcement

It is not necessary for a law enforcement agency to comply with IPP 1.3 to 1.5, 2.1, 6.1 to 6.9, 9.1 or 10.1 if it believes on reasonable grounds that the non-compliance is necessary--
    (a) for the purposes of one or more of its, or any other law enforcement agency's, legitimate law enforcement functions or activities; or

    (b) for the enforcement of laws relating to the confiscation of the proceeds of crime; or
    (c) in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal.

_______________

PART 3--INFORMATION PRIVACY

19. Information Privacy Principles

  (1) The Information Privacy Principles are set out in Schedule 1.

  (2) Nothing in any Information Privacy Principle affects the operation or extent of any exemption arising under Division 3 of Part 2 and those Principles must be construed accordingly.

20. Application of IPPs

  (1) IPP 1 and IPP 10 apply only in relation to information collected--
    (a) in the case of a public sector organisation, after the commencement of section 9; and
    (b) in the case of a private sector organisation, after the commencement of section 10.

  (2) The remaining Information Privacy Principles apply in relation to all personal information, whether collected by the organisation before or after the commencement of section 9 or 10, as the case requires.

21. Organisations to comply with IPPs

  (1) Subject to section 20, an organisation must not do an act, or engage in a practice, that contravenes an Information Privacy Principle in respect of personal information collected, held, used or disclosed by it.

  (2) Sub-section (1) only applies in relation to an Information Privacy Principle, other than IPP 4 and IPP 6, on and from--
    (a) in the case of a public sector organisation, the first anniversary of the commencement of section 9; and

    (b) in the case of a private sector organisation, the first anniversary of the commencement of section 10.

  (3) Despite sub-sections (1) and (2), sub-section (1) does not apply to the doing of an act, or the engaging in of a practice, by an organisation that, but for this sub-section, would constitute a contravention of an Information Privacy Principle, other than IPP 4 and IPP 6, if--
    (a) the doing of the act or the engaging in of the practice is necessary for the performance of a contract to which the organisation is a party entered into by the organisation--
      (i) in the case of a public sector organisation, before the commencement of section 9; and
      (ii) in the case of a private sector organisation, before the commencement of section 10; and
    (b) the act is done or the practice is engaged in before the second anniversary of the commencement of section 9 or 10 (as the case requires) or the end of any extension of that period granted in relation to that contract under sub-section (4).

  (4) On the application of an organisation before the expiry of the period referred to in sub-section (3)(b) (including any extension of that period granted under this sub-section), the Privacy Commissioner may grant an extension of that period in relation to a specified contract if he or she is of the opinion that the organisation is doing its best--
    (a) to comply with the IPPs consistent with its obligations under the contract; and

    (b) to seek to have the contract re-negotiated to enable the organisation to comply fully with the IPPs.

  (5) A public sector agency or a Council must, in administering a public register, so far as is reasonably practicable not do an act or engage in a practice that would contravene an Information Privacy Principle in respect of information collected, held, used or disclosed by it in connection with the administration of the public register if that information were personal information.

22. Effect of outsourcing

  (1) Subject to this section, the status or effect for the purposes of this Act of an act or practice is not affected by the existence or operation of an outsourcing contract.

  (2) An outsourcing contract may provide for the outsourced service provider to be bound by the Information Privacy Principles and any applicable code of practice with respect to any act done, or practice engaged in, by the outsourced service provider in the same way and to the same extent as the outsourcing organisation would have been bound by them in respect of that act or practice had it been directly done or engaged in by the outsourcing organisation.

  (3) If a provision of a kind referred to in sub-section (2) is in force under an outsourcing contract, the Information Privacy Principles and any applicable code of practice apply to an act done, or practice engaged in, by the outsourced service provider in the same way and to the same extent as they would have applied to the outsourcing organisation in respect of that act or practice had it been directly done or engaged in by the outsourcing organisation.

  (4) An act or practice that is an interference with the privacy of an individual done or engaged in by an outsourced service provider must, for the purposes of this Act and any applicable code of practice, be taken to have been done or engaged in by the outsourcing organisation as well as the outsourced service provider unless--
    (a) the outsourcing organisation establishes that a provision of a kind referred to in sub-section (2) was in force under the outsourcing contract at the relevant time in relation to the act or practice; and
    (b) the IPP or applicable code of practice to which the act or practice is contrary, or with which it is inconsistent, is capable of being enforced against the outsourced service provider in accordance with the procedures set out in this Act.

  (5) Section 70(1) does not apply to an act done or practice engaged in by an outsourced service provider acting within the scope of an outsourcing contract.

_______________

PART 4--CODES OF PRACTICE

23. Codes of practice

  (1) An organisation can discharge its duty to comply with an Information Privacy Principle in respect of personal information collected, held, used or disclosed by it by complying with a code of practice approved under this Part and binding on the organisation.

  (2) A code of practice may--
    (a) modify the application of any one or more of the Information Privacy Principles by--
      (i) prescribing standards that are more stringent or less stringent than the standards prescribed by any Information Privacy Principle; or
      (ii) exempting any act or practice from an Information Privacy Principle, either unconditionally or subject to any conditions that are prescribed in the code of practice; or
    (b) prescribe how any one or more of the Information Privacy Principles are to be applied, or are to be complied with; or
    (c) prescribe standards in relation to any matter in substitution for standards prescribed by an Information Privacy Principle.

  (3) A code of practice may apply in relation to any one or more of the following--
    (a) any specified information or class of information;
    (b) any specified organisation or class of organisation;

    (c) any specified activity or class of activity;
    (d) any specified industry, profession or calling or class of industry, profession or calling.

  (4) A code of practice may also--
    (a) impose controls on an organisation that matches data for the purpose of producing or verifying information about an identifiable individual; or
    (b) in relation to charging--
      (i) set guidelines to be followed in determining charges; or
      (ii) prescribe circumstances in which no charge may be imposed; or
    (c) prescribe--
      (i) procedures for dealing with complaints alleging a contravention of the code, including the appointment of an independent code administrator to whom complaints may be made; or
      (ii) remedies available where a complaint is substantiated; or
    (d) provide for the review of the code by the Privacy Commissioner; or
    (e) provide for the expiry of the code.

  (5) Sub-section (1) applies also to a public sector agency or a Council in seeking to discharge its duty to comply, so far as is reasonably practicable, with an Information Privacy Principle in relation to a public register as imposed by section 21(5) and this Part has effect accordingly.

Data Protection Act 1999 s. 24 Act No. 24. Process for approval of code of practice or code variation (1) An organisation may seek approval of a code of practice, or of a variation of an approved code of 5 practice, by submitting the code or variation to the Privacy Commissioner. (2) The Governor in Council, on the recommendation of the Minister made after considering the advice of the Privacy Commissioner, may by notice 10 published in the Government Gazette approve a code of practice or a variation of an approved code of practice. (3) The Privacy Commissioner may advise the Minister to recommend to the Governor in 15 Council that a code of practice, or a variation of an approved code of practice, be approved if in his or her opinion-- (a) the code or variation would substantially achieve the objects of this Act in relation to 20 the personal information to which the code applies; and (b) approving the code or variation is not contrary to the public interest. (4) Before deciding whether or not to advise the 25 Minister to recommend approval of a code of practice or of a variation of an approved code of practice, the Privacy Commissioner-- (a) if not also the Federal Privacy Commissioner, must consult that 30 Commissioner unless the code or variation is not capable of applying to a private sector organisation; and (b) may consult any other person or body that the Privacy Commissioner considers it 35 appropriate to consult; and 24 532027B.I1-25/5/99

 


 

Data Protection Act 1999 s. 25 Act No. (c) must have regard to the extent to which members of the public have been given an opportunity to comment on the code or variation. 5 (5) A code of practice or variation comes into operation at the beginning of-- (a) the day on which the notice of approval under sub-section (2) is published in the Government Gazette; or 10 (b) such later day as is expressed in that notice as the day on which the code or variation comes into operation. 25. Organisations bound by code of practice (1) An approved code of practice binds-- 15 (a) any organisation that sought approval of it; and (b) any organisation that, by notice in writing given to the Privacy Commissioner, states that it intends to be bound by an approved 20 code of practice that is then in operation and that is capable of applying to the organisation. (2) A notice under sub-section (1)(b) may indicate an intention that the organisation be bound by the 25 approved code of practice-- (a) generally; or (b) only in respect of specified information or a specified class of information collected, held, used or disclosed by it; or 30 (c) only in respect of any specified activity or class of activity. (3) A notice under sub-section (1)(b) has no effect unless the Privacy Commissioner approves it. 25 532027B.I1-25/5/99

 


 

(4) The Privacy Commissioner may approve a notice under sub-section (1)(b) if satisfied that the approved code of practice is capable of applying to the organisation to the extent set out in the notice.

(5) An organisation is bound by an approved code of practice--
    (a) in the case of an organisation referred to in sub-section (1)(a), on and from the coming into operation of the code; and
    (b) in the case of an organisation referred to in sub-section (1)(b), on and from the date expressed in the notice under that sub-section as the date on and from which the organisation will be bound by the code or the date on which the organisation is notified of the Privacy Commissioner's approval of the notice, whichever is the later.

(6) An organisation bound by an approved code of practice may, by notice in writing given to the Privacy Commissioner, state that it intends to cease to be bound by that code.

(7) An organisation ceases to be bound by an approved code of practice on and from the date of the notice under sub-section (6) or such later date as is expressed in that notice as the date on and from which the organisation will cease to be bound by the code.

26. Effect of approved code

If an approved code of practice is in operation and binding on an organisation--
    (a) an act done, or practice engaged in, by the organisation that would otherwise contravene an Information Privacy Principle is, for the purposes of this Act, deemed not to be a contravention of that principle if the act or practice does not contravene the code; and
    (b) an act done, or practice engaged in, by the organisation that contravenes the code, even though that act or practice would not otherwise contravene any Information Privacy Principle, is, for the purposes of this Act, deemed to be a contravention of an Information Privacy Principle and may be dealt with as provided by that code and this Act.

27. Codes of practice register

(1) The Privacy Commissioner must cause a register of all approved codes of practice to be established and maintained and for that purpose may determine the form of the register.

(2) A person may at any reasonable time--
    (a) inspect the register and any documents that form part of it; or
    (b) on the payment of any fee required by the regulations, obtain a copy of any entry in, or document forming part of, the register.

28. Revocation of approval

(1) The Governor in Council, on the recommendation of the Minister made after considering the advice of the Privacy Commissioner, may by notice published in the Government Gazette revoke the approval of a code of practice or of a variation of an approved code of practice.

(2) The Privacy Commissioner may act under sub-section (1) on his or her own initiative or on an application for revocation made to him or her by an individual or organisation.
(3) Before deciding whether or not to advise the Minister to recommend revocation of the approval of a code of practice or of a variation of an approved code of practice, the Privacy Commissioner--
    (a) if not also the Federal Privacy Commissioner, must consult that Commissioner unless the code or variation does not apply to a private sector organisation; and
    (b) must consult the organisation that sought approval of the code or variation and may consult any other person or body that the Privacy Commissioner considers it appropriate to consult; and
    (c) must have regard to the extent to which members of the public have been given an opportunity to comment on the proposed revocation.

(4) An approved code of practice or approved variation ceases to be in operation at the beginning of--
    (a) the day on which the notice of revocation under sub-section (1) is published in the Government Gazette; or
    (b) such later day as is expressed in that notice as the day on which the code or variation ceases to be in operation.

29. Effect of revocation of approval or variation or expiry of approved code

(1) The revocation of the approval of a code of practice or of a variation of an approved code of practice, or the expiry of an approved code of practice, or the ceasing of an organisation to be bound by a code of practice, does not--
    (a) revive anything not in force or existing at the time at which the revocation, expiry or cessation becomes operative; or
    (b) affect the previous operation of the code or anything duly done or suffered under, or in relation to, the code; or
    (c) affect any right, privilege, obligation or liability acquired, accrued or incurred under, or in relation to, the code; or
    (d) affect any penalty incurred in respect of any contravention of the code or in respect of any offence against section 51(1) committed in relation to a compliance notice issued because of any contravention of the code; or
    (e) affect any investigation, legal proceeding or remedy in respect of any such right, privilege, obligation, liability or penalty as is mentioned in paragraphs (c) and (d)--
and any such investigation, legal proceeding or remedy may be instituted, continued or enforced and any such penalty may be imposed as if the code or variation had not been revoked or the code had not expired or the organisation had not ceased to be bound by the code.

(2) Subject to sub-section (1), if a variation of an approved code of practice is revoked, the code takes effect without that variation as from the beginning of the day on which the variation ceases to be in operation in all respects as if the variation had not been made.

(3) Nothing in this section prevents the application to an organisation, or an outsourced service provider under an outsourcing contract with an organisation, of an IPP (without any modification) on and from the day on which an applicable code of practice, that modified the application of that IPP, ceases to be in operation.

_______________
PART 5--COMPLAINTS

Division 1--Making a Complaint

30. Complaints

(1) An individual in respect of whom personal information is, or has at any time been, held by an organisation may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual[2].

(2) A complaint may be made under sub-section (1) if--
    (a) there is no applicable code of practice in relation to the holding of the information by the organisation; or
    (b) there is an applicable code of practice in relation to the holding of the information by the organisation but that code does not provide for the appointment of a code administrator to whom complaints may be made; or
    (c) there is an applicable code of practice in relation to the holding of the information by the organisation that provides for the appointment of a code administrator and not less than 45 days before complaining under sub-section (1) the individual complained to the code administrator in accordance with the procedures set out in that code but has received no response or a response that the individual considers to be inadequate.

(3) In the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any one of those individuals may make a complaint under sub-section (1) on behalf of all of the individuals with their consent.

(4) A complaint must be in writing and lodged with the Privacy Commissioner by hand, facsimile or other electronic transmission or post.

(5) It is the duty of employees in the office of the Privacy Commissioner to provide appropriate assistance to an individual who wishes to make a complaint and requires assistance to formulate the complaint.

(6) The complaint must specify the respondent to the complaint.

(7) If the organisation is a legal person, the organisation shall be the respondent and, if the organisation is an unincorporated body, the members of the committee of management of the organisation shall be the respondents.

(8) A failure to comply with sub-section (6) does not render the complaint, or any step taken in relation to it, a nullity.

31. Complaints by minors and people with an impairment

(1) A complaint may be made--
    (a) by a child; or
    (b) on behalf of a child by--
        (i) a parent of the child; or
        (ii) any other individual with the consent of the child or of a parent of the child.

(2) If an individual is unable to complain because of impairment, a complaint may be made on behalf of that individual by--
    (a) an individual authorised by that individual to complain on his or her behalf; or
    (b) if that individual is unable to authorise another individual, any other individual on his or her behalf.

(3) In this section "parent" and "impairment" have the same respective meanings as in the Equal Opportunity Act 1995.

Division 2--Procedure after a Complaint is Made

32. Privacy Commissioner must notify respondent

The Privacy Commissioner must notify the respondent in writing of the complaint as soon as practicable after receiving it.

33. Circumstances in which Privacy Commissioner may decline to entertain complaint

(1) The Privacy Commissioner may decline to entertain a complaint made under section 30(1) by notifying the complainant and the respondent in writing to that effect within 90 days after the day on which the complaint was lodged if the Privacy Commissioner considers that--
    (a) the act or practice about which the complaint has been made is not an interference with the privacy of an individual; or
    (b) the act or practice is subject to an applicable code of practice and all mechanisms for seeking redress available under that code have not been exhausted; or
    (c) although a complaint has been made to the Privacy Commissioner about the act or practice, the complainant has not complained to the respondent; or
    (d) the complaint to the Privacy Commissioner was made more than 45 days after the complainant became aware of the act or practice; or
    (e) the complaint is frivolous, vexatious, misconceived or lacking in substance; or
    (f) the act or practice is the subject of an application under another enactment and the subject-matter of the complaint has been, or is being, dealt with adequately under that enactment; or
    (g) the act or practice could be made the subject of an application under another enactment for a more appropriate remedy; or
    (h) the complainant has complained to the respondent about the act or practice and either--
        (i) the respondent has dealt, or is dealing, adequately with the complaint; or
        (ii) the respondent has not yet had an adequate opportunity to deal with the complaint.

(2) Before declining to entertain a complaint, the Privacy Commissioner may, by written notice, invite any person--
    (a) to attend before the Privacy Commissioner, or an employee in the office of the Privacy Commissioner, for the purpose of discussing the subject matter of the complaint; or
    (b) to produce any documents specified in the notice.

(3) Within 60 days after receiving the Privacy Commissioner's notice declining to entertain a complaint, the complainant, by notice in writing given to the Privacy Commissioner, may require him or her to refer the complaint to the Tribunal for hearing under Division 5.

(4) The Privacy Commissioner must comply with a notice under sub-section (3).

(5) If the complainant does not notify the Privacy Commissioner under sub-section (3), the Privacy Commissioner may dismiss the complaint.

(6) As soon as possible after a dismissal under sub-section (5), the Privacy Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.

(7) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.

34. Privacy Commissioner may dismiss stale complaint

(1) The Privacy Commissioner may dismiss a complaint if he or she has had no substantive response from the complainant in the period of 90 days following a request by the Privacy Commissioner for a response in relation to the complaint.

(2) As soon as possible after a dismissal under sub-section (1), the Privacy Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.

(3) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.

35. Minister may refer a complaint direct to Tribunal

(1) If the Minister considers that the subject matter of a complaint raises an issue of important public policy, the Minister may refer the complaint direct to the Tribunal for hearing under Division 5, whether or not the Privacy Commissioner has considered it or the complaint is in the process of being conciliated.

(2) The Minister is not a party to a proceeding on a complaint referred to the Tribunal under sub-section (1) unless joined by the Tribunal.

36. What happens if conciliation is inappropriate?

(1) If the Privacy Commissioner does not consider it reasonably possible that a complaint may be conciliated successfully under Division 3, he or she must notify the complainant and the respondent in writing.

(2) Within 60 days after receiving the Privacy Commissioner's notice under sub-section (1), the complainant, by written notice, may require the Privacy Commissioner to refer the complaint to the Tribunal for hearing under Division 5.

(3) The Privacy Commissioner must comply with a notice under sub-section (2).

(4) If the complainant does not notify the Privacy Commissioner under sub-section (2), the Privacy Commissioner may dismiss the complaint.

(5) As soon as possible after a dismissal under sub-section (4), the Privacy Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.

(6) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.

Division 3--Conciliation of Complaints

37. Conciliation process

(1) If the Privacy Commissioner considers it reasonably possible that a complaint may be conciliated successfully, he or she must make all reasonable endeavours to conciliate the complaint.

(2) Sub-section (1) does not apply to a complaint--
    (a) that the Privacy Commissioner has declined to entertain under section 33 or dismissed under section 34; or
    (b) that the Minister has referred to the Tribunal under section 35.

(3) The Privacy Commissioner may require a party to attend a conciliation either personally or by a representative who has authority to settle the matter on behalf of the party.

38. Power to obtain information and documents

(1) If the Privacy Commissioner has reason to believe that a person has information or a document relevant to a conciliation under this Division, the Privacy Commissioner may give to the person a written notice requiring the person--
    (a) to give the information to the Privacy Commissioner in writing signed by the person or, in the case of a body corporate, by an officer of the body corporate; or
    (b) to produce the document to the Privacy Commissioner.

(2) If the Privacy Commissioner has reason to believe that a person has information relevant to a conciliation under this Division, the Privacy Commissioner may give to the person a written notice requiring the person to attend before the Privacy Commissioner at a time and place specified in the notice to answer questions relevant to the complaint.

(3) The Privacy Commissioner is not entitled to require an agency within the meaning of the Freedom of Information Act 1982 or a Minister to give any information if the Secretary to the Department of Premier and Cabinet furnishes to the Privacy Commissioner a certificate certifying that the giving of that information (including in answer to a question) would involve the disclosure of information which, if included in a document of the agency or an official document of the Minister, would cause the document to be--
    (a) an exempt document for the purposes of that Act; or
    (b) a document to which Part IIIA of that Act applies.

39. Conciliation agreements

(1) If, following conciliation, the parties to the complaint reach agreement with respect to the subject matter of the complaint--
    (a) at the request of any party made within 30 days after agreement is reached, a written record of the conciliation agreement is to be prepared by the parties or the Privacy Commissioner; and
    (b) the record must be signed by or on behalf of each party and certified by the Privacy Commissioner; and
    (c) the Privacy Commissioner must give each party a copy of the signed and certified record.

(2) Any party, after notifying in writing the other party, may lodge a copy of the signed and certified record with the Tribunal for registration.

(3) Subject to sub-section (4), the Tribunal must register the record and give a certified copy of the registered record to each party.

(4) If the Tribunal, constituted by a presidential member, considers that it may not be practicable to enforce, or to supervise compliance with, a conciliation agreement, the Tribunal may refuse to register the record of the agreement.

(5) On registration, the record must be taken to be an order of the Tribunal in accordance with its terms and may be enforced accordingly.

(6) The refusal of the Tribunal to register the record of a conciliation agreement does not affect the validity of the agreement.

40. Evidence of conciliation is inadmissible

Evidence of anything said or done in the course of a conciliation is not admissible in proceedings before the Tribunal or any other legal proceedings relating to the subject matter of the complaint, unless all parties to the conciliation otherwise agree.

41. What happens if conciliation fails?

(1) If the Privacy Commissioner has attempted unsuccessfully to conciliate a complaint, he or she must notify the complainant and the respondent in writing.

(2) Within 60 days after receiving the Privacy Commissioner's notice under sub-section (1), the complainant, by written notice, may require the Privacy Commissioner to refer the complaint to the Tribunal for hearing under Division 5.

(3) The Privacy Commissioner must comply with a notice under sub-section (2).

(4) If the complainant does not notify the Privacy Commissioner under sub-section (2), the Privacy Commissioner may dismiss the complaint.
(5) As soon as possible after a dismissal under sub-section (4), the Privacy Commissioner must, by written notice, notify the complainant and the respondent of the dismissal.

(6) A complainant may take no further action under this Act in relation to the subject matter of a complaint dismissed under this section.

Division 4--Interim orders

42. Tribunal may make interim orders before hearing

(1) A complainant or a respondent or the Privacy Commissioner may apply to the Tribunal for an interim order to prevent any party to the complaint from acting in a manner prejudicial to negotiations or conciliation or to any decision or order the Tribunal might subsequently make.

(2) An application may be made under sub-section (1) at any time before the complaint is referred to the Tribunal.

(3) In making an interim order, the Tribunal must have regard to--
    (a) whether or not the complainant has established a prima facie case with respect to the complaint; and
    (b) any possible detriment or advantage to the public interest in making the order; and
    (c) any possible detriment to the complainant's or the respondent's case if the order is not made.

(4) An interim order applies for the period, not exceeding 28 days, specified in it and may be extended from time to time by the Tribunal.
(5) The party against whom the interim order is sought is a party to the proceeding on an application under sub-section (1).

(6) In making an interim order, the Tribunal--
    (a) may require any undertaking as to costs or damages that it considers appropriate; and
    (b) may make provision for the lifting of the order if specified conditions are met.

(7) The Tribunal may assess any costs or damages referred to in sub-section (6)(a).

(8) Nothing in this section affects or takes away from the Tribunal's power under section 123 of the Victorian Civil and Administrative Tribunal Act 1998 to make orders of an interim nature in a proceeding in the Tribunal in respect of a complaint.

Division 5--Jurisdiction of the Tribunal

43. When may the Tribunal hear a complaint?

(1) The Tribunal may hear a complaint--
    (a) referred to it by the Privacy Commissioner under section 33, 36 or 41;
    (b) referred to it by the Minister under section 35.

(2) The Tribunal also has the jurisdiction conferred by section 42.

44. Who are the parties to a proceeding?

(1) The complainant and the respondent are parties to a proceeding in respect of a complaint referred to in section 43(1).

(2) The Privacy Commissioner is not a party to a proceeding in respect of a complaint referred to in section 43(1)(a) unless joined by the Tribunal.
45. Time limits for certain complaints

(1) The Tribunal must commence hearing a complaint within 30 days after its referral to the Tribunal if the complaint was referred to it by the Minister under section 35.

(2) The Tribunal, constituted by a presidential member, may extend the period of 30 days under sub-section (1) by one further period of not more than 30 days.

46. What may the Tribunal decide?

(1) After hearing the evidence and representations that the parties to a complaint desire to adduce or make, the Tribunal may--
    (a) find the complaint or any part of it proven and make any one or more of the following orders--
        (i) an order restraining the respondent, or the organisation of which the respondent is the principal executive, from repeating or continuing any act or practice the subject of the complaint which the Tribunal has found to constitute an interference with the privacy of an individual;
        (ii) an order that the respondent perform or carry out any reasonable act or course of conduct to redress any loss or damage suffered by the complainant, including injury to the complainant's feelings or humiliation suffered by the complainant, by reason of the act or practice the subject of the complaint;
        (iii) an order that the complainant is entitled to a specified amount, not exceeding $100 000, by way of compensation for any loss or damage suffered by the complainant, including injury to the complainant's feelings or humiliation suffered by the complainant, by reason of the act or practice the subject of the complaint;
        (iv) if the act or practice the subject of the complaint is subject to an approved code of practice, an order that the code administrator take specified steps in the matter, which may include using conciliation or mediation, securing an apology or undertaking as to future conduct from the respondent or the payment of compensation, not exceeding $100 000, by the respondent; or
    (b) find the complaint or any part of it proven but decline to take any further action in the matter; or
    (c) find the complaint or any part of it not proven and make an order that the complaint or part be dismissed; or
    (d) in any case, make an order that the complainant is entitled to a specified amount to reimburse the complainant for expenses reasonably incurred by the complainant in connection with the making of the complaint and the proceedings held in respect of it under this Act.

(2) In an order under sub-paragraph (i) or (ii) of paragraph (a) of sub-section (1) arising out of a breach of IPP 6.6 or 6.7, the Tribunal may include an order that--
    (a) an organisation or respondent make an appropriate correction to the personal information; or
    (b) an organisation or respondent attach to the record of personal information a statement provided by the complainant of a correction sought by the complainant.

(3) If an order of the Tribunal relates to a public register, the Privacy Commissioner must, as soon as practicable after its making, report the order to the Minister responsible for the public sector agency or Council that administers that public register.

(4) The Privacy Commissioner may include in a report under sub-section (3) recommendations in relation to any matter that concerns the need for, or the desirability of, legislative or administrative action in the interests of personal privacy.

_______________
PART 6--ENFORCEMENT OF INFORMATION PRIVACY PRINCIPLES

47. Compliance notice

(1) The Privacy Commissioner may serve a compliance notice on an organisation if it appears to him or her that--
    (a) the organisation has done an act or engaged in a practice in contravention of an Information Privacy Principle, including an act or practice that is in contravention of an applicable code of practice; and
    (b) the act or practice--
        (i) constitutes a serious or flagrant contravention; or
        (ii) is of a kind that has been done or engaged in by the organisation on at least 5 separate occasions within the previous 2 years.

(2) A compliance notice requires the organisation to take specified action within a specified period, not exceeding one month, for the purpose of ensuring compliance with the Principle or applicable code of practice.

(3) If the Privacy Commissioner is satisfied, on the application of an organisation on which a compliance notice is served, that it is not reasonably possible to take the action specified in the notice within the period specified in the notice, the Privacy Commissioner may extend the period specified in the notice on the giving to him or her by the organisation of an undertaking to take the specified action within the extended period.
Data Protection Act 1999 s. 48 Act No. (4) The Privacy Commissioner may only extend a period under sub-section (3) if an application for the extension is made before the period specified in the notice expires. 5 (5) The Privacy Commissioner may act under sub- section (1) on his or her own initiative or on an application by an individual who was a complainant under Part 5. (6) In deciding whether or not to serve a compliance 10 notice, the Privacy Commissioner may have regard to the extent to which the organisation has complied with a decision of the Tribunal under Division 5 of Part 5. 48. Power to obtain information and documents 15 (1) If the Privacy Commissioner has reason to believe that a person has information or a document relevant to a decision under section 47(1), the Privacy Commissioner may give to the person a written notice requiring the person-- 20 (a) to give the information to the Privacy Commissioner in writing signed by the person or, in the case of a body corporate, by an officer of the body corporate; or (b) to produce the document to the Privacy 25 Commissioner. (2) If the Privacy Commissioner has reason to believe that a person has information relevant to a decision under section 47(1), the Privacy Commissioner may give to the person a written 30 notice requiring the person to attend before the Privacy Commissioner at a time and place specified in the notice to answer questions relevant to the decision. (3) The Privacy Commissioner is not entitled to 35 require an agency within the meaning of the 46 532027B.I1-25/5/99

 


 

Freedom of Information Act 1982 or a Minister to give any information if the Secretary to the Department of Premier and Cabinet furnishes to the Privacy Commissioner a certificate certifying that the giving of that information (including in answer to a question) would involve the disclosure of information which, if included in a document of the agency or an official document of the Minister, would cause the document to be--
    (a) an exempt document for the purposes of that Act; or
    (b) a document to which Part IIIA of that Act applies.

49. Power to examine witnesses

(1) The Privacy Commissioner may administer an oath or affirmation to a person required under section 48(2) to attend before the Privacy Commissioner and may examine the person on oath or affirmation.

(2) The oath or affirmation to be taken or made by a person for the purposes of this section is an oath or affirmation that the answers the person will give will be true.

50. Protection against self-incrimination

(1) It is a reasonable excuse for a natural person to refuse or fail to give information or answer a question when required to do so under this Part if giving the information or answering the question might tend to incriminate the person.

(2) A person is not excused from producing a document when required to do so under this Part on the ground that the document might tend to incriminate the person.

(3) This section does not limit section 48(3).

51. Offence not to comply with enforcement notice

(1) An organisation must comply with a compliance notice served on it under section 47(1).

Penalty: In the case of a body corporate, 3000 penalty units; In any other case, 600 penalty units.

(2) An offence against sub-section (1) is an indictable offence.

52. Application for review

(1) An individual or organisation whose interests are affected by a decision of the Privacy Commissioner under section 47(1) to serve a compliance notice may apply to the Tribunal for review of the decision.

(2) An application for review must be made within 28 days after the later of--
    (a) the day on which the decision is made; or
    (b) if, under the Victorian Civil and Administrative Tribunal Act 1998, the person requests a statement of reasons for the decision, the day on which the statement of reasons is given to the person or the person is informed under section 46(5) of that Act that a statement of reasons will not be given.

(3) The Privacy Commissioner is a party to a proceeding on a review under this section.

_______________

PART 7--PRIVACY COMMISSIONER

53. Privacy Commissioner

(1) There shall be a Privacy Commissioner who shall be appointed by the Governor in Council.

(2) The Privacy Commissioner shall not be a member of the Parliament of Victoria or of the Commonwealth or of any other State or a Territory.

54. Remuneration and allowances

The Privacy Commissioner is entitled to be paid the remuneration and allowances that are determined by the Governor in Council.

55. Terms and conditions of appointment

(1) Subject to this Part, the Privacy Commissioner holds office for the period, not exceeding 7 years, that is specified in the instrument of appointment but is eligible for re-appointment.

(2) Subject to this Part, the Privacy Commissioner holds office on the terms and conditions determined by the Governor in Council.

(3) The Privacy Commissioner is entitled to leave of absence as determined by the Governor in Council.

(4) Subject to sub-section (5), the Privacy Commissioner must not engage, directly or indirectly, in paid employment outside the duties of Privacy Commissioner.

(5) Sub-section (4) does not apply to the Privacy Commissioner in respect of the office of Federal Privacy Commissioner.

(6) The Public Sector Management and Employment Act 1998 does not apply to the Privacy Commissioner in respect of the office of Privacy Commissioner, except as provided in section 16 of that Act.

56. Vacancy, resignation

(1) The Privacy Commissioner ceases to hold office if he or she--
    (a) becomes an insolvent under administration; or
    (b) is convicted of an indictable offence or an offence which, if committed in Victoria, would be an indictable offence; or
    (c) nominates for election for either House of the Parliament of Victoria or of the Commonwealth or of any other State or a Territory.

(2) The Privacy Commissioner may resign by notice in writing delivered to the Minister.

57. Suspension of Privacy Commissioner

(1) The Governor in Council may suspend the Privacy Commissioner from office.

(2) The Minister must cause to be laid before each House of Parliament a full statement of the grounds of suspension within 7 sitting days of that House after the suspension.

(3) The Privacy Commissioner must be removed from office by the Governor in Council if each House of Parliament within 20 sitting days after the day when the statement is laid before it declares by resolution that the Privacy Commissioner ought to be removed from office.

(4) The Governor in Council must remove the suspension and restore the Privacy Commissioner

to office unless each House makes a declaration of the kind specified in sub-section (3) within the time specified in that sub-section.

58. Acting appointment

(1) The Governor in Council may appoint a person to act in the office of Privacy Commissioner--
    (a) during a vacancy in that office; or
    (b) during a period or all periods when the person holding that office is absent from duty or is, for any reason, unable to perform the duties of the office.

(2) An appointment under sub-section (1) is for the period, not exceeding 6 months, that is specified in the instrument of appointment.

(3) A person is not eligible to be appointed under sub-section (1) if the person is a member of the Parliament of Victoria or of the Commonwealth or of any other State or a Territory.

(4) The Governor in Council may at any time remove the acting Privacy Commissioner from office.

(5) While a person is acting in the office of the Privacy Commissioner in accordance with this section, the person--
    (a) has, and may exercise, all the powers and must perform all the duties of that office under this Act; and
    (b) is entitled to be paid the remuneration and allowances that the Privacy Commissioner would have been entitled to for performing those duties.

59. Validity of acts and decisions

An act or decision of the Privacy Commissioner or acting Privacy Commissioner is not invalid only because--
    (a) of a defect or irregularity in or in connection with his or her appointment; or
    (b) in the case of an acting Privacy Commissioner, that the occasion for so acting had not arisen or had ceased.

60. Staff

(1) There may be employed under Part 3 of the Public Sector Management and Employment Act 1998 any employees that are necessary for the purposes of this Act.

(2) The Privacy Commissioner may engage as many consultants as are required for the exercise of his or her functions.

61. Functions

The functions of the Privacy Commissioner are--
    (a) to promote an understanding and acceptance of the Information Privacy Principles and of the objects of those Principles;
    (b) in accordance with Part 4, to consider at the request of an organisation whether to advise the Minister to recommend to the Governor in Council the approval of a code of practice (or of a variation of an approved code of practice) in relation to that organisation;
    (c) in accordance with Part 4, to consider at the request of an individual or organisation whether to advise the Minister to recommend to the Governor in Council the revocation of the approval of a code of practice or of a variation of an approved code of practice;

    (d) to issue guidelines in relation to the development of codes of practice and variations of a kind referred to in paragraph (b);
    (e) to issue guidelines on procedures to be adopted, consistent with the procedures under the Freedom of Information Act 1982, where--
        (i) the organisation holding the personal information is an agency within the meaning of that Act or a Minister; and
        (ii) the personal information is contained in a document of the agency, or an official document of a Minister, within the meaning of that Act;
    (f) to publish model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria;
    (g) to examine the practice of an organisation with respect to personal information maintained by that organisation for the purpose of ascertaining whether or not the information is maintained according to the Information Privacy Principles or any applicable code of practice;
    (h) subject to this Act, to receive complaints about an act or practice of an organisation--
        (i) that may contravene an Information Privacy Principle; or
        (ii) that may interfere with the privacy of an individual or may otherwise have an adverse effect on the privacy of an individual--

    and, if the Privacy Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the complaint;
    (i) to issue compliance notices under Part 6 and to carry out an investigation for this purpose;
    (j) to conduct or commission audits of records of personal information maintained by an organisation for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles or any applicable code of practice;
    (k) to monitor and report on the adequacy of equipment and user safeguards;
    (l) to examine and assess any proposed legislation that would require or authorise acts or practices of an organisation that may, in the absence of the legislation, be interferences with the privacy of an individual or that may otherwise have an adverse effect on the privacy of an individual, and to report to the Minister the results of the examination and assessment;
    (m) to undertake research into, and to monitor developments in, data processing and computer technology (including data matching and data linkage) to ensure that any adverse effects of such developments on personal privacy are minimised, and to report to the Minister the results of the research and monitoring;
    (n) to make reports and recommendations to the Minister, or the Minister responsible for a public sector agency or a Council administering a public register, in relation to any matter that concerns the need for, or the

    desirability of, legislative or administrative action in the interests of personal privacy;
    (o) for the purpose of promoting the protection of personal privacy, to undertake educational programs on the Privacy Commissioner's own behalf or in co-operation with other persons or bodies acting on behalf of the Privacy Commissioner;
    (p) to make public statements in relation to any matter affecting personal privacy or the privacy of any class of individual;
    (q) to receive and invite representations from members of the public on any matter affecting personal privacy;
    (r) to consult and co-operate with other persons and bodies concerned with personal privacy;
    (s) to provide advice (with or without a request) to any individual or organisation on any matter relevant to the operation of this Act;
    (t) to examine and assess (with or without a request) the impact on personal privacy of any act or practice, or proposed act or practice, of an organisation;
    (u) to make suggestions to any individual or organisation in relation to any matter that concerns the need for, or the desirability of, action by that individual or organisation in the interests of personal privacy;
    (v) to gather information that, in the opinion of the Privacy Commissioner, will assist the Privacy Commissioner in carrying out his or her functions under this Act;
    (w) to review any approved code of practice, whether or not expressly authorised to do so by the code.

62. Powers

The Privacy Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions.

63. Privacy Commissioner to have regard to certain matters

In the performance of his or her functions and the exercise of his or her powers under this Act, the Privacy Commissioner must--
    (a) have regard to the objects of this Act; and
    (b) if also the Federal Privacy Commissioner, ensure that any advice given, or recommendation made, by him or her is capable of acceptance, adaptation and extension in Victoria; and
    (c) ensure that any codes of practice, or variations of approved codes of practice, that he or she advises the Minister to recommend for approval reflect the objects of this Act.

64. Delegation

(1) The Privacy Commissioner may, by instrument, delegate to an employee referred to in section 60(1) any of his or her powers under this Act other than this power of delegation.

(2) The Privacy Commissioner may, by instrument, delegate to any person any of his or her powers under Division 3 of Part 5.

65. Annual reports

The Privacy Commissioner must each year include the following information in the report of operations of the office under Part 7 of the Financial Management Act 1994--

    (a) the number of audits of records of personal information conducted under section 61(j) during the preceding financial year; and
    (b) the organisations in respect of which those audits were conducted.

66. Other reports

(1) In addition to the report of operations under Part 7 of the Financial Management Act 1994, the Privacy Commissioner may report to the Minister on any act or practice that the Privacy Commissioner considers to be an interference with the privacy of an individual, whether or not a complaint has been made under section 30(1).

(2) The Minister may cause a copy of a report referred to in sub-section (1) to be laid before each House of the Parliament.

(3) The Privacy Commissioner may from time to time, in the public interest, publish reports and recommendations relating generally to the Privacy Commissioner's functions under this Act or to any matter investigated by the Privacy Commissioner, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.

_______________

PART 8--GENERAL

67. Failure to attend etc. before Privacy Commissioner

A person must not, without reasonable excuse--
    (a) refuse or fail--
        (i) to attend before the Privacy Commissioner; or
        (ii) to be sworn or make an affirmation; or
        (iii) to give information; or
        (iv) to answer a question or produce a document--
    when so required by the Privacy Commissioner under this Act; or
    (b) wilfully obstruct, hinder or resist the Privacy Commissioner or an employee in the office of the Privacy Commissioner or a delegate of the Privacy Commissioner in--
        (i) performing, or attempting to perform, a function or duty under this Act; or
        (ii) exercising, or attempting to exercise, a power under this Act; or
    (c) furnish information or make a statement to the Privacy Commissioner knowing that it is false or misleading in a material particular.

Penalty: 60 penalty units.

68. Protection from liability

(1) A person who lodges a complaint under section 30(1) is not personally liable for any loss, damage or injury suffered by another person by reason only of the lodging of the complaint.

(2) A person who produces a document, or gives any information or evidence, to the Privacy Commissioner under this Act is not personally liable for any loss, damage or injury suffered by another person by reason only of that production or giving.

(3) Sub-section (4) applies where--
    (a) a person has been provided by an organisation with access to personal information; and
    (b) the access was required by IPP 6 or an applicable code of practice or the organisation, or an employee or agent of the organisation acting within the scope of his or her actual or apparent authority, believed in good faith that the access was required by IPP 6 or an applicable code of practice.

(4) The provision of access to personal information in the circumstances referred to in sub-section (3)--
    (a) is not to be regarded as making the organisation, or any employee or agent of the organisation, liable for defamation or breach of confidence or guilty of a criminal offence by reason only of the provision of access; or
    (b) is not to be regarded as making any person who provided the personal information to the organisation liable for defamation or breach of confidence in respect of any publication involved in, or resulting from, the provision of access by reason only of that person having provided the personal information to the organisation; or
    (c) must not be taken for the purpose of the law relating to defamation or breach of confidence to constitute an authorisation or

    approval of the publication of the information by the person who is provided with access to it.

69. Secrecy

(1) A person who is, or has been, the Privacy Commissioner, an acting Privacy Commissioner, an employee in the office of the Privacy Commissioner or a consultant engaged by the Privacy Commissioner must not, directly or indirectly, make a record of, disclose or communicate to any person any information relating to the affairs of any individual or organisation acquired in the performance of functions or duties or the exercise of powers under this Act, unless--
    (a) it is necessary to do so for the purposes of, or in connection with, the performance of a function or duty or the exercise of a power under this Act; or
    (b) the person to whom the information relates gives written consent to the making of the record, disclosure or communication.

Penalty: 60 penalty units.

(2) Without limiting sub-section (1), the Privacy Commissioner must not disclose or communicate to any person, other than a person employed in the office of the Privacy Commissioner, any information given to the Privacy Commissioner pursuant to a requirement made under Division 3 of Part 5 or Part 6 (including information contained in a document required to be produced to the Privacy Commissioner) unless he or she has--
    (a) notified the person from whom the information was obtained of the proposal to

    disclose or communicate that information; and
    (b) given that person a reasonable opportunity to object to the disclosure or communication.

70. Employees and agents

(1) Any act done or practice engaged in on behalf of an organisation by an employee or agent of the organisation acting within the scope of his or her actual or apparent authority is to be taken, for the purposes of this Act including a prosecution for an offence against this Act, to have been done or engaged in by the organisation and not by the employee or agent unless the organisation establishes that it took reasonable precautions and exercised due diligence to avoid the act being done or the practice being engaged in by its employee or agent.

(2) If, for the purpose of investigating a complaint or a proceeding for an offence against this Act, it is necessary to establish the state of mind of an organisation in relation to a particular act or practice, it is sufficient to show--
    (a) that the act was done or practice engaged in by an employee or agent of the organisation acting within the scope of his or her actual or apparent authority; and
    (b) that the employee or agent had that state of mind.

71. Offences by organisations or bodies

If this Act provides that an organisation or body is guilty of an offence, that reference to an organisation or body must, if the organisation or body is unincorporated, be read as a reference to each member of the committee of management of the organisation or body.

72. Prosecutions

(1) A proceeding for an offence against this Act may only be brought by--
    (a) a member of the police force; or
    (b) the Privacy Commissioner; or
    (c) a person authorised to do so, either generally or in a particular case, by the Privacy Commissioner.

(2) In a proceeding for an offence against this Act it must be presumed, in the absence of evidence to the contrary, that the person bringing the proceeding was authorised to bring it.

73. Supreme Court--limitation of jurisdiction

It is the intention of section 7 to alter or vary section 85 of the Constitution Act 1975.

74. Regulations

The Governor in Council may make regulations for or with respect to any matter or thing required or permitted by this Act to be prescribed or necessary to be prescribed to give effect to this Act.

_______________

PART 9--AMENDMENT OF CERTAIN ACTS

75. Amendment of Parliamentary Committees Act 1968

[Marginal note: No. 7727. Reprint No. 4 as at 28 July 1997. Further amended by Nos 93/1997 and 46/1998.]

In section 4D(a) of the Parliamentary Committees Act 1968, after sub-paragraph (iii) insert--

    "(iiia) unduly requires or authorises acts or practices that may have an adverse effect on personal privacy within the meaning of the Data Protection Act 1999; or".

76. Amendment of Magistrates' Court Act 1989

[Marginal note: No. 51/1989. Reprint No. 5 as at 1 July 1998. Further amended by Nos 60/1998, 102/1998, 10/1999 and 13/1999.]

In Schedule 4 to the Magistrates' Court Act 1989, after item 38 insert--

    "39. Non-compliance with enforcement notice
    Offences under section 51(1) of the Data Protection Act 1999.".

77. Amendment of Public Sector Management and Employment Act 1998

[Marginal note: No. 45/1998.]

In section 16(1) of the Public Sector Management and Employment Act 1998, after paragraph (h) insert--

    "(i) the Privacy Commissioner in relation to the office of the Privacy Commissioner.".

78. Amendment of Victorian Civil and Administrative Tribunal Act 1998

[Marginal note: No. 53/1998. Amended by Nos 46/1998, 92/1998, 101/1998 and 12/1999.]

In Schedule 1 to the Victorian Civil and Administrative Tribunal Act 1998, after Part 5 insert--

    "PART 5A--DATA PROTECTION ACT 1999

    11A. Intervention by Privacy Commissioner

    The Privacy Commissioner may intervene at any time in a proceeding under the Data Protection Act 1999.

    11B. Notification in other proceedings

    (1) If an application is made under section 42 (interim order) or a referral under section 35 (Minister's referral) of the Data Protection Act 1999, the principal registrar must notify the Privacy Commissioner.

    (2) Sub-clause (1) does not apply in the case of an application by the Privacy Commissioner under section 42 of the Data Protection Act 1999.

    11C. Privacy Commissioner may apply for interim injunction

    The Privacy Commissioner may apply for an order granting an interim injunction under section 123 in a proceeding under the Data Protection Act 1999 whether or not he or she is a party to that proceeding.

    11D. Compulsory conference

    The presiding member at a compulsory conference in a proceeding under the Data Protection Act 1999 may refer any matter to the Privacy Commissioner for investigation, negotiation or conciliation.

    11E. Settlement offers

    Sections 112 to 115 do not apply to a proceeding under the Data Protection Act 1999.".

__________________

SCHEDULE 1

Section 19.

THE INFORMATION PRIVACY PRINCIPLES

Principle 1--Collection

1.1 An organisation must only collect personal information that is necessary for one or more of its legitimate functions or activities.

1.2 An organisation must only collect personal information by lawful and fair means and not in an unreasonably intrusive way.

1.3 At or before the time an organisation collects personal information from the subject of the information (or, if that is not practicable, as soon as practicable thereafter), it must take the steps (if any) that are in the circumstances reasonable to ensure that the subject of the information is aware of--
    (a) the identity of the organisation and how to contact it; and
    (b) the fact that he or she is able to gain access to the information; and
    (c) the purposes for which the information is collected; and
    (d) to whom (or the types of individuals or organisations to which) it usually discloses information of this kind; and
    (e) any law that requires the particular information to be collected; and
    (f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.4 If it is reasonable and practicable to do so, an organisation must only collect personal information directly from the subject of the information.

1.5 If an organisation collects personal information from a third party, it must take the steps (if any) that are in the circumstances reasonable to ensure that the subject of the information is or has been made aware of the matters listed in IPP 1.3.

Principle 2--Use and Disclosure

2.1 An organisation must only use or disclose personal information for a purpose other than the primary purpose of collection (a "secondary purpose") if--

    (a) the secondary purpose is related to the primary purpose of collection and the subject of the information would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
    (b) the individual has consented to the use or disclosure; or
    (c) the organisation uses the information for the purpose of direct marketing and--
        (i) it is impracticable for the organisation to seek the individual's consent before using the information; and
        (ii) the organisation gives the individual the express opportunity, at the time of first contact or thereafter on request, at no cost to the individual, to decline to receive any further direct marketing communications; and
        (iii) the organisation complies with the individual's wishes; or
    (d) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent--
        (i) a serious and imminent threat to an individual's life, health or safety; or
        (ii) a serious threat to public health or public safety; or
    (e) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
    (f) the use or disclosure is required or specifically authorised by law; or
    (g) the Australian Security Intelligence Organization (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the organisation to disclose the personal information and--
        (i) the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure; and
        (ii) an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) for the purposes of this paragraph has certified that the disclosure would be

        connected with the performance by ASIO or ASIS (as the case requires) of its functions; or
    (h) the organisation reasonably believes that the use or disclosure is reasonably necessary for--
        (i) the prevention, detection, investigation, prosecution or punishment of--
            (A) criminal offences; or
            (B) breaches of a law imposing a penalty or sanction; or
        (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
        (iii) the protection of public revenue; or
        (iv) the prevention, detection, investigation or remedying of seriously improper conduct; or
        (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal--
    by or on behalf of a law enforcement agency.

2.2 While it is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions or with ASIO or ASIS in the performance of their functions, it should be noted that--
    (a) IPP 2.1 does not override any existing legal obligations not to disclose personal information; and
    (b) nothing in IPP 2.1 requires an organisation to disclose personal information; and
    (c) an organisation is always entitled not to disclose personal information in the absence of a legal obligation to do so.

2.3 If an organisation uses or discloses personal information under paragraph (h) of IPP 2.1, it must make a note of the use or disclosure.

Principle 3--Data Quality

3.1 An organisation must take the steps (if any) that are in the circumstances reasonable to make sure that the personal information it collects, uses or discloses, is accurate, complete and up to date.

Principle 4--Data Security

4.1 An organisation must take the steps (if any) that are in the circumstances reasonable to protect the personal information it holds

from misuse and loss and from unauthorised access, modification or disclosure.

4.2 An organisation must take the steps (if any) that are in the circumstances reasonable to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

Principle 5--Openness

5.1 An organisation must have clearly expressed policies on its management of personal information which are readily available.

5.2 An organisation, on request, must take the steps (if any) that are in the circumstances reasonable to let individuals know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Principle 6--Access and Correction

6.1 Where an organisation holds personal information about an individual, it must provide the individual with access to the information within 45 days after a request for access, except to the extent that--
    (a) providing access would pose a serious and imminent threat to the life or health of any individual; or
    (b) providing access would have an unreasonable impact on the privacy of other individuals; or
    (c) the request for access is frivolous or vexatious; or
    (d) the information relates to existing legal dispute resolution proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
    (e) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
    (f) providing access would be unlawful; or
    (g) denying access is specifically authorised by law; or
    (h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
    (i) providing access would be likely to prejudice--
        (i) the prevention, detection, investigation, prosecution or punishment of--
            (A) criminal offences; or

            (B) breaches of a law imposing a penalty or sanction; or
        (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
        (iii) the protection of public revenue; or
        (iv) the prevention, detection, investigation or remedying of seriously improper conduct; or
        (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal--
    by or on behalf of a law enforcement agency; or
    (j) ASIO, ASIS or a law enforcement agency performing a lawful national security function asks the organisation not to provide access on the basis that providing access would be likely to cause damage to the national security of Australia.

6.2 Where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the decision rather than direct access to the information.

6.3 If an organisation has given an individual an explanation under IPP 6.2, and the individual believes that direct access to the evaluative information is necessary to provide a reasonable explanation of the reasons for the decision, the individual must have access to an independent process to review whether that is so.

6.4 Wherever direct access by the individual is impracticable or inappropriate, the organisation and the individual must consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.5 If an organisation levies charges for providing access to personal information, those charges must not be excessive.

6.6 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take the steps (if any) that are in the circumstances reasonable to correct the information so that it is accurate, complete and up to date.

6.7 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date,

the organisation must take the steps (if any) that are in the circumstances reasonable to do so.

6.8 An organisation is not required to correct personal information at the request of an individual if it is not required to provide the individual with access to that information.

6.9 An organisation must provide reasons for denial of access or correction.

Principle 7--Identifiers

7.1 An organisation that is not a government agency must not adopt as its own identifier an identifier that has been assigned by a government agency (or by an agent of, or contractor to, a government agency acting in its capacity as agent or contractor).

7.2 An organisation must not use or disclose an identifier assigned to an individual by another organisation that is a government agency (or by an agent of or contractor to another organisation that is a government agency acting in its capacity as agent or contractor) unless one of paragraphs (d) to (h) of IPP 2.1 applies.

7.3 Government agencies must not assign common identifiers to an individual if to do so would lessen the protection afforded to personal information about that individual by these principles.

Principle 8--Anonymity

8.1 Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions.

Principle 9--Transborder Data Flows

9.1 An organisation may only transfer personal information outside Victoria if--
    (a) the organisation reasonably believes that the recipient of the information is subject to a statute, binding scheme or contract which effectively upholds principles for fair information handling that are substantially similar to these principles; or
    (b) the individual concerned consents to the transfer; or
    (c) the transfer is necessary for the performance of a legal duty or of a contract between the individual concerned and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
    (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual concerned between the organisation and a third party; or
    (e) the transfer is for the benefit of the individual concerned and--
        (i) it is not practicable to obtain the consent of the subject of the information to that transfer; and
        (ii) if it were practicable to obtain that consent, the subject of the information would be likely to give it; or
    (f) the organisation has taken the steps (if any) that are in the circumstances reasonable to ensure that the information which it has transferred will not be collected, held, used or disclosed by the recipient of the information inconsistently with these principles.

9.2 An organisation must be taken to have complied with paragraph (f) of IPP 9.1 if there is in force a contract or arrangement between the organisation and the recipient with respect to the information transferred that adopts the model terms published by the Privacy Commissioner for this purpose.

Principle 10--Sensitive Information

10.1 An organisation must not collect personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or details of health or sex life unless--
    (a) the subject of the information has consented; or
    (b) the collection is required or specifically authorised by law; or
    (c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the subject of the information is physically or legally incapable of giving consent; or
    (d) in the course of the legitimate activities of a non-profit-seeking body with a racial, ethnic, political, philosophical, religious or trade-union aim and on condition that the information relates solely to the members of the body or to individuals who have regular contact with it in connection with its purposes and that the information is not disclosed without the consent of the subject of the information; or
    (e) the collection is necessary for the establishment, exercise or defence of a legal claim.

10.2 IPP 10.1 does not apply where--
    (a) the information is required for the purposes of preventative medicine, medical diagnosis, the provision of care or treatment or the management of health-care services; and
    (b) the information is collected--
        (i) as required by law; or
        (ii) in accordance with rules established by competent health or medical bodies dealing with obligations of professional confidentiality.
Data Protection Act 1999 Notes Act No.

NOTES

1 S. 3: Section 6(1) of the Privacy Act 1988 of the Commonwealth defines "agency" as meaning--
    (a) a Minister; or
    (b) a Department; or
    (c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment, not being--
        (i) an incorporated company, society or association; or
        (ii) an organisation within the meaning of the Conciliation and Arbitration Act 1904 or a branch of such an organisation; or
    (d) a body established or appointed by the Governor-General, or by a Minister, otherwise than by or under a Commonwealth enactment; or
    (e) a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department; or
    (f) a person holding or performing the duties of an appointment, being an appointment made by the Governor-General, or by a Minister, otherwise than under a Commonwealth enactment; or
    (g) a federal court; or
    (h) the Australian Federal Police; or
    (i) an eligible case manager.

2 S. 30(1): Section 4(2) defines what is meant by this expression.

By Authority. Government Printer for the State of Victoria.