This website is for use by legal professionals (lawyers and law practices) only. If the information is used incorrectly, you could risk losing money or your legal rights. If you are a member of the public looking for free advice about your legal problems please visit legalaid.vic.gov.au, or contact our Legal Help advice line on 1300 792 387, Monday to Friday from 8 am to 6 pm. 

If you decide to use or rely on the information or make decisions based on the information in this website (which VLA does not recommend) VLA is not liable to you or any third party in any way for any loss, damage, costs or expenses you or they may suffer or incur as a result.

Organisations that must follow privacy laws

Information about the kinds of organisations that are bound by privacy laws and the kinds of information those laws protect.

Privacy protection laws control the way that governments and businesses must treat information that they collect.

Not all organisations that collect private information are bound by privacy protection laws. The type of protection will depend on whether the organisation is public or private, whether it is based in Victoria or Australia wide and on the type and size of the organisation or business.

Victorian public organisations

Public organisations have to follow privacy protection laws. The laws about Victorian organisations are set out in the Privacy and Data Protection Act 2014 (Vic). It applies to government departments and agencies that are based in Victoria, such as:

  • public schools
  • public hospitals
  • Victoria Police
  • local councils
  • statutory organisations such as Victoria Legal Aid and VicRoads
  • businesses that provide a service to the State government and agree to follow privacy laws (such as a school bus operator).

Privacy principles

These organisations must comply with 10 Information Privacy Principles for handling personal information. These principles cover how organisations:

  • collect personal information
  • handle personal information
  • use and disclose personal information
  • keep personal information secure
  • keep people informed about how they handle personal information
  • make sure personal information is accurate
  • create unique identifiers
  • allow people to remain anonymous
  • send information outside of the organisation.

For a list of government departments see the Victorian Government Directory.

Note: There is a separate Act that deals with information related to a person's health. See Privacy and health information.

Outsourcing to a private company

If a public sector organisation contracts work out to a private company, it will often make it a condition of the contract that the company must be bound by the Information Privacy Principles.

See s. 17—Privacy and Data Protection Act 2014 (Vic).

Where to complain

Complaints about a breach under Victorian law can be made to the Commissioner for Privacy and Data Protection.

See Commissioner for Privacy and Data Protection—Make a privacy complaint.

Commonwealth laws

Under the Commonwealth Privacy Act 1988 there are 13 Australian Privacy Principles which set out the standards, rights and obligations that people can expect when government and some private sector organisations handle, hold, access or correct personal information. If a relevant organisation breaches one of these principles, it has interfered with a person's privacy. If this happens a person can complain to the Office of the Australian Information Commissioner.

See OAIC—Rights and responsibilities and s. 13, Schedule 1—Privacy Act 1988 (Cth).

Commonwealth Government bodies

Commonwealth Government departments and agencies that cover all of Australia are included, such as:

  • Centrelink (part of the Commonwealth Department of Human Services)
  • Department of Immigration and Border Protection
  • The Australian Federal Police

For a list of departments and agencies see Australian Government Directory—A–Z list of Australian Government Departments and Agencies.

Private organisations

Some private organisations must also follow privacy protection law, depending on the type of business and the size of the business. Private organisations that are bound by the Australian Privacy Principles (APPs) are called Australian Privacy Principle entities (APP entities). APP entities are defined as agencies or organisations under the Privacy Act 1988 (Cth) ('the Act') and can include:

  • all private businesses with an annual turnover of more than $3,000,000 (called large businesses)
  • some smaller businesses if they:
    • provide health services (including doctors, gyms and private hospitals)
    • buy and sell personal information
    • provide credit reporting services
    • are contracted by the Commonwealth Government to perform services
    • are related to a business that must comply with the Privacy Act 1988
    • are prescribed businesses in the regulations
    • handle tax file numbers (TFNs)
    • choose to opt in to the Act.

See ss. 6A, 6D—Privacy Act 1988 (Cth).

Small businesses

Small businesses can choose to follow the privacy law by opting in. The Office of the Australian Information Commissioner keeps a register of all businesses that have opted in.

See Office of the Australian Information Commissioner—Opt in Register.

Small businesses must also follow the Privacy Act 1988 (Cth) if they are involved in activities related to:

  • operating a residential tenancy database
  • the conduct of a protected action ballot
  • anti-money laundering and counter-terrorism financing reporting.

See OAIC—Rights and responsibilities.

What is an organisation?

An organisation is broadly defined under the Privacy Act 1988 (Cth). It includes:

  • an individual
  • body corporate
  • partnership, or
  • any other unincorporated association or trust.

These entities must not breach an Australian Privacy Principle unless an exemption applies. These exemptions are set out in sections 16A and 16B of the Act.

See ss. 6C, 16A, 16B—Privacy Act 1988 (Cth).

What is an agency?

An agency is defined as a minister, department, tribunal or other body that is appointed for a public purpose under a Commonwealth law (not including an incorporated company, society or association). It could also be a:

  • body established by the Governor-General (GG) or a minister
  • person holding or performing the duties of an office, or following an appointment by a minister or by the GG
  • federal court
  • Australian Federal Police
  • Norfolk Island agency
  • eligible hearing service provider
  • service operator under the Healthcare Identifiers Act 2010 (Cth)

See s. 6—Privacy Act 1988 (Cth).

Who is not covered under Commonwealth law?

Some organisations are exempted from the privacy laws. These include:

  • Registered political parties
  • ASIO
  • State or territory authorities (or prescribed instrumentalities)
  • Members of Parliament when performing their parliamentary roles
  • Small businesses (with an annual turnover of $3,000,000 or less) that do not provide a health service, sell or trade personal information, provide credit reporting services or handle tax file numbers. Note they can choose to be covered by privacy law.

For a list of businesses that have chosen to register under the privacy law see Office of the Australian Information Commissioner—Opt in Register.

Legislation

Privacy and Data Protection Act 2014 (Vic)

  • s. 13—public sector organisations that must comply
  • s. 15—exemption for law enforcement agencies
  • s. 16—explains what an interference with privacy is
  • Schedule 1—Lists Information Privacy Principles

See Privacy and Data Protection Act 2014 (Vic).

Privacy Act 1988 (Cth)

  • s. 6—defines an 'agency' and 'APP entity' as an agency or organisation
  • s. 6A—breach of an Australian Privacy Principle
  • s. 6C—defines an organisation as an 'individual, body corporate, partnership, trust or any other unincorporated association that is not a small business operator, registered political party, agency, state or territory authority or prescribed instrumentality of a state or territory'
  • s. 6D—defines a small business as one with an annual turnover in the previous financial year of $3 million or less.
  • s. 16A—permitted general situations relating to collection, use or disclosure
  • s. 16B—permitted health situations relating to collection, use or disclosure
  • Schedule 1—Australian Privacy Principles

See Privacy Act 1988 (Cth).

Privacy Regulations 2013 (Cth)

  • r. 11—defines a credit reporting business

See Privacy Regulations 2013 (Cth).

Australian Government

The Commonwealth Government website directory lists its departments and agencies.

See Australian Government Directory—A–Z list of Australian Government Departments and Agencies.

Office of the Australian Information Commissioner (OAIC)

This site lists the small businesses that have chosen to be covered by the Commonwealth Privacy Act 1988.

See Office of the Australian Information Commissioner—Opt in Register.

Victorian Government

This Victorian Government site lists contact details for government departments and their agencies.

See Victorian Government Directory.

Commissioner for Privacy and Data Protection

See Commissioner for Privacy and Data Protection—Make a privacy complaint.
