How to comply

Organisations regulated by the privacy provisions of the Privacy and Data Protection Act 2014 (PDPA) can take proactive steps to promote compliance with the Act. These steps include:

  • Information Privacy Principles
  • Flexibility mechanisms
  • Privacy policies and collection notices
  • Appointing a privacy officer
  • Adopting Privacy by Design
  • Conducting Privacy Impact Assessments

Information Privacy Principles

The principal information privacy obligation in the PDPA is that an organisation (defined in section 3 to mean the public sector organisations listed in section 13) must not do an act, or engage in a practice, that contravenes an Information Privacy Principle (IPP) in respect of personal information collected, held, managed, used, disclosed or transferred by it (section 20(1)).

Staff working with personal information need to fully understand how the IPPs apply in their day-to-day work, and to know where to seek help and guidance when necessary.

Further information on the IPPs can be found here.

Flexibility mechanisms

The section 20(1) prohibition does not apply if the act or practice is permitted under one of the PDPA’s flexibility mechanisms:

  • a public interest determination
  • a temporary public interest determination, and
  • an approved information usage arrangement.

More information on the flexibility mechanisms can be found here.

Privacy policies and collection notices

IPP 5.1 requires an organisation to have a written policy about its management of personal information, and to make this available on request.

IPP 5.2 requires an organisation to tell people, if they ask, about the general sorts of personal information it holds and how it handles that information.

See Drafting a privacy policy and Collection notices.

Appointing a privacy officer

The Office of the Commissioner for Privacy and Data Protection (CPDP) encourages all organisations regulated by the PDPA to appoint a Privacy Officer. The aim of this role is to support the application of the PDPA within the organisation.

Suggested role of privacy officers
  • To receive advice and updated information from the CPDP about the implementation of the PDPA
  • To act as a first point of contact/liaison with the CPDP for all matters related to privacy and personal information
  • To act as a focal point within their organisation for all matters related to privacy and personal information
  • To act as a first point of contact for members of the public for all matters related to privacy and personal information

Depending on the size of an organisation, the Privacy Officer may be involved in some or all of the following tasks:

  • Disseminating information on privacy issues within his or her organisation
  • Co-ordinating the steps to be taken by their organisation in order to implement the PDPA, including:
      • Privacy by Design
      • Privacy Impact Assessments
      • Privacy awareness and training for staff
  • Receiving and handling complaints lodged within their organisation, including any required liaison with the CPDP should a formal complaint be lodged with the Commissioner
  • Ensuring that all complaints about privacy breaches and/or internal reviews are dealt with in the proper manner
  • Co-ordinating or assisting the response to a privacy breach

Adopting Privacy by Design

‘Privacy by Design’ (PbD) has been adopted by the CPDP as a core policy to underpin information privacy management in the Victorian public sector.

PbD is a methodology that enables privacy to be ‘built in’ to the design and architecture of information systems, business processes and networked infrastructure. PbD aims to ensure that privacy is considered before, at the start of, and throughout the development and implementation of initiatives that involve the collection and handling of personal information.

PbD enables public sector policy-makers, information technology professionals and those responsible for delivering services to the community to approach privacy as a ‘design feature’ of public sector processes and activities rather than as a compliance burden to be endured or to which lip-service is given. It shifts the privacy focus to prevention rather than compliance, using innovative approaches that are anchored in genuine respect for individuals’ personal information.

Further information about Privacy by Design can be found here.

Privacy Impact Assessments

A privacy impact assessment (PIA) is a tool designed to assess an organisation’s compliance with its information privacy obligations, and to identify potential privacy risks and mitigation strategies. A PIA should ideally be completed at the design stage of a new system or program, and then revisited as program requirements and legal obligations change.

Further information about Privacy Impact Assessments can be found here.