Who has to comply?

Your organisation may have privacy obligations under the Privacy and Data Protection Act 2014 (PDPA).

The organisations to which the former Information Privacy Act 2000 (Vic) applied remain subject to the privacy provisions of the PDPA. These organisations are listed in Part 3 (Information Privacy) of the PDPA as follows:

s. 13 Public sector organisations to which this Part applies
Subject to subsection (2), Part 3 applies to the following –

a) a Minister;

b) a Parliamentary Secretary, including the Parliamentary Secretary of the Cabinet;

c) a public sector agency;

d) a Council;

e) a body established or appointed for a public purpose by or under an Act;

f) a body established or appointed for a public purpose by the Governor in Council, or by a Minister, otherwise than under an Act;

g) a person holding an office or position established by or under an Act (other than the office of member of the Parliament of Victoria) or to which the person was appointed by the Governor in Council, or by a Minister, otherwise than under an Act;

h) a court or tribunal;

i) the police force of Victoria;

j) a contracted service provider, but only in relation to its provision of services under a State contract which contains a provision of a kind referred to in section 17(2);

k) any other body that is declared, or to the extent that it is declared, by an Order under subsection (3)(a) to be an organisation for the purposes of this subsection.

(2) This Part does not apply to a person or body referred to in subsection (1) that is –

a) a Commonwealth-regulated organisation; or

b) declared, or to the extent that it is declared, by an Order under subsection (3)(b) not to be an organisation for the purposes of subsection (1)(e), (f) or (g).

(3) The Governor in Council may, on the recommendation of the Minister, by Order published in the Government Gazette –

a) declare a body to be, either wholly or to the extent specified in the Order, an organisation for the purposes of subsection (1); or

b) declare a body referred to in subsection (1)(e) or (f), or a person holding an office or position referred to in subsection (1)(g), not to be an organisation for the purposes of that subsection, either wholly or to the extent specified in the Order.

(4) The Minister may only recommend to the Governor in Council the making of an Order under subsection (3)(b) in respect of a body or person if satisfied that –

a) another scheme (whether contained in an enactment or given legislative force by an enactment) would apply to the collection, holding, management, use, disclosure and transfer by that body or person of personal information if that person or body were not an organisation for the purposes of subsection (1), either wholly or to the extent specified in the Order; and

b) the collection, holding, management, use, disclosure and transfer by that body or person of personal information is more appropriately governed by that other scheme.

How does the PDPA affect contracted service providers?

The information privacy obligations of contracted service providers, and organisations that outsource to contracted service providers, remain unchanged.