Privacy and Data Protection Act 2014
Often terms used when discussing privacy have a particular privacy related meaning. Here is an alphabetical list of the most common terms and their definition in the context of information privacy.
Privacy legislation provides individuals with a statutory right of “access”. This refers to an individual’s right to see or know about his or her own information that is held by an organisation. This access is usually granted via a Freedom of Information application.
Usually, in Victoria, this means the Privacy and Data Protection Act 2014 (PDPA); depending upon the information it refers to, it may mean the Health Records Act 2001 (Health Records Act).
The Privacy and Data Protection Act 2014 regulates the personal information handling activities of the Victorian Public Sector and its funded services (except personal health information). This statute is regulated by the Victorian Commissioner for Privacy and Data Protection and contains 10 Information Privacy Principles (IPPs).
The Health Records Act 2001 regulates both public and private sector organisations in Victoria that handle personal health information. The 11 Health Privacy Principles in the Health Records Act are similar in spirit and principle to the IPPs of the PDPA, but are tailored to the specific requirements of health services and health information. This statute is regulated by the Victorian Health Services Commissioner.
Authorised by law
“Authorised by law” refers to circumstances where the law permits, but does not require, an organisation to use, disclose, or deny access to, personal information. The word “authorised” suggests that an organisation has some discretion as to whether or not to use or disclose or deny access to information. That is, they are not forced either to use/disclose or not to.
An organisation collects personal information when it records information in any form that it has gathered or acquired from any source by any means, in circumstances where an individual is identifiable. This includes information that:
an organisation comes across by accident or has not asked for but nevertheless keeps
information an organisation receives directly from an individual who is the data subject and files it
information about an individual received from somebody else that is kept.
In Victoria this would refer to the Commissioner for Privacy and Data Protection when referring to the PDPA, and the Health Services Commissioner in the context of the Health Records Act.
Cookies are often used by organisations to build up profiles of a user’s buying habits and interests. They do this when users provide information about themselves to the web site, purchase something online or subscribe to a free service.
Directly related purpose
A directly related purpose is one that has a logical connection with the primary purpose of collection. It is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. “Use or disclosure for a directly related purpose” would include use or disclosure for:
monitoring, evaluating, auditing the provision of a particular product or service the organisation is providing to the individual
managing the provision of the service or product
ensuring the conditions required by the service or product are met
following up complaints about the service or product
administrative purposes associated with providing, following up, or receiving payment for a service or product
reminders when a person receives a service on a regular basis.
A disclosure occurs when a data custodian releases information to another party. Examples of disclosures include when an organisation provides information:
from one of its divisions (the data custodian) to another of its divisions; or
to other organisations – e.g. to carry out an outsourced function
The Health Records Act regulates personal health information and defines “health information” as:
(a) Information or opinion about-
i. The physical, mental or psychological health (at any time) of an individual; or
ii. A disability (at any time) of an individual; or
iii. An individual's expressed wishes about the future provision of health services to them; or
iv. A health service provided, or to be provided, to an individual, that is also personal information; or
(b) Other personal information collected to provide, or in providing, a health service; or
(c) Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of their body parts, organs or body substances; or
(d) Genetic information about an individual in a form which is or could be predictive of the individual's health at any time.
The word “individual” means a natural person and is used in relation to the person who is the data subject. The words “person” or “people” are used when referring to anyone other than the individual who is the data subject.
The reference to law in the PDPA means Commonwealth, State and Territory legislation as well as the common law.
Law enforcement bodies
Law enforcement bodies are defined in the Privacy and Data Protection Act 2014, as:
(a) the police force of Victoria
(b) the police force or police service of another State or a Territory
(c) the Australian Federal Police
(d) the Australian Crime Commission established under the Australian Crime Commission Act
(e) the Commissioner appointed under the Corrections Act 1986
(f) the Business Licensing Authority established under the Business Licensing Authority Act 1998
(g) a commission established by a law of Victoria or the Commonwealth or of any other State or a Territory with the function of investigating matters relating to criminal activity
(h) the Chief Examiner and Examiners appointed under the Major Crime (Investigative Powers) Act 2004
(i) the IBAC
(j) the sheriff within the meaning of the Sheriff Act 2009
(k) the Victorian Inspectorate
(l) the Adult Parole Board established by the Corrections Act 1986
(m) the Youth Parole Board within the meaning of the Children, Youth and Families Act 2005
(n) an agency responsible for the performance of functions or activities directed to—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction for a breach
(ii) the management of property seized or restrained under laws relating to the confiscation of the proceeds of crime or the enforcement of such laws, or of orders made under such laws
(o) an agency responsible for the execution or implementation of an order or decision made by a court or tribunal
(p) an agency that provides correctional services, including a contractor within the meaning of the Corrections Act 1986 (including a contractor or subcontractor)
(q) an agency responsible for the protection of the public revenue under a law administered by it.
Lawful refers to an action that is not prohibited by law and therefore undertaking or performing such an action does not fall outside of the boundaries of lawful behaviour. This is a wider concept than “authorised by law” or “required by law”.
The word “necessary” is used in the legislation when defining what information an organisation may collect. This means “necessary” in a practical sense ( i.e. if an organisation cannot, in practice, effectively pursue a function or activity without collecting specific personal information, then that personal information would be regarded as “necessary”).
Personal information means information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. It does not include health information. The term “personal information” must relate to a natural person (i.e. a human).
Personal information can range from the very sensitive (for example, political beliefs, medical history, sexual preference or medical records) to the everyday (for example, hair colour, address, phone number). The information need not be accurate, it may include opinion and speculation and it may simply be false information.
It does not matter what media the information is held on (such as data or hard copy documents); if the information makes clear which individual it refers to, then the person is identifiable. Whether a person’s identity is reasonably ascertainable will depend on the context the information is available in and on who holds the information.
Practicable and impracticable
What is practicable or impracticable involves assessing the facts of the particular situation at hand. It is not determined by a person’s or organisation’s preference. Something is not genuinely impractical simply because it involves greater expense, inconvenience or effort on the part of an organisation or individual.
The primary purpose(s) are the dominant or fundamental reason(s) for information being collected in any particular transaction, and without which the transaction would not occur.
When an individual gives (and an organisation collects) personal information, the individual and the organisation do so for a particular purpose, for example, to secure a license to use public land or to receive a service such as a call back with expert advice, etc. This is the primary purpose of collection, even if the organisation wishes to use it for other purposes at a later date.
These additional purposes will always be secondary purposes for that transaction, even if the organisation tells the person about them, and even if the organisation obtains the individual’s consent to use or disclose the information for those additional purposes.
A fictional example of collecting information for more than one primary purpose related to the organisation’s functions might be to collect the same information for:
primary purpose = HR purposes, and
primary purpose = Emergency management volunteering.
Note that the person would need to be clearly advised of both these purposes in the privacy collection statement at the time of collection.
In modern society the term privacy may be used to describe a number of related human rights:
Personal privacy, which considers the integrity of an individual’s body
Privacy of personal behaviour, which incorporates sensitive social issues such as sexual preference, political activities and religious practices
Privacy of personal communications, which revolves around the concept of confidential voice, speech and telecommunications
Privacy of territory which may be defined as the right to personal space and to the protection of one’s property from trespass
Information Privacy or Data Privacy, which relates to the protection of personally identifying information. Information Privacy seeks to provide individuals with more control over the handling and use of information about them.
It is Information Privacy and Data Privacy that is protected by the PDPA.
The terms “reasonable” and “unreasonable” appear frequently throughout the IPPs. They relate to the expectations of “a person in the street” with no specialist knowledge with regard to decisions or steps taken by organisations under particular circumstances, for example, when collecting, correcting, or using and disclosing information and when operating public registers.
Determining what is ‘reasonable’ will require consideration of the factual circumstances in which a person or organisation is acting rather than the preferences of the individual or the organisation, or the specialist knowledge of the agency’s officers.
A record is any information held on any medium that can be retrieved, such as a document, a database, a photograph or voice recording. The fact it is held in a manner that is retrievable makes it a record.
A related purpose includes purposes associated with the primary purpose. A related purpose must have some logical connection to, and arise in the context of, the primary purpose. Uses or disclosures for a related purpose include:
giving an individual information closely associated with the product or service the person already receives
advising an individual of changes in conditions related to the product or service the person receives
notifying a former or existing client of an organisation of a business change of address.
Required by law
“Required by law” refers to circumstances where a law (other than the PDPA or the Health Records Act) requires an organisation to collect, use, disclose or deny access to, personal information. In certain instances, failing to comply with such a legal requirement may be an offence. Such a law may specifically require an organisation to collect, use, disclose or deny access to personal information.
It may also be a law that gives another body, such as a government agency, a general information gathering power that includes the power to require an organisation to disclose information to it.
Secondary purposes are purposes other than the primary purpose that an organisation has in mind for the information it collects. Related and directly related purposes are both secondary purposes.
Organisations must not use or disclose information for secondary purposes unless the secondary purpose is related or directly related to the purpose of collection and within reasonable expectations of a “person in the street” with no expert knowledge or where consent of the individual has been provided.
A fictional example of collecting information for a secondary purpose would be to collect it for:
primary purpose = HR purposes; secondary purpose = using the information which was collected for HR purposes to manage a work cover claim
primary purpose = Emergency management volunteering; secondary purpose = using the information which was collected for emergency management volunteering to arrange a ‘fit for fire-fighting’ assessment for the person to undertake this role.
Sensitive information is information or an opinion about an individual’s:
racial or ethnic origin
political opinions, membership of a political association
religious beliefs, affiliations
membership of a professional or trade association
membership of a trade union
sexual preferences or practices
Serious and imminent threat
The IPPs provide for the release of personal information in circumstances where there is a “serious and imminent” threat to an individual’s life, health or welfare.
A serious threat to an individual’s life, health or welfare is one that would significantly negatively impact an individual’s life or health, for example, a threat of bodily injury, mental abuse, illness or death, murder or assault, the threat of spreading an infectious disease or endangering life through setting fires.
“Imminent” means that the threatened harm must be about to happen, likely to occur at any minute.
Serious threat to public health or public safety
Public health and public safety are not defined in the PDPA. Various public health acts, while not necessarily defining public health, give some indication of the range of conditions and threats that have been considered to be significant enough to warrant legislating about them in the public interest. This includes conditions such as:
sexually transmitted disease
diseases caused by environmental hazards and toxins
infection arising from an outbreak of infectious disease
vaccine preventable diseases.
Use of personal information relates to the handling or manipulation of personal information for a specified purpose. Examples of uses of information are:
adding information to a data base
forming an opinion based on information collected and noting it on a file
interpreting the information to provide or decline a service or license.
If you require further information or advice about privacy, please contact:
INSERT FOR YOUR AGENCY
© The State of Victoria Department of Environment, Land, Water and Planning 2015