JavaScript is required

Protect privacy - digital guide

Understand how to protect privacy when designing, building and managing a digital service.

Before you begin

This digital guide is for Victorian public sector organisations developing a digital service that might involve the collection, handling, use or disclosure of personal information. It’s designed to help you think about your obligations under the Privacy and Data Protection Act 2014 (Vic) (PDP Act), including the Information Privacy Principles (IPPs) which are set out in Schedule 1 of the PDP Act.

Examples of a digital service include mobile applications, websites and other online platforms. All digital services that deal with personal information in the manner described above must comply with the IPPs.

In this digital guide, ‘personal information’ is understood to have the same meaning provided in section 3 of the PDP Act.

The information in this guide is general in nature and it shouldn’t be regarded as legal advice. If you need more specific information, get independent legal advice or consult the relevant policy.

Who must protect privacy?

Part 3 of the PDP Act governs the handling of personal information in the Victorian public sector. This includes data collected through digital services.

A list of organisations that are subject to the PDP Act includes:

  • public sector agencies
  • Ministers
  • local councils
  • courts or tribunals
  • Victoria Police (with some exceptions)
  • contracted service providers (in relation to the services they provide under a State contract)

Visit the OVIC website for a list of organisations that are subject to Part 3 of the PDP Act

Visit the Victorian Public Sector Commission (VPSC) for a full list of Victorian public sector bodies

Your organisation may be subject to other legislation which covers the handling of personal information. In some cases, this may override or modify the PDP Act. We recommend speaking to your organisation’s legal counsel or Privacy Officer to see if this applies to you.

Why is privacy important?

Privacy is important for digital services as many of them rely on the collection and use of data in one way or another. It’s also easier to collect and analyse data now more than ever. Users are becoming aware of this and they expect greater privacy protections. But there are other reasons why privacy is important:

  • Privacy is a human right under the Charter of Human Rights and Responsibilities Act 2006 (Vic)
  • Privacy rights are legislated
  • Good privacy practice builds trust and engagement with your digital service
  • Privacy breaches can cause harm to your users, and financial and reputational damage to your organisation
  • Responding to privacy complaints and data breaches can be costly and time-consuming

What is personal information?

The PDP Act defines 'personal information' and how it must be handled.

Personal information is defined as:

Information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but doesn’t include information of a kind to which the Health Records Act 2001 applies.

If your digital service collects, uses or discloses personal information, then the PDP Act and the 10 IPPs apply.

What is sensitive information?

Sensitive information is a subset of personal information. There are greater obligations when collecting and handling sensitive information because it carries greater risk. An unauthorised collection or use of sensitive information is likely to be more damaging than for personal information. For example, sensitive information could potentially be used to discriminate on the basis of racial or ethnic origin, sexual practices, or political opinions.

The PDP Act defines sensitive information under the following categories:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record - that is also personal information

Sensitive information must only be collected if it is permitted by one of the exceptions listed in IPP 10. In most cases, you must get informed consent from the user when collecting sensitive information. If sensitive information is collected, it remains subject to all the other IPPs just like all other personal information.

Visit the OVIC website for further information on sensitive information.

What about health information?

The collection and handling of health information is regulated by:

  • the Health Records Act 2001 (Vic)
  • the Health Privacy Principles (HPPs) set out in Schedule 1 of the Health Records Act 2001

The HPPs apply to both public sector and private sector organisations.

Under the Health Records Act 2001, the definition of ‘health information’ is not limited to an individual’s medical conditions; it also includes, among other things, other personal information collected to provide a health service.

Health information is not just about medical conditions; it can also include behavioural and wellbeing information.

You’ll need to comply with the HPPs if your digital service collects health information (as defined in the Health Records Act 2001).

Read more about the Health Records Act 2001 and the HPPs

Information Privacy Principles (IPPs)

The 10 Information Privacy Principles (IPPs) are the core of privacy law in Victoria. They set out the minimum standard for how the Victorian public sector should manage personal information.

It’s important to review the IPPs and understand what they mean for your digital service. It's likely that most (if not all) of the IPPs will apply.

Read OVIC’s guide to the IPPs for more information.

The Office of the Victorian Information Commissioner (OVIC)

OVIC is the primary regulator and source of independent advice about how the public sector is permitted to collect, use and disclose personal information.

OVIC provides guidance and resources to help agencies understand their privacy obligations under the PDP Act.

What standards must be met?

You must comply with the Privacy and Data Protection Act 2014 (Vic) and the 10 IPPs when collecting, handling, using or disclosing personal information.

What does the Victorian Government recommend?

Here are a range of tools and processes to help you meet your privacy obligations when designing, building and managing a digital service. Some of these are a requirement under the PDP Act.

Know if you’re handling personal information

Personal information is any information about an individual who is identified or whose identity is reasonably ascertainable. There is no definitive list of what is or isn't personal information. It can depend on who is collecting the information and the context in which they are collecting it. It can also change over time.

It may not always be immediately clear what is or isn’t personal information, so take the time to think about it. Check your organisation’s privacy policy or visit the OVIC website for guidance on personal information, including a checklist and examples

Work with your Privacy Officer

Most public sector organisations have a Privacy Officer. The role of a Privacy Officer is to promote good privacy practices in your organisation and help you comply with your privacy obligations.

Involve your Privacy Officer at the start of any project that may involve personal information. They can help you with:

  • conducting a Privacy Impact Assessment (PIA)
  • writing a collection notice
  • developing a privacy statement
  • responding to a data breach or privacy complaint

OVIC encourages all organisations to have a Privacy Officer. You should nominate a Privacy Officer if your organisation doesn’t already have one.

Protect privacy by design

Protecting privacy is not a ‘check the box’ activity. Privacy by design means proactively embedding good privacy practices into the design of your technologies, services and business practices. Everyone in your organisation shares a responsibility to protect privacy.

To protect privacy by design, you can:

  • include prompts and templates for privacy in your project initiation documents
  • conduct Privacy Impact Assessments at the start of any project that may involve personal information
  • create a culture of privacy in your organisation

Talk to your Privacy Officer for help with protecting privacy by design or view the OVIC website for more information

Minimise your data

One way to protect the privacy of your users is to minimise the amount of personal information you collect and handle. To minimise your data, you must:

  • give your users the option of remaining anonymous when entering into transactions with your organisation (IPP 8)
  • only collect the personal information if it’s necessary for one or more of your organisation’s activities (IPP 1.1)
  • destroy or permanently de-identify any personal information you no longer need (IPP 4.2)

Conduct a Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) is an important tool that helps you to evaluate your digital service's compliance with the IPPs. A PIA is a great way to identify any potential privacy risks and plan accordingly.

You should conduct a PIA at the start of any project that potentially involves personal information. For digital services, this is likely to be all of them.

There may be more than 1 party involved when building or managing a digital service. If this is the case, when protecting privacy:

  • consider convening a team, with representatives from both parties, to conduct a joint PIA
  • be clear about how accountability is shared between the parties
  • work with the other party to make sure they’re aware of their responsibilities around personal information

A PIA is a ‘living document’ and should be reviewed and updated regularly. You should also update your PIA if you plan to make changes to your digital service that may impact the collection or handling of personal information.

Ask your Privacy Officer for help with completing a PIA. They may also have a template you can use.

OVIC has a PIA template for organisations to download and use and a PIA accompanying guide.

Provide a collection notice

When collecting personal information, you must take reasonable steps to ensure that the user is aware of the collection. This requirement is described in IPP 1.3. This is so that your users can make an informed decision about disclosing their personal information.

Here are some examples of when a collection notice may be required for a digital service:

  • subscribing to an email newsletter
  • submitting an application
  • filling out a survey
  • creating an account
  • registering for an event

A collection notice is a small statement provided to your users at the time and point of collection, briefly describing why their information is being collected and what it will be used for. IPP 1.3 contains a list of information that must be included in a collection notice. We recommend that collection notices be:

  • succinct
  • highly visible
  • clearly tied to the information you are collecting

Ask your Privacy Officer for help with creating a collection notice. You can visit the OVIC website for more information about what must be in your collection notice.

Getting consent is not the same as providing a collection notice. Consent is an element of collection that is required in particular circumstances. You may need to get consent from your users when you want to:

  • use their personal information for something different from when you first collected it (a secondary purpose)
  • adopt or disclose a unique identifier
  • transfer their personal information outside of Victoria
  • collect sensitive information

Speak to your Privacy Officer to understand if you need to get consent from your users. If you are getting consent, make sure that:

  • the individual has the capacity to consent
  • the consent is voluntary, informed, specific and current

There are some circumstances in which consent is not necessary, for example where there is authorising legislation that provides for this. Consult your Privacy Officer for more information.

Visit the OVIC website for more information on consent

Develop a privacy statement

A privacy statement is a description of how your digital service manages personal information. It demonstrates your digital service’s commitment to privacy by explaining how it adheres to its privacy obligations.

A privacy statement helps you to meet your obligations under the IPPs but it’s also for the benefit of your users. Keep this in mind when developing a privacy statement; it should be informative and easy to understand.

Your organisation may already have a privacy policy that applies to your digital service. In this case, we recommend developing a privacy statement specific to your digital service and in line with your organisation's privacy policy.

Ask your Privacy Officer for help with developing a privacy statement. You can also read OVIC’s guide to drafting a privacy policy

Your users should be able to easily find your privacy statement on your digital service.

Protect privacy when using vendor tools

Many digital services use vendor tools and software to help them function or improve their service. These tools provide capabilities such as data analytics, mailing services and online form submission. These tools often collect and handle your users' information automatically. They may also store or transfer your users' information outside of Victoria or disclose their information to other parties.

Plan how you will work with these vendors to protect your users’ privacy. These vendor tools and their information handling practices must comply with the IPPs (to the extent they are dealing with the personal information of your users). During your PIA, map what vendor tools your digital service will use and the personal information they will handle. To protect your users’ privacy when using vendor tools, you should:

  • minimise the vendor tools your digital service use and the information they collect
  • consider engaging the vendor as a contracted service provider (CSP)
  • ensure any contracts or terms of service are consistent with the IPPs
  • include in your privacy statement the vendor tools your digital service uses, the information they collect and how the handle it
  • provide a collection notice if the information they collect is potentially personal information

You should review your privacy impact assessment whenever you are considering using a new vendor tool with your digital service.

We recommend seeking advice from your Privacy Officer, legal counsel or OVIC on how to ensure your third-party web vendor tools are following the IPPs.

Work with your CSP to protect privacy

You may be thinking of engaging a contracted service provider (CSP) to help you design, build or manage your digital service. The services provided by a CSP should comply with the PDP Act and the IPPs.

Work with your CSP to protect the privacy of your users. Make sure that your contract with the CSP outlines what their privacy obligations are. You may also want to direct them to any resources (such as this Digital Guide) to help them comply with the PDP Act.

Visit the OVIC website for more information on working with CSPs to protect privacy

Keep your personal information secure

Any personal information your digital service collects should be stored securely. Your organisation may be subject to the Victorian Protective Data Security Framework and Victorian Protective Data Security Standards.

View our Secure your Service - Digital Guide for more information.

You must comply with IPP 9 if you are storing your personal information outside of Victoria.

Protect privacy when sharing information

There are many benefits to sharing information. However, it’s vital that information sharing is done responsibly to protect individuals’ privacy rights. You must comply with IPP 2 when disclosing personal information.

View the OVIC website for more information on disclosure and IPP 2

Here are some other ways to share information while protecting privacy.

Publish an open data set

The Victorian Government encourages making Victorian government data available to the public. The open data policy has been developed to support this.

Not all government data is suitable for release. Access to data may need to be restricted for reasons of:

  • privacy
  • public safety
  • security
  • law enforcement
  • public health
  • pre-existing contractual arrangements.

Refer to publish an open data set - digital guide for more information.

De-identify your data

It’s important to de-identify your data before sharing it, particularly in an open-data context.

Use an API

An application programming interface (API) is an interface that enables safe and reliable software communication.The Victorian Government takes an API-first approach. This approach favours the use of APIs in most integration scenarios. We recommend including an API with every Victorian Government online service, where possible.

Refer to understand the API design principles - digital guide for more information.

Plan for data breaches

A breach of your digital service's data can impact the privacy of your users. It’s important to plan for data breaches.

To help prepare for a data breach, OVIC recommends developing a data breach response plan. This plan outlines how you will respond to a data breach by providing guidance and sharing responsibility.

Your organisation may already have in place a data breach response plan.

OVIC have issued a guide to assist organisations that are subject to the PDP Act to prepare for and respond to the privacy implications of data breaches that involve personal information.

Data breaches with a Business Impact Level (BIL) of 2 or higher must be reported to OVIC under the information security incident notification scheme. Speak to your privacy officer or cyber security team for more information on reporting requirements.

Respond to privacy complaints

It’s important that your users are made aware of their right to lodge a privacy complaint, and how this can be done. It’s also important to take privacy complaints seriously. We recommend including this in your privacy statement.

Ask your Privacy Officer for help with responding to privacy complaints.

OVIC have provided a guide for organisations responding to privacy complaints.

The Victorian Ombudsman's Complaint Handling Guide for the Victorian Public Sector may help you to resolve a privacy complaint in the first instance.

Updated