Privacy policy (National Law)

This policy outlines the requirements for personal information handling practices for the areas of the department that are subject to the Commonwealth Privacy Act.


The Department of Education (the department) is subject to Victorian privacy laws. Generally, corporate staff must act in accordance with the department's Privacy policy and school staff with the Schools' privacy policy, which focuses on information handling in schools.

However, for areas within the department with obligations under national applied laws schemes, the Privacy Act 1988 of the Commonwealth applies as a law of Victoria in place of the Privacy and Data Protection Act 2014 (Vic). For the purposes of this policy, the Privacy Act 1988 of the Commonwealth applied as a law of Victoria is referred to as the "Privacy Act". The Privacy Act requires entities bound by the Australian Privacy Principles (APPs) contained in the Schedule to that Act to have a privacy policy that reflects these obligations.

This Privacy Policy (National Law) outlines the requirements for personal information handling practices for the areas of the department that are subject to the Privacy Act, namely, the Secretary to the department, and in turn, the Quality Assessment and Regulation Division (QARD), in performing its delegated role as the Regulatory Authority under the Education and Care Services National Law (National Law) in the Schedule to the Education and Care Services National Law Act 2010 (Vic).

Health practitioners governed by the Health Practitioner Regulation National Law (Victoria) are subject to the APPs (as applied as a law of Victoria). However, health information collected and managed in Victorian government schools is primarily handled in accordance with the Health Records Act 2001 (Vic) and obligations are, in practice, consistent.

Contact the Privacy team if clarification is required.


Personal (including sensitive and health) information is regulated in Australia under the Privacy Act. In the specific contexts listed above, the department must collect and handle personal information in accordance with the Privacy Act, unless otherwise required by law.

Key definitions

Throughout this policy:

  • Personal information is information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
  • Sensitive information is a type of personal information with stronger legal protections due to the risk of discrimination. It includes information or opinion about an individual's racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, membership of a political association, professional or trade association, or trade union. It also includes health information about an individual.
  • Health information is information or opinion, that is also personal information, about an individual's health, illness, disability or injury, their expressed wishes about the future provision of health services, a health service provided or to be provided to an individual. Health information also includes genetic information, or biometric information used for automated biometric verification or biometric identification or biometric templates.
  • Privacy impact assessment (PIA) is an assessment that identifies and assesses the privacy impacts of any system, software or process that handles personal or sensitive information. The PIA sets out recommendations to manage, minimise or eliminate identified impacts.

Australian Privacy Principles

The Australian Privacy Principles most relevant to the department are summarised as follows:

Collection of personal information

Kinds of personal information collected and held by the department (APP 1.4(a)) and how personal information is collected and held (APP 1.4(b))

The department will only collect personal information if the information is necessary for one of its powers or functions in the National Law.

Where the personal information of an individual is collected, reasonable steps should be taken to ensure that the individual is aware of:

  • the purposes for which the information is being collected
  • any law that requires the particular information to be collected
  • the identity of the department and how to contact it
  • the fact that the individual is able to gain access to the information
  • who the department usually discloses information of that kind to
  • the main consequence (if any) for the individual if all or part of the information is not provided to the department
  • the relevant oversight body
  • how to raise concerns or make a complaint about how the department has handled the information, or if the individual believes there has been a breach of the APPs.

Anonymity and pseudonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with the department, as long as this does not impede the department's ability to carry out its functions.

However, for most functions and activities the department usually needs name and contact information and enough detail to handle a particular matter such as an enquiry, request, or complaint.

Unsolicited personal information

Unsolicited information will be handled with the same care as information deliberately collected. Examples of unsolicited information may be complaints or feedback provided to the department.

Use or disclosure

Purposes for which personal information is collected, held, used and disclosed (APP 1.4(c))

The department must only use or disclose personal information for a particular purpose for which it was collected (known as the 'primary purpose' of collection) unless an exception applies. Where an exception applies the department may use or disclose personal information for another purpose (known as the 'secondary purpose'). Exceptions include:

  • the individual consented to the use or disclosure; or
  • for a related secondary purpose, one the individual would reasonably expect the department to use or disclose the information for that secondary purpose; or
  • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
  • the department reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • otherwise required, permitted or authorised by law. For example, the department may be required to share information to:
    • fulfil its duty of care to students, staff and visitors
    • provide a safe workplace in accordance with occupational health and safety law
    • assess a risk of family violence or for a child wellbeing or safety purpose
    • meet obligation to report requirements to Department of Home Affairs on international students not in compliance with their visa conditions
    • carry out its functions and powers as the Regulatory Authority under sections 260, 261, 270, 271 and 272 of the Education and Care Services National Law (Victoria)
    • meet obligations to disclose information about education and care services with bodies such as Australian Children's Education and Care Quality Authority, Departments, public or local authorities and Regulatory Authority Support
    • meet obligations under Victorian Child Safe Standards.
  • where a 'permitted general situation' applies. For example, lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety or taking appropriate action in relation to suspected unlawful activity or serious misconduct.

Whether the department is likely to disclose personal information to overseas recipients (APP 1.4(f)), and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4(g))

The department may disclose personal information to overseas recipients if authorised or required by law, or if appropriate assessment has been undertaken.

Quality of personal information

The department values information as an important resource. Accordingly, the department must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up to date and relevant to the department's functions or activities.

For example, it is the department's practice to, where possible, collect personal information from each individual concerned, rather than relying on other data sources, to ensure that names and other details are accurately recorded.

Security of personal information

The department is guided by the principle that all information is well governed and managed. Accordingly, the department must take reasonable steps to protect the personal and/or health information it holds from misuse and loss, unauthorised access, modification or disclosure.

The department requires that a PIA is conducted for all new and significantly changed processes, systems or software that involve personal information. It also requires that information assets recorded in the department's Information Asset Register are assigned data classifications. Data classifications determine what level of security is required for each type of information.

The department will retain or permanently de-identify personal information as long as is required by law, for example if:

  • the personal information is part of a Commonwealth or State record; or
  • the department is required by a court/tribunal order to retain the personal information.

Privacy incidents are confirmed or suspected actions of information handling that are inconsistent with the APPs. The department's response to a privacy incident will focus on protecting personal information and supporting impacted individuals. To report a suspected privacy incident, please email


To support access to government decisions, the department's information should be easy to find, access and use. This means that the department must have, and make available, a clearly expressed APP policy on its management of personal information (which is this Policy).

On request, the department must take reasonable steps to advise individuals, in general terms:

  • what sort of personal information it holds about them
  • for what purposes such information has been collected
  • how it collects, holds, uses and discloses that information.

Access and correction

How an individual may access their personal information and seek its correction (APP 1.4(d))

Individuals have a right to request access to, and to request correction of, their personal information held by the department.

Certain requests to access and/or correct information held by the department are processed in accordance with the Privacy Act or the Commonwealth Freedom of Information Act 1982 as applied as a law of Victoria (FOI Act). This mainly relates to requests for documents held by the department in its role as the Regulatory Authority of education and care services in Victoria under the National Law.

There is no application fee for requests made under the FOI Act. These requests should be made to the FOI Unit, please state that you are making this request under the Privacy Act and the APPs. To make a request, or for more information about the process, contact the FOI Unit by emailing or calling +61 3 7022 0856.

How to make a complaint

How an individual may complain if the department breaches the APPs or any registered binding APP code, and how the complaint will be handled (APP 1.4(e))

The department will investigate and respond to complaints in accordance with the department's information privacy complaints handling process.

Privacy complaints can be made to the Privacy team by emailing, calling +61 3 8688 7967 or lodging your complaint online via the privacy complaint form. For complaints in respect to this policy, please state that the complaint is an APP complaint.

If you are not satisfied with the department's handling of a complaint, you may wish to take your complaint to the following bodies, depending on its nature:

  • for APP complaints relating to the department's functions as a Regulatory Authority around education and care services, please contact the National Education and Care Services Privacy Commissioner online at NECSCOPIC privacy complaints
  • for all other APP complaints, please contact the Office of the Australian Information Commissioner online at OAIC privacy complaints.

Accountable Officer

The Accountable Officer for this policy is the Executive Director, Integrity, Assurance and Executive Services Division (IAESD). The Accountable Officer is responsible for the:

  • development of this policy
  • implementation of any supporting protocols, processes and guidelines
  • ongoing monitoring of compliance with this policy.


This policy will be reviewed and updated from time to time to take account of new laws, technology and processes. The review process will be completed by IAESD, with oversight provided by the department's Information Management and Technology Committee.


For more information about this policy or for assistance in working out whether the State or Commonwealth privacy legislation applies, contact