Protect privacy - Digital Standards

Understand what a digital record is, what to record and store, and for how long.

Before you begin

Digital assets, such as websites or apps, make it easy to collect personal information that must stay private. So, you’ll need to think through what your digital asset collects well before you launch it, and how to protect this information.

This How-to guide’s main objectives are to help make sure you:

  • only collect the personal information you actually need — and no more
  • know how to check your legal obligations when you collect, store and dispose of individuals’ personal information
  • find the best way to publish a legally correct and readable collection notice

The information in this guide is general in nature. It shouldn’t be regarded as legal advice. If you need more specific information, obtain independent legal advice or consult the relevant policy, or do both.

Who should read this and when?

Read this guide when you create a new digital presence (for example, a new website or mobile app) or change how an existing one collects information, for example, you plan to add a new form to a website and start collecting personal information for the first time.

You’ll need to comply with the privacy requirements of the Privacy and Data Protection Act 2014 (PDPA) if your organisation is a Victorian public sector agency. This includes:

  • the Victorian Public Service (including Departments and Administrative Offices)
  • councils
  • public sector agencies
  • Victoria Police

For the full list, see ‘Who has to comply?’ on the Office of the Victorian Information Commissioner website.

Your digital asset needs a collection notice — not a privacy policy

The collection notice (often referred to as a privacy statement) is provided to an individual when, or before, your organisation collects personal information from that individual.

For example, you may make a collection notice available on your organisation’s website where information is collected online. A collection notice explains to a user how your organisation will handle the personal information you collect about them. As each digital asset usually collects different kinds of personal information, you’ll need to craft a collection notice for each digital asset.

Your Privacy Adviser or legal team need to approve it. Before you can do this, there are two important steps to complete first (explained further on).

A privacy policy is a general statement about how your organisation as a whole will manage the personal information it collects. Because it’s a general policy, it doesn’t have specific information tailored for an individual digital asset. For example, the information you collect in a website survey is different to the location information a mobile app collects.

What does the Victorian Government recommend?

The Office of the Victorian Information Commissioner has formally adopted ‘Privacy by Design’ as a core policy for how the Victorian Public Sector manages information privacy.

What this means is that you should ‘build in’ privacy as a design feature from the start, as you develop, and when you launch your digital product. This is explained in more detail in Privacy by Design (PbD): Methodology for privacy management in the Victorian public sector.

Explain how you protect citizens’ personal information

Victorians are increasingly concerned about the security of their digital data. If your collection notice does not explain in simple language how you protect users’ privacy, users may avoid your service.

Handle personal information sensitively in accordance with the PDPA

Individuals expect you to handle all the information you collect about them sensitively and in accordance with privacy law. Individuals are entitled to complain if they believe your organisation has mishandled their personal information.

What standards must be met?

The Privacy and Data Protection Act 2014 (PDPA) spells out what you must do when you collect personal information. How you manage privacy and personal information you collect is also affected by:

  • the Health Records Act 2001 (Vic), which regulates the collection, use, disclosure and storage of individuals’ health information
  • the Charter of Human Rights and Responsibilities Act 2006 (Vic), which states that a person has the right not to have their privacy unlawfully or arbitrarily interfered with
  • the Public Records Act 1973 (Vic), which affects how long your organisation must hold information, including personal information. The Public Record Office Victoria (PROV) website has information and guidance about these obligations.

Manage public records

The Public Record Office Victoria (PROV) (under Section 12 of the Public Records Act 1973) sets the standards for managing the public records your department or agency creates. Always check with your department’s or agency’s records or information management specialist first for the approach to compliance. Refer to the How-to guide: How to manage online records for more information, or the PROV website.

Comply with the Privacy and Data Protection Act 2014. Refer to the How-to guide: How to manage security, and the security framework and standards on the Office of the Victorian Information Commissioner website.

Open data policy

Under the Treasury and Finance DataVic Access Policy, your department or agency will make data publicly available unless you need to restrict access for reasons of privacy, public safety, security and law enforcement, or public health.

  • Victoria’s Privacy and Data Protection Act 2014 (PDPA) spells out what you must do when you collect personal information.
  • Publish an approved (and therefore legally valid) privacy collection notice (also known as a ‘privacy statement’) tailored for each of your digital assets. This is a legal document, so you’ll need internal legal advice to craft it.

Getting your privacy collection notice approved

For each digital presence, you’ll need to have your organisation’s Privacy Adviser or legal team review and approve a new or refreshed collection notice. They are familiar with your organisation’s general privacy policy.

They can make sure your draft collection notice complies with the relevant PDPA requirements and is consistent with your organisation’s privacy policy. If you can’t find your Privacy Adviser’s details, contact your legal services team (your intranet has their contact details).

The Privacy and Data Protection Act 2014: a summary

A quick look at Victoria’s privacy and data protection law

This information sheet explains Victoria’s privacy laws.

The Privacy and Data Protection Act 2014 (PDPA) (the successor to the Information Privacy Act 2000) governs the collection and handling of ‘personal information’ by Victorian government agencies. It provides a protective data security regime for the Victorian public sector.

Under the PDPA, ‘personal information’ means information or an opinion, recorded in any form and whether true or not, about an individual whose identity can be ascertained from the information or opinion. It doesn’t include information of a kind to which the Health Records Act 2001 applies.

Examples of personal information include a person’s:

  • name
  • address
  • telephone number
  • photograph
  • bank account details
  • fingerprints
  • sex
  • date of birth
  • financial details
  • marital status
  • employment history

Some personal information is classed as ‘sensitive information’ and includes information or an opinion about a person’s:

  • racial or ethnic origin
  • political opinions, membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association or trade union
  • sexual preferences or practices
  • criminal record

Reviewed 17 October 2018