Before you begin
Digital assets, such as websites or apps, make it easy to collect personal information that must stay private. So, you’ll need to think through what your digital asset collects well before you launch it, and how to protect this information.
This How-to guide’s main objectives are to help make sure you:
- only collect the personal information you actually need — and no more
- know how to check your legal obligations when you collect, store and dispose of individuals’ personal information
- find the best way to publish a legally correct and readable collection notice
The information in this guide is general in nature. It shouldn’t be regarded as legal advice. If you need more specific information, obtain independent legal advice or consult the relevant policy, or do both.
Who should read this and when?
Read this guide when you create a new digital presence (for example, a new website or mobile app), or when you change how an existing one collects information (for example, you plan to add a new form to a website and start collecting personal information for the first time).
You’ll need to comply with the privacy requirements of the Privacy and Data Protection Act (PDPA) if your organisation is a Victorian public sector agency. This includes:
- the Victorian Public Service (including Departments and Administrative Offices)
- public sector agencies
- Victoria Police
For the full list of organisations that must comply, check the Office of the Victorian Information Commissioner (OVIC) website.
The collection notice (often referred to as a privacy statement) is provided to an individual before or at the time your organisation collects personal information from that individual.
For example, you may make a collection notice available on your organisation's website where information is collected online. A collection notice explains to a user how your organisation will handle the personal information you collect about them. As each digital asset usually collects different kinds of personal information, you'll need to craft a separate collection notice for each digital asset.
Your Privacy Adviser or legal team needs to approve it. Before you can do this, there are two important steps to complete first (explained further on).
What does the Victorian Government recommend?
The Office of the Victorian Information Commissioner has formally adopted ‘Privacy by Design’ as a core policy for how the Victorian Public Sector manages information privacy.
This means you should 'build in' privacy as a design feature from the start: as you develop, and when you launch, your digital product. This is explained in more detail in Privacy by Design (PbD): Methodology for privacy management in the Victorian public sector.
Explain how you protect citizens’ personal information
Victorians are increasingly concerned about the security of their digital data. If your collection notice does not explain in simple language how you protect users' privacy, users may avoid your service.
Handle personal information sensitively in accordance with the PDPA
Individuals expect you to handle all the information you collect about them sensitively and in accordance with privacy law. Individuals are entitled to complain if they believe your organisation has mishandled their personal information.
What standards must be met?
The Privacy and Data Protection Act 2014 (PDPA) spells out what you must do when you collect personal information. How you manage privacy and personal information you collect is also affected by:
- the Health Records Act (Vic), which regulates the collection, use, disclosure and storage of individuals' health information
- the Charter of Human Rights and Responsibilities Act (Vic), which states that a person has the right not to have their privacy unlawfully or arbitrarily interfered with
- the Public Records Act (Vic), which affects how long your organisation must hold information, including personal information. The Public Record Office Victoria (PROV) website has information and guidance about these obligations.
Manage public records
The Public Record Office Victoria (PROV) (under Section of the Public Records Act 1973) sets the standards for managing the public records your department or agency creates. Always check with your department's or agency's records or information management specialist first for the approach to compliance. For more information, refer to the How-to guide: How to manage online records, or to the PROV website.
Comply with the Privacy and Data Protection Act 2014. Refer to the How-to guide: How to manage security, and to the security framework and standards on the Office of the Victorian Information Commissioner website.
Open data policy
Under the Department of Treasury and Finance's DataVic Access Policy, your department or agency will make data publicly available unless you need to restrict access for reasons of privacy, public safety, security and law enforcement, or public health.
- Victoria’s Privacy and Data Protection Act (PDPA) spells out what you must do when you collect personal information.
- Publish an approved (and therefore legally valid) privacy collection notice (also known as a 'privacy statement') tailored to each of your digital assets. This is a legal document, so you'll need internal legal advice to craft it.
Getting it (your privacy collection notice) approved
The Privacy and Data Protection Act 2014: a summary
A quick look at Victoria’s privacy and data protection law
The Privacy and Data Protection Act 2014 (the successor to the Information Privacy Act 2000) governs the collection and handling of ‘personal information’ by Victorian government agencies. It provides a protective data security regime for the Victorian public sector.
Under the PDPA, 'personal information' means information or an opinion, recorded in any form and whether true or not, about an individual whose identity can be ascertained from the information or opinion. It does not include information of a kind to which the Health Records Act 2001 applies.
Examples of personal information include a person’s:
- telephone number
- bank account details
- date of birth
- financial details
- marital status
- employment history
Some personal information is classed as ‘sensitive information’ and includes information or an opinion about a person’s:
- racial or ethnic origin
- political opinions or membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association or trade union
- sexual preferences or practices
- criminal record
Related How-to guides
Reviewed 17 October 2018