Privacy laws and principles

The purpose of privacy laws is best described by the following principles underpinning privacy and data protection.

Openness and transparency

Individuals should be made aware of the information held about them and why it is held.


Organisations should only collect personal information as is necessary, and should minimise intrusion into privacy.

Purpose limitation

Generally, personal information should be used for the purpose for which it was collected.

Privacy and Data Protection Act 2014 (PDPA)

The Privacy and Data Protection Act 2014 (Vic) was established on 17 September 2014 and repeals the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005. Under the new Act there is a single privacy and data protection framework. The Information Privacy Principles (IPPs) remain identical in the PDPA and the essential obligation of organisations is to still act in accordance with the IPPs.

The PDPA also introduces the Victorian Protective Data Security Framework, which is designed to monitor and ensure the security of all public sector data.The Protective Data Security Standards set out how public sector agencies must deal with and handle public sector data throughout the lifecycle of the information.The Framework and Standards do not apply to universities at this stage.

The PDPA also incorporates Privacy by Design (based on 7 foundational principles) to embed privacy into every aspect of an organisations activities and ensure that there is a culture of understanding privacy and data security.

The PDPA has resulted in the amalgamation of the Office of the Victoria Privacy Commissioner and the Commissioner for Law Enforcement Data Security to create the new Commissioner for Privacy and Data Protection.

Health Records Act 2001 (Victoria)

The Victorian Health Records Act regulates the collection and handling of health information in both the public and private sector due to the likelihood of individuals receiving treatment and care at various stages of their life from both public and private health services.

The Act establishes 11 Health Privacy Principles referred to as HPPs. Unlike the Privacy and Data Protection Act, the principles of this Act apply not only to the rights of living persons, but also to the rights of deceased persons.

The Act appointed the Victorian Health Services Commissioner to perform a range of functions administered under the Act, including conciliation, investigation and resolution of complaints.

Privacy complaints? Contact our Privacy Officer