Service Agreement Information Kit for Funded Organisations

3.17.1 Overview of privacy requirements

The department and the organisations it funds are both subject to a legislative privacy regime that governs the handling of personal and health information when delivering services.

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) and the Health Records Act 2001 (Vic) (HR Act) are in place to protect personal and health information. The Acts outline requirements around the collection and handling of personal and health information, including the way information should be disclosed and managed.

Organisations funded through a Service Agreement are required to submit an annual Service Agreement Compliance Certification (SACC), which includes a question about compliance with information privacy. For more information see section 3.8.1 Reporting and accountability.

The PDP Act covers personal information (excluding health information) which is held by Victorian public sector organisations, and non-government and private sector organisations that are contracted to provide services by the Victorian Government (funded organisations). The HR Act covers health information handled by public, private and community sector organisations.

Clause 17 of the Service Agreement requires funded organisations to comply with both the PDP Act and the HR Act and any applicable code of practice when dealing with personal and health information.

Funded organisations must collect, use and disclose information in accordance with the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs) outlined in the PDP Act and HR Act respectively.

An organisation’s privacy policy and procedures should reflect these requirements. Broadly, in delivering services under a Service Agreement, an organisation must:

  • only collect information if it is needed for the performance of one or more of its functions or activities under the Service Agreement
  • not do anything to breach the HPPs or IPPs
  • ensure that clients know why their information is being collected and how it will be handled (including notifying clients of the matters described under IPP 1.3 or HPP 1.4). Refer to 3.17.3 Collection and disclosure of personal and health information for further information.
  • use and disclose information only for the primary purpose for which it was collected, or a permitted secondary purpose under IPP 2.1 or HPP 2.2 (see below)
  • store information securely and protect it from misuse, loss and unauthorised access, modification or disclosure
  • retain information for the period required by the Victorian Public Records Act 1973
  • provide individuals with access to their information and the ability to correct incorrect information.

An organisation under the Service Agreement also needs to:

  • comply with any direction, guideline, determination or recommendation made by the Commissioner for Privacy and Data Protection or the Health Services Commissioner (clause 17.3(g))
  • make sure that any person (including any subcontractor) who may deal with public sector data, personal information or health information is aware of their obligations in relation to the PDP Act and HR Act (clause 17.3(h))
  • immediately notify the department if it becomes aware of a breach or possible breach by the organisation (or any person acting on behalf of the organisation) of the organisation’s obligations in relation to the PDP Act and the HR Act (clause 17.3(i))
  • in complying with IPP 1.3 and HPP 1.4, ensure that it makes individuals to whom the organisation provides services aware that:
    • the department is an organisation to which it may disclose personal and health information (clause 17.3(k)(i))
    • the organisation may collect and disclose information to the department for specific purposes, including for the purpose of providing its services to the individual and for the department’s auditing and monitoring of the organisation’s recordkeeping
    • unless the personal information is destroyed by the organisation, it will ultimately be disposed of to, or at the direction of, the department or the Keeper of Public Records.

In developing privacy policies and processes, organisations should consider any applicable information sharing and security obligations under other legislation, including but not limited to:

Organisations should refer to the Office for the Commissioner for Privacy and Data Protection’s website and the Office for the Health Services Commissioner’s website for further information on their privacy obligations.

Further information on the IPPs and HPPs is provided in sections: