In Victoria, if an individual’s privacy is breached, Victorian and Commonwealth privacy laws have to be considered. In this Victorian Privacy Breaches Information Sheet, Stephens Lawyers & Consultants provides information on the Victorian privacy law regime. 

Privacy Breaches in Victoria – Information Sheet

Privacy breaches in Victoria (Vic) involving an individual’s personal and sensitive information can result in psychological and physical damage and financial losses.  An individual affected by a privacy breach may be able to seek compensation and other remedies (including an apology) from the organisation responsible for the breach either under the Victorian privacy laws or the Commonwealth Privacy Act[i]. An individual complainant may also have claims for the information privacy breach based on breach of contract, negligence and/or contravention of the Australian Consumer Law.

A.  Victorian Privacy Laws

The Office of the Victorian Information Commissioner (the ‘Victorian Information Commissioner’)[ii] is the independent statutory authority responsible for overseeing the Privacy and Data Protection Act 2014 (Vic) which deals with privacy in Victoria.

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) protects personal information (including sensitive information[iii]) and applies to :-

  • Victorian public sector organisations including Victorian government departments, Ministers, local councils, statutory offices, government schools, universities, and TAFEs; and
  • other private and not for profit organisations that collect, store and use personal information on behalf of a Victorian public sector organisation – referred to as contracted service providers.

The Victorian Information Commissioner also deals with complaints about alleged breaches by the Victorian public sector of any of the 10 Information Privacy Principles (IPPs)[iv] contained in the PDP Act.  The IPPs set out minimum standards for how the Victorian public sector organisations should handle an individual’s personal information[v]

What type of information is involved?

Under the PDP Act a privacy breach complaint in Victoria must involve an individual’s personal information which can include an individual’s sensitive information[vi].

‘Personal information’ is “information or an opinion (including information or an opinion forming part of a database) that is recorded in any form and whether true or not”[vii] and can include:-

  • a person’s name, postal or email address, phone number, signature, finger print and other personal details,
  • photographs, images or surveillance video or audio footage of individuals, and
  • a person’s financial details.

‘Personal information’ can also include information or an opinion about an individual’s‘sensitive information’ such as a person’s:-

  • racial or ethnic origin; or
  • political opinions; or
  • membership of a political association; or
  • religious beliefs or affiliations; or
  • philosophical beliefs; or
  • membership of a professional or trade association; or
  • membership of a trade union; or
  • sexual preferences or practices; or
  • criminal record.

However, the PDP Act does not apply to privacy complaints involving health information[viii]

B.  Making a Privacy Breach Complaint in Victoria

In Victoria, if an individual believes that there has been a privacy breach by a Victorian public sector agency or organisation which involves the misuse of their personal or sensitive information the individual can:-

a)     Make a complaint directly to that Victorian agency or organisation that is responsible for the privacy breach and seek to resolve the complaint directly with them. The agency or organisation should respond to an individual’s complaint within approximately 30 days after the complaint is made;

b)     Make a complaint to the Office of the Victorian Information Commissioner where the Privacy Commissioner will seek to resolve the complaint by voluntary conciliation between the parties. The Victorian Privacy Commissioner may choose to decline to consider a privacy complaint against a Victorian public sector agency or organisation where the individual has not first complained to and sought to resolve the complaint directly with that agency/organisation[ix] or if the Privacy Commissioner thinks that the agency/organisation responsible for the breach has already dealt adequately with that complaint.

If the Victorian Privacy Commissioner is unable to resolve the complaint by conciliation, an individual can apply to the Privacy Commissioner to have the complaint referred to the Victorian Civil and Administrative Tribunal (the ‘VCAT’) for a hearing of the matter. Any application to the Victorian Privacy Commissioner for a referral of the complaint to VCAT must be made within 60 days of receiving the Privacy Commissioner’s decision on the complaint.

However, the Victorian Privacy Commissioner does not deal with the following alleged privacy breaches, as they do not fall within the scope of the PDP Act:-

  • Privacy breaches involving health information. If an individual’s privacy complaint involves the handling of health information by a Victorian private or public sector organisation, an individual can make a complaint to the Victorian Health Complaints Commissioner[x];
  • Privacy breaches involving the handling of the individual’s personal information by a Commonwealth Government public agency (or by a private organisation) dealt with under the Privacy Act 1988 (Cth)] which is administered by the Office of the Australian Commissioner (OAIC)[xi]. [To Read the Stephens Lawyers & Consultants’ article titled ‘Compensation and Penalties for Privacy Data Breaches under the Privacy Act 1988 (Cth) SEE HERE

C.    Compensation (and other) Orders by VCAT for Privacy Breach in Victoria[xii]

The Victorian Civil and Administrative Tribunal (VCAT) can only deal with matters involving an alleged privacy breach if the breach comes within the scope of a Victorian Act and, in the case of a privacy breach complaint made under the PDP Act, if the complaint has been referred to VCAT by the Victorian Privacy Commissioner.

In such matters, VCAT may make certain compensation orders for loss or damage suffered as a result of the privacy breach including:-

  1. That the individual complainant is entitled to “up to a maximum amount of $100,000 for loss or damage suffered by the complainant, including injury to the complainant’s feelings or humiliation suffered by the complainant, by reason of the act or practice the subject of the complaint”.[xiii]; and
  2. That the individual complainant is also entitled to “a specified amount to reimburse the complainant for expenses reasonably incurred by the complainant in connection with the making of the complaint and the proceedings held in respect of it[xiv]

In addition to awarding compensation VCAT may also order:-

  1. the agency/organisation to provide an apology to the complainant for injury to the complainant’s feelings or humiliation suffered by the complainant as a result of the privacy breach; and
  2. the agency/organisation to perform or carry out any reasonable acts to redress any loss or damage suffered by the complainant, by reason of the act or practice the subject of the complaint. For example, this could be a requirement that the agency/organisation reviews its privacy/information handling policies, practices and procedures to ensure it won’t happen again.

Privacy law can be complex. If a privacy breach complaint cannot be resolved with the agency/organisation responsible for the breach, advice from a privacy law expert should be obtained as to the best options for  the resolution of the privacy breach complaint.


Authored by Rochina Iannella, Lawyer, Stephens Lawyers & Consultants

© Stephens Lawyers & Consultants.  31 January 2022.

This information sheet is not intended to be a substitute for obtaining legal advice. 

For further information contact:

Katarina Klaric
Principal
Stephens Lawyers & Consultants

Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected] 
Website: www.stephens.com.au 

All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007


[i] Privacy Act 1988 (Cth)

[ii] For more information and guidance on the Victorian privacy laws see The Office of the Victorian Information Commissioner website: https://ovic.vic.gov.au/

[iii]sensitive information’ is defined in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic).

[iv] The Information Privacy Principles are set out in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic). See https://ovic.vic.gov.au/privacy/information-privacy-principles-full-text/

[v] For a short summary and guide of the IPPs see The Office of the Victorian Information Commissioner website at https://ovic.vic.gov.au/privacy/information-privacy-principles-short-guide/

[vi] The term ‘sensitive information’ is defined in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic) which lists the Information Privacy Principles

[vii] For the full definition of ‘personal information’ see Sec 3 of the Privacy and Data Protection Act 2014 (Vic)

[viii] See the website of the Victorian Health Complaints Commissioner at https://hcc.vic.gov.au/ for more information

[ix] See Sec 62(1)(c) of the Privacy and Data Protection Act 2014 (Vic)

[x] See the website of the Victorian Health Complaints Commissioner at https://hcc.vic.gov.au/ for more information.

[xi] For more information see the website of the Office of the Australian Information Commissioner (OAIC) – https://www.oaic.gov.au/

[xii] See Sec 77 of the Privacy and Data Protection Act 2014 (Vic) for what VCAT may decide and the orders that VCAT can make .

[xiii] See Secs 77(1)(a) (iii) & (iv) of the Privacy and Data Protection Act 2014 (Vic)

[xiv] See Secs 77(1) (d) of the Privacy and Data Protection Act 2014 (Vic)