Support Centre



Law: Privacy and Data Protection Act 2014 (No. 60 of 2014) ('the Act'). Please note that the Act applies to public bodies. Private organisations are subject to the federal Privacy Act 1988.

Regulator: The Office of the Victorian Information Commissioner ('OVIC')

Summary: There is no separate, territorial level private sector data protection law in Victoria. However, while the Act principally applies to public bodies, it also contains provisions that may bring contracted service providers under its scope. The OVIC ensures compliance with the Act. The OVIC is relatively active in producing guidance, although such guidance is primarily focused on the public sector. In addition, the Health Records Act 2001 establishes several requirements for the handling of health information. The Office of the Health Services Commissioner ('OHSC') administers the Health Records Act, including receiving and acting on complaints related to the handling of health information. The OHSC has released extensive guidance on its processes and the scope of its powers.


In the aftermath of lengthy lockdowns across Australia, Australia's states and territories, including New South Wales and Victoria, are progressively re-opening for business, with governments counselling that we must 'learn to live with COVID-19'. In that context, many businesses are considering whether they may lawfully collect vaccination data from employees, customers, and other visitors to their premises and how they may use and disclose the data they collect. Angela Flannery and Clare Giugni, from Holding Redlich, provide answers to questions in the context of COVID-19 vaccination data, its collection, disclosure, and storage.