Privacy policy

On this page:

Policy statement
Scope
DTP's functions
Definitions of personal, health and sensitive information
Collection
Examples of information collected
Use and disclosure
Data release
Information protection
Privacy Impact Assessments
Access to and correction of information
Privacy incidents (breaches/complaints)
Information transferred outside Victoria
Relevant legislation
Responsibilities
Non-compliance with this policy
Summary of changes to latest version

Policy statement

This policy supports the Department of Transport and Planning’s (DTP) need to collect, store and use personal and health information, and the right of the individual to privacy. It ensures that the department can collect personal and health information necessary for its services and functions, whilst recognising the right of individuals to have their information handled in ways they would reasonably expect and in accordance with the law. 
Personal and health information is collected and used by DTP to: 
  • plan, fund, implement, monitor, regulate and evaluate its services and functions
  • fulfil statutory and other legal functions and duties
  • comply with reporting requirements 
  • investigate incidents and/or defend any legal claims against DTP or its employees. 
DTP is subject to the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs) set out in the Privacy and Data Protection Act 2014 and the Health Records Act 2001 as minimum standards when dealing with personal and health information. 

Scope

This policy applies to all personal and health information DTP collects, stores, uses and discloses to perform its business functions and activities. This policy applies to all DTP people (Executives, VPS employees and contractors) and third parties whose personal and/or health information may be held by DTP.

DTP’s functions

On 1 July 2019, VicRoads and Public Transport Victoria (PTV) came together with the Department of Transport (DoT) to create an integrated transport department – in step with other global cities. DoT will plan and operate the transport system in a way that responds to the needs of the people and freight that travel on it - focused on where people and goods need to go, rather than what mode they use.

In doing so, DoT is responsible for a range of transport services, including public transport, road management, vehicle registration and driver licensing.  DoT collects, uses, stores and discloses a range of personal and health information for the purposes of providing services and to carry out its statutory functions.

On 1 January 2023, DoT was renamed the Department of Transport and Planning.

Definitions of personal, health and sensitive information

Personal information

‘Personal information’ is defined in the Privacy and Data Protection Act 2014 as information or an opinion that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.  Examples of personal information are your name, date of birth, address, financial details, marital status, education and employment history.

Sensitive information

Some personal information is called ‘sensitive information’ and is given extra protection under the law. This includes information about your:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual preferences, orientation or practices and
  • criminal record.

In this policy, personal information refers collectively to personal information and sensitive information, unless otherwise specified.

Health information

‘Health information’ is defined in the Health Records Act 2001 to include personal information which is also information or an opinion about:

  • the physical, mental or psychological health (at any time) of an individual
  • a disability (at any time) of an individual
  • an individual's expressed wishes about the future provision of health services to him or her
  • a health service provided, or to be provided, to an individual.

Collection

We will only collect personal information or health information from you if it is necessary for us to provide or carry out our services and functions. 
 
We only collect your personal and health information by lawful and fair means, and by methods that are not unreasonably intrusive. If it is reasonable and practicable to do so, we will only collect personal and health information about you directly from you. 
 
When collecting personal information directly from you, or from someone else about you, We will take reasonable steps to ensure that you are aware of:
  • why the information is being collected (including the purposes for the collection and any relevant laws requiring the collection)
  • who the information may be disclosed to
  • the consequences if you do not disclose the information (if we are collecting information directly from the you)
  • how you may contact us and gain access to the information collected. 
We very rarely collect sensitive information. You may always refuse to provide your sensitive information, without adverse consequence.  
 
If you are a licensed driver, we may collect your health information in relation to medical conditions, where that information is relevant to assessing your fitness to drive.  

Examples of information collected

Information from applications

We may collect your personal details and image in order to process a driver’s licence or vehicle registration application, or a disability parking application (among others).  This personal information is kept in a secure system, and only used in accordance with Part 7B of the Road Safety Act 1986.

Complaints under the Australian Towing Services Act 2007

We may collect your personal details and vehicle registration details for the purpose of investigating complaints under the Australian Towing Services Act 2007.  This personal information is kept in a secure system, and only used in accordance with Part 7B of the Road Safety Act 1986.

Credit card information

We may collect your credit card information to process a payment.  Credit card information collected by us will be held in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements for enhancing payment account data security, including requirements for secure network and systems, cardholder data protection, vulnerability management program, access control measures, network monitoring and testing and information security policies.

Employment and recruitment information

If you are employed by, or apply to be employed by, DTP, we may collect and store information about the recruitment process and your application including reference checks, security clearances and criminal history checks undertaken as part of that process. 

Your employment and recruitment information collected by DTP is used or disclosed for people management purposes, including employee relations, human resources, payroll, learning and development, agency and government directory capability development and workforce planning, emergency management, occupational health and safety and public health, safety and welfare, disputes or litigation, and is retained in accordance with the Public Records Act 1973, the Public Administration Act 2004 and other applicable legislation.

Closed Circuit Television (CCTV)

Many Victorian railway stations and train carriages are equipped with Closed Circuit Television (CCTV) cameras. Some trams and buses also have CCTV.

CCTV cameras capture video footage to support passenger safety, law enforcement and the operation of the network. Footage may also provide data to DTP on patronage to support appropriate provision of services. For example, footage may be used to assess passenger congestion to support social distancing, when required. These uses are authorised under the Transport (Compliance and Miscellaneous) Act 1983, and are managed in accordance with the IPPs. 

Select footage may be disclosed to Victoria Police to aid any investigation. Unless secured for an authorised use, footage is generally deleted 30 days after it is captured.

Access to footage of yourself can be sought from DTP under the Freedom of Information Act 1982, by submitting a Freedom of information (FOI) request through the online portal at online.foi.vic.gov.au.

Sensors are also being tested for use in counting passengers and assessing crowding. Those sensors convert images to a deidentified data entry, with only minimal footage retained.

Correspondence

Your correspondence (including email) or complaints addressed to DTP, Victorian Government ministers or agencies, or queries made through our contact centres regarding matters related to the functions of, or services provided by us, may be referred to the relevant program areas undertaking those functions for advice and response. Such correspondence may include your personal information and may be accessed by our staff, subject to operational needs.

Copies of correspondence and applicable responses may be retained by DTP for certain periods of time, in accordance with the Public Records Act 1973 and other applicable legislation.

Use and disclosure

We use and disclose your personal and health information for:

  • the primary purpose for which it was collected, or
  • a purpose related to that for which it was collected (secondary purpose) where the legislative requirements for using or disclosing for a secondary purpose are met.  

The information collected might be shared within DTP to enable efficient and effective delivery of quality services. 

We may transfer your personal information or health information to another person or organisation in limited circumstances, including that the recipient is subject to a law which upholds similar principles to the IPPs or HPPs, or if the transfer is consented to.

We may also provide your personal information or health information to public transport operators and public transport authorities where an issue, query or complaint is raised by you with us and responding to that issue, query or complaint requires information or response directly to you from that party.

We may also share your information with other entities (usually government entities, transport entities, councils or law enforcement agencies) if authorised to do so by Part 7B of the Road Safety Act 1986, the Privacy and Data Protection Act 2014 and other relevant Acts.  

Driver licence and permit information from every state and territory is being shared with the Commonwealth as part of the Commonwealth’s initiative on Identity Matching Services (IMS).  The Premier committed Victoria to the Identity Matching Services when he signed the Intergovernmental Agreement on Identity Matching Services on 5 October 2017. DTP has legal authority to share this information for this purpose under Part 7B of the Road Safety Act 1986. Data and images from driver licences and permits, along with associated biographic information, may be used to confirm your identity and to identify unknown persons. Only certain agencies will be able to access the face matching services, which employs facial recognition technology for approved purposes and under strict conditions.

Data release

As with all Victorian government agencies, DTP is encouraged to make data available to the public as open data when possible. Generally, datasets containing personal information are not suitable for open data releases. 
 
Occasionally, DTP may seek to anonymise a dataset containing your personal information so that it is suitable for data release.  DoT has processes in place to check that any de-identified data contained in a data release cannot be re-identified.

Information protection

DTP has security measures designed to protect your personal information from misuse, loss, unauthorised access, modification or disclosure. We must take reasonable steps to destroy or permanently de-identify your personal information if it is no longer needed for any purpose, in line with the Public Records Act 1973
 
We comply with the Victorian Protective Data Security Framework, which provides direction to Victorian public sector agencies or bodies on their data security obligations. 
 
We take reasonable steps to ensure that any of your personal information we collect, use and disclose is accurate, complete and up to date. 

Privacy Impact Assessments

In the case of any proposed new use of personal information, we will prepare a Privacy Impact Assessment and where applicable, an assessment under the Charter of Human Rights and Responsibilities 2006, to ensure that the proposed new use is consistent with the privacy rights of people affected. 
 
The Privacy Impact Assessment may recommend that the use not proceed, or that protective measures be put in place before the proposed use proceeds.  

Access to and correction of information

We will take all reasonable steps to ensure that your personal information and health information we collect is accurate, complete and up to date.

You are entitled to contact the DTP Privacy Manager and request access to, and correction of, any of your personal information or health information held by us. We will take all reasonable steps to correct and update any of your personal information or health information that is found to be inaccurate, incomplete or not up to date or provide a written statement if such a request is refused.

You may ask for access to your information or request a correction to your information by contacting the DTP Manager, FOI and Information Privacy, at [email protected]

Privacy incidents (breaches/complaints)

You may make a complaint about a potential privacy incident (breach) by contacting [email protected]

We undertake to resolve privacy complaints and breaches in a timely and fair manner.

You may also make a privacy complaint to the Office of the Victorian Information Commissioner, in relation to the use of your personal information. 

You can complain to the Health Complaints Commissioner about an act or practice that may be an interference with the your privacy.

Information transferred outside Victoria

DTP adheres to the requirements of relevant Victorian legislation when transferring personal information outside Victoria. In particular, your personal information may only be transferred to another jurisdiction if:

  • The purpose of the transfer is allowed under enabling legislation (e.g. under Part 7B of the Road Safety Act 1986 for interstate law enforcement), and
  • The recipient jurisdiction offers equivalent privacy protection to Victoria.

Relevant legislation

Responsibilities

The Accountable Officer for this policy is the Director, Privacy and Information Access, DTP. The Accountable Officer is responsible for: 

  • development of the policy
  • implementing any supporting protocols, processes and guidelines, and 
  • ongoing monitoring of compliance with this policy. 

This policy will be reviewed and updated when required to account for new laws, technology and processes. 

Non-compliance with this policy

Suspected breaches of this policy can be reported to the Director, Privacy and Information Access and will be investigated as required. 

Summary of changes to latest version

Content in this policy was developed through the consolidation of former DTP, PTV and VicRoads privacy policies as part of the transition to an integrated department.

This policy replaces the following policies:

  • Privacy Policy (former DTP)
  • Information Privacy Policy (former PTV).