The Environment Protection Authority (EPA) is Victoria’s environmental regulator. EPA’s role is to prevent and reduce the harmful effects of pollution and waste on Victorians and their environment.

EPA is committed to:

  • respecting the privacy of the individuals it interacts with
  • protecting the personal and health information that it collects and handles in carrying out its functions under the Environment Protection Act 2017 (EP Act) and related legislation.

EPA is bound to collect and handle personal information and health information in accordance with the Privacy and Data Protection Act 2014 and the Health Records Act 2001 (collectively, Victorian privacy law) unless otherwise required or authorised by law.

The EPA privacy policy explains how EPA complies with the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs) contained in Victorian privacy law and the way information privacy is balanced against EPA’s enforcement activities and functions under the EP Act, including delivering transparent decision making, influencing the behaviours of people whose actions may have an adverse environmental impact, and providing reliable and relevant information to Victorians. 

Review and contact

This policy will be reviewed and updated from time to time to take account of new laws, technology and processes. The review process will be completed by the EPA Privacy Officer. For more information about this policy, or any other privacy queries, contact EPA’s Privacy Officer on

Key definitions

Throughout this policy:

  • health information means personal information or opinion about an individual’s physical, mental or psychological health or disability
  • Health Privacy Principles (HPPs) refers to the set of privacy principles contained in Schedule 1 of the Health Records Act 2001
  • Information Privacy Principles (IPPs) refers to the set of privacy principles contained in Schedule 1 of the Privacy and Data Protection Act 2014
  • personal information means information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion
  • sensitive information means personal information or an opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, membership of a political association, professional or trade association, or trade union
  • Victorian privacy law refers to the Privacy and Data Protection Act 2014 and the Health Records Act 2001.


All EPA staff, contractors and service partners are required to comply with EPA’s privacy policy.

This policy covers the collection and handling of personal information, including sensitive and health information. Most of the information collected by EPA is personal information.

Personal information may be collected and handled by EPA for a range of purposes, including where:

  • individuals choose to subscribe to EPA mailing lists to receive regular bulletins and newsletters
  • community members contact EPA to report pollution (including smoky vehicles, illegal dumping, industry pollution and litter from cars) using the EPA website or via our contact centre
  • EPA authorised officers take statements from individuals in the course of undertaking EPA enforcement activities
  • EPA undertakes surveillance activities to tackle waste crime
  • individuals or organisations make submissions to EPA as part of a consultation process
  • individuals submit applications to EPA as part of its recruitment processes.

Law enforcement functions

The IPPs and the HPPs contained in Victorian privacy law provide minimum standards for EPA’s collection and handling of personal and health information. 

As a regulator, EPA has significant law enforcement functions and powers under legislation, including the EP Act. To exercise its law enforcement functions effectively, the EP Act authorises EPA to collect, use, disclose or handle personal information in ways that may otherwise contravene an IPP or HPP. For example, EPA is not required to let you know when it is undertaking surveillance of high-risk waste sites. 

The privacy principles most relevant to EPA are outlined below. References to ‘personal information’ include sensitive and health information unless otherwise noted.

Collection of personal information

EPA collects personal information if it is necessary for one or more of its functions or activities as set out in: 

  • the EP Act and regulations and other instruments made under it
  • any other relevant laws.

Collection will be undertaken by lawful and fair means. EPA will tell you why your information is being collected and, generally, how the information will be handled.

Sensitive and health information will be collected only with your consent or where a relevant exception applies under the IPPs/HPPs or another law. For example, this may include law enforcement functions under the EP Act. 

Use and disclosure of personal information

EPA uses and discloses personal information for the primary purpose for which it was collected. EPA may use and or disclose information for a permitted secondary purpose, including where:

  • the primary purpose is related to the primary purpose of collection and the individual would reasonably expect EPA to use or the information for the secondary purpose (e.g., quality assurance)
  • the individual consents to the use or disclosure
  • it is necessary for one or more of EPA’s law enforcement functions or activities
  • the disclosure is required or authorised by or under law (including information sharing under the EP Act)
  • there is a serious and imminent threat to an individual’s life, health, safety or welfare or a serious threat to public health, safety or welfare
  • the use of disclosure is necessary for the preparation for, or conduct of, proceedings before any court of tribunal

Consistent with the principles set out in the EP Act, EPA may disclose publicly the names of people who are the subject of infringement notices or breaches of the EP Act, whether such people are involved as owners, directors or officers of businesses responsible for breaching the EP Act or in their capacity as individuals.

Publication of details of the identity and behaviour of individuals involved in environmentally detrimental activity is central to EPA's obligations to enforce the EP Act in a transparent and open manner.

Under the EP Act, EPA seeks to achieve public awareness of matters relevant to enforcement in order to influence the attitude and behaviour of people whose actions may have adverse environmental impacts.

This disclosure is also designed to keep affected communities and the Victorian public aware of the enforcement actions undertaken by EPA.

Any contractors engaged by EPA are bound to comply with EPA’s privacy obligations under contract.

Data quality

EPA requires good quality data to undertake its functions and activities effectively. This includes personal information. EPA takes reasonable steps to ensure personal information is accurate, complete and up to date. Where practicable, EPA collects personal information directly from you rather than third parties.

Data security

EPA has developed, and maintains, systems, policies and processes that protect the security of personal information, including from misuse, loss, unauthorised access, modification or disclosure. EPA is required to comply with the Victorian Protective Data Security Framework and associated standards under the Privacy and Data Protection Act 2014. EPA actively manages any potential information security incidents.


EPA is committed to transparency. EPA publishes the EPA privacy policy on its website and Intranet. This helps to ensure that members of the Victorian community and EPA staff are aware of EPA’s privacy collection and handling obligations and practices.

On request, EPA must take reasonable steps to let you know, generally, what sort of personal information it holds about you, for what purposes, and how it collects, holds, uses and discloses that information.

Access and correction

Individuals have rights to access and correct personal information that EPA holds about them. Where practicable, EPA will provide you with access to the personal information it holds about you. EPA encourages you to keep your contact details up to date.

Most requests to access and/or correct personal information held by EPA are processed in accordance with the Freedom of Information Act 1982 (Vic) (FOI Act). There may be some circumstances where access to information cannot be granted as it may compromise the privacy of another individual or for other reasons set out in the FOI Act.

Futher information is available on our Freedom of information page.


EPA will give you the option of not identifying yourself unless this prevents EPA from undertaking its functions and activities. For example, EPA does not require you to identify yourself when accessing its website.

Transborder data flows

Wherever possible, EPA requires its data – including personal information – to be stored within Australia.

If personal information needs to be transferred beyond Victorian borders, EPA ensures that this is only takes place with your consent or where broadly equivalent privacy protection is provided.


EPA will work to resolve privacy complaints in the first instance. However, if you are not happy with EPA’s response, a formal complaint may be made to the Office of the Victorian Privacy Commissioner (for personal/sensitive information) or the Health Complaints Commissioner (for health information). 

If you have a complaint, contact EPA’s Privacy Officer at Complaints will be managed in accordance with EPA’s privacy complaint process.

Read next

Reviewed 10 December 2021