4. Policy
This policy reflects the privacy principles, both the IPPs and the HPPs..
4.1 Collection
Council will only collect personal and health information that is necessary for specific and legitimate functions and activities of the council. All information will be collected by fair and lawful means and not in an unreasonably intrusive way. Council will only collect sensitive information where consent has been given or as permitted under legislation.
Council will provide details of:
- Why it is collecting personal and health information;
- How that information can be accessed;
- The purpose for which the information is collected;
- With whom the council shares this information;
- Any relevant laws; and
- The consequences for the individual if all or part of the information is not collected.
Under normal circumstances council must collect personal and health information about an individual only from that individual. However, if council collects personal and health information about an individual from someone else, council will take all reasonable steps to ensure that individual is informed of his or her rights relating to the information collected.
This information typically includes but is not limited to the following:
- Name
- Address (postal and email)
- Telephone number (work, home and mobile)
- Date of birth
- Occupation
- Medicare number
- Credit card and bank account numbers
- Motor vehicle registration number.
4.2 Use and disclosure
Council will use personal information for the primary purpose for which it was collected. Examples of this type of use include for levying rates, billing, collection of debts, property valuation, town planning and building approvals, provision of family services, community services, animal management services, and waste management services, enforcement activities and asset management.
Council will only use personal information within council, or disclose it outside council, for a reasonable secondary purpose, if required by law to do so, or in accordance with the Act; for example where the individual has consented or where the individual would reasonably expect this to occur.
For example, the information may be disclosed:
- To council’s contracted service providers who manage the services provided by council, including, garbage collection. Council requires these service providers to comply with the privacy principles when doing so;
- To individuals for the purpose of serving a notice to fence as required by the Fences Act;
- To the Victorian Electoral Commission for compilation of Voters Rolls;
- To Statutory Bodies (e.g. Centrelink, Child Support Agency, Department of Health & Human Services, Department of Education & Training, Transport Accident Commission and WorkCover) for purposes required by relevant legislation.
- To Police, Fire Department or SES for emergency or law enforcement purposes;
- Where appropriate under another Act, including the Freedom of Information Act 1982 (Vic);
- Under the Victorian Government’s Information Sharing reforms dealing with the collection, use and sharing of sensitive information in relation to family violence and child wellbeing and safety;
- In public registers that need to be maintained in accordance with other Acts, as a release of information relevant for the purpose for which the registers exist;
- To an individuals authorised representatives, health service providers or legal advisers;
- To council’s professional advisers, including accountants, auditors, insurers, bankers, valuers, debt collection agents, IT providers and lawyers;
- In building permits and plans to property owners and the Victorian Building Authority; and
- To recipients outside Victoria, only if they are governed by substantially similar privacy legislation or the individual has consented to the transfer or would be likely to give it, if it was practicable to obtain that consent.
- To agencies such as the Victoria Police as part of a background check for employment, including a Working with Children check. Such checks will only be carried out with written authorisation and the results not disclosed to third parties unless authorised by law. As a part of a public submission process a written submission may be included with the published agenda and minutes for a council or committee meeting, and available for inspection and on-line.
In the case of health information in particular, council may disclose health information about someone:
- If council is providing a health service to them and it is necessary to be able to provide that service,
- Where the person is incapable of providing consent and it is not reasonably practicable to obtain the consent of an authorised representative or the person does not have such an authorised person.
Personal information will be disclosed by the council where required to do so by any other legislation. Where there is an inconsistency, all other legislation overrides the PDPA or HRA to the extent of the inconsistency. Other obligations under the PDPA or HRA will remain.
4.3 Quality and security
Prior to the use and disclosure of personal information, reasonable steps will be taken to ensure that the information is relevant, and to the extent necessary, accurate, complete and up-to-date for the purpose for which it is to be used.
Council will endeavour to maintain a secure system for storing personal information and will utilise appropriate technologies, security methods, operational policies and procedures to protect the information from unauthorised access, improper use, alteration, unlawful or accidental destruction and accidental loss.
All personal and health information will be removed from council systems, if it is no longer needed for any purpose, except where it needs to be retained in accordance with the Public Records Act 1973 and any other applicable Act or Regulation.
4.4 Access and correction
Individuals may request access to their personal and health information. Such requests are generally managed under the Freedom of Information Act 1982 (and the Health Records Act 2001 where relevant). Please contact the Privacy Officer in the first instance to discuss your requirements.
Council may charge an access fee for recovering the costs of retrieving the required personal information.
Where council holds personal and health information about an individual and the individual is able to establish that information is incorrect, council will take reasonable steps to correct information as soon as practicable but within 30 days of the request. If, however, council denies access or correction, council will provide reasons.
In the event that council and an individual disagree about the veracity of personal and health information held by council, council will take reasonable steps to record a statement relating to the disputed information if requested by the individual.
4.5 Unique identifiers and anonymity
A unique identifier is a number or code that is assigned to someone’s record to assist with identification (similar to a drivers licence number).
Council will not adopt as its own identifier, an identifier that has been assigned by another government agency.
Council will not use or disclose the identifier assigned to an individual by another government agency, unless the consent of the individual has been obtained or it is permitted by law to do so.
Council will only assign identifiers to records if it is necessary to enable council to carry out a function efficiently.
Whenever it is lawful and practicable, individuals may exercise the option of not identifying themselves when dealing with the council. However, in some cases, what council can do in response may be limited. For example, it may not be possible to investigate an anonymous complaint without further information.
4.6 Transborder data flows
Council will only transfer personal or health information outside of Victoria in accordance with the provisions outlined in the PDPA and HRA.
While council uses cloud computing services based outside Victoria, it has taken all reasonable steps to ensure that the information which it transfers will not be held, used or disclosed by the host of the information inconsistently with the privacy principles. It also ensures the hosts/recipients are subject to laws and/or binding contractual arrangements that provide similar protections to that afforded under the PDPA.
4.7 Sensitive information
Council will not collect sensitive information about an individual except by consent or when required by legislation.
4.8 Health Records Act
If council’s health services were to be transferred or closed, council would take reasonable steps to notify recipients of health services and notify them of the options to transfer their information to the new health service provider or a health service provider nominated by themselves or retain their own health records.
Council will upon consent by an individual, provide a copy of or written summary of their health information to a specified health service provider, on payment of a fee not exceeding the prescribed maximum fee and subject to the regulations.
4.9 Complaints
If an individual feels aggrieved by council's handling of their personal, sensitive or health information, they may make a complaint to the council’s Privacy Officer (Telephone: 02 6022 9300).
The complaint will be investigated as soon as possible (but no later than five business days) and a written response will be provided to the individual.
Alternatively, the individual may make a complaint to the Office of the Victorian Information Commissioner (OVIC) in relation to personal information or to the Health Complaints Commissioner in relation to health information.
OVIC: www.ovic.gov.au
enquiries@ovic.vic.gov.au
1300 006 842
HCC: hcc.vic.gov.au
1300 582 113
Both OVIC and HCC are able to receive complaints about possible privacy breaches and work with the respective parties to conciliate a resolution. Please note that the Commissioners may decline to hear the complaint if the individual has not first made a complaint to the council.