POLICY TITLE | PRIVACY POLICY |
---|---|
POLICY NUMBER | POL/CORP211 |
DATE ADOPTED | March 2003 |
DATE REVIEWED | October 2020 |
TO BE REVIEWED | October 2023 |
Purpose
Council recognises that, whilst the right to privacy is not absolute, it has an obligation to protect the privacy of its community as far as practicable and to inform its community of the circumstances where personal or health information may be disclosed to third parties.
Scope
This Policy applies to Councillors, council staff and other bodies providing services to Council through third party contracts or agreements. The right to privacy may be reinforced in program specific policies or procedures.
Definitions
Personal Information:
“Information or an opinion…that is recorded in any form and whether true or not, about an individual whose identity…can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies.”
Health Information:
Information or an opinion about
- The physical, mental, psychological health or disability (at any time) of an individual; or
- An individual’s expressed wishes about the future provision of health services to him or her; or
- A health service provided, or to be provided, to an individual – that is also personal information; or
- Other personal information collected to provide, or in providing, a health service, an organ or body part donation or genetic condition.
Sensitive Information:
“Sensitive Information means information or an opinion about an individual’s racial or ethnic origin; political opinions; membership of professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record that is also personal information.”
Public Registers:
Public Registers are documents which Councils are required to make publicly available pursuant to State Government legislation.
Policy
Council will comply with the Information and Health Privacy Principles as detailed in Schedule 1 of both the Privacy and Data Protection Act and Health Records Act in the collection, use and disclosure, access and correction, security and other principles as outlined below for personal and health information. Detailed Procedures relating to Privacy will be developed and will be complied with as part of the Policy.
- Information Collected
Council will only collect personal and health information that is necessary for its functions and activities. In some instances, Council is required by law to collect this information. Council will only collect sensitive information where you have consented or as permitted under the Act.
If it is reasonable and practicable to do so, Council will collect information about you directly from you. When doing so, it will inform you of the matters set out in the Act, including the purpose(s) for which the information is collected, and will use lawful and fair means. If Council collects information about you from someone else, it will take reasonable steps to make you aware of these matters.
- Use and Disclosure
Council will only use personal information within Council, or disclose it outside Council, for the purpose for which it was collected or for a secondary purpose in accordance with the Act.
- Data quality and security
Council will take reasonable steps to ensure the information it holds is accurate, complete and up-to-date. Council will maintain secure systems for storing personal or health information in accordance with its relevant policies, procedures and the Victorian Protective Data Security Framework (VPDSF). Information will be archived or destroyed in accordance with the standards issued under the Public Records Act 1973.
- Openness
Council shall be open in the way it handles personal and health information by making available clearly stated policies on its management of your information; statements on the type of information collected and held in the performance of its functions and activities; and guidelines on the use and disclosure of your information.
- Access and correction
Council will, subject to appropriate identity verification, update ratepayer or customer contact details upon written request. Complex requests for access or correction to documents or systems containing personal or health information held by Council will be handled in accordance with the provisions of the Freedom of Information Act 1982 and should be addressed to the FOI Officer, c/o Swan Hill Rural City Council, PO Box 488, Swan Hill Vic 3585.
- Unique identifiers
A unique identifier is a number or code that is assigned to someone’s record to assist with identification (similar to a driver’s licence number). Council will not assign, adopt, use, disclose or require the use of unique identifiers for individuals except if it is reasonably required in conducting normal Council business or if required by law.
- Anonymity
Where lawful and practicable, Council will give you the option of not identifying yourself when supplying information or entering into transactions with it. However, remaining anonymous may hinder Council’s ability to process a request for service or other matter, in which case, Council reserves the right to take no action on a matter where further clarification or evidence is necessary.
- Transfer of information outside of Victoria
Council will only transfer personal or health information outside Victoria in accordance with the Act.
- Making information available to another health service provider
Council’s health services will make health information relating to an individual available to another health service provider if requested to do so by the individual. Council reserves its right to charge a fee for this service in accordance with the Health Records Regulations 2012. Council’s services: Community Care; Immunisation Services; and Maternal & Child Health are deemed to be ‘health services’ as defined under the Health Records Act 2001.
- Contracts
Contracts will include appropriate Clauses to ensure Contractors are bound to compliance with the principles within the Privacy and Data Protection Act 2014 and/or Health Records Act 2001 and are subject to any penalties or sanctions for breach of the privacy principles in the same way as Council would be if the breach was committed by Council.
- Privacy impact assessment
A Privacy Impact Assessment will be undertaken where:
- Council is planning for, or is introducing, a new service, function or computer application which would involve the collection, use and/or disclosure of sensitive information;
- Council is proposing to make a public register available on council’s website;
- There is a proposal to introduce location-based technology, whether or not the location-based information is used.
- Complaints and breach notification
Complaints received from individuals and privacy breaches identified internally will be handled in accordance with the Privacy Breach/Complaint Handling Procedure PRO/CORP211A. A breach may involve mandatory notification under the VPDSF.
Alternatively, a complaint may be made directly to the relevant Commissioner about the handling of personal or health information.
The relevant Commissioner may decline the complaint if the complainant has not first contacted Council for resolution.
Office of the Victorian Information Commissioner
PO Box 24274
MELBOURNE VIC 3001
enquiries@ovic.vic.gov.au
www.ovic.vic.gov.au
1300 006 842
Office of the Health Complaints Commissioner
http://hcc.vic.gov.au/make-complaint
1300 582 113
- General
Council’s Privacy Officer should be consulted on the development, review or update of all Policies and Procedures which impact on the personal and/or health information of council staff and volunteers or its citizens and service recipients.
- Review
Council may amend this Policy periodically but no later than every 3 years.
Related Policies / Procedures / Documents
- Privacy & Confidentiality Policy 3.2 (Home & Community Care and Packaged Care)
- POL/PRO219 IT Security
- POL/CORP207 Freedom of Information
- POL/CORP216 Risk Management
- CPOL/GOV024 Protective Data Security Plan Policy
Enabling Legislation
- Privacy and Data Protection Act 2014
- Health Records Act 2001
- Privacy Act 1988 (Cmwlth)
- Charter of Human Rights and Responsibilities Act 2006
- Freedom of Information Act 1982
- Aged Care Act 1997 (Cmwlth) & related Principles & Guidelines
- Public Records Act 1973
Signed: John McLinden (CEO)
Date: 28/10/2020