Privacy and Health Information Policy
Governance
18 July 2023 | 1.08
19/210857 – Page 1 of 7
Privacy and Health Information Policy
1. Policy aim and objectives
The Privacy and Data Protection Policy aims to provide:
1.1 A framework for the responsible collection, storage, handling and disclosure of personal
and health information;
1.2 Individuals with rights of access to personal and health information about themselves
which is held by Council;
1.3 Individuals with the right to request Council to correct and amend information about
them held by Council; and
1.4 An accessible framework for the resolution of complaints regarding the handling of
personal and health information.
2. Definition of terms being used
Key Terms: Definitions
The Acts: Means the Privacy and Data Protection Act 2014 (‘PDP Act’) and Health Records Act 2001
(‘HR Act’)
Consent: Means express or implied consent
Contracted Service Provider: Is a service provider which is required to comply with the Acts due to
entering into a contract with Council.
Council: Means the Brimbank City Council
Councillor: Means the elected members of Council
Document: Is anything on which or in which information is recorded. It may be in writing or a
video or a photograph. It includes electronic or hard copy formats and may refer to
reports, letters, photographs, emails, documents stored in a physical file, database
or spreadsheet.
Health Information: Means health information as defined in the Health Records Act 2001 and includes
personal information or opinion about:
- An individual’s physical, mental or psychological health
- An individual’s disability
- Preferences about future provision of health services to them
- Health services provided, or to be provided, to an individual
For example, Council holds health information on clients who use aged care services
or maternal and child health services.
Health Privacy Principles (HPPs): The Health Privacy Principles (HPPs) are a set of principles
contained in the Health Records Act 2001 that regulates the handling of health information.
The Health Privacy Principles (HPPs) are as follows:
1. Collection
2. Use and Disclosure
3. Data Quality
4. Data Security & Data Retention
5. Openness
6. Access and Correction
7. Identifiers
8. Anonymity
9. Transborder Data Flows
10. Transfer or Closure of the Practice of a Health Service Provider
11. Making Information Available to Another Health Provider
Information Privacy Principles (IPPs): The Information Privacy Principles (IPPs) are a set of
principles contained in the Privacy and Data Protection Act 2014 that regulates the handling of
personal information.
The Information Privacy Principles (IPPs) are as follows:
1. Collection
2. Use and Disclosure
3. Data Quality
4. Data Security
5. Openness
6. Access and Correction
7. Unique Identifiers
8. Anonymity
9. Transborder Data Flows
10. Sensitive Information
Personal Information: Means personal information as defined in the Privacy and Data Protection
Act 2014 and includes information or an opinion (including information or an opinion forming
part of a database), that is recorded in any form and whether true or not, about an
individual whose identity is apparent, or can reasonably be ascertained, from the
information or opinion (excluding health information).
The types of information collected by Council may include, but are not limited to, the
following:
- Name
- Address and/or email address
- Telephone number/mobile phone number
- Date of birth
- Occupation and annual salary
- Medicare number
- Credit card and bank account numbers
- Details of any Council services used by you.
Council may also request personal information to provide health and other
community services such as aged care, immunisation services, kindergarten
services, maternal and child health and school holiday programs.
In some instances, personal information may be contained on a public register. For
example, register of building permits and food premises.
Primary Purpose: Means the main reason/s the personal information was collected and used by
Council.
Privacy Impact Statement: Is an assessment of any actual or potential effects that a Council
activity or proposal may have on an individual’s privacy and the ways in which any adverse
effects may be mitigated.
Public Registers: Council keeps registers that are open to inspection by members of the public and
contain information required or permitted by legislation.
For example, register of building permits, food premises and planning registers.
Reasonable Secondary Purpose: Must be related to the primary purpose of collection and be
consistent with what an individual would reasonably expect. In the case of sensitive
information, the secondary purpose must be directly related.
Would the individual whose information was collected reasonably expect the use or
disclosure?
For example, Council collects information from ratepayers in relation to property
ownership. The primary purpose of collection relates to levying rates and charges,
however, disclosure of this information to emergency authorities for the secondary
purpose of public safety against bushfire, flood or extreme weather would be a
related and reasonably expected secondary purpose.
Sensitive Information: Sensitive information has the meaning given to it in the Privacy and Data
Protection Act 2014, and includes information or opinion about an individual’s racial or ethnic
origin or heritage, political views, religious beliefs, sexual preferences and
membership of groups or criminal record.
Social media: Is a broad term that refers to the various activities that integrate technology,
social interaction and the construction of words, pictures, video and audio. For example,
blogs, instant messaging, podcasts, forums and postings.
Third Party: In relation to personal information, means an individual or body other than the
organisation holding the information and the individual to whom the information
relates.
3. Policy statement and principles
This Policy applies to Council staff, Councillors, Contracted Service Providers and Volunteers.
3.1 What type of Information does Council collect?
3.1.1 Council collects personal information that is necessary for its statutory and core
functions and activities, including those relating to:
• planning and building;
• rates and valuations;
• waste and environment, including recycling and waste management;
• community health services, including maternal and child health and immunisation;
• regulation of parking and roads;
• recreation and arts programs;
• library services; and
• local business support.
3.1.2 Council may also collect sensitive and health information but will only do so where the
person has given prior consent or as permitted under the Acts.
3.1.3 The types of personal information collected by Council are listed in the preceding table.
3.1.4 When collecting the information, Council will take reasonable steps where practicable
to inform the person what information is being sought, the purposes for which the
information is being collected, whether any law requires the collection, what use it will be
put to, to whom the information may be disclosed, how you can gain access to the
information and the consequences if the information is not provided.
3.1.5 Where reasonable and practicable to do so, Council will collect personal information
directly from the individual. However, Council may also collect information about you from
others, such as Contracted Service Providers, emergency services or health service
providers and from publicly available sources of information or pursuant to other laws which
permit information sharing.
3.1.6 Where lawful and practicable, a person may be anonymous when interacting with
Council.
3.1.7 Council’s website can be visited anonymously as the site does not record or collect
personal information other than information a person may choose to provide by email or
online requests, surveys and payments.
3.2 What does Council do with the information?
3.2.1 Council will only use and disclose personal, sensitive or health information for the primary
purpose for which it was collected or for permitted secondary purposes under the Acts. For
example, Council may use this information for:
• levying rates;
• billing for services provided;
• town planning and building approval processes; and
• the provision of aged services and maternal and child health services.
3.2.2 Sometimes, a person’s consent may be sought to use or provide the information to
another organisation or for another purpose.
3.2.3 Unique identifiers (for example, Medicare number) created by another organisation will
not be used as reference numbers or identifiers within Council. However, Council may use its
own unique identifiers where necessary to enable Council to carry out any of its functions
efficiently.
3.2.4 Council ensures that any transfer of personal, sensitive or health information outside
Victoria is in accordance with the Acts.
3.2.5 Council may also disclose the information to:
- Contracted Service Providers that undertake works or manage services on Council’s behalf,
such as garbage collection and leisure centres;
- Government departments and agencies for statutory purposes;
- Water, gas and electricity utilities for the purposes of ensuring data is accurate;
- The Police, Fire and Emergency Services for emergency, public safety or law enforcement
purposes;
- Integrity agencies, such as the Victorian Inspectorate, the Independent Broad-based
Anti-corruption Commission, and the Victorian Information Commissioner for their statutory
purposes; and
- Council’s legal advisors, insurance claims agents and insurance providers, for the purposes of
complaints or insurance claims investigation and resolution.
3.2.6 Council is also required to maintain a number of public registers, such as election
campaign donation returns under the Local Government Act 2020 and planning permit decisions
under the Planning and Environment Act 1987.
3.2.7 Where information is disclosed to Contracted Service Providers, they may contact
individuals where relevant for the purpose for which they are engaged. Council requires
Contracted Service Providers to comply with the Acts.
3.3 How does Council ensure that information is accurate, up-to-date and secure?
3.3.1 Council will take reasonable steps to ensure the information it holds is accurate, complete
and up-to-date for the purposes for which it is to be used. If your details change, you are
encouraged to contact Council so that its records can be updated.
3.3.2 A number of procedural, physical, software and hardware safeguards are used, together
with access controls, secure methods of communication and back up and disaster recovery
systems, to safely and securely store the information and protect it from misuse and loss,
unauthorised access, modification and disclosure.
3.3.3 Stored information is kept in accordance with the Public Records Act 1971, which
determines when it is appropriate to retain or securely dispose of it.
3.4 How can you access or correct your personal information held by Council?
3.4.1 Where appropriate, an individual may ask for access to their personal or health
information informally with the relevant Council department.
3.4.2 Where this is not appropriate, formal requests for access to documents will be handled in
accordance with the Freedom of Information Act 1982. Enquiries should be addressed to:
Senior Freedom of Information and Privacy Officer
Brimbank City Council, PO Box 70, Sunshine Victoria, VIC, 3020
or via email to info@brimbank.vic.gov.au
4. Responding to a Privacy Complaint
4.1 How does Council handle Privacy Complaints?
4.1.1 If a person is dissatisfied with Council’s handling of their personal, sensitive or health
information, a complaint may be made to Council’s Privacy Officer. Complaints should be made
in writing to:
Senior Freedom of Information and Privacy Officer
Brimbank City Council, PO Box 70, Sunshine Victoria, VIC, 3020
or via email to: privacy@brimbank.vic.gov.au
4.1.2 A complaint will be investigated in a timely, fair and reasonable way. A written response
will be provided. All complaint details will be handled confidentially.
4.1.3 If resolution is not satisfactorily achieved, complaints may be re-submitted to the Office of
the Victorian Information Commissioner (OVIC) (in respect of personal and sensitive
information) or the Health Complaints Commissioner (in respect of health information). Please
note, the Commissioners may decline to hear your complaint if you have not made a complaint
to Council first.
To make a complaint to OVIC email privacy@ovic.vic.gov.au
To make a complaint to Health Complaints Commissioner visit www.hcc.vic.gov.au and
complete the online complaint form.
5. Responding to a Privacy Breach
5.1 How does Council handle a Privacy Breach?
5.1.1 All privacy complaints and breaches will be referred to Council’s Privacy Officer on
9249 4000 or email privacy@brimbank.vic.gov.au.
5.1.2 A privacy breach occurs when personal, sensitive or health information of an individual is
misused, lost or subjected to unauthorised access, modification or disclosure by Council.
5.2 Council's Privacy Breach Procedure
5.2.1 Council’s Privacy Breach Procedure sets out the process to be followed by Council staff if a
privacy breach occurs or if staff suspect that a privacy breach has occurred.
5.2.2 This procedure involves a four-step process in responding to a privacy breach:
Step 1: Contain the breach and make a preliminary assessment;
Step 2: Evaluate the risks for individuals associated with the breach;
Step 3: Consider breach notification to affected individuals and others (not all breaches
warrant notification). Is there a risk of serious harm? Risk assessment to be undertaken on a
case by case basis;
Step 4: Review the incident and take action to prevent future breaches; fully investigate
the cause of the breach and implement prevention strategies and a prevention action plan.
6. Relevant Legislation
- Privacy and Data Protection Act 2014
- Freedom of Information Act 1982
- Health Records Act 2001
- Local Government Act 2020
- Public Records Act 1973
- Victorian Charter of Human Rights and Responsibilities Act 2006
History of amendment
Rev | Review date | Reason for amendment | Next review date
1.08 | 18/7/2023 | Review by Council | 18/7/2025
1.07 | 26/04/2023 | Reviewed by ELT | 18/07/2023
1.06 | 8/11/2016 | Annual Review | 11/11/2017
1.05 | 11/11/2014 | Legislative Update | 11/11/2016
1.04 | 30/6/2013 | Annual Review | 30/6/2014
1.03 | 30/6/2012 | Annual Review/New Format | 30/6/2013
1.02 | 1/5/2009 | Review |
1.01 | 22/5/2007 | Review |
Approved by council: Yes
Date approved by council: 23 May 2006