Privacy and Health Records Council Policy
| Privacy and Health Records Council Policy | |
|---|---|
| Approval Date: | 24 September 2019 |
| Approved By: | Council |
| Review Date: | 08 October 2021 |
| Responsible Officer: | Manager Governance |
| Authorising Officer: | Chief Executive Officer |
Introduction
Purpose
To meet the requirements of the Privacy and Data Protection Act 2014 and the Health Records Act 2001 in regard to the management and handling of personal information.
The object of this policy is to ensure that when the City collects an individual's personal information, the City stores it appropriately and that we maintain the individual's privacy to the standard required by the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
Scope
The scope of this policy includes personal information of people both internal and external to the City.
The policy applies to both the City as an organisation, and elected Councillors in their capacity as a person holding office. This means that the policy applies to all employees of the City, as well as individual Councillors representing their constituents.
External contractors that have been engaged to provide a service or function on behalf of the City will have the same obligations as the City under this policy.
Definitions
City - The City of Greater Geelong organisation led by the CEO.
Consent - Consent means express consent or implied consent. Implied consent is consent that can only be inferred by the actions of the person from whom the consent is sought.
Health information - has the same meaning as given in the Health Records Act 2001.
Health service - Health service has the same meaning as given in the Health Records Act 2001.
Health service provider - Health service provider has the same meaning as given in the Health Records Act 2001.
Identifier - Identifier has the same meaning as given in the Privacy and Data Protection Act 2014.
Part 4 - Part 4 refers to a section of the Privacy and Data Protection Act 2014 which provides for the development of a protective data security framework and standard.
Personal information - Personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Public register - Public register has the same meaning as given in the Privacy and Data Protection Act 2014.
Public sector data - Public sector data has the same meaning as given in the Privacy and Data Protection Act 2014.
Public sector data system - Public sector data system has the same meaning as given in the Privacy and Data Protection Act 2014.
Sensitive information - Sensitive information means personal information that is information or an opinion about an individual's:
- racial or ethnic origin or
- political opinions or
- membership of a political association or
- religious beliefs or affiliation or
- philosophical beliefs or
- membership of a professional trade association or
- membership of a trade union or
- sexual preferences or practices or
- criminal record.
Unique identifier - identifier has the same meaning as given in the Privacy and Data Protection Act 2014.
Policy
The City values the privacy of every individual and is committed to handling personal information in accordance with the privacy principles contained in the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
The City is bound by the 10 Information Privacy Principles and 11 Health Privacy Principles (principles) that outline how we manage an individual’s personal and health information in regards to their interactions with the City. Protecting the privacy of individuals by handling their personal information in accordance with the principles is an important aspect of the City’s activities. How the City will comply with each of these privacy principles is explained below.
Information privacy principles and health privacy principles
Principle 1 - Collecting information (IPP1/HPP1)
Collection notice
When collecting personal or health information, the City will take reasonable steps to advise the individual of what information is being sought, for what purpose, whether any law requires the collection of the information and the main consequences, if any, of not providing the information.
This information is set out in a collection statement, which is included on relevant forms, including registration forms and any other document or mechanism used to collect personal or health information.
Information collected
The City will only collect personal information that is necessary for carrying out its functions or activities.
The City will endeavour to ensure that it only collects personal and health information that is necessary and relevant to the statutory functions, duties, powers, and administration of the City and the municipality under the Local Government Act 2020 and other Acts.
If it is reasonable and practicable to do so, personal information will be collected directly from an individual; however, there are situations where the City may need to collect an individual’s information from someone else.
Photographs
Photographs are at times taken on the City’s premises and in public places. The photographs may be used by the City for publicity or for enforcement purposes.
Where practicable, consent will be obtained through a photo release and permission form. When photographs are taken in a public space (for example, during a community event) and obtaining individual consent via the forms is not practicable, the City will use other methods to inform individuals that photographs are being taken and how they will be used. The other methods could include signs or a public announcement.
These methods will inform the individual that the photo may be taken, and the individual has the opportunity to approach and advise City staff or the photographer that they do not want the photos to be used.
Anonymity on the web
Individuals can visit the City’s website anonymously because the site does not collect or record personal information other than information individuals choose to provide by email or internet forms.
Principle 2 - Using and disclosing information (IPP2/HPP2)
Using information
Staff members are required to handle all personal and health information with discretion and to comply with the provisions of the Privacy and Data Protection Act 2014 and Health Records Act 2001.
Disclosing information
We will not use or disclose the individual's personal information other than for the primary purpose for which it was collected, unless one of the following applies:
- For a secondary purpose that you would reasonably expect
- Where we have the individual's consent
- For law enforcement purposes and to protect safety; or
- Where the City is otherwise required or authorised by law to disclose the information
Disclosure
- The City may be required by law (including under the Freedom of Information Act 1982) to make information available to the community. In this case the City will comply with the relevant legislation in doing so. This includes disclosing information to the City’s contracted service providers who perform various services for, and on behalf of, the City.
- Personal information in applications for employment with the City may be supplied to agencies such as Victoria Police, as part of a background check. Such checks will only be carried out with the individual’s written authorisation and the results will not be disclosed to a third party unless authorised by law.
Principle 3 - Keeping information accurate (IPP3/HPP3)
The City takes reasonable steps to ensure the information it holds is accurate, complete, and up-to-date. The City relies on individuals to provide accurate and current information in the first instance, and to inform the City of changes to their details.
Principle 4 - Keeping information secure (IPP4/HPP4)
The City uses a number of procedural, physical, software and hardware safeguards, together with access controls, secure methods of communication, and backup and disaster recovery systems, to protect information from misuse and loss, unauthorised access, modification and disclosure.
Principle 5 - Openness (IPP5/HPP5)
This principle requires organisations to have a Privacy Policy. The policy details the City’s management of personal and health information.
Principle 6 - Accessing and correcting information (IPP6/HPP6)
The City of Greater Geelong is subject to the Freedom of Information Act 1982 (Vic) (FOI Act). Access to the individual's personal affairs information is managed under this legislation.
Under the FOI Act the individual is also entitled to seek correction or amendment of a document containing their personal affairs information, where the individual believes the information is inaccurate, incomplete, out of date or would give a misleading impression.
Requests for amendment must be made in writing and addressed to [email protected]. The request for amendment must:
- Specify an address or email address to which a decision notice can be sent
- Specify matters in which the person making the request believes personal information is incomplete, misleading or inaccurate
- Specify the amendments to be made
There is no application fee for amendments to personal information.
Principle 7 - Unique identifiers (IPP7/HPP7)
A unique identifier is defined in the Privacy and Data Protection Act 2014 as a number assigned by an organisation to an individual uniquely to identify that individual. The City will only assign identifiers to records if it is necessary to enable the City to carry out a function efficiently.
Principle 8 - Anonymity (IPP8/HPP8)
Where practicable and lawful, individuals may choose to remain anonymous when contacting the City, for example when making general inquiries about services. In some cases, if individuals wish to maintain anonymity, the City may not be able to provide services or respond to complaints.
Principle 9 - Transborder Data Flows (IPP9/HPP9)
If the individual's personal information travels outside of Victoria, the protection of the individual's privacy should travel with it.
The City will only transfer the individual's personal information outside of Victoria where:
- the disclosure is authorised by law
- the individual consents
- the recipient receiving the information is subject to a law, binding scheme or contract similar to the principles of the Privacy and Data Protection Act 2014
Principle 10 - Sensitive information (IPP10/HPP10)
The City will not collect sensitive information about the individual except in circumstances outlined in the Privacy and Data Protection Act 2014.
HPP 10
If the practice or business of a health provider is sold or transferred, or if the provider is deceased, steps must be taken to notify individuals who have received health services from the provider. If this was to occur, the City will publish that the practice or business is about to be sold, transferred or closed down, as the case may be.
The City will also publish the manner in which it proposes to deal with the health information held by the practice or business about individuals who have received health services from the provider, including whether the provider proposes to retain the information or make it available for transfer to those individuals or their health service providers. No earlier than 21 days after the City publishes the above information, the City must elect to retain or transfer information to either the health services provider, if any, who takes over the practice or business, or the individual or health service provider nominated by the individual.
Health privacy principle 11 - Making information available to another service provider (HPP11)
If an individual:
- requests a health service provider to make health information relating to the individual held by the provider available to another health service provider; or
- authorises another health service provider to request a health service provider to make health information relating to the individual held by that provider available to the requesting health service provider -
a health service provider to whom the request is made and who holds the information about the individual must, on payment of a fee not exceeding the prescribed maximum fee and subject to the regulations, provide a copy or written summary of that health information to that other health service provider.
The City must comply with the requirements of this Principle as soon as practicable.
How to make a complaint or enquiry concerning privacy
The individual has a right to make a complaint if the individual believes the City has breached privacy or if the individual has any concerns about the way the City has applied the Act.
A privacy complaint can be made using our online form.
Alternatively you can mail your complaint to:
Designated Complaints Officer
City of Greater Geelong
PO Box 104 Geelong 3220
Complaints through Office of the Victorian Information Commissioner
Under the Privacy and Data Protection Act 2014, if the individual is not satisfied with how the City has handled the complaint the individual is entitled to make a complaint to the Office of the Victorian Information Commissioner.
The contact details for the Office are as follows:
Office of the Victorian Information Commissioner
PO Box 24274
MELBOURNE VIC 3001
Email: [email protected]
Additional information is available on the Commissioner’s website.
Implementation of this Policy
Monitoring and reporting
The Governance Unit is responsible for the implementation of this policy.
Reporting to the Audit and Risk Committee will take place annually or when a privacy breach occurs.
Advice and assistance
The Responsible Officer for this policy manages the provision of advice to the organisation regarding this policy.
A person who is uncertain how to comply with this policy should seek advice from this person or from their Manager.
Records
The City must retain records associated with this policy and its implementation for at least the period shown below. Refer to the Retention and Disposal Authority for Records of Common Administrative Functions PROS 07/01 VAR 4.
| Record | Retention/Disposal Responsibility | Retention Period | Location |
|---|---|---|---|
| Records associated with requests made in relation to access to or correction of personal information held | Manager Governance | Temporary Destroy after administrative use has concluded. | Document Management System |
| The records associated with complaints made concerning breaches of the Information Privacy Act 2000 that are not resolved internally and have been referred to the Office of the Victorian Information Commissioner. | Manager Governance | Temporary Destroy 15 years after action concluded. | Document Management System |
| The records associated with complaints made concerning breaches to the Privacy & Data Protection Act 2014 that are resolved internally by an agency. | Manager Governance | Temporary Destroy 7 years after action concluded. | Document Management System |
| Records relating to the physical security arrangements for records management systems. | Manager Digital Information & Technology | Temporary Destroy 5 years after action concluded. | Document Management System |
| Records associated with establishing and assigning security levels and caveats within records management systems. | Manager Digital Information & Technology | Temporary Destroy 5 years after action concluded. | Document Management System |
| Records relating to the use of on-site storage areas | Manager Digital Information & Technology | Temporary Destroy 2 years after action concluded. | Document Management System |
| Records relating to the selection and use of off-site storage areas. | Manager Digital Information & Technology | Temporary Destroy 7 years after administrative use has concluded. | Document Management System |
| Records relating to security arrangements for records storage areas. | Manager Digital Information & Technology | Temporary Destroy 2 years after action concluded. | Document Management System |
| Records relating to the retrieval of records held by PROV and secondary storage providers including both physical and online retrieval. | Manager Digital Information & Technology | Temporary Destroy after administrative use has concluded | Document Management System |
Review
The City should review and, if necessary, amend this policy within four years of the approval date. This policy must also be reviewed any time relevant legislation is amended.
References
- Privacy and Data Protection Act 2014
- Freedom of Information Act 1982
- Health Records Act 2001
- Privacy Act 1988
- Victorian Charter of Human Rights and Responsibilities Act 2006
- Local Government Act 1993
Common Questions
We have a policy in place to protect your privacy.
Please view the "Your privacy" information provided by the Department of Human Services for more information. This information is available in English and many other community languages.