Approved: 23 May 2016
Latrobe City Council (Council) believes that the responsible handling of personal information is a key aspect of democratic governance and is strongly committed to ensuring that personal information received by the Council is collected and handled in a responsible manner.
The Council demonstrates its commitment through implementing the Information Privacy Principles(“IPPs”) in the Privacy and Data Protection Act 2014 (Vic) and the Health Privacy Principles (“HPPs”) in the Health Records Act 2001 (Vic) (jointly the “Privacy Principles”).
In fulfilling the objectives of the Privacy Principles, Council is mindful of the need to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal and health information.
To meet the IPPs and HPPs in relation to managing and handling personal and health information within the Council.
This policy applies to all employees, Councillors and contractors of the Council.
This policy applies to all personal information and health information held by the Council, including personal information sourced by the Council from third parties.
The scope of this policy may be limited where Council has obtained a Public Interest Determination, Information Usage Agreement or Certification (“three mechanisms”) of an act or practice of Council from the Commissioner for Privacy and Data Protection (“Commissioner”). In those circumstances, the Council’s obligations under the Privacy and Data Protection Act 2014 will change to reflect the Commissioner’s approval of one of the three mechanisms.
Principles of Management
Council is committed to providing quality, effective and efficient services to citizens in a manner which values and respects the individual. Due to the nature of providing personal services to citizens, staff will have access to a range of sensitive personal information and in-depth knowledge about those citizens.
Council recognises that upholding a citizen’s right to privacy and confidentiality is an integral component to providing a quality service. The aim of this policy is to outline the client’s right to confidentiality, and the measures that are to be undertaken by staff to uphold this right.
Citizens have the right to challenge how the organisation deals with their information.
Citizens usually are more willing to provide correct information if satisfied the organisation will protect their privacy.
This policy is not intended to prevent legitimate use of personal information or prohibit the collection of such information.
The Privacy and Data Protection Act 2014 came into effect in 2014 and sets new standards for the way government organisations, statutory bodies and local Councils collect and handle personal information. The Act is to:
(a) balance the public interest in the free flow of information in respecting privacy and protecting information in the public sector;
(b) promote responsible handling of personal information in the public sector and awareness of these practices.
The Privacy and Data Protection Act 2014 consists of 10 Information Privacy Principles. These principles regulate the handling of personal information and compliance is required in order to meet the requirements of the Act. The Principles are as follows:
PRINCIPLE 1 – Collection of Personal or Health Information
Council will only collect personal or health information that is necessary for its specific and legitimate functions and activities. In some instances Council is required by law to collect personal or health information.
The personal information collected by Council typically includes, but is not limited to, the following types of information:
- address (postal and e-mail),
- telephone number (work, home and mobile),
- date of birth,
- credit card and bank account number,
- motor vehicle registration number
When Council collects personal or health information it will do so by fair and lawful means and not in an unreasonably intrusive way. Where it is practicable to do so at the time Council collects the personal or health information, Council will provide details of:
- why it is collecting the information;
- how that information can be accessed by the individual it was collected from;
- the purpose for which the information is collected;
- with whom the Council shares this information;
- any relevant laws; and
- the consequences for the individual if all or part of the information is not collected.
By way of example, when Council receives unsolicited information such as a complaint, petition or submission, it is not practicable for Council to provide these types of details.
If it is reasonable and practicable to do so, Council will collect personal or health information about you directly from you. If Council collects personal or health informational about you from someone else, it will take reasonable steps, if practicable, to make you aware of these matters.
Council will, from time to time, use this information to contact you directly on a range of issues in the performance of its functions and the exercise of its powers under various Acts and Regulations and Local Laws, to also issue accounts and for permitted purposes.
All areas of Council that collect personal or health information will (at the very least) provide notice of the purpose of collecting the personal or health information on the form, similar to the example below. This example is provided only as an illustration and may differ depending upon the content.
Latrobe City Council will only collect personal or health information for municipal purposes as specified in the Local Government Act 1989 or other legislation. Personal and or health information will be used by Council for the purpose for which it was collected or for a directly related purpose. The intended recipients of the information are authorised Council staff, Council contractors and Council consultants. Council may disclose the information to law enforcement agencies, court and other organisations if required by law. Individuals may apply to Council for access to and / or amendment of their information using the
There are some specific requirements that Council must meet when it is collecting health information. For example, Council will only collect health information where it has obtained consent, or the law provides for the collection or another exception applies (for instance for a law enforcement functions).
There are also some specific requirements where health information is given to the Council when it is providing health services. In some situations a person giving health information about another individual, for example a family member, may request the Council to keep the information confidential. In such a situation, the Council will:
- confirm with the person giving the information that it is to remain confidential;
- record it only if required to give health services;
- take reasonable steps to ensure the health information is accurate and not misleading; and
- take reasonable steps to record that the information is given in confidence and is to remain confidential.
PRINCIPLE 2 - Use and Disclosure of Personal or Health Information
Council will only use personal or health information within Council, or disclose it outside Council, for the purpose for which it was collected or in accordance with the Privacy and Data Protection Act 2014 or the Health Records Act 2001. For example, the Council may use or disclose your personal or health information where you have consented to the disclosure, where a person would reasonably expect the disclosure to occur, or where the use or disclosure is specifically authorised by law.
Council will take all necessary measures to prevent unauthorised access to or disclosure of your personal or health information.
Council discloses personal or health information to external organisations such as Council’s contracted service providers who perform various services for and on behalf of the Council. Council contractors agree to be bound by the provisions of the Privacy and Data Protection Act 2014 just as the Council is bound. Additionally, the Council limits the personal or health information provided to its contractors by only providing them with that necessary to provide services to you on behalf of Council.
The law may authorise Council to disclose personal or health information to:
- Debt collection agencies.
- Government agencies.
- law enforcement agencies, including the courts and the Victoria Police, in instances where Council is required to respond to a subpoena or provide information to assist a police investigation.
We have listed some examples of where personal or health information may be disclosed by Council below. Personal information in applications for employment with Council will be supplies to agencies such as the Victoria Police, where required by law (for instance, under the Working with Children Act 2005) as part of a background check. Background checks will only be carried out on applications for selected positions prior to employment with Council. Such checks will only be carried out with your written authorisation and the results will not be disclosed to third parties unless authorised by law.
Personal information provided by you as part of a public submission to a Council or committee meeting may be included with the published agenda papers and minutes of the meeting. The published agenda papers and minutes are displayed online and available in hardcopy format.
Personal information may also be contained in Council’s Public Registers that are required or permitted by law to be made available for inspection in particular circumstances.
Personal or health information may be disclosed in certain circumstances, such as where it is necessary for the Council to establish or defend a legal claim or where there is a serious and imminent threat to an individual’s health safety or welfare, or a serious threat to public health, public safety or public welfare. Where the information is health information there are additional disclosure requirements
PRINCIPLE 3 - Data Quality
Council will take reasonable steps to make sure that the personal or health information it collects uses or discloses is accurate, complete and up-to-date. In addition, where the information is health information, Council will take steps that are reasonable in the circumstances and, having regard to the purpose for which the health information is to be used, to ensure that it is relevant to the Council’s functions and activities.
PRINCIPLE 4 - Data Security
Council will take all necessary steps to protect all personal or health information it holds from misuse, loss, unauthorised access, modification or disclosure. This applies regardless of the format in which the information is held.
Council will take reasonable steps to lawfully and responsibly destroy or permanently de-identify personal or health information when it is no longer needed for any purpose, subject to compliance with the Public Records Act 1973, the Health Records Act 2001 and any other applicable law.
PRINCIPLE 5 - Openness
Council will make publicly available its policies relating to the management of personal or health information. Council will on request, take reasonable steps to provide individuals with general information on the types of personal or health information it holds about the individual making the request, for what purpose the information is held, and how it collects, holds, uses and discloses that information.
Council’s Privacy Officer is positioned with the Corporate Services Department.
PRINCIPLE 6 - Access and Correction
As the Council is subject to the Freedom of Information Act 1982, access or correction of personal or health information about you is managed under that legislation.
PRINCIPLE 7 - .Unique Identifiers
A unique identifier is a number or code that is assigned to someone’s record to assist with identification (similar to a drivers licence number).
Council will not assign, adopt, use, disclose or require unique identifiers from individuals unless it is necessary to enable the Council to carry out any of its functions more efficiently. Council will only use or disclose unique identifiers assigned to individuals by other organisations if the individual consents to the Council doing so, or there are legal requirements for the Council to do so, or the conditions for use and disclosure set out in the Privacy and Data Protection Act 2014 or Health Records Act 2001 are satisfied.
PRINCIPLE 8 - Anonymity
Where it is both lawful and practicable, Council will give you the option of not identifying yourself when supplying information or entering into transactions with it.
Anonymity may limit Council’s ability to process a complaint or other matter. Therefore, if you choose not to supply personal or health information that is necessary for the Council to perform its functions, then Council reserves the right to take no further action on that matter.
PRINCIPLE 9 - Transborder Data Flows
Council may transfer personal or health information about you to an individual or organisation outside Victoria only in the following instances:
- if you have provided your consent; or
- if disclosure is authorised by law; or
- if the recipient of the information is subject to a law, scheme or contract with principles that are substantially similar to the Privacy and Data Protection Act 2014; or
- where the information is health information, the specific provisions of the HPPs are met.
By way of example, Council may use cloud computing services based outside Victoria, in which case Council must ensure comply with the Victorian IPPs and HPPs in engaging with those services.
PRINCIPLE 10 - Sensitive Information
Council will not collect sensitive information about you except where:
- you have provided your consent; or
- the law requires the information to be collected; or
- it is necessary to collect the sensitive information for establishing, exercising or defending a legal claim; or
- in certain prescribed circumstances where:
- the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual; or
- it is impracticable to obtain consent and there is no reasonable alternative to collecting the sensitive information for the purpose of research or government funded targeted welfare and educational services.
Accountability and Responsibility
Accountability and responsibility for this policy is outlined below.
- Responsibility to ensure this Policy is consistent with Latrobe City Council Strategic Direction and any other Latrobe City Council Policy
- Responsibility for the decision to approve this Policy by Council Resolution
1.2. Chief Executive Officer
- Overall responsibility for compliance with this policy
- Overall responsibility for enforcing accountability
- Overall responsibility for providing resources
- Overall responsibility for performance monitoring
1.3. General Manager
- Responsibility for compliance with this policy
- Responsibility for enforcing accountability
- Responsibility for providing resources
- Responsibility for performance monitoring
- Develop frameworks and procedures in compliance with this policy
- Enforce responsibilities to achieve compliance with frameworks and procedures
- Provide appropriate resources for the execution of the frameworks and procedures
1.5. Employees, Contractors and Volunteers
- Participate where required in the development of frameworks and procedures in compliance with this policy.
- Comply with frameworks and procedures developed to achieve compliance with this policy.
Evaluation and Review
This policy will be reviewed on request of Council, in the event of significant change in the Executive team, significant changes to legislation applicable to the subject matter of the policy or, in any other case, during each Council term (generally four years).
Citizen / Client Includes a person receiving a service provided by the Mayor, any Councillor or staff member performing their duty as an employee or contractor of the Latrobe City Council. This definition also includes prospective and past clients.
Confidentiality Respect for personal or sensitive information gained in a professional capacity or relationship with a client who no one outside of the helping or assisting relationship has a right to know.
Personal Information Means information or an opinion about an individual who can be identified from the information, or whose identity can reasonably be ascertained from the information. The information can be recorded in any form and does not need to be true. This includes information the Council has collected in any format including correspondence, in person, over the phone, and via our various web sites, or information or an opinion that forms part of a database. However, where the information is health information, it need not be recorded and, where the individual has been dead for more than 30 years, the information is no longer considered to be personal information. Examples of personal information: Names; addresses; contact details; work addresses; signatures; attendances at meetings; and opinions (particularly where those opinions would identify the person). Personal information on a public register, in complaints records, in records of telephone calls, on building plans, in meeting minutes and many, many other types of records held by the Council.
Sensitive Information Council may also hold sensitive information in order to provide education, welfare and other services. Sensitive information is personal information that is information or an opinion about an individual’s:
- Race or ethnic origin;
- Political opinions;
- Membership of a political association;
- Religious beliefs or affiliations;
- Philosophical beliefs;
- Membership of a professional trade association;
- Membership of a trade union;
- Sexual preferences or practice;
- Criminal record.
Health Information Includes information or an opinion about the physical, mental, psychological health of an individual, disability of an individual or a health service provided or to be provided to an individual where that information is also personal information. Heath information includes other personal information that is collected to provide or in providing a health service. Examples of health information: The view of a maternal child health nurse on a database that a mother may have postnatal depression, records held by Council of attendees at immunisation sessions; requests for home support to be provided to a person living in the municipality made by family members outside the municipality.
Health Services Means an activity that is intended or claimed to assess, maintain or improve the individual’s health, to diagnose the individual’s illness, injury or disability or to treat the individual’s illness, injury or disability
Information Privacy Principles: (IPPs) Set of principles established by the Privacy and Data Protection Act 2014 that regulate how organisations such as the Council collects, holds, manages, uses, discloses or transfers personal information.
Health Privacy Principles (HPPs) Set of principles established by the Health Records Act 2001 that regulate how a Council when it is a health service provider collects, holds, manages, uses, discloses or transfers health information.
Public Registers Documents that are held by the Council and:
- Are open to inspection by members of the public;
- Contain information that a person or body was required or permitted by legislation to give the Council under an Act or regulation; and
- Contain information that would be personal information if the document was not a generally available publication.