Privacy policy

Purpose

The Privacy and Data Protection Act 2014 is intended to strengthen the protection of personal information and other data held by the Victorian public sector. The Act provides a single privacy and data protection framework with clear privacy standards applying to all government departments and most public agencies.

About this policy

This Privacy Policy has been prepared by Infrastructure Victoria (IV) to describe how staff are required to collect, use and store personal and sensitive information in a manner consistent with the Information Privacy Principles (IPPs) in the PDP Act.

IV’s Privacy Policy operates in conjunction with its Information Security Policy and the Victorian Public Service (VPS) Code of Conduct.

In addition to the PDP Act, the following legislation also regulates public servants’ use of information:

  • Public Records Act 1973
  • Freedom of Information Act 1982
  • Public Administration Act 2004
  • Health Records Act 2001
  • Infrastructure Victoria Act 2015.

Definitions

De-identify means the removal from a record of any information by which an individual may be identified.

Health Information means personal information or an opinion about:

  • the physical, mental or psychological health (at any time) of an individual;
  • a disability (at any time) of an individual;
  • an individual’s expressed wishes about the future provision of health services to him or her; or
  • a health service provided, or to be provided, to an individual.

Information Privacy Principles or IPPs means the ten principles set out in the PDP Act. 

Personal Information means information or an opinion (including information or an opinion forming part of a database) that is recorded in any form, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (excluding health information). 

Policy means this Privacy Policy. 

PDP Act means the Privacy and Data Protection Act 2014.

Privacy Statement means a document which explains (for the benefit of individuals whose information is collected) how IV collects and handles personal information. 

Sensitive Information is a subset of personal information which means information relating to racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, or criminal record.

(Examples of personal and/or sensitive information include postal, residential or email addresses, banking details, information on forms or job applications that identifies ethnicity, telephone numbers and dates of birth)

Unique Identifier means a unique combination of letters and/or numbers, such as a tax file number, driver’s licence number or Medicare number, that is allotted to an individual.

Victorian Information Commissioner is the person appointed under the PDP Act whose functions include promoting an understanding and acceptance of the IPPs, receiving complaints and advising government on legislation and policies relating to information privacy as well as data protection.

A guide to the Information Privacy Principles

The following is a summary of the Information Privacy Principles (IPPs). These must be complied with whenever personal information is being handled. For the full version contained in the PDP Act, please visit the Victorian Law Today Library at www.legislation.vic.gov.au

IPP 1, Collection: Collect only what you need. Tell people you are doing it. Do it lawfully and fairly and don’t intrude unreasonably.

IPP 2, Use and disclosure: Use and disclose people’s personal information only for the purpose you collected it, or a related purpose they would reasonably expect. Some important interests, such as protecting health and safety or a legal requirement, can justify use and disclosure without consent. Otherwise, seek consent.

IPP 3, Data quality: Keep personal information accurate, complete and up to date.

IPP 4, Data security: Keep personal information secure.

IPP 5, Openness: Be open about what you do with people’s personal information.

IPP 6, Access and correction: In general, let people see their information and correct it if necessary.

IPP 7, Unique identifiers: Minimise creating and sharing ID numbers that can be used to match your information about people with information about them from other sources.

IPP 8, Anonymity: People must be given the option of dealing with organisations anonymously, where this is lawful and practicable.

IPP 9, Transborder data flows: The transfer of personal information to someone who is outside Victoria can only occur in specific circumstances, or when the privacy protection travels with it.

IPP 10, Sensitive information: Sensitive information about people has special protection under law. Don’t collect it without checking the rules first.

The Health Records Act 2001 also establishes standards called Health Privacy Principles (HPPs) for the collection, handling and disposal of health information in the public and private sectors which are similar to the IPPs. For further details, visit the Health Services Commissioner’s website: www.health.vic.gov.au/hsc/.

Types of personal information collected 

The types of personal information collected and held by IV fall into two main categories:

  • Human Resources (HR) related 
    • Any personal information relating to the provision of HR services for IV staff, and contained in documents such as staff files, CVs, job applications, emergency contact lists, performance appraisals etc.
    • The responsibility for collecting and holding HR related personal information lies with HR Shared Services and the Director Corporate & People and Culture, Infrastructure Victoria.
  • Non-HR related 
    • Any personal information relating to individuals such as tenderers, contractors, purchasers of government property, authors of letters, Board appointees, and information collected in the course of undertaking stakeholder activities.
    • Any personal information contained in documents such as the gifts and benefits register, conflict of interest declaration forms, etc.
    • Any personal information related to travel, OHS, gym memberships, etc.
    • The responsibility for collecting and holding non-HR related personal information lies with the relevant IV staff member.

Managing personal information

  • IV staff who are authorised to access and use personal information that is collected and held by HR Shared Services or Director Corporate & People and Culture must ensure this information is managed as follows: 
    • staff must not retain local copies of personal information that is available from HR Shared Services
    • where local copies of personal information have been created for specific activities, such as the staff selection process, performance appraisals etc., these copies must be destroyed, returned to HR Shared Services once the specific activity has been finalised, or securely stored in IV’s EDRMS (Electronic Document and Records Management System) with the appropriate security controls.
    • staff must ensure that all documents containing personal information are securely stored when not in use or when left unattended.
  • IV staff who are responsible for the collection, use and storage of non-HR related personal information must comply with the following requirements.
    • Staff must ensure that each item of personal information they collect is actually needed for the purpose they are collecting it.
    • Staff must ensure that all individuals who provide their personal information are made aware of the following:
      • the purpose for collecting the information
      • the identity and contact details of IV
      • the fact that they can have access to their information
      • to whom the information is usually disclosed
      • any law that requires the information to be collected
      • the main consequences of not providing the information.
    • The IV Privacy Statement explains how IV collects and handles personal information and covers the information outlined above. It must be provided in the circumstances described in the following item, and whenever anyone asks for a statement of IV’s personal information management policies. The privacy statement will be linked here shortly. In the meantime please see IV’s corporate team.
    • The information outlined above needs to be included in relevant documents as follows:
      • information collected by form:
        • include this information on the form; 
      • information volunteered in writing (e.g. letter of complaint):
        • include this information in the acknowledgement letter; 
      • information collected at interview:
        • provide a copy of the Privacy Statement prior to proceeding with the interview;
      • information collected over the phone:
        • provide a verbal statement and/or follow up by sending a copy of the Privacy Statement to the person. 
  • Staff must not use or disclose personal information for purposes other than the primary purpose of collection or a related secondary purpose that the person would reasonably expect their personal information to be used for, or where use or disclosure is required by law.
  • Where personal information is used or disclosed as required by law, a written record should be made of this use or disclosure.
  • Staff must ensure that personal information they handle is accurate, complete and up to date before using it. This requirement of the PDP Act aims to prevent the adverse consequences for people that might result from an organisation collecting, using or disclosing inaccurate, incomplete or out of date information.

Note: As a general rule, if the personal information is used shortly after it is collected from the individual, it is unlikely to need checking. If, however, it was collected from the individual some time ago, or from another person, there may be a greater need to confirm that the information is accurate, complete and up to date. A judgement will need to be made by the user of the information, taking into account the type of personal information involved.

  • Staff must ensure that personal information is stored securely when not in use. This means that there must be appropriate access controls on computer files and that all hard copy information is securely stored when not in use or when left unattended.
  • Staff must ensure that personal information is not held in their possession once the information is no longer needed. Official files containing personal information must be returned to Document Management as soon as the activity requiring the personal information has been completed. If personal information is not contained on an official file, and therefore not required to be retained for any legal purpose, such as the Public Records Act 1973, the information must be destroyed or permanently de-identified once it is no longer needed.
  • Staff must not assign unique identifiers (such as tax file numbers, Medicare numbers etc.) to individuals unless this is necessary to carry out IV functions.
  • Staff must allow individuals the option of not identifying themselves wherever this is lawful and practicable: if an individual can legally and practically interact with IV anonymously, they must be allowed to do so.
  • Staff must not transfer personal information outside Victoria except in the following circumstances:
    • the recipient is subject to similar privacy standards to Victoria’s IPPs or the individual consents;
    • the transfer is necessary for the performance of a contract between the individual and IV, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
    • the transfer is necessary for the performance of a contract which is in the interests of the individual; or
    • the transfer is for the benefit of the individual and it is both impracticable to obtain the individual’s consent and, if it were practicable to obtain consent, the individual would likely consent; or
    • IV has taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.
  • Staff must not collect sensitive information without the consent of the individual except under prescribed conditions, such as where the individual is physically or legally incapable of giving consent to the collection. 
  • Staff must not include personal information, or records, in any IV datasets released in accordance with the DataVic Access Policy Standards and Guidelines. IV datasets that would otherwise be suitable for release, but for the inclusion of such information, can be released provided that the personal information has been de-identified and/or aggregated.

Access and correction to personal information

  • Individuals are entitled to gain access to their own personal information and to seek correction if it is incorrect.
  • In the majority of cases it is expected that requests for access or correction can be handled informally.
  • Requests should be directed to the staff member who has responsibility for storing the personal information.
  • Staff receiving requests for access or correction to personal information must obtain satisfactory proof of identity from the individuals asking for the information.
  • In providing an individual with access to their personal information, staff must ensure that the documentation does not reveal another individual’s personal information. If this is not possible, access must be declined, and the person advised to lodge a formal Freedom of Information (FoI) request. If in doubt, contact the IV corporate team.
  • Staff should decline an informal request for access or correction when provision of access or correction to that personal information would breach an existing IV policy, procedure or legislation. In these situations, the individual should be advised to make a formal FoI application.
  • Requests from staff for access or correction to their own personal information should be directed to HR Shared Services. 
  • Past employees requesting personal information should be advised to contact IV’s Corporate team in the first instance. If a more formal process is required, the past employee may lodge a formal Freedom of Information (FoI) request. 

Complaints concerning ‘personal privacy’ breach

  • All complaints regarding a personal privacy breach should be made in writing to: 

Victoria Thaine, Director, Corporate & People and Culture
Infrastructure Victoria
e: victoria.thaine@infrastructurevictoria.com.au

  • If IV fails to deal with the complaint to the individual’s satisfaction, the person can lodge a formal complaint with the Office of the Victorian Information Commissioner.
  • The Commissioner may deal with the complaint informally and/or conciliate the complaint. If this should fail, or the Commissioner considers conciliation an inappropriate method to resolve the complaint or declines to hear the complaint, the matter can be taken to the Victorian Civil and Administrative Tribunal (VCAT). VCAT may hear or dismiss the complaint, order redress, or order compensation.
  • If an organisation breaches one or more of the IPPs, VCAT can make an order requiring the organisation to make an apology, change a procedure, correct or delete personal information, or pay compensation of up to $100,000 for any harm suffered, including humiliation.

Checklist for identifying privacy issues in current work practices 

The following checklist should be used by IV staff to gauge the impact of information privacy requirements when assessing current work practices relating to personal information.

Answer Yes or No to each question:

  1. Is the information that I am requesting related to the activity or function that needs to be done?
  2. Have I disclosed the identity and contact information of IV to the individual?
  3. Have I informed the individual that they can have access to their personal information?
  4. Have I informed the individual of the purpose for collecting, using and storing the personal and/or sensitive information?
  5. Have I informed the individual about who will use or store their personal information and/or sensitive information?
  6. Have I informed the individual of any law that requires them to provide the information?
  7. Have I informed the individual of any consequences if all or part of the information is not provided?
  8. Have I ensured that personal and/or sensitive information already kept is accurate and up to date?
  9. Have I stored the information so that I minimise the risk of misuse, modification, loss or unintended disclosure?

If you have answered ‘no’ to any of the above questions, you will need to review your procedures. 

For assistance with any issues arising from the above checklist, please seek advice from the corporate team.

Frequently asked questions

Why is privacy legislation important?

Privacy and the proper management of personal information is important to people required to provide such information. Personal information can reveal a lot about a person and people increasingly want to exercise a degree of control over the collection, use and disclosure of their personal information.

The PDP Act addresses people’s increasing sensitivity about the privacy of their personal information by enshrining enforceable standards in law and committing the public sector to follow them. The PDP Act has been drafted to complement equivalent Commonwealth legislation that covers Commonwealth Government agencies.

What rights do people have under the PDP Act?

The PDP Act gives individuals legal rights concerning the type and quantity of personal and sensitive information collected about them, and how it is collected, stored and used. It is every VPS employee’s obligation to uphold the privacy of personal and sensitive information that they collect, store and have access to.

Under the PDP Act, people have the right to:

  • access information about them held by organisations, including information held by contracted service providers
  • require an organisation to correct information about them that is held by the organisation, including information held by contracted service providers
  • pursue remedies for any interference with their information privacy.

How will information privacy affect me?

As a member of the VPS, you must ensure that your workplace practices comply with the PDP Act. 

The main areas that you will need to be aware of are:

  • data collection
  • use and disclosure of information
  • contracts with service providers regarding the collection and use of information.

Does the PDP Act apply only to documents?

No, it deals with recorded personal information that can be in many forms, including film, video, still photography, audio and digital forms for storage and display on desktop and laptop computers. Personal information can also be recorded on telephones.

The PDP Act defines personal information as information or opinion, that is recorded in any form about a readily identifiable individual. 

Does the PDP Act apply to email?

Yes. Personal information contained in an email is recorded personal information and must be handled in the same way as any other record.

Does the PDP Act apply to public registers?

Yes. As far as is reasonably practicable, a public sector agency or council must administer a public register consistently with the IPPs.

What is considered a privacy breach under the PDP Act?

A privacy breach is an act or practice that interferes with the privacy of an individual by being contrary to, or inconsistent with, one or more of the IPPs.

Where do I go for further information about the PDP Act?

If you have specific questions about your day-to-day work practices, contact IV’s corporate team.

For more general information about privacy, visit the Office of the Victorian Information Commissioner’s website at https://www.ovic.vic.gov.au/.