Approved: May 2022
Latrobe City Council (Council) believes that the responsible handling of personal information is a key aspect of democratic governance and is strongly committed to ensuring that personal information received by the Council is collected and handled in a responsible manner.
The Council demonstrates its commitment through implementing the Information Privacy Principles (“IPPs”) in the Privacy and Data Protection Act 2014 (Vic) and the Health Privacy Principles (“HPPs”) in the Health Records Act 2001 (Vic) (jointly the “Privacy Principles”).
In fulfilling the objectives of the Privacy Principles, Council is mindful of the need to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal and health information.
This policy explains the IPPs and HPPs in relation to Council managing and handling personal and health information within the Council, including collection, use, disclosure, protection, personal access, correction and complaints.
This policy applies to all employees, Councillors and contractors of the Council, including volunteers and members of Council committees.
This policy applies to all personal information and health information held by the Council, including personal information sourced by the Council from third parties.
The scope of this policy may be limited where Council has obtained a Public Interest Determination, Information Usage Agreement or where there is applicable legislation that requires actions contrary to the policy (and as confirmed and approved by Manager Governance).
Council is committed to providing quality, effective and efficient services to our community in a manner which values and respects the individual. Due to the nature of providing personal services, staff will have access to a range of sensitive personal information and in-depth knowledge about those the services are provided to.
Council recognises that upholding a person’s right to privacy is an integral component to providing a quality service. Individuals should be able to feel satisfied the organisation will protect their privacy and be empowered to raise any queries or concerns they may have about how the organisation deals with their information.
The aim of this policy is to outline the right to privacy of individuals accessing Council services, and the measures that are to be undertaken by staff to uphold this right.
This policy is not intended to prevent legitimate use of personal information or prohibit the collection of such information.
The Privacy and Data Protection Act 2014 sets the standards for the way government organisations, statutory bodies and local Councils collect and handle personal information. This Act consists of 10 Information Privacy Principles.
The Health Records Act 2001 provides standards for relevant bodies, in relation to health information. It also contains Health Privacy Principles.
These principles regulate the handling of personal information and health information and compliance is required in order to meet the requirements of the Acts.
What constitutes personal information and health information is set out in the definition sections below.
| Information Privacy Principles | Health Privacy Principles |
|---|---|
| 2. Use and Disclosure | 2. Use and Disclosure |
| 3. Data Quality | 3. Data Quality |
| 4. Data Security | 4. Data Security and Retention |
| 6. Access and Correction | 6. Access and Correction |
| 7. Unique Identifiers | 7. Unique Identifiers |
| 9. Transborder Data Flows | 9. Transborder Data Flows |
| 10. Sensitive Information | 10. Transfer/Closure of a Health Service Provider |
| | 11. Making information available to another Health Service Provider |
An overview of how the Principles apply to Council is as follows:
PRINCIPLE 1 – Collection of Personal or Health Information
Council will only collect personal or health information that is necessary for its specific and legitimate functions and activities. In some instances, Council is required by law to collect personal or health information.
When Council collects personal or health information it will do so by fair and lawful means and not in an unreasonably intrusive way. Where it is practicable to do so at the time Council collects the personal or health information, Council will provide details of:
the consequences for the individual if all or part of the information is not collected.
If it is reasonable and practicable to do so, Council will collect personal or health information about a person directly from that person. If Council collects personal or health information about a person from someone else, it will take reasonable steps, if practicable, to make the person aware that this has occurred. For example, when Council receives unsolicited information such as a complaint, petition or submission, it is not practicable for Council to provide these types of details.
Council may collect personal and/or health information in the following ways:
Council will, from time to time, use this information to contact a person directly on a range of issues in the performance of its functions and the exercise of its powers under various Acts, Regulations and Local Laws, to issue accounts and for other permitted purposes.
All areas of Council that collect personal or health information will, wherever possible, provide notice of the purpose of collecting the personal or health information, whether in writing or verbally, as circumstances allow.
The Act does not specify an age after which an individual can make their own privacy decisions. For consent to be valid, an individual must have capacity to consent, which means they have the maturity to understand what is being proposed. If Council is unable to assess capacity of an individual, as a general rule, Council may assume an individual over the age of 15 has capacity, however regard will always be given to the nature of the information proposed to be collected and the circumstances in which collection is to occur. Where the individual is assessed not to have the capacity to consent, it may be appropriate for a parent or guardian to consent on the person’s behalf.
There are some specific requirements that Council must meet when it is collecting health information. For example, Council will only collect health information where it has obtained consent, the law requires the collection or another exception applies (for instance for law enforcement functions).
There are also some specific requirements that apply to health information given to the Council when it is providing health services. In some situations, a person giving health information about another individual, for example a family member, may request the Council to keep the information confidential, including that the information not be communicated to the person to whom it relates. In such a situation, the Council will:
Where Latrobe City Council’s website contains links to other websites, we cannot be held responsible for these sites’ privacy practices and users are advised to check the privacy statement of a linked website before providing any personal information.
PRINCIPLE 2 – Use and Disclosure of Personal or Health Information
Council will only use personal or health information within Council, or disclose it outside Council, for the purpose for which it was collected or otherwise in accordance with the Privacy and Data Protection Act 2014 or the Health Records Act 2001. For example, Council may use or disclose a person’s personal or health information where that person has consented to the disclosure, for a related secondary purpose (personal information) or directly related secondary purpose (health information and sensitive personal information) where a person would reasonably expect the disclosure to occur, or where the use or disclosure is specifically authorised by law.
Council will take all necessary measures to prevent unauthorised access to or disclosure of an individual’s personal or health information.
Council discloses personal or health information to external organisations, such as Council’s contracted service providers who perform various services for and on behalf of the Council. Council contractors are generally required to agree to be bound by the provisions of the Privacy and Data Protection Act 2014 and the Health Records Act as applicable, just as Council is bound. There are occasional exceptions where the contractor is already bound by the relevant act or other equivalent legislation. Additionally, the Council limits the personal or health information provided to its contractors by only providing them with the information necessary to provide services on behalf of Council.
The law may authorise Council to disclose personal or health information to:
Some examples of where personal or health information may be disclosed by Council include:
PRINCIPLE 3 – Data Quality
Council will take reasonable steps to make sure that the personal or health information it collects, uses or discloses is accurate, complete and up-to-date. In addition, where the information is health information, Council will take steps that are reasonable in the circumstances and, having regard to the purpose for which the health information is to be used, to ensure that it is relevant to Council’s functions and activities.
PRINCIPLE 4 – Data Security
Council will take all necessary steps to protect all personal or health information it holds from misuse, loss, unauthorised access, modification or disclosure. This applies regardless of the format in which the information is held.
Council will take reasonable steps to lawfully and responsibly destroy or permanently de-identify personal or health information when it is no longer needed for any purpose, subject to compliance with the Public Records Act 1973, the Privacy and Data Protection Act 2014, the Health Records Act 2001 and any other applicable law.
PRINCIPLE 5 – Openness
Council will make publicly available its policies relating to the management of personal or health information and how individuals can access the information held about them. This will include easy English, accessible versions of information, where practicable. Council will, on request, take reasonable steps to provide individuals with general information on the types of personal or health information it holds about the individual making the request, for what purpose the information is held, and how it collects, holds, uses and discloses that information.
PRINCIPLE 6 – Access and Correction
Where Council holds personal or health information about a person, that person has the right to access the information on request unless certain exceptions set out in IPPs and HPPs apply, such as where providing access may prejudice investigation of unlawful activity. If the person establishes that any information is inaccurate, incomplete, misleading or not up to date, Council will take reasonable steps to correct it.
Where an individual wishes to access their personal information, they can contact the relevant Council department directly or contact Council’s Privacy Officer.
As the Council is subject to the Freedom of Information Act 1982, formal requests for access to, or correction of, personal or health information are managed under that legislation. However, requests can often be managed outside of the FOI Act, whether through administrative processes or through other legislation. Before a person lodges a formal request for access or correction under the FOI Act, it is recommended that they contact Council’s Privacy Officer to discuss what is being sought.
PRINCIPLE 7 – Unique Identifiers
A unique identifier is a number or code that is assigned to someone’s record to assist with identification (similar to a driver’s licence number).
Council will not assign, adopt, use, disclose or require unique identifiers from individuals unless it is necessary to enable the Council to carry out any of its functions more efficiently. Council will only use or disclose unique identifiers assigned to individuals by other organisations if the individual consents to the Council doing so, there are legal requirements for the Council to do so, or the conditions for use and disclosure set out in the Privacy and Data Protection Act 2014 or Health Records Act 2001 are satisfied.
PRINCIPLE 8 – Anonymity
Where it is both lawful and practicable, a person will be given the option of not identifying themselves when supplying information to or entering into transactions with Council.
Anonymity may limit Council’s ability to process a complaint or other matter. Therefore, if an individual chooses not to supply personal or health information that is necessary for the Council to perform its functions, then Council reserves the right to take no further action on that matter.
PRINCIPLE 9 – Transborder Data Flows
Council may transfer personal or health information about a person to an individual or organisation outside Victoria, only where allowed by the relevant Act. Some examples of that are:
By way of example, Council may use cloud computing services based outside Victoria, in which case Council must ensure the cloud computing service provider complies with the Victorian IPPs and HPPs or substantially similar controls when engaging such a service.
PRINCIPLE 10 (IPP) – Sensitive Information
Council will not collect personal information about a person that is sensitive information, except where:
PRINCIPLE 10 (HPP) – Transfer/Closure of a Health Service Provider
Where Council discontinues a health service in accordance with HPP 10, it will give notice of the closure to past service users, including whether health information is to be transferred to a new provider or retained by Council.
PRINCIPLE 11 (HPP) – Making information available to another Health Service Provider
Where Council acts as a health service provider, it will make health information relating to an individual available to another health service provider if required to do so by that individual or by law.
Change of Process and Privacy Impact Assessment
When altering systems or processes that collect, store or transfer personal information, Council staff will have regard to the implications of the change on compliance with this policy, and consult with relevant areas of the organisation, where appropriate (including Privacy Officer, Corporate Information, Information Technology, Customer Focus, and any other affected teams or areas).
Where significant changes or new systems or processes are proposed, a Privacy Impact Assessment (PIA) should be undertaken, using the Office of the Victorian Information Commission (OVIC) template and guide.
Where an individual feels aggrieved by Council’s handling of their personal or health information, they may make a complaint to Council by contacting the Privacy Officer or Manager Governance within Council’s Governance team.
Externally, individuals may contact OVIC with privacy related queries or the Health Complaints Commissioner for health information complaints.
Council recognises that privacy, including information privacy, is a human right and takes every reasonable measure to prevent privacy and data breaches. Some data breaches can have no or minimal impact, while others can have serious consequences, including physical, financial, emotional or reputational damage.
Some examples of harm to an individual include embarrassment or humiliation, emotional distress, identity theft or fraud, loss of employment or business opportunities, family violence, other physical harm or intimidation, unwanted marketing and spam emails.
A data breach can also have serious consequences for Council, including financial, legal and resource implications, service disruption, reputational damage and loss of public trust.
If a breach does occur, Council will act to contain, assess, notify and review the incident, in line with OVIC guidelines and requirements, as set out below:
Assessment and investigation shall be carried out by Governance in consultation with the relevant area/s. Council’s ‘Privacy Breach Response and Investigation’ form or OVIC’s ‘Information Security and Privacy Incident Notification Form’ shall be completed.
Council shall notify OVIC or the Health Complaints Commissioner of the breach where required or otherwise considered appropriate.
Reporting on privacy breaches and responses shall also be provided to Council’s Executive Team quarterly.
Accountability and responsibility for this policy is outlined below.
This policy will be reviewed on request of Council, in the event of significant change in the Executive team, significant changes to legislation applicable to the subject matter of the policy or, in any other case, during each Council term (generally four years).
Health Information: Includes information or an opinion about the physical, mental, psychological health of an individual, disability of an individual or a health service provided or to be provided to an individual where that information is also personal information. Health information includes other personal information that is collected to provide or in providing a health service.
Examples of health information:
The view of a maternal child health nurse on a database that a mother may have postnatal depression; records held by Council of attendees at immunisation sessions; requests for home support to be provided to a person living in the municipality made by family members outside the municipality.
Health Privacy Principles (HPPs): Set of principles established by the Health Records Act 2001 that regulate how a Council, when it is a health service provider, collects, holds, manages, uses, discloses or transfers health information.
Health Services: Means an activity that is intended or claimed to assess, maintain or improve the individual’s health, to diagnose the individual’s illness, injury or disability or to treat the individual’s illness, injury or disability.
Information Privacy Principles (IPPs): Set of principles established by the Privacy and Data Protection Act 2014 that regulate how organisations such as the Council collect, hold, manage, use, disclose or transfer personal information.
Personal Information: Means information or an opinion about an individual who can be identified from the information, or whose identity can reasonably be ascertained from the information. The information can be recorded in any form and does not need to be true. This includes information the Council has collected in any format including correspondence, in person, over the phone, and via our various web sites, or information or an opinion that forms part of a database. It does not include health information as defined in the Health Records Act 2001. Where an individual has been deceased for more than 30 years, information about that person is no longer considered to be personal information.
Examples of personal information:
Public Registers: Documents that are held by the Council and:
Contain information that would be personal information if the document was not a generally available publication.
Sensitive Information: Council may also hold sensitive information in order to provide education, welfare and other services. Sensitive information is personal information that is information or an opinion about an individual’s:
Records Management Operational policy
Privacy and Data Protection Act 2014
Health Records Act 2001
Freedom of Information Act 1982
Child Wellbeing and Safety Act 2005
Child Wellbeing and Safety Amendment (Child Safe Standards) Act 2015