Privacy Policy

Approved: May 2022

Background

Latrobe City Council (Council) believes that the responsible handling of personal information is a key aspect of democratic governance and is strongly committed to ensuring that personal information received by the Council is collected and handled in a responsible manner.

The Council demonstrates its commitment through implementing the Information Privacy Principles (“IPPs”) in the Privacy and Data Protection Act 2014 (Vic) and the Health Privacy Principles (“HPPs”) in the Health Records Act 2001 (Vic) (jointly the “Privacy Principles”).

In fulfilling the objectives of the Privacy Principles, Council is mindful of the need to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal and health information.

Objectives

This policy explains the IPPs and HPPs in relation to Council managing and handling personal and health information within the Council, including collection, use, disclosure, protection, personal access, correction and complaints.

Scope

This policy applies to all employees, Councillors and contractors of the Council, including volunteers and members of Council committees.

This policy applies to all personal information and health information held by the Council, including personal information sourced by the Council from third parties.

The scope of this policy may be limited where Council has obtained a Public Interest Determination, Information Usage Agreement or where there is applicable legislation that requires actions contrary to the policy (and as confirmed and approved by Manager Governance). 

Principles of Management

Council is committed to providing quality, effective and efficient services to our community in a manner which values and respects the individual.  Due to the nature of providing personal services, staff will have access to a range of sensitive personal information and in-depth knowledge about those the services are provided to.

Council recognises that upholding a person’s right to privacy is an integral component to providing a quality service. Individuals should be able to feel satisfied the organisation will protect their privacy and be empowered to raise any queries or concerns they may have about how the organisation deals with their information.

The aim of this policy is to outline the right to privacy of individuals accessing Council services, and the measures that are to be undertaken by staff to uphold this right.

This policy is not intended to prevent legitimate use of personal information or prohibit the collection of such information.

Privacy Principles

The Privacy and Data Protection Act 2014 sets the standards for the way government organisations, statutory bodies and local Councils, collect and handle personal information. This Act consists of 10 Information Privacy Principles. 

The Health Records Act 2001 provides standards for relevant bodies, in relation to health information. It also contains Health Privacy Principles.

These principles regulate the handling of personal information and health information and compliance is required in order to meet the requirements of the Acts. 

What constitutes personal information and health information is set out in the definition sections below.

| Information Privacy Principles | Health Privacy Principles |
| --- | --- |
| 1. Collection | 1. Collection |
| 2. Use and Disclosure | 2. Use and Disclosure |
| 3. Data Quality | 3. Data Quality |
| 4. Data Security | 4. Data Security and Retention |
| 5. Openness | 5. Openness |
| 6. Access and Correction | 6. Access and Correction |
| 7. Unique Identifiers | 7. Unique Identifiers |
| 8. Anonymity | 8. Anonymity |
| 9. Transborder Data flows | 9. Transborder Data flows |
| 10. Sensitive Information | 10. Transfer/Closure of a Health Service Provider |
| | 11. Making information available to another Health Service Provider |

An overview of how the Principles apply to Council is as follows:

PRINCIPLE 1 – Collection of Personal or Health Information

Council will only collect personal or health information that is necessary for its specific and legitimate functions and activities. In some instances, Council is required by law to collect personal or health information.

When Council collects personal or health information it will do so by fair and lawful means and not in an unreasonably intrusive way. Where it is practicable to do so at the time Council collects the personal or health information, Council will provide details of:

  • why it is collecting the information
  • how that information can be accessed by the individual it was collected from
  • the purpose for which the information is collected
  • with whom the Council shares the information
  • any relevant laws; and
  • the consequences for the individual if all or part of the information is not collected.

If it is reasonable and practicable to do so, Council will collect personal or health information about a person directly from that person. If Council collects personal or health information about a person from someone else, it will take reasonable steps, if practicable, to make the person aware that this has occurred. For example, when Council receives unsolicited information such as a complaint, petition or submission, it is not practicable for Council to provide these types of details.

Council may collect personal and/or health information in the following ways:

  • During a conversation with a Council representative at a Service Centre or over the phone
  • From the Council website, social networking sites or sending messages (SMS/MMS)
  • Council’s online payment portal i.e. rates, permits, animal registrations, fines and infringements
  • The completion of online or hard copy applications, enrolment forms, and surveys
  • From other third parties e.g. a referral from a community health service

Council will, from time to time, use this information to contact a person directly on a range of issues in the performance of its functions and the exercise of its powers under various Acts, Regulations and Local Laws, to issue accounts and for other permitted purposes.

All areas of Council that collect personal or health information will, wherever possible, provide notice of the purpose of collecting the personal or health information, whether in writing or verbally, as circumstances allow.

The Act does not specify an age after which an individual can make their own privacy decisions. For consent to be valid, an individual must have capacity to consent, which means they have the maturity to understand what is being proposed. If Council is unable to assess capacity of an individual, as a general rule, Council may assume an individual over the age of 15 has capacity, however regard will always be given to the nature of the information proposed to be collected and the circumstances in which collection is to occur. Where the individual is assessed not to have the capacity to consent, it may be appropriate for a parent or guardian to consent on the person’s behalf.  

There are some specific requirements that Council must meet when it is collecting health information. For example, Council will only collect health information where it has obtained consent, the law requires the collection or another exception applies (for instance for law enforcement functions).

There are also some specific requirements that apply to health information given to the Council when it is providing health services. In some situations, a person giving health information about another individual, for example a family member, may request the Council to keep the information confidential, including that the information not be communicated to the person to whom it relates. In such a situation, the Council will:

  • confirm with the person giving the information that it is to remain confidential;
  • record it only if required to give the health services;
  • take reasonable steps to ensure the health information is accurate and not misleading; and
  • take reasonable steps to record that the information is given in confidence and is to remain confidential.

Where Latrobe City Council’s website contains links to other websites, we cannot be held responsible for these sites’ privacy practices and users are advised to check the privacy statement of a linked website before providing any personal information.

PRINCIPLE 2 – Use and Disclosure of Personal or Health Information

Council will only use personal or health information within Council, or disclose it outside Council, for the purpose for which it was collected or otherwise in accordance with the Privacy and Data Protection Act 2014 or the Health Records Act 2001. For example, Council may use or disclose a person’s personal or health information where that person has consented to the disclosure, for a related secondary purpose (personal information) or directly related secondary purpose (health information and sensitive personal information) where a person would reasonably expect the disclosure to occur, or where the use or disclosure is specifically authorised by law.

Council will take all necessary measures to prevent unauthorised access to or disclosure of an individual’s personal or health information.

Council discloses personal or health information to external organisations, such as Council’s contracted service providers who perform various services for and on behalf of the Council. Council contractors are generally required to agree to be bound by the provisions of the Privacy and Data Protection Act 2014 and the Health Records Act as applicable, just as Council is bound. There are occasional exceptions where the contractor is already bound by the relevant act or other equivalent legislation. Additionally, the Council limits the personal or health information provided to its contractors by only providing them with the information necessary to provide services on behalf of Council.

The law may authorise Council to disclose personal or health information to:

  • Debt collection agencies
  • Government agencies
  • Law enforcement agencies, including the courts and the Victoria Police, in instances where Council is required to respond to a subpoena or provide information to assist a police investigation
  • Other prescribed Information Sharing Entities as per the Information Sharing Scheme under the Child Wellbeing and Safety Act 2005

Some examples of where personal or health information may be disclosed by Council include:

  • Personal information in applications for employment with Council will be supplied to agencies such as the Victoria Police, where required by law (for instance, under the Worker Screening Act 2020) as part of a background check. Such checks will only be carried out with an individual’s written authorisation and the results will not be disclosed to third parties unless authorised by law.
  • Personal information provided by a person as part of a public submission to a Council and Delegated Committee meeting may be included with the published agenda papers and minutes of the meeting. The published agenda papers and minutes are displayed online and available in hardcopy format.
  • Personal information may also be contained in Council’s Public Registers that are required or permitted by law to be made available for inspection in particular circumstances.
  • Personal or health information may be disclosed in certain other circumstances, such as where it is necessary for the Council to establish or defend a legal claim or where there is a serious and imminent threat to an individual’s health, safety or welfare, or a serious threat to public health, public safety or public welfare. Where the information is health information there are additional disclosure requirements.

PRINCIPLE 3 – Data Quality

Council will take reasonable steps to make sure that the personal or health information it collects, uses or discloses is accurate, complete and up-to-date. In addition, where the information is health information, Council will take steps that are reasonable in the circumstances and, having regard to the purpose for which the health information is to be used, to ensure that it is relevant to Council’s functions and activities.

PRINCIPLE 4 – Data Security

Council will take all necessary steps to protect all personal or health information it holds from misuse, loss, unauthorised access, modification or disclosure. This applies regardless of the format in which the information is held.

Council will take reasonable steps to lawfully and responsibly destroy or permanently de-identify personal or health information when it is no longer needed for any purpose, subject to compliance with the Public Records Act 1973, the Privacy and Data Protection Act 2014, the Health Records Act 2001 and any other applicable law.

PRINCIPLE 5 – Openness

Council will make publicly available its policies relating to the management of personal or health information and how individuals can access the information held about them. This will include easy English, accessible versions of information, where practicable. Council will, on request, take reasonable steps to provide individuals with general information on the types of personal or health information it holds about the individual making the request, for what purpose the information is held, and how it collects, holds, uses and discloses that information.

PRINCIPLE 6 – Access and Correction

Where Council holds personal or health information about a person, that person has the right to access the information on request unless certain exceptions set out in IPPs and HPPs apply, such as where providing access may prejudice investigation of unlawful activity. If the person establishes that any information is inaccurate, incomplete, misleading or not up to date, Council will take reasonable steps to correct it.

Where an individual wishes to access their personal information, they can contact the relevant Council department directly or contact Council’s Privacy Officer.

As the Council is subject to the Freedom of Information Act 1982, formal requests for access to, or correction of, personal or health information are managed under that legislation. However, requests can often be managed outside of the FOI Act, whether through administrative processes or through other legislation. Before a person lodges a formal request for access or correction under the FOI Act, it is recommended that they contact Council’s Privacy Officer to discuss what is being sought.

PRINCIPLE 7 – Unique Identifiers

A unique identifier is a number or code that is assigned to someone’s record to assist with identification (similar to a driver’s licence number).

Council will not assign, adopt, use, disclose or require unique identifiers from individuals unless it is necessary to enable the Council to carry out any of its functions more efficiently. Council will only use or disclose unique identifiers assigned to individuals by other organisations if the individual consents to the Council doing so, there are legal requirements for the Council to do so, or the conditions for use and disclosure set out in the Privacy and Data Protection Act 2014 or Health Records Act 2001 are satisfied.

PRINCIPLE 8 – Anonymity

Where it is both lawful and practicable, a person will be given the option of not identifying themselves when supplying information to or entering into transactions with Council.

Anonymity may limit Council’s ability to process a complaint or other matter. Therefore, if an individual chooses not to supply personal or health information that is necessary for the Council to perform its functions, then Council reserves the right to take no further action on that matter.

PRINCIPLE 9 – Transborder Data Flows

Council may transfer personal or health information about a person to an individual or organisation outside Victoria, only where allowed by the relevant Act. Some examples of that are:

  • the person has provided their consent; or
  • if disclosure is authorised by law; or
  • if the recipient of the information is subject to a law, scheme or contract with principles that are substantially similar to the IPPs or HPPs as applicable; or
  • where the information is health information, the specific provisions of the HPPs are met.

By way of example, Council may use cloud computing services based outside Victoria, in which case Council must ensure the cloud computing service provider complies with the Victorian IPPs and HPPs or substantially similar controls when engaging such a service.

PRINCIPLE 10 (IPP) – Sensitive Information

Council will not collect personal information about a person that is sensitive information, except where:

  • the person has provided their consent;
  • collection is authorised or required by law;
  • it is necessary to collect the sensitive information for establishing, exercising or defending a legal claim;  
  • the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual; or
  • the sensitive information is necessary for research on or provision of government funded welfare or educational services and there is no reasonably practicable alternative to collecting the information for that purpose.

PRINCIPLE 10 (HPP) – Transfer/Closure of a Health Service Provider

Where Council discontinues a health service in accordance with HPP 10, it will give notice of the closure to past service users, including whether health information is to be transferred to a new provider or retained by Council.

PRINCIPLE 11 (HPP) – Making information available to another Health Service Provider

Where Council acts as a health service provider, it will make health information relating to an individual available to another health service provider if required to do so by that individual or by law.

Change of Process and Privacy Impact Assessment 

When altering systems or processes that collect, store or transfer personal information, Council staff will have regard to the implications of the change on compliance with this policy, and consult with relevant areas of the organisation, where appropriate (including Privacy Officer, Corporate Information, Information Technology, Customer Focus, and any other affected teams or areas).

Where significant changes or new systems or processes are proposed, a Privacy Impact Assessment (PIA) should be undertaken, using the Office of the Victorian Information Commission (OVIC) template and guide. 

Privacy Complaints  

Where an individual feels aggrieved by Council’s handling of their personal or health information, they may make a complaint to Council by contacting the Privacy Officer or Manager Governance within Council’s Governance team.

Externally, individuals may contact OVIC with privacy related queries or the Health Complaints Commissioner for health information complaints.

Data Breaches

Council recognises that privacy, including information privacy, is a human right and takes every reasonable measure to prevent privacy and data breaches. Some data breaches can have no or minimal impact, while others can have serious consequences, including physical, financial, emotional or reputational damage.    

Some examples of harm to an individual include embarrassment or humiliation, emotional distress, identity theft or fraud, loss of employment or business opportunities, family violence, other physical harm or intimidation, unwanted marketing and spam emails.

A data breach can also have serious consequences for Council, including financial, legal and resource implications, service disruption, reputational damage and loss of public trust.

If a breach does occur, Council will act to contain, assess, notify and review the incident, in line with OVIC guidelines and requirements, as set out below:

  1. Contain the breach immediately to prevent any further compromise of personal information
  2. Assess the risk of harm to affected individuals by investigating the circumstances of the breach
  3. Notify affected individuals if deemed appropriate in the circumstances
  4. Review the breach and the organisation’s response to consider longer-term action to prevent future incidents of a similar nature and improve the organisation’s handling of future breaches.

Assessment and investigation shall be carried out by Governance in consultation with the relevant area/s. Council’s ‘Privacy Breach Response and Investigation’ form or OVIC’s ‘Information Security and Privacy Incident Notification Form’ shall be completed.

Council shall notify OVIC or the Health Complaints Commissioner of the breach where required or otherwise considered appropriate. 

Reporting on privacy breaches and responses shall also be provided to Council’s Executive Team quarterly.

Accountability and Responsibility

Accountability and responsibility for this policy is outlined below.

1.1.    Council

  • Responsibility to ensure this Policy is consistent with Latrobe City Council Strategic Direction and any other Latrobe City Council Policy
  • Responsibility for the decision to approve this Policy by Council Resolution

1.2.    Chief Executive Officer

  • Overall responsibility for compliance with this policy
  • Overall responsibility for enforcing accountability
  • Overall responsibility for providing resources
  • Overall responsibility for performance monitoring

1.3.    General Manager

  • Responsibility for compliance with this policy
  • Responsibility for enforcing accountability
  • Responsibility for providing resources
  • Responsibility for performance monitoring

1.4.    Manager

  • Develop frameworks and procedures in compliance with this policy
  • Enforce responsibilities to achieve compliance with frameworks and procedures
  • Provide appropriate resources for the execution of the frameworks and procedures

1.5.    Governance Department

  • Responsibility to ensure this policy is maintained and reviewed in accordance with the requirements as set
  • Manage and respond to breaches of privacy and notification to OVIC where required
  • Ensure training and support is provided to staff as required
  • Maintain a register of privacy breaches
  • Prepare and provide reporting and monitoring of privacy requirements  

1.6.    Employees, Contractors and Volunteers

  • Participate where required in the development of frameworks and procedures in compliance with this policy.
  • Comply with frameworks and procedures developed to achieve compliance with this policy.

Evaluation and Review

This policy will be reviewed on request of Council, in the event of significant change in the Executive team, significant changes to legislation applicable to the subject matter of the policy or, in any other case, during each Council term (generally four years).

Definitions

Health Information: Includes information or an opinion about the physical, mental or psychological health of an individual, disability of an individual or a health service provided or to be provided to an individual where that information is also personal information. Health information includes other personal information that is collected to provide or in providing a health service.

Examples of health information:

The view of a maternal child health nurse on a database that a mother may have postnatal depression; records held by Council of attendees at immunisation sessions; requests for home support to be provided to a person living in the municipality made by family members outside the municipality.

Health Privacy Principles (HPPs): Set of principles established by the Health Records Act 2001 that regulate how a Council, when it is a health service provider, collects, holds, manages, uses, discloses or transfers health information.

Health Services: Means an activity that is intended or claimed to assess, maintain or improve the individual’s health, to diagnose the individual’s illness, injury or disability or to treat the individual’s illness, injury or disability.

Information Privacy Principles (IPPs): Set of principles established by the Privacy and Data Protection Act 2014 that regulate how organisations such as the Council collect, hold, manage, use, disclose or transfer personal information.

Personal Information: Means information or an opinion about an individual who can be identified from the information, or whose identity can reasonably be ascertained from the information. The information can be recorded in any form and does not need to be true. This includes information the Council has collected in any format including correspondence, in person, over the phone, and via our various web sites, or information or an opinion that forms part of a database. It does not include health information as defined in the Health Records Act 2001. Where an individual has been deceased for more than 30 years, information about that person is no longer considered to be personal information.

Examples of personal information:

  • Names
  • addresses
  • contact details
  • work addresses
  • signatures
  • attendances at meetings
  • opinions (particularly where those opinions would identify the person).
  • personal information on a public register, in complaints records, in records of telephone calls, on building plans, in meeting minutes and various other types of records held by the Council.

Public Registers: Documents that are held by the Council and:

  • Are open to inspection by members of the public;
  • Contain information that a person or body was required or permitted by legislation to give the Council under an Act or regulation; and
  • Contain information that would be personal information if the document was not a generally available publication.

Sensitive Information: Council may also hold sensitive information in order to provide education, welfare and other services. Sensitive information is personal information that is information or an opinion about an individual’s:

  • Race or ethnic origin;
  • Political opinions;
  • Membership of a political association;
  • Religious beliefs or affiliations;
  • Philosophical beliefs;
  • Membership of a professional trade association;
  • Membership of a trade union;
  • Sexual preferences or practice; or
  • Criminal record.

Related Documents

Records Management Operational policy

Reference Resources

Privacy and Data Protection Act 2014

Health Records Act 2001

Freedom of Information Act 1982

Child Wellbeing and Safety Act 2005

Child Wellbeing and Safety Amendment (Child Safe Standards) Act 2015 
