Privacy and Data Protection Policy

Transcription

1 Privacy and Data Protection Policy Policy CP017 Prepared Reviewed Approved Date Council Minute No. Manager Corporate Administration SMT Council 25 February /0032 Trim File: 18/02/01 To be reviewed: February 2019 Document Owner: General Manager Corporate Review Frequency: 3 years 1. The Purpose of this Policy is To ensure Council complies with the provisions of the Privacy and Data Protection Act 2014 in relation to the management, handling and storage of personal information. 2. Policy Statement This policy has been developed in order to: Establish a regime for the responsible collection, storage, handling and disclosure of personal information; Provide individuals with right of access to information about themselves which is held by the organisation; Provide individuals with the right to request correction and amendment of information about themselves held by Council, including information held by contracted service providers. Council will comply with the ten Information Privacy Principles (IPPs) as set out in the Privacy and Data Protection Act The IPPs establish standards for the handling of personal and/or sensitive information including collection, use, disclosure, storage, security, accessibility and disposal. (See below for the IPPs in more detail). Council will provide Information Privacy training to all new staff as part of the Corporate Induction Program, and refresher training where applicable. 3. Principles 3.1 Scope of the Policy This policy applies to all employees, Councillors, members of committees, contractors and sub-contractors of Mildura Rural City Council. This policy covers all personal information held by Council. This includes information collected in any format including correspondence, in person, over the phone, and over the Internet. Privacy and Data Protection Policy Page 1 of 6 CP017

2 Council collects, stores, amends, discloses and destroys personal information by lawful and fair means and not in an unreasonably obtrusive way. The types of personal information collected generally include name, address, age group, gender, contact details (including phone, fax and ) and information collected as a result of a person or persons using or acquiring Mildura Rural City Council products or services eg maternal and child health services, aged and disability services, rates, garbage collection service. The policy covers personal information that has been sourced from third parties and covers the privacy of individuals. 3.2 Information Privacy Principles 1. Collection (Principle 1) Council will only collect personal information that is necessary for specific and legitimate functions of the Council. Information will be collected by fair and lawful means. Council will advise individuals, where possible, of the purposes for which their personal information is being collected and of those third parties to whom the information is usually disclosed. Where it is reasonable and practicable to do so, Council will collect personal information about an individual from that individual. 2. Use and Disclosure of Information (Principle 2) Council will take all necessary measures to prevent unauthorised access to, or disclosure of your personal information. Council will not use or disclose information about an individual other than for the primary purpose for which it was collected unless one of the following applies: It is for a related (secondary) purpose that the individual would reasonably expect; Where Council has the consent of the individual to do so; If the use or disclosure is necessary for research, or the compilation/analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual; If the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual s life, health, safety or welfare; If the use or disclosure is necessary to lessen or prevent a serious threat to public health, public safety or public welfare; If Council has reason to suspect that unlawful activity has been, is being or may be engaged in; The use or disclosure is required or authorized by or under law; The use or disclosure is reasonably necessary for use by or behalf of a law enforcement agency; The Australian Security Intelligence Organisation or the Australia Secret Intelligence Service has requested Council to disclose the information As required or permitted by the Privacy and Data Protection Act 2014 or any other legislation. Privacy and Data Protection Policy Page 2 of 6 CP017

3 3. Data Quality (Principle 3) Council will take reasonable steps to ensure that all personal information collected, used or disclosed is accurate, complete and up to date. 4. Data Security and Retention (Principle 4) Council will take reasonable steps to prevent personal information from misuse and loss and from unauthorised access, modification or disclosure. This applies regardless of the format in which the information is held. Personal information will be managed confidentially and securely and destroyed or archived in accordance with the Victorian Local Government General Disposal Schedule. Council will monitor and implement reasonable and appropriate technical advances or management processes, to provide an up to date ongoing safeguard for personal information. 5. Openness (Principle 5) Council will make publicly available its policies relating to the management of personal information. On request, Council will take reasonable steps to let a person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. 6. Access and Correction (Principle 6) Individuals have a right to request access to any personal or health information held about them, and may request any incorrect information be corrected. If an individual and Council disagree about whether the information is accurate, complete and up to date, the individual can ask Council to associate with the information a statement claiming that the information is not accurate, complete or up to date. Council must provide reasons for denial of access or refusal to correct personal information. Council may decide not to allow access to personal information in accordance with the exemptions contained within the Privacy and Data Protection Act 2014 at Schedule 1 Item 6. Council will process requests for access to personal information as soon as practicable, but no later than 45 days after receiving the request. Privacy and Data Protection Policy Page 3 of 6 CP017

4 7. Unique Identifiers (Principle 7) Council will not assign, adopt, use, disclose or require unique identifiers from individuals except in the course of conducting normal business or if allowed or required by law. Council will not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorized by law or the provision is in connection with the purpose for which the unique identifier was assigned. 8. Anonymity (Principle 8) Council will, where it is lawful and practicable, give individuals the option of not identifying themselves when entering into transactions with Council. Council will ensure that individuals are aware of all, if any, limitations to services if the information required is not provided. This may include Council taking no action on a matter if you choose not to supply relevant personal information. 9. Transborder Data Flows (Principle 9) Council may transfer personal information about you to an individual or organisation outside Victoria only in the following instances: You have provided your consent; If the disclosure is authorised by law; If the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual s request; The organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles; If the recipient of the information is subject to law binding scheme or contract with similar principles as the Privacy and Data Protection Act Or, if all of the following circumstances apply: 1. The transfer is for the benefit of the individual; and 2. It is impracticable to obtain the consent of the individual to that transfer; and 3. If it were practicable to obtain that consent, the individual would be likely to give it. 10. Sensitive Information (Principle 10) Council will not collect sensitive information about you except in circumstances prescribed in the Privacy and Data Protection Act 2014 or in circumstances where the information is both directly pertinent and necessary to one of its functions. Privacy and Data Protection Policy Page 4 of 6 CP017

5 3.3 Privacy Collection Statement A general statement outlining Council s position on the handling of personal information will be used at all points of collection and all outgoing correspondence that may request personal. Forms collecting information that will be used for a specific purpose will include the privacy collection statement on the form detailing the purpose of collection. 3.3 Complaints If a person is aggrieved by Council s handling of personal information, they may make a complaint, in the first instance, to Council s Privacy Officer. The complaint will be investigated as soon as possible (but no later than 30 business days) and a full response provided. If a person is not satisfied with that response they can seek an internal review by the Chief Executive Officer. Alternatively a person can make a complaint directly to the Commissioner for Privacy and Data Protection (although the Commissioner may decline to hear the complaint if a complaint has not been made to Council in the first instance); or following the internal process. 4. Who is responsible for implementing this policy? General Manager Corporate. 5. Definitions Personal Information Information Privacy Principles (IPPs) Sensitive Information Information or an opinion (including information or an opinion forming part of a database), whether true or not about an individual whose identity is apparent, or can be reasonably ascertained, but does not include information of a kind to which the Health Records Act 2001 applies. from the information or opinion, but does not include information about an individual who had been dead for more than 30 years. A set of principles that regulate the handling of personal information as set out in the Privacy and Data Protection Act Information or an opinion about an individuals: race or ethnic origin; or political opinion; or membership of a political association; or religious beliefs or affiliations; or philosophical beliefs; or membership of a professional or trade association; or membership of a trade union; or sexual preferences or practice; or criminal record. Privacy and Data Protection Policy Page 5 of 6 CP017

6 Privacy Officer That is also personal information Manager Corporate Administration Governance Coordinator 6. Legislation and other references 6.1 Legislation If the Information Privacy Act conflicts with another Act, the other Act overrides the Information Privacy Act in so far as the inconsistency. For further information related to this policy see: Privacy and Data Protection Act 2014; Freedom of Information Act 1982; Health Records Act 2001; Victorian Charter of Human Rights and Responsibilities Act 2006; Public Records Act 1973; and Local Government Act Documents This Policy is implemented in conjunction with the following documents: Local Government Privacy Guide 6.3 Risk Assessment Reference Risk Category Risk Category Asset Management Financial Sustainability Committees Human Resource Management Compliance Legal & Regulatory Leadership & Organisational Culture Contract Management Occupational Health & Safety Contract Tendering & Procurement Organisational Risk Management Corporate Governance Project Management Environmental Sustainability Public Image and Reputation Privacy and Data Protection Policy Page 6 of 6 CP017