Our Privacy Responsibilities
Background
There are two Victorian acts that impose privacy responsibilities on us:
- Information Privacy Act 2000
- Health Records Act 2001
The first covers personal information and the second covers health information.
Personal information means facts or opinions that are recorded and that identify someone or allow them to be identified.
Health information is information about a person’s physical or mental health, any disability they may have and any treatment they may have received.
These definitions are summaries: the detailed definitions can be found in the Privacy Policy.
The key piece of legislation for the day-to-day work of most of us is the Information Privacy Act 2000 (‘Act’).
The Act has 10 Information Privacy Principles that we are all required to implement when relevant in our day-to-day work. These are summarised at the end of this document.
Essentially, our responsibilities fall under three headings:
- Collection of Personal Information
- Use and Disclosure of Personal Information
- Management of Personal Information
Collection
Whenever we collect personal information we should do so directly, if possible, and we should tell the person:
- Who we are and how to contact us;
- Why we are collecting it (a specific reason);
- That the person can have access to it;
- To whom we usually disclose it;
- Any law that requires us to collect it; and
- The consequences (if any) of not providing it.
The University requires a collection notice covering all of this to be included in any on-line or hard copy form. There is also a longer, detailed statement about the collection of either staff or student information on the Privacy web site.
Use and Disclosure
Personal Information collected can be used and disclosed only:
- For the primary purpose for which it was collected (the specific reason given for collection); or
- For a secondary purpose that is related to the primary purpose and which the person would reasonably expect it to be used for; or
- With the person’s consent.
Management
Whenever we have collected personal information, we must have procedures and policies in place to make sure that the personal information:
- Is accurate and up-to-date;
- Is destroyed if no longer needed;
- Is protected from misuse and unauthorised access;
- Is made available to the person whose personal information it is; and
- Is not transferred out of Victoria unless the organisation to which it is going has privacy law or policy similar to those in Victoria.
Sensitive Information
The Act has a category of personal information called sensitive information. This means information or opinion about an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual preferences or practices; or
- criminal record.
We may not collect sensitive information about an individual unless:
- the individual has consented;
- the collection is required by law; or
- the collection is necessary to prevent or lessen a serious threat to the life or health of any individual.
Health Information
The Health Records Act treats health information in the same way as the sensitive information described above: it may not be collected unless the same criteria apply.
Consent
Getting a person’s consent is one of the easiest ways to make sure that we are complying with the Act. But the consent must be:
- voluntary;
- informed;
- specific; and
- current.