POLICY AND PROCEDURE
| Policy Name: | Privacy |
| --- | --- |
| Section: | General |
| Approved By: | September 2013 |
| Last Reviewed: | June 2013 |
SECTION 1 – INTRODUCTION
To establish organisational guidelines which must be observed by all employees to protect employee and client privacy and confidentiality.
To outline the minimum standards of conduct for the organisation as a whole in relation to the policy topic. This policy is complementary to the specific standards and codes set out in the organisation’s underpinning Government contracts / agreements.
This policy is guided by the legislation and principles of protecting the privacy of clients, employees and the organisation, and compliance with privacy laws and standards.
This policy and procedure applies to E-focus (“the organisation”) and its subsidiaries and activities.
Information Privacy Act (Vic.) 2000
Privacy Act (Commonwealth) 1988
Health Records Act (Vic.) 2001
Freedom of Information Act (Vic.) 1982
Public Records Act (Vic.) 1973.
National Privacy Principles
Word / Term
Is information or an opinion that identifies an individual or allows their identity to be readily worked out from the information. It includes information such as a person’s name, address, financial information, marital status or billing details.
Is a subset of personal information. It includes information about a person’s racial or ethnic origin, political opinion or membership, religious beliefs or affiliations, sexual preferences, criminal records or health records. A higher level of privacy protection applies to sensitive information.
Means personal information about an individual that includes
(a) Information or opinion about –
i. The physical, mental or psychological health (at any time) of an individual; or
ii. A disability (at any time) of an individual.
Includes information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not (e.g. hard copy, audio tapes, photographs, microfiche and computerised records including electronically derived databases and directories), about a person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
A primary purpose is one for which the individual concerned would expect their information to be used. Using the information for this purpose would be within their reasonable expectations.
A secondary purpose may or may not be apparent to the individual concerned, or within their reasonable expectations. Collecting information may be mandatory (because required by law) or optional. The main distinction is that the service could still be provided even if the secondary purpose were not served.
A statement related to the privacy of personal information which appears on all documents and forms generated by the organisation and used for the collection of information, and that is appropriate to the information being collected. This excludes documents used by the organisation to collect information which are generated by Government departments and used under contractual obligation.
SECTION 2 – POLICY
1. Collection of Information
The organisation will only collect personal information about a person if it is necessary for one or more of its functions or activities. At the time of collection, the organisation will explain to the person the purpose, proposed use, disclosure and rights of access.
Information (personal and sensitive) will only be collected with the consent of the individual. Personal information from a person or legally authorised representative will be required in accordance with contractual and legislative requirements.
2. Use and Disclosure
Personal information is used and disclosed only for the purposes for which it was collected and is protected from misuse. Personal information can be shared if:
§ It is necessary for the purpose for which it was collected, or a secondary purpose directly related to that purpose;
§ The person consents to the disclosure of their information, or the disclosure is necessary to lessen/prevent a serious and imminent threat to life, health or safety;
§ The disclosure is authorised by law, or for law enforcement or investigation.
3. Data Quality
The organisation will ensure that all personal information collected, used or disclosed is accurate, complete and up to date.
4. Data Security
All personal information collected is protected from misuse or loss and from unauthorised access, modification or disclosure. Information stored electronically is kept on a secure server and access is restricted to authorised employees. Paper-based documents containing personal information are stored securely. Where documents are required to be transferred to another location, personal information is transported securely in an envelope, folder or document bag. Reasonable steps will be taken to destroy or permanently de-identify personal information when it is no longer required for any purpose.
6. Access & Correction
An individual will be granted access to the information held about them should they request it. If the individual considers this information inaccurate, and this is established, the organisation will take the appropriate steps to correct the information so that it is accurate, complete and up to date.
Where lawful and practicable, individuals have the option of not identifying themselves when entering into transactions with the organisation.
8. Direct Marketing
The personal information collected by the organisation may be used to send individuals direct marketing communications. Sensitive information will not be used for this purpose. Individuals have the option of opting out of direct marketing communications by contacting the Privacy Officer and, where practicable, this option will be noted on the information being sent.
SECTION 3 – PROCEDURE
| Procedure Steps | Responsibility |
| --- | --- |