NORTH Link believes that the responsible handling of personal and health information is a key aspect of governance and is strongly committed to protecting an individual’s right to privacy.
This policy applies to both personal and health information held by NORTH Link.
Personal Information means information or an opinion, whether true or not and recorded in any form, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. For example, NORTH Link holds personal information about its staff (eg addresses) in order to carry out its functions. It may also request personal information in order to provide services, eg superannuation.
Health Information is broadly defined to include information or an opinion about the physical, mental or psychological health of an individual, a disability, an individual’s expressed wishes for future provision of health services or any health service provided to an individual, or other information collected to provide or in providing a health service. For example, NORTH Link holds health information on its staff for personnel administration purposes.
Some personal information may also be ‘sensitive information’ as defined in the Privacy Act. Sensitive information includes information like an individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.
NORTH Link will only collect personal and health information that is necessary for its functions and activities and in doing so will use lawful and fair means. NORTH Link will only collect sensitive information where consent has been given or otherwise as permitted by law. If it is reasonable and practicable to do so, NORTH Link will collect personal and health information direct from the individual. When doing so, NORTH Link will inform the individual of the purpose/s for which the information is collected. If NORTH Link collects personal and health information about an individual from someone else, it will take reasonable steps to make the individual aware of these matters. Individuals will have the option of not identifying themselves when supplying information or entering into transactions with NORTH Link wherever it is lawful and practicable.
NORTH Link will only use or disclose personal and health information for the purpose for which it was collected. NORTH Link staff will treat personal and health information confidentially. If NORTH Link needs to share information for any other purpose than for which it was collected, agreement will be sought before doing so (unless otherwise required by law).
NORTH Link will maintain secure systems for storing personal and health information. NORTH Link will also maintain operational policies and procedures to protect personal and health information from misuse and loss and from unauthorised modification or disclosure. NORTH Link will destroy or de-identify personal and health information if it is no longer needed for any purpose or as required by law.
Individuals have a right to seek access to their personal and health information and make corrections. Access and correction will be handled under the Victorian Freedom of Information Act 1982. Some limits may apply where particular circumstances prevent NORTH Link from releasing information. If any limits apply, this will be explained.
If personal and health information is inaccurate, incomplete, misleading or out of date, the individual may request NORTH Link to correct this information. Personal and health information cannot be removed from records, but a correcting statement may be added. Requests for access and/or correction of personal and health information should be made to NORTH Link’s Executive Director.
NORTH Link contracts out some of its functions to third party contractors. All third party contractors will be required to comply with the Acts in all respects.
Complaints in relation to privacy and confidentiality will be handled by NORTH Link’s Executive Director. Complaints will be investigated and a written response will be provided as soon as possible (but no later than 45 days). If an individual is not satisfied with the way in which NORTH Link handles information or deals with a complaint, a formal complaint can be made to the relevant Commissioner.
Information Privacy Principles
Ten Information Privacy Principles (IPPs) are the practical core of the Information Privacy Act. With limited exemptions, all Victorian government agencies, statutory bodies and local councils must comply with the IPPs. The full text of the Information Privacy Principles can be found in Schedule 1 of the Information Privacy Act 2000 (Vic). This is a short summary of the IPPs, provided by Privacy Victoria:
IPP 1 Collection
Collect only personal information that is necessary for performance of functions. Advise individuals that they can gain access to personal information.
IPP 2 Use and disclosure
Use and disclose personal information only for the primary purpose for which it was collected or a secondary purpose the person would reasonably expect. Use for secondary purposes should have the consent of the person.
IPP 3 Data quality
Make sure personal information is accurate, complete and up to date.
IPP 4 Data security
Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.
IPP 5 Openness
Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.
IPP 6 Access and correction
Individuals have a right to seek access to their personal information and make corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.
IPP 7 Unique identifiers
A unique identifier is usually a number assigned to an individual in order to identify the person for the purposes of an organisation’s operations. Tax File Numbers and Driver’s Licence Numbers are examples. Unique identifiers can facilitate data matching. Data matching can diminish privacy. IPP 7 limits the adoption and sharing of unique identifiers.
IPP 8 Anonymity
Give individuals the option of not identifying themselves when entering transactions with organisations, if that would be lawful and feasible.
IPP 9 Transborder data flows
Basically, if your personal information travels, your privacy protection should travel with it. Transfer of personal information outside Victoria is restricted. Personal information may be transferred only if the recipient protects privacy under standards similar to Victoria’s IPPs.
IPP 10 Sensitive information
The law restricts collection of sensitive information like an individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.