VicHealth is committed to protecting personal and health information. VicHealth has adopted the Information and Health Privacy Principles in the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) as minimum standards when dealing with personal and health information.
When collecting personal or health information, VicHealth takes reasonable steps to advise individuals of what information is sought, for what purpose, whether any law requires the collection of the information and the main consequences, if any, of not providing the information.
Collection of Personal and Health Information - general principles
Where it is necessary, VicHealth collects personal and health information about individuals for the purposes of carrying out the following functions or activities:
- Research and surveys
- Stakeholder consultations, events and capacity building activities
- Campaigns and health promotion programs, and evaluation of these
- Dissemination of email newsletters and publications of interest
- Management of general operations, such as supplier management
- Personnel Management
Where possible, VicHealth collects data anonymously. However, if identifying personal or health information is required, this will only be collected with the informed consent of the individual(s) involved. VicHealth is open and transparent about how it collects, holds, manages, uses, discloses and transfers personal and health information. The organisation adopts tools such as collection notices, terms and conditions and consent forms to inform individuals and ensure they are able to give informed consent.
For the collection of web-based information, the Privacy Statement provides guidance on the management of this information, and is included on all websites and online tools.
Collection of personal and health information - VicHealth Staff
VicHealth collects and holds computer records and personnel files containing personal and health information relating to Staff for the following purposes:
- to evaluate applications for employment and Board/Committee membership.
- for personnel, administration and management purposes.
The personal and health information includes, without limitation, employment applications, probation reviews, references, bank details, performance appraisals and professional development plans, holiday and sickness records, exit checklists, surveys, professional memberships, salary reviews and remuneration details and other records. This information is collected with the consent of the relevant staff member.
VicHealth processes such personal information for personnel, administration and management purposes and to comply with its obligations regarding the processing of Staff records.
Use and Disclosure of Personal and Health Information
At the time of personal and health information collection, VicHealth must provide notice of how the information will be used, and who it will be disclosed to. VicHealth may disclose personal and/or health information to:
- VicHealth advisers
- parties providing products and/or services to VicHealth (including, without limitation, IT systems suppliers, superannuation, benefits and payroll administrators)
- Australian Government Departments
- regulatory and statutory authorities (including, without limitation, Australian Taxation Office and the police)
- Public sector entities.
- VicHealth funded organisations
- Other third parties where the use or disclosure is required, permitted or authorised by law.
Maintaining the quality of Personal and Health Information
VicHealth takes reasonable steps to ensure personal and health information is accurate, complete and up-to-date, and will endeavour to make appropriate corrections if informed that personal or health information is incorrect.
VicHealth destroys or permanently de-identifies personal and health information once it is no longer required, unless it is necessary to retain this information longer because it is a public record subject to a Public Record Office Victoria retention and disposal authority, or because of other legislative or legal requirements.
Security of Personal and Health Information
VicHealth takes reasonable steps to ensure the security of personal and health information from such risks as loss or unauthorised access, destruction, use, modification or disclosure. VicHealth’s IT systems are password protected and comply with VicHealth security standards, and if personal information is held on paper files, it is stored in locked files. VicHealth only permits personal information to be accessed by authorised personnel. The Victorian Protective Data Security Standard and Records Storage Standard provide additional guidance on information security and storage.
Access to information and making corrections
Individuals have the right by law to access the personal and health information VicHealth holds about them and to update and/or correct it, subject to certain exceptions. If an individual wishes to access or correct their personal information, they should contact the Privacy Officer or the person within VicHealth who holds the personal information.
Unique identifiers in the form of an employee number are assigned to VicHealth staff. Unique identifiers are also assigned to the primary contact persons of VicHealth funded organisations in VicHealth’s grants management system. Both instances are used for internal purposes, and not shared externally. Unique identifiers created by other organisations will not be requested or subsequently disclosed unless required by law.
Transfer of Information outside Victoria
VicHealth primarily stores personal and health information onsite or in Victorian-based systems and storage facilities. For any data storage that is not Victorian-based, VicHealth endeavours wherever possible to ensure data is in a jurisdiction with equivalent privacy laws.
Sensitive information relating to individuals is not routinely collected. VicHealth will only collect sensitive information with consent or where required by law.
Enquiries or complaints
Any enquiries or complaints should be directed to the VicHealth Privacy Officer, either via email at email@example.com, or via telephone at (03) 9667 1333. If a complaint cannot be resolved, the Privacy Officer will refer the complaint to the Commissioner for Privacy and Data Protection or the Health Services Commissioner (for health information).