The Office of the Victorian Information Commissioner (OVIC) respects the privacy of every individual’s personal and health information.
This policy has been written in accordance with Information Privacy Principle 5 (Openness), which requires an organisation to set out in a document clearly expressed policies on its management of personal information.
For clarity, we use the words ‘personal information’ to include personal information and health information. OVIC does not intentionally collect health information but we may receive it in the course of our normal business processes.
Any personal information collected by OVIC, whether from a member of the public, an agency or an OVIC employee, will be handled according to this policy.
- OVIC collects personal information provided by applicants, complainants, government agencies, members of the public, employees and other third parties in compliance with its functions and obligations under the Freedom of Information Act 1982 (FOI Act) and Privacy and Data Protection Act 2014 (PDP Act).
- OVIC collects personal information on behalf of the Information Commissioner, Public Access Deputy Commissioner and the Privacy and Data Protection Deputy Commissioner for the purpose of carrying out their statutory functions and associated activities under the FOI Act and the PDP Act.
- In summary, these functions and activities include:
- undertaking reviews under the FOI Act and the PDP Act
- handling complaints under the FOI Act and the PDP Act
- conducting investigations under the FOI Act and the PDP Act
- making reports or recommendations under the FOI Act and the PDP Act
- conducting reviews or audits under the PDP Act
- promoting understanding and acceptance:
- by agencies and the public of the FOI Act and the object of that Act
- of the Information Privacy Principles and the object of those Principles under the PDP Act.
- OVIC will keep personal information received or obtained by the Office confidential, except when it is necessary or appropriate to disclose the information in the performance of its statutory functions under the FOI Act or PDP Act, or as otherwise authorised or required by law.
- Information collected by OVIC may include but is not limited to the form of hard copy or electronic documents, or voice or video recordings.
- OVIC uses, discloses and holds the personal information it collects in accordance with the PDP Act, in particular the Information Privacy Principles (IPPs). Where health information is collected by OVIC, OVIC handles that information in accordance with the Health Records Act 2001 (HR Act). OVIC will not otherwise use or disclose personal information unless permitted by law.
- OVIC takes reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure. In protecting personal information OVIC complies with the Victorian Protective Data Security Framework.
- OVIC will provide an individual with reasonable access to their personal information held by OVIC and will take reasonable steps to correct such information when requested by that person, in order to ensure that its records are accurate.
- OVIC may use de-identified information about enquiries, complaints and reviews for educational purposes, to encourage and support state government agencies to improve their compliance with information access, privacy and data security obligations under the FOI Act and PDP Act.
- Information that OVIC obtains is retained and stored in accordance with the requirements of the Public Records Act 1973, associated Public Record Office Victoria standards and OVIC’s internal records policy. OVIC destroys individuals’ personal information once it is no longer needed, and destroys or returns personal information it collects from agencies when it is no longer needed.
‘Personal information’ is defined in section 3 of the PDP Act as “information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion”.
‘Health information’ is regulated under the HR Act and is information that can be linked to an identifiable individual (including a deceased person), which concerns that individual’s physical, mental or psychological health, disability or genetic make-up.
OVIC may receive health information in the course of receiving the details of an enquiry, complaint or application for a review. Health information of OVIC staff may also be collected from time to time, for example, in the course of approving personal leave.
When collecting personal or health information from an individual, OVIC will take reasonable steps to advise that individual of what information is being sought, for what purpose(s), whether any law requires the collection of the information, how the individual can contact OVIC, and the main consequences, if any, of not providing the information.
As far as is practicable, OVIC will inform an individual of how it intends to use their personal or health information and to whom their information may be disclosed.
OVIC will collect personal or health information directly from the relevant individual, where possible. However, OVIC may also collect information about an individual from an agency, third party or a publicly available source. Where reasonably practicable, OVIC will notify individuals when information about them has been collected from third parties.
OVIC may use its coercive powers under Part VIC of the FOI Act and Part 3 of the PDP Act to require an individual to provide information or produce information.
Use and disclosure of information
OVIC staff will only use or disclose personal or health information in carrying out the functions and activities of the Office. Generally, this means that OVIC staff will not use or disclose information except for the primary purpose for which the information was collected. In some cases, OVIC staff may also use or disclose information for a secondary purpose that an individual may reasonably expect, or with the individual’s consent.
Details of a review application or a complaint will be given to the organisation complained against, as required by the FOI Act and PDP Act, to allow the organisation an opportunity to respond.
When OVIC discloses or transfers information to another individual or body, it will take reasonable steps to preserve the privacy of the individual to whom the information relates (for example, by only providing information relevant to a matter or de-identifying information prior to its disclosure).
Some de-identified information from reviews and complaints is used in awareness programs, public statements and training, but never in a way that would compromise an individual’s identity.
In certain circumstances, and in accordance with law, documents related to a complaint may be referred to the Victorian Civil and Administrative Tribunal (VCAT) or to another appropriate complaint handling body, such as the Health Complaints Commissioner or Victorian Ombudsman.
Some personal information related to the management of the Office might be disclosed to the Victorian Auditor-General where there is a lawful reason.
Other disclosures may be made with an individual’s consent, or otherwise in accordance with the use and disclosure provisions of the PDP Act and the HR Act.
Access to and correction of personal information
OVIC will make information it holds reasonably accessible to the individual to which it relates, and will provide such information on request. In some circumstances, OVIC may ask that the request be submitted in writing to assist in identifying relevant information or documents.
OVIC will endeavour to maintain accurate records. When an error is identified (either internally or by an external party) OVIC will correct the information promptly.
OVIC takes steps to verify the identity of any individual who requests access, or a correction, to their information held by OVIC before considering the request.
OVIC will not release or provide access to information to any other person or body, unless:
- it has been authorised to do so by the person to whom the information relates;
- it is permitted or required to do so by law; or
- it is appropriate or required in the performance of a function of the Office.
Requests for access to and/or correction of documents containing personal information held by the Office will be handled in accordance with the FOI Act and should be addressed in writing to:
Office of the Victorian Information Commissioner
PO Box 24274
Melbourne VIC 3001
Data quality and security
OVIC takes reasonable steps to ensure the information it holds is accurate, complete and up-to-date. Where possible, OVIC staff will check the accuracy of personal or health information with the individual before using it.
OVIC uses a combination of people, process and technology safeguards across information, ICT, personnel and physical security to protect information from misuse and loss, and unauthorised access, modification and disclosure. As of September 2018 all information and data is managed entirely by OVIC in Melbourne, Australia, except for OVIC’s own payroll and financial data, which is managed via services shared with other Victorian Government agencies.
Information is destroyed or permanently de-identified when it is no longer required in accordance with the Public Records Act 1973 and the relevant Retention and Disposal Authorities.
If OVIC becomes aware that an individual’s information has been inappropriately handled, OVIC will take steps to inform the individual of the incident, and will take appropriate action to ensure that such a breach does not occur again.
OVIC does not assign unique identifiers to individuals. Each complaint, request or enquiry that OVIC receives is given a number so that it can be managed efficiently, but not each individual.
OVIC will not request a unique identifier created by another organisation unless required by law, nor will OVIC use or disclose a unique identifier created by another organisation unless there is a lawful basis for doing so.
When seeking general information from OVIC, you do not have to identify yourself. If you wish to make an enquiry, no personal information will be collected or recorded unless OVIC staff need this information to get back to you with an answer to your enquiry.
However, if you wish to make an application for review under the FOI Act or a complaint under the FOI Act or PDP Act, you will be required to provide your personal information, including your name, contact details, and particulars of the matter.
Transfer of information outside Victoria
Generally, OVIC will not send your personal information outside Victoria. In the rare cases that this may be necessary, for example if you ask OVIC to transfer a complaint to the Office of the Australian Information Commissioner, OVIC will only send this personal information if the recipient of the information is bound by a scheme that is substantially similar to the IPPs or OVIC has obtained your consent. In some cases, this consent may be implied.
Any other transfers of information outside Victoria will be made in accordance with the provisions of the PDP Act.
Complaints about privacy
If you wish to make a privacy complaint against OVIC you can do so:
By phone on 1300 006 842
By email at firstname.lastname@example.org
By post at PO Box 24274 Melbourne, VIC 3001
OVIC treats complaints seriously and will try to resolve them fairly and quickly. If you make a complaint, OVIC will work with you to resolve your complaint and keep you informed of its progress.
If you are not satisfied with how OVIC deals with your privacy complaint, your complaint will be referred to an external, independent conciliator, who will attempt to resolve the complaint. If conciliation is inappropriate or unsuccessful, the Information Commissioner can refer the matter to VCAT.
If you wish to make a complaint against OVIC for a breach of privacy in relation to health information, you should contact the Office of the Health Complaints Commissioner.