Information sheet for Class B Cemetery Trusts: Considering third-party providers
Why is this important?
Class B cemetery trusts have obligations under Part 4 of the Privacy and Data Protection Act 2014 (Vic) to ensure the right people have access to the right information at the right time.
This includes third-party providers that are engaged by cemetery trusts. It is important to ensure that any third-party providers your trust has engaged have the correct protections in place to ensure cemetery trust information isn’t lost, destroyed, or compromised.
Protecting the information of any living persons is also critical. Your trust must consider the security of medical records, credit card information, and next of kin information that you give to any third-party provider. If there was a data breach, the information leaked could cause harm to living people including a breach of privacy, or it could have domestic violence, witness protection, or family dispute implications.
What is a third-party provider?
A third-party provider can be any person or organisation outside your cemetery trust that may store or manage any or all your cemetery trust information on your behalf. This could include an individual, a system, a software package, a company, or a business.
Example: records management solutions stored on the internet or another organisation who may be storing your hard copy information on their premises.
How do I choose a third-party provider?
Asking the third-party provider questions can help determine whether their products or services are the right fit. Make sure you ask questions before you buy any of their products or sign any contracts.
It’s a good idea to get answers from the third-party provider in writing. Before you get a third-party provider involved, ask yourself what the problem is you are trying to solve. This will help your assessment or decision making.
What questions should I ask the third-party provider?
The following questions are a starting point to help determine what information security protections the third-party provider has in place to protect your cemetery trust’s information:
- what measures do they have in place to protect your cemetery trust information from being accessed by the wrong people, tampered with, changed incorrectly, or lost or stolen?
- if something were to happen to their company, service, or product, what contingency measures do they have in place to ensure the protection of your cemetery trust information?
- where will the information be stored and what other parties will have access to your information?
Getting satisfactory answers to these questions is important and will provide you with greater confidence. You have the right to know how your cemetery trust’s information will be protected.
Do I have to use a third-party provider?
It’s up to your cemetery trust to determine whether a third-party provider is right for your cemetery trust. You should consider the information provided in this information sheet as a starting point.
I’ve chosen a third-party provider, now what?
If you’re happy to proceed with a third-party provider, there are a few things to keep in mind to ensure the ongoing protection of your cemetery trust’s information. You should:
- consider what information you will store with them, e.g., some or all of it;
- consider how your cemetery trust information is being backed up;
- consider your contract arrangement with the third-party provider e.g., including confidentiality clauses, subcontracting and legislative requirements;
- regularly review the arrangement between your trust and the third-party provider to ensure your cemetery trust information is still being protected;
- ensure you follow Public Records Office of Victoria (PROV) guidance regarding retention, archiving, and destruction of cemetery trust information (some trust information cannot be destroyed and must be retained as state records);
- notify OVIC at email@example.com if the third-party provider has a data breach or cyberattack; and
- consider privacy obligations if the third-party provider will handle personal information.
Who can I contact for more information?
- OVIC’s Information Security Unit, firstname.lastname@example.org or (03) 8684 1616
- OVIC Privacy Guidance team, email@example.com
- Department of Health’s Class B Cemetery Trust Manual
- Public Records Office of Victoria for relevant recordkeeping guidelines for Class B Cemetery Trusts