Child Information Sharing Scheme and Privacy
The Child Information Sharing Scheme (the Scheme) operates under Part 6A and 7A of the Child Wellbeing and Safety Act 2005 (CWS Act). The Scheme allows organisations and services prescribed by regulation as information sharing entities and restricted information sharing entities to share confidential information to support child wellbeing or safety.
The Scheme is designed to improve early identification of risk to children’s safety and wellbeing, increase collaboration between services involved in supporting children and families, promote earlier and more effective intervention and integrated service provision, and improve outcomes for children and families.
To facilitate the Scheme, the Information Privacy Principles (IPP) contained in the Privacy and Data Protection Act 2014 (PDP Act), and the Health Privacy Principles (HPP) contained in the Health Records Act 2001 (HR Act) have modified application.
This resource provides guidance for practitioners1 who have a role in promoting the wellbeing and safety of children and is designed to provide an overview of how the PDP Act and HR Act operate in the context of the Scheme.
The Scheme has been designed to operate within existing privacy obligations under the PDP Act and the HR Act.
Victorian public sector organisations, including contracted service providers of Victorian government and local councils, have ongoing obligations to protect personal information under the PDP Act.2 Where these organisations collect, hold, use or disclose personal information, they must adhere to the 10 IPPs.
Victorian public sector organisations and private organisations holding health information have obligations to protect that information under the HR Act.3 The HR Act contains 11 HPPs that set out obligations for the handling of health information throughout its lifecycle.
For further information on any of the topics covered in this document, please refer to the Child Information Sharing Scheme Ministerial Guidelines (the Guidelines) published by the Department of Health. The Guidelines are issued by the responsible Minister under Part 6A of the CWS Act and are legally binding, applying to all information sharing entities except courts and tribunals.4
PRIVACY OBLIGATIONS UNDER THE SCHEME
Do the Information Privacy Principles and Health Privacy Principles apply under the scheme?
Yes. Practitioners should always have regard to their existing obligations under their enabling legislation, the PDP Act and the HR Act when sharing information, under the Scheme and more broadly. However, the scheme intends for information sharing entities to give precedence to the wellbeing and safety of children over the right to privacy.
If an information sharing entity was able to share information in accordance with their existing obligations under the PDP Act or HR Act, they may continue to do so. The Scheme does not affect the collection, use or disclosure of information that is already permitted under the PDP Act or the HR Act.
One of the guiding legislative principles of the Scheme is that information sharing entities only share confidential information to the extent necessary to promote the wellbeing or safety of a child or a group of children, consistent with their best interests.5
The Scheme does however provide for modifications and exceptions to the IPPs and HPPs.
How does the Scheme modify the application of the Information Privacy Principles and Health Privacy Principles?
The PDP Act and the HR Act contain exceptions and modifications to the existing IPPs and HPPs, when sharing information under Parts 6A and 7A of the CWS Act.
- Information sharing entities are exempt from collecting information directly from the relevant individual under IPP 1.4 for the purposes of Part 6A of the CWS Act, and concurrently HPP 1.3, in relation to health information.6 Child Link users are also exempt from IPP 1.4 and HPP 1.3 when collecting personal information for the purposes of the Child Link Register.7This means that information sharing entities and Child Link users are not required to collect personal or health information about a person directly from them, and can instead collect the information from another information sharing entity.
- Information sharing entities are exempt from notifying individuals when personal information has been collected from another person under IPP 1.5 and HPP 1.5 when collecting personal information or health information for the purposes of Part 6A of the CWS Act, to the extent that compliance with IPP 1.5 or HPP 1.5 would be contrary to the promotion of the wellbeing or safety of a child (to whom the information relates).8 These exceptions remove the obligation on information sharing entities to take reasonable steps to notify individuals that their personal or health information has been collected from another information sharing entity.
- Child Link users are exempt from IPP 1.5 and HPP 1.5 where personal or health information is collected for the purposes of Part 7A of the CWS Act.9 These exceptions also remove the requirement of Child Link users to notify individuals of indirect collection, where providing notice would be contrary to the promotion of a child’s wellbeing or safety.
- Information sharing entities may refuse to disclose confidential information under IPP 6 and HPP 6, where an individual has requested access to information about them, if they believe on reasonable grounds that access to the information would result in an increased safety risk to children.10
- Information sharing entities are exempt from IPP 10.1 when collecting sensitive information under Part 6A of the CWS Act. Concurrently, Child Link users are also exempt from IPP 10.1 when collecting sensitive information under Part 7A of the CWS Act.11 This means that sensitive information can be collected despite the restrictions under IPP 10.1.
- When sharing information under Parts 6A and 7A of the CWS Act, the IPPs and HPPs do not apply to the collection, use or disclosure of personal, sensitive or health information by an information sharing entity, to the extent that the IPP or HPP requires the consent of the person to whom the information relates.12 In practice, information sharing entities are not be required to obtain consent from any person prior to collecting information, including sensitive information under IPP 10.1, if they are sharing in accordance with the Scheme.
- The Secretary of the Department of Education and Training is exempt from complying with HPP 4.3 regarding the deletion of health information for the purposes of Part 7A of the CWS Act (Child Link Register).13
It is important to note that the notice requirements under IPP 1.3 and HPP 1.4 continue to apply to information sharing entities. When an information sharing entity is collecting information directly from an individual, they are required to take reasonable steps to make the individual aware of particular matters at or before the time the information is collected, or as soon as practicable after.14
For more information on the relationship of the Scheme with other laws, practitioners should refer to the Guidelines
How does the Scheme apply to information sharing entities that do not already have privacy obligations?
Information sharing entities or restricted information sharing entities that are not already bound by the information privacy provisions of the PDP Act or the Commonwealth Privacy Act 1988 are required to handle personal information and unique identifiers in accordance with Part 3 of the PDP Act, including adherence to the IPPs. Information sharing entities subject to the Commonwealth Privacy Act 1988 will continue to be bound only by that Act.15
This ensures that appropriate privacy protections are applied consistently under the Scheme and that all information sharing entities are subject to the complaints provisions of either the PDP Act or the Commonwealth Privacy Act 1988 (where applicable) in relation to alleged interferences with privacy. Victorian entities holding health information continue to be bound by the HR Act.
As part of these privacy obligations, information sharing entities need to comply with IPP 4, requiring them to take reasonable steps to protect the information (including personal information) they access or hold.
Reasonable steps include undertaking the following activities across the information lifecycle:
- identifying and understanding information types;
- assessing and determining the value of the information;
- identifying the security risks to the information;
- applying security measures to protect the information; and
- managing the information risks.
For more information on these requirements, refer to the information security resources available on OVIC’s website.
For further information on privacy complaints under the Scheme, practitioners should refer to the Guidelines.
SHARING INFORMATION UNDER THE SCHEME
How do information sharing entities respond to a request to share information under the Scheme?
Information sharing entities may share confidential information with other information sharing entities under the Scheme, where certain thresholds for sharing have been met.16
Where an information sharing entity receives a request for confidential information, they must respond to the request, if:
- the disclosure is for the purpose of promoting the wellbeing or safety of a child or group of children;
- the information sharing entity reasonably believes that the disclosure may assist the requesting agency to do one or more of the following activities:
- make a decision, assessment or plan relating to a child or group of children
- initiate or conduct an investigation relating to a child or group of children
- provide a service relating to a child or group of children
- manage any risk to a child or group of children;17 and
- the information being disclosed is not excluded information under the Scheme.
For more information on the thresholds for sharing information or responding to requests to share information under the Scheme, practitioners should refer to the Guidelines.
‘Excluded information’ is information that cannot be collected, used or disclosed under the Scheme.18 In determining whether information is excluded information under the Scheme, practitioners should refer to the list of types of excluded information in the Guidelines or seek independent legal advice where necessary.
Other information sharing permissions and obligations
Where an information sharing entity has the existing legal authority to collect, use or disclose information under their own enabling legislation, another Act, the PDP Act or the HR Act, they may continue to do so under those laws.
For example, practitioners can rely on provisions that require or permit information sharing in their own enabling legislation, or the authorisations under IPP 2.1 and HPP 2.2 to share the relevant information. Recipients of the information should also ensure that they have the legal authority to collect it, either under their own enabling legislation, the PDP Act or the HR Act.
Practitioners should note that relevant secrecy and confidentiality provisions continue to apply unless expressly overridden for the purposes of the Scheme.
For a list of provisions that are overridden by the Scheme, practitioners should refer to the Guidelines.
Can an information sharing entity voluntarily share information under the Scheme?
Yes. The Scheme encourages the proactive sharing of information between information sharing entities for the purpose of promoting the wellbeing or safety of a child or group of children. An information sharing entity may voluntarily disclose confidential information on its own initiative19 to another information sharing entity where relevant thresholds have been met (see the thresholds for sharing under the Scheme in the Guidelines).
An information sharing entity may also voluntarily disclose confidential information to a child, a person with parental responsibility of a child or a person with whom the child is living, for the purpose of managing a risk to a child’s safety.20
What record keeping requirements do information sharing entities have under the Scheme?
Information sharing entities are required to keep accurate and complete records of information sharing and any complaints received under the Scheme.21 Record keeping obligations under the Scheme apply to both written and verbal sharing of information, as well as reasons for refusal to provide information to another information sharing entity.
Many information sharing entities will already record much of this information under existing record-keeping practices, although information sharing entities will need to review whether their current practices meet the requirements under the Scheme. These standards and the record keeping obligations are outlined in further detail in the Guidelines.
It is important to note that the Scheme does not affect mandatory reporting and reportable conduct obligations created under other legislation, such as mandatory reporting obligations under the Children, Youth and Families Act 2005.
IMPORTANT CONSIDERATIONS WHEN SHARING INFORMATION UNDER THE SCHEME
Does the Scheme require a person’s consent before sharing information about them?
In short, no. One of the key reforms of the Scheme is that consent is not required to share information where the practitioner considers the sharing would promote the wellbeing or safety of a child.
If the thresholds for sharing (outlined in the Guidelines) have been met, information sharing entities do not require consent from any person to share relevant information with other information sharing entities. However, practitioners should seek to take into account the views of the child and their family members about sharing confidential information where it is safe, appropriate and reasonable to do so.
As the Scheme does not displace the collection notice requirements under IPP 1.3 and HPP 1.4, information sharing entities should still take reasonable steps to notify a person where information has been collected from the person about them, as soon as practicable. Relevant considerations in providing notice to individuals are outlined in the Guidelines.
For more information on informing children and families about information sharing, see the Guidelines.
How does the Scheme deal with the mishandling of confidential information or false claims that a person is an information sharing entity?
In order to protect confidential information, the Scheme includes offences for unauthorised, intentional, or reckless use or disclosure of confidential information. Falsely claiming to be an information sharing entity or an authorised representative of an information sharing entity is an offence that applies to both individuals and organisations under the Scheme.
However, it is a defence to the charge of the unauthorised use and disclosure of confidential information collected under the Scheme if a person can demonstrate that they acted in good faith and with reasonable care when sharing the information.
A practitioner will not have committed an offence merely for sharing information in a way that is inconsistent with the Guidelines. However, non-compliance may lead to an entity being removed from the list of prescribed information sharing entities and may also be taken into account where a privacy complaint is made to OVIC or the Health Complaints Commissioner (HCC).
For further information on offences and complaints regarding the scheme, please refer the Guidelines.
What can an individual do if they believe their information has been shared inappropriately?
If an individual believes that their personal information or health information has been mishandled under the Scheme, they can make a privacy complaint to OVIC or the HCC.
OVIC can deal with complaints concerning a breach of one or more of the IPPs under the PDP Act. Individuals can complain to the HCC where they suspect a breach involving their health information. Complaints should be directed to the relevant information sharing entity in the first instance before a formal, written complaint is lodged with either OVIC or the HCC.
OVIC and the HCC can only deal with complaints about an entity that falls within the scope of the PDP Act or the HR Act, respectively. If a person has a privacy complaint regarding the handling of their personal information or health information by an entity covered by the Privacy Act 1988, the complaint should be directed to the Office of the Australian Information Commissioner.
Child Link is an information technology platform that will draw together information from existing government information management systems that hold information relevant to child wellbeing and safety. The platform will be developed for the systematic sharing of information about children’s participation in services. Child Link will not become operational until the end of 2021.
Child Link User is a person who is authorised to access the Child Link register as specified in the Part 7A of the CWS Act.
Confidential information includes:
- health information and identifiers for the purposes of the HR Act
- personal information for the purposes of the PDP Act, including sensitive information (such as a criminal record), and unique identifiers.
Excluded information is information that is specifically excluded from being shared under the Scheme as defined in section 41Q of the CWS Act. For the full list of excluded information, please see the Guidelines.
Information sharing entity is defined under section 41R of the CWS Act to be a person or body, or class of person or body, prescribed to be an information sharing entity.
Restricted information sharing entity is defined under section 41S of the CWS Act to be a person or body, or a class of person or body, prescribed to belong to a category of restricted information sharing entity specified in the regulations.
- The term ‘practitioner’ is used throughout this resource to refer to workers who have a role in assessing and responding to the wellbeing and safety needs of children.
- ‘Personal information’ is defined in section 3 of the PDP Act.
- ‘Health information’ is defined in section 3 of the HR Act.
- Courts and tribunals that are prescribed are not required to comply with the Guidelines or the record-keeping obligations under the Regulations.
- Under section 41U(2)(b) of the CWS Act.
- Under section 15B(1) of the PDP Act and section 14C(1) of the HR Act, respectively.
- The Secretary to the Department of Education and Training is also exempt.
- Under section 15(B)(2) of the PDP Act and the section 14C(2) of the HR Act.
- Under section 15B(3) of the PDP Act and section 14C(3) of the HR Act, respectively.
- Under section 41ZF of the CWS Act.
- Under section 15B(4) of the PDP Act.
- Under section 15B(5) of the PDP Act and section 14C(5) of the HR Act, respectively.
- Under section 14C(4) of the HR Act.
- See the Guidelines.
- Under section 41ZG of the CWS Act.
- See the Guidelines.
- Under section 41W of the CWS Act.
- Under section 41Q of the CWS Act.
- Under section 41V of the CWS Act.
- Under section 41Y of the CWS Act.
- Under section 41ZC of the CWS Act.