Information Sharing and Privacy – Guidance for Sharing Personal Information
This resource provides practical guidance to Victorian public sector organisations (organisations) on how to share personal information under the Privacy and Data Protection Act 2014 (PDP Act).1 It also outlines some examples of information sharing schemes operating in Victoria.
This resource focuses on sharing personal information in accordance with the 10 Information Privacy Principles (IPPs) in Schedule 1 of the PDP Act. The term ‘information sharing’ in this document refers to sharing ‘personal information’ as defined in the PDP Act.2
This resource does not discuss health information or the Health Privacy Principles (HPPs) contained in the Health Records Act 2001 (HR Act). The HR Act is administered by the Health Complaints Commissioner. For guidance on sharing health information, refer to the Health Complaints Commissioner.
This resource will:
- introduce different ways that organisations can share personal information;
- discuss the benefits of sharing personal information and explain how to establish an information sharing culture;
- suggest matters to consider before sharing personal information and the preferred content of an Information Sharing Agreement (ISA);
- examine what steps to take if a data breach occurs while sharing personal information; and
- give examples of information sharing schemes that may be relevant to organisations.
Introduction to information sharing
Victorian public sector organisations collect and handle a large amount of personal information. Responsible, efficient and effective information sharing in the public sector can deliver significant benefits for both organisations and the public. It can help address complex policy issues, improve delivery of services by organisations and support research and development.
Information sharing refers to the collection, use and disclosure of personal information either within an organisation or between organisations. Information sharing can occur in many ways including:
- one organisation disclosing information (the disclosing organisation) to another (the receiving organisation);
- multiple organisations combining information in a database and making it available to each other; and
- the reciprocal exchange of information between organisations.
The authority to share information can come from an organisation’s enabling legislation, specific information sharing laws or privacy law such as the PDP Act. Before sharing personal information under a specific information sharing law, organisations should carefully consider whether that law applies to them. For example, the Family Violence Information Sharing Scheme (FVISS) only applies to entities prescribed under that scheme; not all organisations will be permitted to share information under the FVISS.
Where personal information is shared within the same organisation, the organisation uses the information that it holds. However, where personal information is shared with another legal entity, the organisation discloses the information it holds. When the organisation discloses information to another organisation, the receiving organisation necessarily collects that information.
Large government bodies are often comprised of multiple business units. Where different business units are established under different statutory frameworks, they may be considered separate organisations under the PDP Act. Personal information shared between these business units will be considered disclosure of information as the information is being shared with separate organisations.
Further information on the collection, use and disclosure of personal information under the IPPs is contained in the Guidelines to the Information Privacy Principles. Those guidelines can assist organisations in understanding whether they can lawfully collect, use or disclose personal information.
Systematic information sharing
Systematic, or ongoing, information sharing is the routine exchange of personal information between two or more organisations for a specified purpose. It can involve organisations sharing particular sets of data on a routine basis or organisations combining their information in a shared database for a specific purpose.
Systematic information sharing should be governed by a written agreement or protocol between the organisations that sets out the rules and process for access to, and use of, the personal information. ISAs are discussed later in this resource.
Ad-hoc information sharing
Ad-hoc information sharing is a one-off disclosure, or collection, of personal information. The disclosing organisation must decide whether or not it is appropriate to share the information. The receiving organisation should determine its legal basis for collecting the information.
Ad-hoc information sharing is not usually governed by a written agreement or pre-existing arrangement. However, organisations should make a written record of all ad-hoc requests for personal information regardless of whether the organisation decides to share the information.
Information sharing versus information release
It is worth noting the distinction between information sharing and information release.
Information sharing involves making information available to other organisations, or individuals, under specified conditions. For example, conditions around how the information is used or who can access the information.
Information release involves making information openly available (sometimes publicly) with few or no restrictions on how the information may be used and who may access it. Victoria’s open data platform is an example of an information release scheme, aimed at enabling public access to information.3
Benefits and barriers to information sharing
Benefits of information sharing
Sharing personal information between, and within, public sector organisations can benefit the organisations and members of the public. This section discusses some of the key benefits of information sharing.
Better informed government decisions
Information sharing can lead to better informed government decisions by giving government a more holistic understanding of, and approach to, an issue. Sharing information also provides insights that result in better policy making. The Victorian Centre for Data Insights’ (VCDI) work in bringing together data across government to answer policy questions is an example of the value in information sharing.
Greater trust and confidence in government
Information sharing can lead to greater trust and confidence in government by demonstrating that organisations are committed to being transparent about the information they collect and use, and the processes they have in place for handling that information.
For example, legislative information sharing schemes, such as the FVISS, inform organisations and the public about the kind of information that will be shared, the purposes for sharing the information, and who is authorised to handle the information shared under the scheme. This openness and transparency about information sharing practices builds trust and confidence that personal information will be handled and governed appropriately.
Streamline government processes
Information sharing can help streamline government processes by enabling personal information to be collected once (at a single collection point) and then used multiple times across organisations, where lawful. This removes the need for different organisations to collect the same information from individuals.
More efficient services for members of the public
Members of the public can enjoy the convenience of efficient services as information sharing across organisations can negate the need for individuals to provide the same information to organisations each time they access a service.
Enhanced protections for vulnerable people
Information sharing can provide enhanced protections for vulnerable people, such as victims of family violence, by increasing collaboration between organisations that provide support services. It can also protect vulnerable people from having to repeat traumatic events to multiple services. For example, where information is shared between information sharing entities under the FVISS, the victim is able to receive support from multiple services without having to approach each service separately and share their story several times.
Barriers to information sharing
Although information sharing can have numerous benefits, there are often a range of factors that prevent organisations from sharing information. This section discusses some of those barriers to information sharing.
Secrecy and confidentiality provisions in enabling legislation
Many organisations’ enabling legislation has secrecy or confidentiality provisions that set out when an organisation’s officers can use or disclose information, usually including personal information. Breaching these secrecy or confidentiality provisions is often an offence with penalties. These secrecy and confidentiality provisions override any permission an organisation may have to disclose personal information under the PDP Act.
Restrictions in privacy law
Privacy law sets out the circumstances in which personal information can be collected, used and disclosed. For example, under the PDP Act, organisations can only use and disclose personal information for the primary purpose for which it was collected, or for one of the eight secondary permitted purposes outlined in IPP 2.1.4 Privacy law restricts information sharing to ensure that organisations’ information handling practices are fair, reasonable and in line with what an individual would expect.
Misconception about constraints in privacy law
Conversely, sometimes privacy law is incorrectly perceived as creating a barrier to information sharing. How privacy laws interact with an organisation’s legislation or policies is sometimes complex or confusing to navigate, thereby creating a risk-averse culture to information sharing. Often, organisations choose not to share personal information because it is viewed as the safer option. This misconception prevents organisations from realising the value of sharing information.
Leadership that does not understand the value of sharing information
If leadership does not understand the value of information sharing or know how to responsibly share personal information this may prevent organisations from realising the benefits of effective information sharing. It can create a workforce that does not know how to share personal information appropriately and is unaware of broader privacy considerations that apply to information sharing.
Inadequate governance and accountability measures
Inadequate governance and accountability measures can be a barrier to information sharing. This includes organisations not having a decision-making framework for assessing and responding to requests for personal information, or having poorly developed processes for handling such requests. This can lead to ineffective information sharing practices.
Interoperability and compatibility issues
Interoperability and compatibility issues due to an organisation’s outdated information technology systems and software can also make it difficult to share information. These issues can also be caused by differences in organisations’ information management systems and storage standards that create technical barriers to sharing information.5 Organisations may not have the technical infrastructure to share personal information securely and so choose not to share at all.
Establishing an information sharing culture
A culture of information sharing within an organisation drives information sharing initiatives. Having an information sharing culture means that an organisation is open to sharing information in the appropriate circumstances and has created mechanisms that facilitate information sharing.
This section discusses some of the principles that are relevant to establishing an information sharing culture within an organisation.
Governance and accountability
Organisations should have a framework for information sharing that sets out clear roles, responsibilities and processes that are in line with applicable legislation. A framework facilitates organisational understanding of information sharing, creates reassurance that personal information will be shared appropriately by authorised staff and embeds a culture of responsible information sharing practices across the organisation.
Where organisations enter into an Information Sharing Agreement (ISA), each party to the agreement should have a designated officer responsible for overseeing the information sharing arrangement and accountable for the disclosure of information. This role may be an additional function of an existing role; it does not need to be a new role created specifically to oversee the ISA.
The responsibilities of an information owner in an information sharing arrangement are different to the responsibilities of an information custodian. The information owner is the entity that has legal possession of the information being shared and is accountable for the security, disposal and sharing of that information. On the other hand, the information custodian is responsible for ensuring the information is managed appropriately in accordance with rules set by the information owner, legislation or policy. This distinction in roles and responsibilities may be relevant depending on the nature of the information sharing arrangement.
Organisations should also consider having an information sharing policy that details how information will be shared in various circumstances, such as emergency situations. This will clearly set out how the organisation is likely to use and disclose personal information and the factors that will be taken into account in deciding whether or not to share information.
Organisations should be transparent about their information handling practices. Organisations can demonstrate they have adequate information handling practices by clearly stating the type of information they collect from individuals and other organisations, and the privacy and security measures implemented to manage information appropriately. These matters are typically outlined in privacy and security policies and collection statements. Transparency helps build trust in an organisation’s ability to handle information responsibly, making it more likely that other organisations will share information with them. Transparency also gives the community confidence in an organisation’s ability to handle their information responsibly.
Training and awareness
In particular, training and awareness programs should clearly indicate the risk management process governing the sharing, identify the authorising process and responsible decision makers, and specify the permitted uses of personal information. One of the risks in information sharing is inadequate training leading to poor implementation of controls.
Considerations when sharing personal information
This section discusses the factors that organisations should take into account when deciding whether or not to share personal information. It also discusses factors that organisations should consider once they have decided to participate in an information sharing initiative. The factors detailed in this section apply to systematic or ad-hoc information sharing.
Considerations before sharing personal information
Type of personal information to be shared and value of the information
Organisations should identify the type of personal information that will be shared and the value 6 of that information. This will help determine whether it is appropriate to share that type of information. For example, the PDP Act limits the collection and handling of sensitive information 7 because this type of information can have a greater effect on individuals’ human rights than other types of information. 8 Further guidance on how to manage sensitive information is available in the Guidelines to the Information Privacy Principles.9
Determining the value of the information will also help organisations establish the measures that need to be implemented to protect the information. In addition, knowing the value of information will help organisations manage security incidents that compromise the confidentiality, integrity or availability of the information. This will be discussed later in this resource.
Purpose of sharing
Organisations should consider the purpose for sharing the personal information. There must be a clear purpose for sharing information that is linked to the organisation’s functions or activities. Additionally, the purpose needs to be specific to ensure that the information is not used for a broad range of purposes that go beyond the scope of the information sharing initiative. The purpose of sharing must also not breach a secrecy or confidentiality provision.
Example: Assessing a request for information from a government Department
A local council received a request from a Department for the names and addresses of ratepayers in an area so as to consult with them about a road project. The Department also said it would use the information for ‘other purposes’ from time to time.
In assessing the request, the council considered whether its residents would reasonably expect it to pass their personal information to the Department for these purposes. It decided that, given the proposed broad range of uses, its residents would not reasonably expect their information to be disclosed to the Department.
The council decided, instead, to promote the public consultation on behalf of the Department by placing a notice on its website.
Permission to share personal information
Organisations should establish that they are permitted to disclose, and collect, personal information. This may be determined by enabling legislation, specific information sharing legislation, privacy law or a combination of these.
The disclosing organisation needs to be certain that it has a lawful basis for disclosing the personal information. Similarly, the recipient organisation needs to be certain that it collects personal information in a lawful manner, in line with what is necessary for its functions or activities. Further guidance on collecting personal information is available in the Guidelines to the Information Privacy Principles. 10
Organisations should first consider their enabling legislation to determine whether they are permitted to share personal information for the specified purpose. If their enabling legislation does not contain any relevant provisions, and there is no specific information sharing scheme that authorises the sharing (such as the FVISS or the Victorian Data Sharing Act 2017 (VDS Act)) then organisations can consider whether privacy legislation, such as the PDP Act, authorises the information sharing.
Enabling legislation may also expressly prohibit or restrict the sharing of certain information such as information that is subject to secrecy provisions or confidentiality provisions. Organisations will need to ensure that information is handled in accordance with these provisions, despite other authorities under privacy legislation.
Information Privacy Principle 2 – Use and Disclosure
The Use and Disclosure principle (IPP 2) in the PDP Act prohibits organisations from using and disclosing personal information for a purpose other than the primary purpose of collecting that information, unless one of the eight permitted secondary purposes applies.
The permitted secondary purposes include circumstances such as where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare,11 or where the individual has provided consent.12 Further information on the permitted secondary purposes see the Guidelines to the Information Privacy Principles.13
EXAMPLE: Sharing information with a law enforcement agency
A school received a request from a Department for personal information about an individual for an unidentified purpose. The school believed that the request was in relation to a family violence incident. In responding to the request, the school considered its legal authority to share the personal information.
Personal information may be used or disclosed for a purpose other than the primary purpose if such use or disclosure is required or authorised by or under law, as set out in IPP 2.1(f).
Further, an organisation may use or disclose personal information where it reasonably believes the use or disclosure is reasonably necessary for any of five specified purposes undertaken by or on behalf of a law enforcement agency as set out in IPP 2.1(g):
- the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
- the enforcement of laws relating to the confiscation of the proceeds of crime;
- the protection of the public revenue;
- the prevention, detection, investigation or remedying or seriously improper conduct; or
- the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
If an organisation is disclosing personal information under IPP 2.1(g), it must make a written record of that use or disclosure. The PDP Act does not specify the content of the record, but it should include information that explains why the information was disclosed and should record the circumstances of the disclosure.14
In this case, the school asked the Department for more information on why it needed the individual’s personal information. The Department provided further information and the school was satisfied that disclosing the individual’s personal information was reasonably necessary for the law enforcement agency’s investigation. The school also recorded the disclosure as required by IPP 2.2.
Where organisations decide to seek consent from individuals to share their personal information with other organisations, they must ensure that the consent is valid. For consent to be valid, the individual must have capacity to consent. Additionally, the consent must be voluntary, informed, specific and current.15
However, where organisations intend to disclose personal information under an alternative legal authority, it is not appropriate to seek consent from individuals, as the individuals would not have genuine choice as to whether or not their information is shared. That is, where legal authority exists to share personal information, an organisation can share individuals’ information even where individuals do not give consent to their information being shared. In this case, it would be more appropriate for organisations to provide notice to individuals of the intention to disclose their information to other organisations.16
Example: Considering a request for information from a utility provider
A council received a request to share personal information with a utility provider who needed to decommission a utility on a specified property. The utility provider knew the property owner’s name and address but asked the council to share that individual’s phone number.The council authority considered whether the individual would reasonably expect it would pass their personal information on to the utility provider, or whether it should seek consent from the individual to disclose their phone number.The council decided to seek consent from the individual to disclose the information to the utility provider.
Charter of Human Rights and Responsibilities
Organisations must consider human rights when they make decisions, deliver services, develop policies and projects, manage risks and manage complaints.17 They must ensure that any decision to share, or not share, personal information is consistent with human rights under the Charter of Human Rights and Responsibilities Act 2006.18
Other information handling obligations under the IPPs
Organisations should also consider their adherence to other IPPs that are relevant to an information sharing initiative.
- Collection (IPP 1) – Organisations seeking access to information held by another organisation must ensure that they have a clear purpose for collecting the information. Organisations must not collect the information unless it is necessary for their functions or activities.Additionally, organisations are required to notify individuals of the matters set out in IPP 1.3 when collecting information about them. This includes taking reasonable steps to inform individuals of the law that requires that particular information to be collected, what the information will be used for, whether it will be shared with other parties, and that individuals can gain access to their information.19 Providing notice to individuals promotes transparency and respect for the autonomy and dignity of individuals and their personal information.20
- Data Quality (IPP 3) – Organisations must take reasonable steps to ensure that the information they collect, use and disclose as part of the information sharing initiative is accurate, complete and up to date.21
- Data Security (IPP 4) – Organisations must take reasonable steps to ensure that the information that is shared is protected from misuse, loss, unauthorised access, modification or disclosure. Appropriate security measures must be implemented to ensure that the information is shared safely and that it is not accessed by individuals who do not need to access it.22
- Transborder data flows (IPP 9) – IPP 9 applies if any party to the information sharing initiative is located outside Victoria, or if information will be stored outside Victoria. Where information leaves Victoria, the disclosing organisation must ensure that the transfer of information is permitted by one of the exceptions under IPP 9.23 For example, the disclosing organisation can transfer information outside Victoria if the receiving organisation is bound by privacy obligations that are substantially similar to the IPPs.24
Risks involved in sharing personal information
Organisations should undertake a risk assessment when deciding whether to share personal information. The outcome of the risk assessment will help organisations decide whether it is appropriate to share personal information and identify any risk mitigation strategies required to enable information sharing.
For example, each organisation involved in an information sharing initiative should undertake a Privacy Impact Assessment (PIA) to identify any privacy risks associated with the initiative. Organisations may identify different risks depending on their role in the information sharing initiative. It may be useful for organisations to undertake a joint PIA to form a holistic view of the risks involved in sharing the information.
A PIA is not an authorising or decision-making document, but rather a tool designed to help organisations develop risk mitigation strategies for any privacy risks identified while undertaking the PIA. The PIA will need to be reviewed and updated periodically, particularly if elements of the information sharing initiative change (for example, if new parties are added to the initiative). Further guidance on undertaking a PIA is available on OVIC’s website.25
Organisations should also undertake a security risk assessment before deciding to share information.26 Similar to the privacy risk assessment, the security risk assessment will need to be routinely reviewed and updated where necessary.
Both types of risk assessment should be aligned with the organisation’s risk management practices and managed accordingly.
Organisations should seek legal advice if there is uncertainty about either whether they are authorised to disclose or collect personal information. OVIC can provide general guidance to organisations about the IPPs but does not give legal advice.
Organisations should identify whether their systems can support the information sharing initiative. As mentioned above, interoperability can be a barrier to sharing information. Organisations should be able to share information securely and ideally audit unit level access to the information. Organisations should address any interoperability issues before sharing information with other organisations.
Considerations once organisations decide to share information
Some organisations are required to comply with protective data security obligations in Part 4 of the PDP Act.27 These obligations apply to all ‘public sector data’ that organisations hold, not just personal information. OVIC developed the Victorian Protective Data Security Framework (VPDSF) to monitor and assure the security of public sector data and information systems, across the Victorian Government. The VPDSF includes 12 Victorian Protective Data Security Standards (VPDSS) that set out measures that organisations should implement to protect public sector data across five security domains: governance, information, personnel, Information Communications Technology and physical security.28
Organisations should ensure they consider each of these security domains when identifying the security requirements for their information sharing initiative.
Record keeping obligations
An important element of managing personal information appropriately is effective record keeping. The Public Records Act 1973, administered by the Public Record Office Victoria, sets out standards for the efficient management of public records. Organisations must ensure that their record keeping practices are in line with these standards. There are also record keeping obligations under the PDP Act. Specifically, IPP 3 and IPP 4, which outline requirements for the quality and the security of the information held by organisations.
It is good practice to document all information sharing initiatives whether they are ad-hoc or ongoing. Comprehensive documentation is a key element of accountability and can serve to build trust in an organisation’s information handling practices. Documentation will also enable organisations to properly review and evaluate their information sharing practices.
Information Sharing Agreement
If organisations intend to share personal information on an ongoing basis, they should set out the terms of the information sharing initiative in a written document. An ISA sets out all the core elements of the information sharing arrangement and must be approved and signed by all participating organisations.
Information Sharing Agreements
An ISA helps ensure that all elements of an information sharing initiative are considered and documented. It provides evidence of organisations’ decision to share information, the purpose for sharing and the authority to share the information. It also documents organisations’ commitments to each other and can be used to ensure that organisations work together to manage the risks involved in the information sharing initiative.
Organisations must ensure that all terms of the ISA are upheld and that, in practice, the ISA facilitates effective and responsible information sharing.
An ISA can sometimes also be referred to as a Memorandum of Understanding (MOU). ISAs and MOUs generally do not create new legal obligations for organisations, but outline the particulars of the arrangement within existing legal frameworks.
Content of an Information Sharing Agreement
The content of an ISA will depend on factors such as the nature of the information sharing initiative, the type of information being shared, and the risks involved in sharing that information. There is no one-size-fits-all approach to an ISA so they should be customised to suit each information sharing initiative.
The details that could be included in an ISA are:
- The parties to the agreement and their specific roles and responsibilities in the information sharing initiative. For example, the ISA should specify whether a party will be disclosing the personal information or will be the organisation receiving the personal information. In some cases, both parties may be disclosers and recipients.
- The process for adding parties to the ISA, and the process for dealing with circumstances where an organisation needs to be excluded from information sharing initiative.
Purpose and description of the information sharing initiative
- The purpose of sharing the personal information. For example, research and development, delivery of government services etc.
- A description of the information sharing initiative, its benefits, the expected outcome(s) of the initiative and any outputs that will be produced from the initiative.
- The legislative authority that enables each organisation to participate in the information sharing initiative.
Duration and termination
- The duration of the agreement and the periods when personal information will be shared. It is good practice to have ISAs with a specified duration in order to ensure the ISA remains appropriate.
- How often the ISA will be reviewed.
- How each party to the ISA can terminate the agreement and what will happen to the personal information once the agreement is terminated.
Type of information being shared
- A description of the type of personal information that will be shared and the security value of the information.
Method of sharing
- How the personal information will be shared and the measures to be implemented to ensure the information is shared securely.
Access and use
- The specific persons or roles within each organisation that are permitted to access and use the personal information. This could include a minimum level of seniority or security clearance.
- Details of whether individuals who will be handling the personal information are required to undertake any training or meet certain requirements before being permitted to access and use the information.
- The purposes for which the personal information can and cannot be used.
- Whether a PIA has been undertaken and any privacy risks identified as a result of the PIA. Also include information on whether a security risk assessment has been completed and the outcomes.
- The mechanisms that will be implemented to enable the disclosing organisation to gain assurance that the shared information has been handled by the receiving organisation in accordance with the ISA and know how often the personal information has been handled. This could include the ability to audit unit level access to personal information, or the requirement to conduct annual external audits.
- Where and how personal information will be transferred and stored, including the security measures that the receiving organisation has in place to protect the personal information from misuse, loss, unauthorised access, modification or disclosure.
Retention and Disposal
- Details of how long the shared information will be retained by relevant organisations.
- Details of how and when the shared information will be destroyed once it is no longer required for the information sharing initiative, if applicable.
Complaints and incident management processes
- Details of how parties to the ISA will manage any data breaches or complaints related to the information sharing initiative and promptly notify the other party of the breaches or complaints. An ISA should also set out which organisation bears the responsibility of notifying OVIC and affected individuals (if appropriate) of any information security incidents that may occur.
- Organisations should agree upfront on the consequences of one of the organisations, or an officer of the organisation, breaching the ISA.
Breach of the ISA
- Organisations should agree on the consequences of one of the organisations, or an officer of an organisation, breaching the terms of the ISA. These consequences should be set out in the ISA.
This is not an exhaustive list of what should be documented in an ISA. At a minimum, an ISA needs to clearly set out the obligations of each organisation involved in the information sharing initiative.29 Organisations may wish to seek legal advice in preparing an agreement.
Information Usage Arrangement
It is important to note that an ISA is not the same as an Information Usage Arrangement (IUA). An ISA requires organisations to handle personal information in accordance with existing privacy obligations under the PDP Act.
An IUA, on the other hand, is a mechanism in the PDP Act that allows an organisation to engage in information handling acts or practices that either do not comply with specified IPPs or modify the application of specified IPPs.30 An organisation may seek approval for an IUA from the Information Commissioner, who will consider whether the public interest in handling information under an IUA substantially outweighs the public interest in complying with the relevant IPPs.31
Detailed guidance on IUAs and other ‘flexibility mechanisms’ in the PDP Act is available on OVIC’s website.32
Data breaches and complaints
Data breaches occur when public sector data held by organisations (often including personal information) is misused, lost or subject to unauthorised access, modification or disclosure. Some common causes of data breaches include human error, ineffective information management processes and systems, or inadequate employee training. Data breaches can cause significant harm to the individuals whose information is impacted by the breach and to the organisation involved.
Organisations should have a data breach management process to ensure that any data breaches affecting information sharing initiatives are responded to efficiently. If a data breach occurs, organisations should take immediate steps to minimise the risk of harm that may arise from the breach.33
Information Security Incident Notification Scheme
Under the Information Security Incident Notification Scheme, organisations are required to notify OVIC within 30 days of information security incidents that compromise the confidentiality, integrity or availability of public sector data, which includes personal information.
Notably, the incidents are not limited to compromises of electronic information held on government systems and services. It can include verbal discussions and information held in physical format, such as photographs, printed documents and audio or video recordings.
The Incident Notification Scheme applies to incidents that have a Business Impact Level 2 – ‘limited’ or higher effect on government operations, organisations or individuals.34
As mentioned above, where an information sharing initiative involves multiple organisations, it should be clear which organisation is responsible for notifying OVIC of the incident.
Complaints and enquiries
Organisations should have a clear process for handling complaints and enquiries about the information sharing initiative. Individuals should be able to easily find the contact details of the responsible individual, or team, within the organisation. Typically, this will be the organisation’s privacy officer.
Sharing information in emergencies
During emergencies, personal information held by one organisation can significantly benefit other organisations involved in responding to the emergency, such as the police, ambulance services or health services. Sharing personal information can help:
- identify individuals involved in the emergency;
- help individuals access services such as medical treatment, financial assistance and housing assistance;
- assist law enforcement; and
- ensure that relevant persons such as next of kin are kept informed of the emergency response given to the affected individuals.
Organisations should have an emergency response policy to ensure that the response to requests for personal information is efficient and effective. This policy may be part of an existing information sharing policy or can be a separate policy. By anticipating the range of circumstances that may result in requests for information and by establishing policies before an emergency occurs, organisations can respond confidently and quickly to emergencies and minimise the risks of personal information being handled inappropriately during an emergency.
Personal information collected, used and disclosed during an emergency should be limited to personal information necessary to respond to the emergency.
The factors that will be relevant to sharing personal information during an emergency are discussed below.
The Collection principle (IPP 1)
Organisations should ensure that any personal information collected during an emergency, either from individuals or from another organisation, is limited to personal information that is necessary to manage the emergency.
IPP 1.3 requires organisations to take reasonable steps to notify individuals that their personal information has been, or will be, collected, and to inform them of other matters such as which organisation collected the information and why it was collected. Notice can be provided before, during, or as soon as practicable after the personal information has been collected.
The reasonable steps that organisations should take to provide notice depends on the circumstances of the emergency. Importantly, IPP 1.3 does not specify how notice should be provided, thereby allowing organisations to consider various options. For example, depending on the nature of the emergency, providing notice verbally may be appropriate, followed later by a written notice.
If organisations collect information about individuals from a third party, the organisations must take reasonable steps to ensure the individual is aware of the matters set out in IPP 1.3, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.35
Providing notice should not stop organisations from responding to the emergency in a timely manner.
The Use and Disclosure principles (IPP 2)
IPP 2.1 states that organisations must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection unless one of the permitted secondary purposes outlined in IPP 2.1(a) – (h) applies.
Organisations will often need to rely on one of the permitted secondary purposes to share personal information during an emergency. Some of the secondary purposes that may be relevant include:
IPP 2.1(d) – Reasonable belief that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare or to public health, public safety or public welfare
This exception allows organisations to use and disclose personal information where the organisations:
- reasonably believe there is a serious threat to an individual’s life, health, safety or welfare or to public health, public safety or public welfare; and
- the use or disclosure of personal information is necessary to lessen or prevent the serious threat.36
If an employee is unconscious after an accident at work, the employer may provide their personal information to first respondents. The employer should only provide the amount of personal information necessary for medical treatment.
IPP 2.1(a) – Reasonably expected secondary purpose
Organisations may share personal information about an individual for a secondary purpose if:
- the secondary purpose is related to the primary purpose for which the personal information was originally collected; and
- the individuals would reasonably expect the organisation to use or disclose the information for the secondary purpose.
Organisations should consider whether a secondary use of personal information would be reasonably expected on a case-by-case basis.37
IPP 2.1(b) – Consent
Organisations can share personal information about an individual where the individual has provided their consent. However, in some cases such as family violence situations, seeking consent may increase the risk of harm to individuals. Further, where organisations have another legal authority to share the information and intend on sharing it regardless of whether or not the individual consents, organisations should rely on the other legal authority to share information rather than seeking consent.
IPP 2.1(f) – Required or authorised by or under law
Organisations can share personal information about individuals where it is required or authorised by law. The PDP Act is ‘default’ legislation meaning where another piece of legislation expressly permits or prohibits information sharing, that legislation will override the PDP Act to the extent of the inconsistency. For example, if the FVP Act allows personal information to be shared in an emergency situation, the sharing would be permitted by IPP 2.1(f).
IPPs 2.1(e) and (g) – Law enforcement agencies
Organisations can share personal information for law enforcement purposes. For example, where organisations suspects that unlawful activity has been engaged in and personal information is disclosed as a necessary part of investigating the unlawful activity or reporting it to authorities.
Notably, law enforcement agencies are exempt from complying with some of the IPPs where they reasonably believe that non-compliance is necessary for their activities.38
The Health Privacy Principles
Depending on the nature of the emergency, organisations may also have obligations under the HR Act. Personal information shared during an emergency that is considered health information will need to be handled in accordance with the HPPs in the HR Act.39
APPENDIX A – Information Sharing Flowchart
Information Sharing Flowchart (PDF)
APPENDIX B – Examples of legislative information sharing schemes
This section discusses some information sharing schemes introduced to facilitate easier, more efficient sharing of information between organisations. Before sharing personal information under a specific information sharing scheme, organisations should carefully consider whether the relevant law applies to them.
Family Violence Information Sharing Scheme and Child Information Sharing Scheme
In March 2016, the Royal Commission into Family Violence (the Commission) delivered a report with 227 recommendations to reform Victoria’s family violence system.
The Commission found that despite the necessity of sharing information to keep victims safe and hold perpetrators to account, agencies in the family violence system were not sharing information routinely or systematically.40 The Commission identified barriers preventing organisations from sharing information and recommended a specific family violence information sharing regime under the Family Violence Protection Act 2008 (FVP Act).41
The Family Violence Information Sharing Scheme (FVISS) was established by Part 5A of the FVP Act and commenced in February 2018. The FVISS enables authorised information sharing entities (ISEs)42 to share confidential information43 either for a family violence assessment purpose or for a family violence protection purpose. To facilitate the sharing of personal information, the FVP Act amended the PDP Act to exempt ISEs from complying with some of the IPPs.44
The Child Information Sharing Scheme (CISS) was created by the Children Legislation Amendment (Information Sharing) Act 2018 and commenced in September 2018. It enables ISEs that are prescribed by the Child Wellbeing and Safety (Information Sharing) Regulations 2018 to share confidential information45 to promote the wellbeing and safety of children. 46 It expands the circumstances in which ISEs can share information so that child welfare and family violence services can work together to improve outcomes for children and families. The CISS and FVISS share a similar model and are designed to complement each other, to enable services to share information to respond to the range of needs and risks facing children and families.47 Like the FVISS, the CISS amended the PDP Act to enable ISEs to share personal information.48
Importantly, the FVISS and the CISS only provide limited exceptions to existing privacy obligations under the PDP Act. ISEs must always consider other privacy obligations under the PDP Act when sharing information. Detailed guidance on the interaction of the FVISS, the CISS and privacy law is available on OVIC’s website.49
Health Legislation Amendment and Repeal Act 2019
The Health Legislation Amendment and Repeal Act 2019 (HLARA Act) amends the Health Services Act 1988 (HS Act) to enable information sharing about the quality and safety of health service entities. The information sharing provisions under Part 6B of the HS Act, which commenced in August 2020, permit health service entities to share confidential information50 about individuals with other organisations for quality and safety purposes.
The HLARA Act also amends the PDP Act to exempt specified health service entities from complying with some of the IPPs. Detailed guidance on HLARA Act and the changes to the PDP Act is available on OVIC’s website.51
Victorian Data Sharing Act 2017
The Victorian Data Sharing Act 2017 (VDS Act), which commenced in December 2017, promotes sharing and use of public sector data to achieve better outcomes for Victorians. The VDS Act creates a clear framework for data sharing and data use within government for the purposes of policy making, service planning and design.52 It also establishes the statutory role of the Chief Data Officer (CDO) of Victoria, who leads the Victorian Centre for Data Insights (VCDI).See section 1(a) of the VDS Act.The CDO is responsible for helping government use data more effectively. Their statutory functions include helping organisations conduct data analytics projects, working with organisations to build data analytics capabilities, and enabling data sharing.53
The VDS Act permits a data sharing body54 to share:
- identifiable data (personal and health information) with the CDO upon request and with data analytics bodies;55 and
- data that is subject to secrecy provisions where the CDO requests this data.56
Where an organisation receives a request for data or information about data from the CDO, the organisation must either provide the data or information or provide written reasons for refusing the CDO’s request, with a copy provided to the Secretary of the Department of Premier and Cabinet.57
The VDS Act includes protections around data sharing and use to uphold the privacy of individuals, and to ensure that data is shared safely. For instance, the VDS Act includes offences for unauthorised access, use or disclosure of information.58 There are also restrictions around only using identifiable data for data integration purposes, and taking reasonable steps to de-identify data before using it for data analytics work.59
The VDS Act works within existing privacy laws authorising sharing and using identifiable data. Further guidance on the VDS Act is available on the Victorian Government website.60
National Data Sharing Scheme
In 2016, the Productivity Commission reviewed government data availability and use in Australia to identify options for improvement.
The Productivity Commission found that the availability and use of identifiable data was limited by a wide range of secrecy provisions and policies, many of which were likely no longer fit for purpose.61 It found that many areas of Australia’s public sector were reluctant to share or release information due to factors such as a lack of trust in existing data access processes and protections as well as an entrenched culture of risk aversion.62 It also found that Australia’s data infrastructure needed comprehensive reform to facilitate active data sharing and release.63
In May 2018, following recommendations made by the Productivity Commission, the Australian Government committed to reforming data governance within government to better realise the value of public sector data. Legislative reform is one of the key government initiatives aimed at streamlining the sharing of public sector data for better service delivery. The Office of the National Data Commissioner was established in 2018 to promote improved data sharing and use within the public sector.
- The term ‘organisations’ refers to those listed in section 13 of the PDP Act.
- ‘Personal information’ is defined in section 3 of the PDP Act.
- Further information on Victoria’s Open Data platform is available at https://www.vic.gov.au/data-sharing-open-data.
- IPP 2.1 is set out in Schedule 1 of the PDP Act.
- Office of the Information and Privacy Commissioner of Alberta, Government Information Sharing: Is Data Going out of the Silos into the Mines? 2015, p.2.
- This refers to the security value of the information. For further guidance, see OVIC’s resource on Assessing the Security Value of Public Sector Information.
- ‘Sensitive information’ is defined in Schedule 1 of the PDP Act.
- Council of Europe, Explanatory Report to the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 28 January 1981 (ETS No.108), explanatory note to Article 6 (Special categories of data), para 43.
- See the IPP 10 chapter of the Guidelines to the Information Privacy Principles at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See the IPP 1 chapter of the Guidelines to the Information Privacy Principles at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- IPP 2.1(d)(i).
- IPP 2.1(b).
- See the IPP 2 chapter of the Guidelines to the Information Privacy Principles available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/
- For guidance on information that may be included in a written record, see the IPP 2 chapter of the Guidelines to the Information Privacy Principles available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- For a detailed discussion on the elements of consent see the ‘Key Concepts’ chapter of the Guidelines to the Information Privacy Principles available on at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- Providing ‘notice’ refers to a notice of collection, as required by IPP 1.3.
- The Charter of Human Rights and Responsibilities: A Guide for Victorian Public Sector Workers, June 2019, p 5.
- See section 38, Charter of Human Rights and Responsibilities Act 2006.
- Further guidance on collection notices is available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/
- See Jurecek v Director, Transport Safety Victoria  VSC 285, .
- See the IPP 3 chapter of the Guidelines to the Information Privacy Principles available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See the IPP 4 chapter of the Guidelines to the Information Privacy Principles available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See the IPP 9 chapter of the Guidelines to the Information Privacy Principles and in the Model Terms for Transborder Data Flows available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See IPP 9.1(a).
- See OVIC’s PIA template and guide available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- Detailed guidance on information security risk management is available in OVIC’s Practitioner Guide: Information Security Risk Management.
- Section 84 lists the organisations that must comply with Part 4 of the PDP Act.
- Detailed guidance and additional resources on the VPDSF and VPDSS are available on OVIC’s website.
- To see an example of what an ISA may look like, see the draft Data Sharing Agreement template designed by the Office of the National Data Commissioner available at https://www.datacommissioner.gov.au/resources/draft-data-sharing-agreement-template.
- Section 45(1) of the PDP Act.
- Section 47 of the PDP Act.
- See the guidance on Public Interest Determinations, Temporary Public Interest Determinations, Information Usage Arrangements and Certification available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- Further guidance on managing the privacy impacts of a data breach is available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- Further guidance on the Incident Notification Scheme is available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See IPP 1.5.
- For detailed guidance on the threshold that must be satisfied in IPP 2.1(d), see Chapter 2 of the Guidelines to the Information Privacy Principles available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- For detailed guidance on ‘reasonable expectation’, see Chapter 2 of the Guidelines to the Information Privacy Principles available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See section 15 of the PDP Act.
- Health information is defined in section 3 of the HR Act.
- Royal Commission into Family Violence, Summary and Recommendations, 2016, p.20.
- Royal Commission into Family Violence, Summary and Recommendations, 2016, p.46.
- ISEs are prescribed by the Family Violence Protection (Information Sharing) Regulations 2018.
- Confidential information is defined in section 144A of the FVP Act and includes personal and health information.
- Section 15A in the PDP Act contains the exemptions for ISEs.
- Confidential information is defined in section 5 of the Children Legislation Amendment (Information Sharing) Act 2018 and includes personal and health information.
- See section 1 of the Child Legislation Amendment (Information Sharing) Act 2018.
- Child Information Sharing Scheme Ministerial Guidelines: Guidance for Information Sharing Entities, September 2018, p.23.
- See section 15B of the PDP Act.
- See the Family Violence Information Sharing Scheme and Privacy guide and Child Information Sharing Scheme and Privacy guide available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- Confidential information is defined in s134V of the HS Act and includes personal and health information.
- See Information sharing for quality and safety purposes guide available at https://ovic.vic.gov.au/privacy/privacy-guidance-for-organisations/.
- See sections 1(b) and 5 of the VDS Act.
- See section 7(1) of the VDS Act.
- Data sharing body broadly refers to government departments and agencies (other than independent and oversight bodies) and is defined in section 3 of the VDS Act.
- Data analytics body broadly refers to government departments and is defined in section 3 of the VDS Act.
- See section 20 of the VDS Act.
- See sections 9 and 12 of the VDS Act.
- See sections 26 and 27 of the VDS Act.
- See sections 17 and 18 of the VDS Act.
- See Victorian Data Sharing Act 2017 – Guidance for Victorian Government departments and agencies at https://www.vic.gov.au/sites/default/files/2019-03/Victorian-Data-Sharing-Act-2017-web-guidance.pdf.
- Australian Government Productivity Commission, Data Availability and Use Inquiry Report, No.82, March 2017, p. 33.
- Australian Government Productivity Commission, Data Availability and Use Inquiry Report, No.82, March 2017, p. 34.
- Australian Government Productivity Commission, Data Availability and Use Inquiry Report, No.82, March 2017, p.35.