Family Violence Information Sharing Scheme and Privacy

INTRODUCTION

The Family Violence Information Sharing Scheme (the Scheme) operates under Part 5A of the Family Violence Protection Act 2008 (FVP Act). The Scheme allows organisation and services prescribed by regulation as information sharing entities (ISEs) (key organisations and services) to share information related to assessing or managing family violence risk.

The Scheme forms part of the legislative response to the recommendations of the Royal Commission into Family Violence. The Scheme is designed to minimise the legislative barriers that had previously prevented the timely and effective sharing of information in cases of family violence.

To facilitate the Scheme, the Information Privacy Principles (IPP) contained in the Privacy and Data Protection Act 2014 (PDP Act), and the Health Privacy Principles (HPP) contained in the Health Records Act 2001 (HR Act) have modified application.

This resource provides guidance for practitioners¹ who have a role in in assessing and managing family violence risk, and is designed to provide an overview of how the PDP Act and HR Act operate in the context of the Scheme.

The Scheme has been designed to operate within existing privacy obligations under the PDP Act and the HR Act.

Victorian public sector organisations, including contracted service providers of Victorian government and local councils, have ongoing obligations to protect personal information under the PDP Act.² Where these organisations collect, hold, use or disclose personal information, they must adhere to the 10 IPPs.

Victorian public sector organisations and private organisations holding health information have obligations to protect that information under the HR Act.³ The HR Act contains 11 HPPs that set out obligations for the handling of health information throughout its lifecycle.

For further information on any of the topics covered in this document please refer to the Ministerial Family Violence Information Sharing Guidelines (the Guidelines) published by Family Safety Victoria. The Guidelines are issued by the responsible Minister and are legally binding, applying to all ISEs

PRIVACY OBLIGATIONS UNDER THE SCHEME

How does the Scheme operate?

Part 5A of the FVP Act relates specifically to information sharing and includes provisions that require and permit the collection, use or disclosure of confidential information (including personal information and health information) for family violence assessment or protection (risk management) purposes. These purposes are defined in the FVP Act and discussed later in this resource. The information may relate to victim survivors, perpetrators or alleged perpetrators, and third parties⁴ (such as previous partners, friends or neighbours of either a victim survivor, perpetrator or alleged perpetrator).

As an initial point of reference, if information could already be shared under existing arrangements or laws, including privacy laws, then entities prescribed under the Scheme may continue to share under these laws and the provisions of Part 5A do not need to be met before sharing the information. For example, a law enforcement agency with the authority to share personal information under section 15 of the PDP Act can continue to share that information for relevant purposes without needing to rely on Part 5A of the FVP Act.

Do the Information Privacy Principles and Health Privacy Principles apply under the Scheme?

Yes. The Scheme only provides limited exceptions or modifications from the IPPs and HPPs. Practitioners should always have regard to their existing obligations under their enabling legislation and the PDP Act and HR Act when sharing information under the Scheme and beyond a family violence context.

How does the Scheme modify the application of the Information Privacy Principles and Health Privacy Principles?

The PDP Act and the HR Act contain exceptions and modifications to the existing IPPs and HPPs, when sharing information under the Scheme.

• ISEs and the Central Information Point (CIP)⁵ are exempt from complying with IPPs 1.4 and 1.5⁶ when collecting information about perpetrators (including alleged perpetrators), and concurrently from HPPs 1.3 and 1.5.⁷ The purpose of these exceptions is to ensure that ISEs are not required to collect personal information directly from a perpetrator or alleged perpetrator, nor provide notice of collection where information about a perpetrator or alleged perpetrator has been collected from a third party. These changes recognise that it may not always be safe, reasonable or appropriate for practitioners to collect information directly from a perpetrator or alleged perpetrator, and that there may be safety risks involved with notifying these individuals that their information has been collected from another source.
• The CIP is expressly exempt from IPP 6 and HPP 6,⁸ meaning that the CIP is not required to provide access to or correct personal information and health information about an individual that the CIP has collected for the purposes of Part 5A of the FVP Act. The CIP is designed to act as a conduit for information held by other ISEs, who are better placed to determine whether a request for access or correction could pose a risk of harm to victim survivors.
• An ISE may refuse access to information under IPP 6 or HPP 6 where a family violence risk has been established, if the individual making the request is a perpetrator or alleged perpetrator.⁹ This change provides ISEs with a greater ability to ensure that victim survivors are not unduly exposed to increased risk by way of perpetrators accessing information about them.¹⁰

In addition to the above exceptions from the IPPs under the Scheme, the Victorian Data Sharing Act 2017 makes an amendment to IPP 10.1(b), which allows entities to collect sensitive information where either authorised or required by law. In the context of family violence information sharing, this means that ISEs are not required to obtain consent from a perpetrator or alleged perpetrator before collecting sensitive information about them (such as criminal record information). ISEs are also not required to gain consent from any person before collecting sensitive information about them in relation to a child victim survivor.

What about ISEs that are bound by the Commonwealth Privacy Act 1988?

If an ISE has obligations under the Commonwealth Privacy Act 1988, they must continue to comply with the Australian Privacy Principles (APPs) when sharing information under Part 5A. Practitioners should refer to the Guidelines for more detail on sharing information in accordance with the APPs under the Scheme.

How does the Scheme apply to information sharing entities that do not already have privacy obligations?

ISEs not already bound by the information privacy provisions of the PDP Act or the Commonwealth Privacy Act 1988 are required to handle personal information and unique identifiers in accordance with Part 3 of the PDP Act, including adherence to the IPPs. ISEs subject to the Commonwealth Privacy Act 1988 will continue to be bound only by that Act.¹¹

This ensures that appropriate privacy protections are applied consistently under the Scheme and that all ISEs are subject to the complaints provisions of either the PDP Act or the Commonwealth Privacy Act 1988 (where applicable) in relation to alleged interferences with privacy. Victorian entities holding health information continue to be bound by the HR Act.

As part of these privacy obligations, ISEs need to comply with IPP 4, requiring them to take reasonable steps to protect the information (including personal information) they access or hold.

Reasonable steps include undertaking the following activities across the information lifecycle:

• identifying and understanding information types;
• assessing and determining the value of the information;
• identifying the security risks to the information;
• applying security measures to protect the information; and
• managing the information risks.

More information on these requirements is available on OVIC’s website.

How does the Scheme modify the application of the Information Privacy Principles and Health Privacy Principles in relation to Support and Safety Hubs?

Notice of collection

Support and Safety Hubs, known as ‘The Orange Door,’ help women, children and young people experiencing family violence and families who need support with the wellbeing and development of their children. The Support and Safety Hubs also deliver perpetrator services, aimed at challenging and changing perpetrators’ behaviour.

Support and Safety Hubs are not required to comply with IPPs 1.3, 1.4 and 1.5 and concurrently HPPs 1.3, 1.4 and 1.5 when collecting personal or health information (respectively) for the purposes of Part 5B of the FVP Act (relating to information sharing by Support and Safety Hubs).¹² In practice, this means that Support and Safety Hubs will not be required to provide notice of collection to an individual when collecting their personal or health information, either directly from them or from a third party.

Access to information

Support and Safety Hubs may refuse access to confidential information under IPP 6 or HPP 6 where the Support and Safety Hub believes on reasonable grounds that granting an individual access to the information would increase a risk to the safety of a child or group of children, or if the information is confidential information about a perpetrator or alleged perpetrator and giving the individual access to the information would increase the risk to a victim survivor’s safety from family violence.¹³

INFORMATION SHARING UNDER THE SCHEME

What if an entity is not a prescribed ISE but wishes to share information about family violence risk?

In some cases, a Victorian public sector organisation that is not a prescribed ISE under the Scheme may wish to share family violence information that they hold with another entity, whether that entity is a prescribed ISE or not. Similarly, an ISE may wish to share family violence information with an entity that is not a prescribed ISE under the Scheme. If an organisation is not a prescribed ISE, this does not necessarily mean that they cannot share or receive family violence information.

In these cases, practitioners can rely on provisions that require or permit information sharing in their own enabling legislation, or the authorisations under IPP 2.1 and HPP 2.2 to share the relevant information. Recipients of the information should also ensure that they have the legal authority to collect it, either under their own enabling legislation, the PDP Act or the HR Act.

Who can share information under the Scheme?

There are a number of entities prescribed as ISEs. Practitioners should refer to the list of prescribed ISEs in the relevant regulations.

ISEs that are prescribed under the regulations as risk assessment entities (RAEs) can request and disclose information for a family violence risk assessment purpose, that is, to establish and assess a risk of family violence. All ISEs are permitted to share information with RAEs for a family violence assessment purpose.¹⁴

RAEs are a subset of ISEs, prescribed based on their functions. Examples of ISEs that are prescribed as RAEs include specialist family violence services, Victoria Police, and services forming part of The Orange Door (the Support and Safety Hubs).

All ISEs under the Scheme will be able to share information for a family violence protection purpose, that is, to manage a risk of family violence. Examples of key entities that can share information for a protection purpose include Magistrates’ Court officials, Children’s Court officials, Corrections Victoria and the Adult Parole Board.

It is important to note that courts and tribunals prescribed as ISEs are exempt from Part 5A in relation to their judicial or quasi-judicial functions.

What types of information can be shared?

ISEs can share ‘confidential information’ under Part 5A of the FVP Act. Confidential information is an umbrella term that includes:

• health information and identifiers for the purposes of the HR Act
• personal information for the purposes of the PDP Act, including sensitive information (such as a criminal record), and unique identifiers.

However, section 144C of the FVP Act sets out types of information deemed to be ‘excluded information’ under the Scheme, which cannot be shared. Examples of when information will be deemed excluded information include if the collection, use or disclosure of the information could be reasonably expected to:

• endanger a person’s life or result in physical injury
• contravene a court order or legal professional privilege, or
• be contrary to the public interest, amongst others.¹⁵

In determining whether information is excluded information under the Scheme, practitioners should refer to the list of excluded information in the Guidelines, or seek independent legal advice where necessary.

How can practitioners determine quickly when to share information?

Some tips to assist practitioners to determine if and when they can share information include:

• verify the identity of the ISE before sharing – this can be done by confirming that the requesting ISE has been prescribed under the Regulations¹⁶
• consider whether the information is relevant to assessing or managing a family violence risk¹⁷
• consider whether the information is excluded information¹⁸
• ensure that the relevant consent thresholds have been met¹⁹
• refer to any obligations under enabling legislation and privacy laws to ensure that any sharing of information under the Scheme is done in accordance with the relevant privacy requirements
• check that the information does not contravene other laws²⁰
• seek to align existing internal information management policies and practices with the Scheme to facilitate quick decision making.²¹

For further guidance practitioners should refer to the Guidelines and resources available on Family Safety Victoria’s website.

How can practitioners share information under the Scheme?

Family violence risk assessment purpose

A RAE can request information about a victim survivor, a perpetrator or alleged perpetrator, and a third party from an ISE for a family violence assessment purpose. The primary focus when sharing information for a family violence assessment purpose is establishing whether a risk of family violence is present, assessing the level of risk the alleged perpetrator or perpetrator poses to the victim survivor, and correctly identifying the parties as perpetrator or victim survivor.²²

ISEs must disclose confidential information to a RAE that has requested the information about an individual for a family violence assessment purpose.²³ This means that ISEs will be required to share information, provided that:

• the information is not excluded information
• the disclosure does not contravene another law
• the relevant consent provisions have been adhered to²⁴
• the ISE is not acting in their judicial or quasi-judicial function.

Family violence protection purpose

An ISE may request and share confidential information with another ISE for a family violence protection purpose. Under the Scheme, ‘family violence protection purpose’ means managing the risk of the perpetrator committing family violence, or the risk of the victim survivor being subjected to family violence.²⁵ An ISE that receives a request must share relevant information provided the ISE reasonably believes that the disclosure is necessary for a protection purpose and:

• the information is not excluded information
• the disclosure does not contravene another law
• the relevant consent provisions have been adhered to
• the ISE is not acting in in their judicial or quasi-judicial function.

Sharing information about alleged perpetrators is not permitted for a protection purpose.²⁶ This is because the family violence risk should already be established and the identity of the perpetrator known. When sharing information about a perpetrator for a protection purpose, an ISE will need to have established who the perpetrator is and clearly distinguish them from the victim survivor. In determining the identity of a perpetrator, ISEs should refer to the Guidelines.

Can ISEs voluntarily share information with other ISEs or victim survivors?

Yes. The Scheme encourages the proactive sharing of information between ISEs. An ISE may voluntarily disclose confidential information to a RAE for a risk assessment purpose²⁷ and may voluntarily disclose confidential information to another ISE for a protection purpose.²⁸ Any information shared must not be excluded information and disclosures must be permitted under the consent provisions in Division 5, Part 5A of the FVP Act.

An ISE may also voluntarily disclose confidential information about a perpetrator to a victim survivor (including a child victim survivor or parent of a child victim survivor, so long as the parent of the child is not a perpetrator), to allow the victim survivor to manage the risk of the person of concern committing family violence.²⁹ However, a victim survivor may only use this information to manage the risk of family violence.

Additionally, ISEs may proactively disclose confidential information to the CIP in a number of circumstances. For further information on the CIP, see Family Safety Victoria’s website.

IMPORTANT CONSIDERATIONS WHEN SHARING INFORMATION

Does the Scheme require a person’s consent before sharing information about them?

Not in every case. Practitioners should refer to the Guidelines to help determine whether there is a need to seek consent before sharing information. As an overview:

• Consent is not required for ISEs to share information about a perpetrator or alleged perpetrator.³⁰
• When sharing information about a victim survivor who is an adult, an ISE should seek the consent of the adult before sharing information.³¹However, consent is not required if the ISE reasonably believes that the collection, use or disclosure of the confidential information is necessary to lessen or prevent a serious threat to life, health, safety or welfare.
• An ISE should seek the consent of a third party before sharing confidential information about them.³² However, this can be done without consent where an ISE reasonably believes that the disclosure of information is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare.
• ISEs may share information without the consent of any person where the victim survivor is a child, and the information is relevant to assessing or managing the risk of family violence posed to the child victim survivor. In this instance, the sharing of information must be necessary for a family violence risk assessment or protection purpose concerning a child victim survivor. An ISE must comply with the Guidelines when sharing confidential information about a child, and practitioners should have regard for the agency of the child and other family members at risk of family violence before sharing information, by ensuring their views are sought and taken into account.³³

It is important to note that under the relevant regulations, ISEs are required to keep a record of disclosures of confidential information under the Scheme, including a record of whether or not consent was gained from a victim survivor who is an adult or a third party, before sharing confidential information about them. ISEs are also required to keep a record of whether the views of a child victim survivor or their parent were taken into account before sharing information under the Scheme. Practitioners should refer to the Guidelines for further information on recordkeeping.

How does the Scheme deal with unauthorised sharing of confidential information?

In order to protect confidential information, the Scheme includes offences for unauthorised, or intentional or reckless sharing of confidential information.³⁴ Unauthorised sharing of information carries a fine of 60 penalty units for individuals (300 for a body corporate), and intentional or reckless sharing of information carries a fine of 600 penalty units and/or up to 5 years imprisonment for individuals (and 3000 penalty units for a body corporate).

Practitioners will be protected from these offences under the Scheme if they acted in good faith and with reasonable care in sharing the confidential information. This protection applies only to individuals and not to organisations. A practitioner who acts in good faith and with reasonable care when sharing information will also not be held to have breached any code of professional ethics or to have departed from accepted standards of professional conduct.³⁵

A practitioner will not have committed an offence merely for sharing information in a way that is not compliant with the Guidelines. However, non-compliance with the Guidelines may be taken into account where a privacy complaint is made to OVIC or to the HCC.

The enforcement provisions in Division 9 of Part 3 of the PDP Act apply to organisations. Where a privacy complaint raises a serious or flagrant breach of privacy by an ISE, OVIC may issue a compliance notice to that ISE under section 78 of the PDP Act. It is an offence for an organisation not to comply with a compliance notice, carrying a fine of 600 penalty units for an individual or 3000 penalty units for a body corporate.³⁶

The HCC may also serve a compliance notice on organisations for serious or flagrant contraventions of the HR Act under section 66 of the HR Act. It is an offence not to comply with a compliance notice, carrying a fine of 3000 penalty units for a body corporate or 600 penalty units in any other case.³⁷

What can an individual do if they believe their information has been shared inappropriately?

If an individual believes that their personal information or health information has been mishandled under the Scheme, they can make a privacy complaint to OVIC or the HCC.

OVIC can deal with complaints concerning a breach of one or more of the IPPs under the PDP Act. Individuals can complain to the HCC where they suspect a breach involving their health information. Complaints should be directed to the relevant information sharing entity in the first instance before a formal, written complaint is lodged with either OVIC or the HCC.

OVIC and the HCC can only deal with complaints about an entity that falls within the scope of the PDP Act or the HR Act, respectively. If a person has a privacy complaint regarding the handling of their personal information or health information by an entity covered by the Privacy Act 1988, the complaint should be directed to the Office of the Australian Information Commissioner.

KEY TERMS

An alleged perpetrator is a person who is alleged to pose a risk of committing family violence.

The Central Information Point (CIP) is a secure, state-wide service that will collate information relevant to family violence risk assessment and risk management.

Confidential information includes health information and identifiers for the purposes of the HR Act and personal information for the purposes of the PDP Act, including sensitive information, identifiers and unique identifiers, under section 144A of the FVP Act.

Family violence assessment purpose is defined under section 144A of the FVP Act to mean the purpose of establishing or assessing the risk of a person committing family violence or a person being subjected to family violence.

Family violence protection purpose is defined under section 144A of the FVP Act to mean the purpose of managing a risk of a person committing family violence (including the ongoing assessment of the risk of the person committing family violence) or a person being subjected to family violence (including the ongoing assessment of the risk of the person being subjected to family violence).

Information sharing entity (ISE) is defined under section 144D of the FVP Act to be a person or body prescribed, or a class of person or body prescribed, to be an information sharing entity.

Perpetrator is defined as a person of concern under section 144B of the FVP Act if an information sharing entity reasonably believes that there is a risk that the person may commit family violence.

A risk assessment entity (RAE) is an information sharing entity prescribed to be a risk assessment entity. Risk assessment entities can request and receive voluntary disclosures from ISEs for a family violence assessment purpose.

Share, for the purposes of this document and the Guidelines, means the collection use and disclosure of information.

Support and Safety Hubs, known as ‘The Orange Door’, help women, children and young people experiencing family violence and families who need support with the wellbeing and development of their children. Support and Safety Hubs also provide services aimed at perpetrators, to challenge and change their behaviour.

Third party (defined as a linked person under section 144A of the FVP Act) is any person whose confidential information is relevant to a family violence assessment purpose or family violence protection purpose other than a person who is a victim survivor, or a perpetrator or alleged perpetrator.

Victim survivor is defined in section 144E of the FVP Act as a person that an information sharing entity reasonably believes as at risk of being subjected to family violence. Victim survivors are referred to as primary persons (adult or child) under the Amending Act.

1. The term ‘practitioner’ is used throughout this resource to refer to workers who have a role in assessing and responding to the wellbeing and safety needs of children.
2. ‘Personal information’ is defined in section 3 of the PDP Act.
3. ‘Health information’ is defined in section 3 of the HR Act.
4. ‘Perpetrator’ is defined as ‘person of concern’ in section 144B of the FVP Act. Third parties are defined as ‘linked persons’ under section 144A of the FVP Act. ‘Victim survivor’ is the terminology adopted by the Royal Commission into Family Violence and the Guidelines to describe a ‘primary person’, which is defined in section 144E of the FVP Act as a person that an information sharing entity reasonably believes as at risk of being subjected to family violence.
5. The CIP is a secure, state-wide service that will collate information relevant for family violence risk assessment and risk management purposes, operated by Family Safety Victoria. For more information on the CIP, please visit Family Safety Victoria’s website.
6. Under section 15A of the PDP Act.
7. Under section 14B of the HR Act.
8. Under section 15A of the PDP Act and s 14B of the HR Act, respectively.
9. Under section 144QA of the FVP Act.
10. Where it is safe to do so, an ISE may grant a request for access or correction under IPP 6 from a perpetrator (for example, where a person has been incorrectly identified as a perpetrator of family violence and wishes to correct any records accordingly). Where a perpetrator has been incorrectly identified and does not present a risk of committing family violence, their rights of access and correction will be the same as for any other person under the Scheme. See the Guidelines for more information.
11. See, section 144QB of the FVP Act and the Guidelines.
12. Under section 15A(1A) of the PDP Act and section 14B(2A) of the HR Act, respectively. More information about Support and Safety Hubs can be found on Family Safety Victoria’s website.
13. Under sections 144SG(1) and (2) of the FVP Act.
14. See the Guidelines.
15. See section 144C of the FVP Act and the Guidelines for a full list of the types of information deemed ‘excluded information’.
16. See the Guidelines.
17. See the Guidelines.
18. See the Guidelines.
19. Practitioners should refer to the Guidelines for more information regarding consent provisions.
20. See the Guidelines.
21. See the Guidelines for an overview of Part 5A. Other matters practitioners should have regard to include; available staff training and the Family Violence Risk Assessment and Risk Management Framework.
22. See the Guidelines. The Guidelines also provide checklists for practitioners, that provide guidance on considerations that ISEs must take into account when making or responding to a request for information under the Scheme.
23. See Division 2 of Part 5A of the FVP Act.
24. Under Division 5 of Part 5A of the FVP Act.
25. See the Guidelines.
26. See the Guidelines.
27. See section 144KA of the FVP Act.
28. See section 144LA of the FVP Act.
29. See section 144M of the FVP Act.
30. Under section 144N of the FVP Act.
31. The five elements of consent for the purposes of the Scheme are contained in the Guidelines.
32. See section 144NB of the FVP Act.
33. Under section 144J(3)(a) of the FVP Act.
34. See Division 9 of Part 5A of the FVP Act.
35. See the Guidelines.
36. Under section 82 of the PDP Act.
37. Under section 71 of the HR Act.