The Victorian community expects the public sector to act with integrity, accountability and transparency in all aspects of our roles in serving the Government and the people of Victoria. Core to our role is delivering on government policy objectives, having regard to prevailing circumstances and achieving value for money.
The purpose of this policy is to establish requirements for the way the Victorian Fisheries Authority (VFA) collects, stores, uses and discloses personal information in accordance with the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).
All VFA employees are responsible for the security of information under their control. They are expected to use good judgement that is consistent with the VFA's values to ensure its information is secured appropriately in the workplace.
The policy covers all VFA employees, Board members and Committee members.
For this policy, an "employee" is a person employed under the Public Administration Act or is a consultant or contractor (including agency on-hire employees) to the VFA.
3. POLICY STATEMENT
This policy supports the VFA’s need to collect, store and use personal information, and the right of the individual to privacy. It ensures that the VFA can collect personal information necessary for its services and functions, whilst recognising the right of individuals to have their information handled in ways they would reasonably expect and in accordance with the law.
Personal information is collected and used by the VFA to:
- plan, fund, implement, monitor, regulate and evaluate the VFA's services and functions
- fulfil statutory and other legal functions and duties
- comply with reporting requirements, and
- investigate incidents in and/or defend any legal claims against the VFA or its employees.
The VFA is subject to the Information Privacy Principles and Health Privacy Principles set out in the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) as minimum standards when dealing with personal information.
These principles regulate the way the VFA collects, stores, provides access to, uses, discloses and corrects personal information. Subject to certain exceptions, the VFA must not do, or refrain from doing, an act, or engage in a practice, that contravenes an Information Privacy Principle and/or Health Privacy Principle.
Means a natural person. Corporations and other types of “legal persons” do not have privacy rights under the Privacy and Data Protection Act 2014 (Vic).
Means recorded information or opinion, whether true or not, about a person whose identity is apparent, or can be reasonably inferred. It does mean information of a kind to which the Health Records Act 2001 (Vic) may apply.
Means information or opinion about a person’s race or ethnicity, political opinions, religious or philosophical beliefs, religious affiliations, sexual preferences or practices, criminal record or membership of trade, trade union, professional or political associations.
Transborder data flows
Means the transfer of data containing personal or sensitive information from an organisation in one state/country to another organisation in a different state/country.
Means a code consisting of alphabet characters and numbers (not a person’s name) which is applied to an individual and distinguishes them from other individuals, for example, a driver’s licence number.
Victorian privacy law
Means the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
The VFA must only collect personal information if that information is necessary for its functions or activities and:
- the VFA has gained consent from the individual, or
- collection of that information is necessary to prevent or lessen a serious or imminent threat to the well-being of an individual.
Where the personal information of an individual is collected, reasonable steps should be taken to ensure that the individual is aware of:
- the purposes for which the information is being collected
- the identity of the VFA and how to contact it
- the fact that the individual can gain access to the information
- to whom that information will be disclosed
- the legislation which requires that information to be collected, and
- the main consequences for the individual if all or part of the information is not provided to the VFA.
5.2 Use and Disclosure
The VFA will only use and disclose the information for the primary purpose for which it is collected, unless:
- use or disclosure is for a related secondary purpose and is reasonably expected
- the individual has provided consent
- use or disclosure is reasonably necessary to carry out a law enforcement function, or
- use or disclosure is required, permitted or authorised by law.
In limited circumstances, the VFA is required or authorised by law to release information to other government agencies and law enforcement bodies to lessen or prevent:
- a serious and imminent threat to an individual’s life, health, safety or welfare, or
- a serious threat to public health, public safety or public welfare.
5.3 Data Quality
The VFA values information as an important resource. Accordingly, the VFA should take reasonable steps to ensure that all personal information it collects, uses or discloses is accurate, complete and up to date.
Generally, the VFA relies upon individuals to provide accurate and complete information and to advise the VFA if the information collected has recently changed.
5.4 Data Security
The VFA is guided by the principle that all information is well governed and managed.
The VFA seeks to protect personal information from misuse, loss or unauthorised access, modification or disclosure.
The VFA will take reasonable steps to securely destroy or de-identify personal information when it is no longer needed in accordance with the Public Records Act 1973.
The VFA will maintain and make accessible clearly expressed policy on its management of personal information. On request by an individual, the VFA should take reasonable steps to let the person know:
- what sort of personal information it holds
- for what purposes such information has been collected, and
- how it collects, holds, uses and discloses that information.
5.6 Accessing and Correction
Individuals have the right to access and correct their personal information held by the VFA.
In most cases, requests for access will be administered in accordance with the access and correction provisions of the Information Privacy Principles, particularly requests that may affect the privacy of another individual or where the personal information relates to a commercial activity.
The VFA may deal with requests to access and correct information informally if the request is straightforward and only relates to the individual.
An individual may request formal access or correction to their personal information by contacting the VFA’s Freedom of Information Unit by mail:
Manager Corporate Operations (FOI Officer),
Victorian Fisheries Authority
Level 19, 1 Spring Street
Melbourne VIC 3000
or email: firstname.lastname@example.org
The VFA must provide written reasons for refusing access to, or correction of, private information.
5.7 Unique Identifiers
The VFA does not assign, use or disclose unique identifiers to individuals unless it is necessary to enable it to carry out its functions efficiently.
Where lawful and practicable, individuals have the option of not identifying themselves when entering into transactions with the VFA.
5.8 Transborder Data Flows
If an individual’s personal information travels outside Victoria, their privacy protection should travel with it.
The VFA should only transfer personal information about an individual to someone who is outside Victoria if:
- the individual consents to the transfer
- the VFA reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information which are substantially similar to the Information Privacy Principles
- the transfer is necessary for the performance of a contract between the individual and the VFA, or for the implementation of pre-contractual measures taken in response to the individual's request, or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the VFA and a third party.
5.9 Sensitive Information
The VFA must only collect sensitive information in limited circumstances. For example, the VFA may collect sensitive information if the individual has consented or if the collection is required by law.
Victorian Privacy Law stipulates certain situations where the VFA does not need to comply with or where an exception is permissible under the Information Privacy Principles.
Consultation is recommended to determine whether the particular facts require an approval, and if so, whose approval is required.
Should certain situations arise, exceptions to the privacy principles should be referred to the Chief Operating Officer (COO).
Where an individual believes that their personal information has been mishandled or misused by the VFA they may lodge a complaint with the VFA’s Manager Corporate Operations by emailing email@example.com / firstname.lastname@example.org
The VFA should be efficient and fair when investigating the complaint and aim to respond within approximately 30 days.
6. POLICY REQUIREMENTS
This policy provides information on:
- the circumstances under which the VFA collects, stores, uses and discloses personal information
- how the VFA manages collected information
- the circumstances allowing the VFA to disclose personal information to organisations and/or individuals outside of Victoria
- how an individual may access their personal information or seek the correction of such information, and
- how an individual may complain about a possible misuse of their personal information by the VFA, and how the VFA will handle their complaint.
7. BREACHES OF THE POLICY
Suspected breaches of this policy must be reported to the VFA Chief Operating Officer (COO) and will be investigated by the VFA as required.
VFA employees who are found to be in breach of this policy will be managed in accordance with relevant VFA and Victorian Public Services (VPS) policies, as well as any relevant legislation or regulations. If the user is a VPS employee, then a breach of this policy may lead to action under DEDJTR’s Managing Misconduct Policy (VFA policy to be developed), which may result in outcomes up to and including dismissal.
- The VPS Code of Conduct
- Public Administration Act 2004
- DEDJTR Managing Misconduct Policy