Privacy Policy for the Office of the Commissioner for Privacy and Data Protection

Collection Notice

When collecting personal or health information, the Commissioner for Privacy and Data Protection will take reasonable steps to advise you of what information is being sought, for what purpose, whether any law requires the collection of the information and the main consequences, if any, of not providing the information.

Information Collected

Personal information is information or an opinion that is recorded in any form, about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion, but not including health information. Health information is information that can be linked to an identifiable individual, including deceased individuals, which concerns that individual’s physical, mental or psychological health, disability or genetic make-up.

Broadly speaking, the Commissioner for Privacy and Data Protection collects personal and health information related to the statutory functions and administration of the Office.
The Office of the Commissioner for Privacy and Data Protection is a complaints handling body and is required to collect information related to alleged breaches of privacy by Victorian public sector organisations, local councils and contracted service providers. When receiving complaints, the Office may be provided with personal or health information contained in complaint forms, assessment reports, witness accounts and photographs.

Sometimes the Commissioner for Privacy and Data Protection invites submissions from the general public and collects contact details for the purpose of responding to submissions.
Contact details, usually work details, are also collected from individuals interested in being informed about and participating in the Privacy Victoria Network, programs and events. Similar details are also collected from individuals who wish to receive publications and those consulting on policy and legislative matters.

You can visit our website anonymously because the site does not collect or record personal information other than information you choose to provide by email or internet forms.

Use and Disclosure

Our staff is only provided with the information necessary for them to carry out the functions and activities of the Office. Staff members are required to handle all personal and health information with discretion and to comply with the secrecy provisions of the Privacy and Data Protection Act 2014.

Some de-identified personal information from enquiries and complaints is used in awareness programs, public statements and training, but never in a way that would compromise your privacy. De-identified information may be shared with other privacy regulators and for awareness and reporting functions.

Details of a complaint will be given to the organisation complained against, as required by the Privacy and Data Protection Act and in accordance with the principles of natural justice. For more information about the complaints process, see our Guide for Complainants.

In certain circumstances, and in accordance with law, documents related to a complaint may be referred to the Victorian Civil and Administrative Tribunal (VCAT) or to another appropriate complaints handling body such as the Health Services Commissioner or Ombudsman.

Some personal information related to the management of the Office might be disclosed to the Auditor-General where there is legitimate lawful reason. Written submissions on policy matters (but not complaints) may be disclosed in reports that are made public unless the submission has been accepted on a confidential basis.

Specific disclosures will be made with consent or otherwise in accordance with the use and disclosure standards of the Privacy and Data Protection Act and the Health Records Act.

Data Quality and Security

The Office of the Commissioner for Privacy and Data Protection takes reasonable steps to ensure the information it holds is accurate, complete and up-to-date. Where possible we will check the accuracy of personal or health information with you before we use it.

We use a number of procedural, physical, software and hardware safeguards, together with access controls, secure methods of communication and back-up and disaster recovery systems to protect information from misuse and loss, unauthorised access, modification and disclosure.

Generally, information is destroyed or permanently de-identified when it is no longer required. However, most information held by the Office is subject to the Public Records Act 1973 and is required to be disposed of under the relevant Retention & Disposal Authority.

Access and Correction

Requests for access to and/or correction of documents containing personal information held by the Office will be handled in accordance with the Freedom of Information Act 1982 and should be addressed to the FoI Officer, PO Box 24014, Melbourne 3000.

Unique Identifiers

We do not assign or adopt from another organisation unique identifiers for an individual. Each complaint or enquiry is given a number, but not each individual.

Unique identifiers created by another organisation will not be requested unless required by law. Nor will we use or disclose a unique identifier unless there is a lawful basis for doing so.

Anonymity

When seeking general information from us, you do not have to identify yourself. If you wish to make an enquiry, no personal information will be collected or recorded unless we need it to get back to you with an answer. However, if you wish to make a complaint under the Privacy and Data Protection Act, identification is necessary.

Transfer of Information Outside Victoria

Generally, we will not send your personal or health information outside Victoria without obtaining your consent. In some cases this consent may be implied, for example if you ask us to transfer a complaint to the
Office of the Australian Information Commissioner.

Sensitive Information

Generally, we will only collect sensitive information with your consent or where required by law.

Complaints Against the Commissioner for Privacy and Data Protection

If you wish to make a complaint against us for a breach of privacy under the Privacy and Data Protection Act, you should complain in writing to the Commissioner for Privacy and Data Protection. Following an initial assessment, such complaints will immediately be forwarded to an external, independent conciliator, who will attempt to resolve the complaint. If conciliation is inappropriate or unsuccessful, the Commissioner can be required to refer the matter to the Victorian Civil and Administrative Tribunal (VCAT).

If you wish to make a complaint against us for a breach of privacy in relation to health information, you should contact the Office of the Health Services Commissioner.