The Privacy and Data Protection Act 2014 and the Health Records Act 2001 regulate the information handling of personal and health information. It includes standards for information collection, storage, access, transmission, disclosure, use and disposal.

The Complaints, Integrity and Privacy Unit (CIPu) supports department and funded agency compliance with information privacy legislation. CIPu provides advice, training and tools to support privacy compliance and promote best practice within the department and public agencies. CIPu are also responsible for coordinating the department's response to privacy complaints.

Privacy policy

1. The Department of Health and Human Services is committed to protecting the privacy of personal information which we and our funded service partners handle. Personal information is information which directly or indirectly identifies a person.
2. We collect and handle a range of personal information for the purposes of providing services or to carry out our statutory functions. We also collect some personal information for planning, funding, monitoring and evaluating our services and functions, but where practicable we remove identifying details from information used for these purposes.
3. In accordance with our responsibilities, the services and functions which we and our service partners provide relate primarily to the areas of health, community support and the protection of public health and safety. They include in particular primary and community health, public hospitals, mental health, disability, family support, child protection, youth justice, housing, homelessness support, and public health. We are committed to providing coordinated care to our clients.
4. We recognise that the nature of these services means that much of the information we handle is particularly sensitive.
5. We recognise that privacy principles protect personal information both as a matter of individual right, and to support the public interest in ensuring government can collect information necessary for its services.
6. We recognise the essential right of individuals to have their information handled in ways which they would reasonably expect protected on the one hand, and made accessible to them on the other.
7. These privacy values are reflected in and supported by our corporate values: collaborative relationships, professional integrity and respect, quality, responsibility and client focus.
8. We are bound by the Victorian privacy laws, the Privacy and Data Protection Act 2014 and the Health Records Act 2001, as well as other laws which impose specific obligations in regard to handling information.
9. We have adopted the respective Privacy Principles contained in the Victorian privacy laws as minimum standards in relation to handling personal information. 

In broad terms this means that we:

• Collect only information which we need for a specified primary purpose
• Ensure that the person knows why we collect it and how we will handle it
• Use and disclose it only for the primary or a directly related purpose, or for another purpose with the persons consent (unless otherwise authorised by law)
• Store it securely, protecting it from unauthorised access
• Retain it for the period authorised by the Public Records Act 1973
• Provide the person with access to their own information, and the right to seek its correction.

For information in our possession, this right is available through the Freedom of Information Act 1982. See Freedom of Information on the Health.vic website for more.

For information in the possession of our service partners, this right is available through privacy legislation.

This policy is complemented by high-level departmental guidelines intended to assist the department and its funded service partners to put the policy and law into practice.

Privacy principles

Key privacy principles in summary

Health Privacy Principles (HPP)

1. Collection - Only collect health information if necessary for the performance of a function or activity and with consent (or if it falls within HPP 1). Notify individuals about what you do with the information and that they can gain access to it.
2. Use and disclosure - Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect. Otherwise, you generally need consent.
3. Data quality - Take reasonable steps to ensure health information you hold is accurate, complete, up-to-date and relevant to the functions you perform.
4. Data security and retention - Safeguard the health information you hold against misuse, loss, unauthorised access and modification. Only destroy or delete health information in accordance with HPP 4.
5. Openness - Document clearly expressed policies on your management of health information and make this statement available to anyone who asks for it.
6. Access and correction - Individuals have a right to seek access to health information held about them in the private sector, and to correct it if it is inaccurate, incomplete, misleading or not up-to-date.*
7. Identifiers - Only assign a number to identify a person if the assignment is reasonably necessary to carry out your functions efficiently.
8. Anonymity - Give individuals the option of not identifying themselves when entering transactions with organisations where this is lawful and practicable.
9. Transborder data flows - Only transfer health information outside Victoria if the organisation receiving it is subject to laws substantially similar to the HPPs.
10. Transfer/closure of practice of health service provider - If you're a health service provider, and your business or practice is being sold, transferred or closed down, without you continuing to provide services, you must give notice of the transfer or closure to past service users.
11. Making information available to another health service provider - If you're a health service provider, you must make health information relating to an individual available to another health service provider if requested by the individual. 

Information Privacy Principles (IPP)

Collection - Collect only personal information that is necessary for performance of functions. Advise individuals that they can gain access to personal information.

Use and disclosure - Use and disclose personal information only for the primary purpose for which it was collected or a secondary purpose the person would reasonably expect. Use for secondary purposes should have the consent of the person.

Data quality - Make sure personal information is accurate, complete and up-to-date.

Data security - Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.

Openness - Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.

Access and correction - Individuals have a right to seek access to their personal information and make corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.

Unique identifiers - A unique identifier is usually a number assigned to an individual in order to identify the person for the purposes of the organisations operations. Tax File Numbers and Drivers Licence Numbers are examples. Unique identifiers can facilitate data matching. Data matching can diminish privacy. IPP 7 limits the adoption and sharing of unique numbers.

Anonymity - Give individuals the option of not identifying themselves when entering transactions with organisations if that would be lawful and feasible.

Transborder data flows - Basically, if your personal information travels, your privacy protection should travel with it. Transfer of personal information outside Victoria is restricted. Personal information may be transferred only if the recipient protects privacy under standards similar to Victorias IPPs.

Sensitive information - The law restricts collection of sensitive information like an Individuals racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.

Website privacy statement

See the Website privacy statement for information about how any personal information about you will be treated as you access and interact with this website.

Relevant legislation

The Victorian Legislation website provides free access to all relevant Acts and Regulations.

Search for the following:

• Freedom of Information Act 1982
• Ombudsman Act 1973
• Privacy and Data Protection Act 2014
• Health Records Act 2001
• Whistleblowers Protection Act 2001
• Whistleblowers Protection Regulations 2001
• Financial Management Act 1994
• Charter of Human Rights and Responsibilities Act 2006
• Disability Act 2006.