Privacy Manual :Deleted

From Privacy Manual

(Difference between revisions)
(Examples of Privacy Statements)
m (Privacy Manual :Community Portal moved to Privacy Manual :Deleted)
 
(8 intermediate revisions not shown)
Line 1: Line 1:
-
SECTION 1 Introduction to Manual
 
-
=Section 1=
 
-
=Structure of privacy within the Department=
 
-
 
-
The Departments privacy reporting structure sees informal and formal reporting between business units Privacy Coordinators and the Senior Privacy Advisor located within Executive Services. The Senior Privacy Advisor reports to the Manager of FOI & Privacy Coordination who reports to the Director Executive Services who in turn reports to the Executive Director, Corporate Services and subsequently to the Secretary. This reporting structure is reflected in the Diagram below.
 
-
 
-
Each business unit assigns an individual responsible for privacy issues. This person is required to act as a liaison between the business unit and the Senior Privacy Advisor on privacy matters.
 
-
 
-
This structure ensures that accountability for privacy remains with business units who manage individuals' personal and health informationon a day to day basis. This also ensures privacy issues are considered throughout the Department reflecting the fact that personal and health information flows everywhere within our organisation.
 
-
 
-
Privacy Coordinators located throughout the Department are able to alert the Senior Privacy Advisor and managers to emerging privacy issues, and call on additional resources to prevent small issues from becoming major issues.
 
-
 
-
The Privacy Coordinator is responsible for:
 
-
 
-
• Organising and delivering privacy training to staff within their business unit;
 
-
 
-
• Responding to privacy questions from both staff and the public;
 
-
 
-
• Responding to complaints and coordinating the Business Unit's response in the event of a complaint to the Privacy Commissioner;
 
-
 
-
• Identifying privacy issues in the Business Unit and raising these regularly with Business Unit Managers and staff;
 
-
 
-
• Attending Privacy Co-ordinator meetings and training;
 
-
 
-
• Maintaining and updating their knowledge of privacy issues, developments and guidelines relevant to your Business Unit;
 
-
 
-
• Participating in the privacy impact assessment process, privacy compliance audits and reviews as required;
 
-
 
-
• Maintaining a professional relationship with Executive Services including the return of quarterly monthly statistics by the due date;
 
-
 
-
• Forwarding requests for access to personal information to the Freedom of Information Group, Executive Services; and
 
-
 
-
• Performing the role of Privacy Co-ordinator in a way that is consistent with the Departments’s guidelines and policies in relation to privacy which can be found on J-NET>Our Business>Knowledge Management>Information Privacy
 
-
 
-
 
-
----
 
-
 
-
=What a Privacy Coordinator does in performing these responsibilities:=
 
-
 
-
• Categorise information in your business unit. Information will either be personal, health, or sensitive. Refer to section 3 (Definitions) contained in the IPA and HRA.
 
-
 
-
• Be familiar with the 10 IPPs and 11 HPPs. Refer to the FAQs Privacy Legislation: Information Privacy Principles available from J-NET>Our Business>Knowledge Management>Information Privacy>FAQs
 
-
 
-
• Understand your business unit's regular disclosures to external agencies. Make sure any information released complies with IPP2/HPP2. Always ensure staff make a written record of disclosures to law enforcement agencies. See section 2 of this manual for standard wording.
 
-
 
-
• Ensure all forms in use have a  privacy collection statement. A collection statement generator has been developed and included in section 2 of this manual.
 
-
 
-
• Examine your security arrangements. Make sure you have storage, transfer and disposal systems for paper and electronic records. Folders on shared drives should have appropriate access controls. For example your business unit's human resource records should not be accessible to all.
 
-
 
-
• Display privacy posters and materials. The Department and the Privacy and Health Services Commissioners have various privacy promotional materials available.
 
-
 
-
• Follow procedures for complaint handling. Refer to the Guideline for Complaint handling and the Protocol for handling Commissioner correspondence in section 4 of this manual.
 
-
 
-
• Review and evaluate privacy compliance. Periodically check whether staff  are complying with privacy policies. Understand that when there is a complaint or incident there may need to be changes to policies or procedures.
 
-
 
-
• Complete the prescribed reporting form J-NET>Our Business>Knowledge Management>Information Privacy> Forms , every quarter, which captures the level of privacy activity across the Department. The forms are to be returned to the Senior Privacy Advisor by emailing ________
 
-
 
-
----
 
-
 
-
= Section 2=
 
-
=Meeting Compliance Obligations &Pursuing Best Practice=
 
-
 
-
The IPPs and the HPPs are the key to complying with the IPA and HRA. There are 10 IPPs and 11 HPPs. As a Coordinator you are expected to be familiar with all privacy principles.
 
-
 
-
The IPPs are interconnected and guide the handling of personal information. For example, collection (IPPs 1 and 10) may involve consideration of whether anonymity is an option (IPP8) or whether a unique identifier is necessary (IPP7).
 
-
 
-
To simplify the discussion of the privacy principles it is possible to categorise them into distinct actions. These actions cover the life cycle of information from its initial collection, use, disclosure and management through to its access, correction and destruction.
 
-
 
-
It is therefore helpful to think of the IPPs in these four broad categories:
 
-
 
-
4 Broad Categories of IPPs
 
-
 
-
1. Collection (IPPs 8, 1, and 10);
 
-
 
-
2. Use and Disclosure (IPPs 2 and 9);
 
-
 
-
3. Management of personal information (IPPs 3, 4, 5, and 7); and
 
-
 
-
4. Access and Correction (IPP 6 and FOI Act)
 
-
 
-
The four broad categories will assist your staff to remember key concepts in relation to privacy. The Privacy Commissioner also uses this grouping when training.We will therefore use these four broad categories to organise the information in this section of the manual.
 
-
 
-
=1. Collection Practices=
 
-
 
-
Action box
 
-
It is expected that business unit Privacy Coordinators will bring to the attention of the Department’s Senior Privacy Advisor any forms in use that do not have a collection statement.  The Senior Privacy Advisor, in consultation with business unit Privacy Coordinators, will assist in drafting collection statements.
 
-
 
-
Everyone who has direct contact with members of the public may have some role in collecting personal and health information. Those not involved in external service provision, such as human records personnel, may also collect personal and health information from members of staff.
 
-
 
-
When a person collects personal and health information an organisation must take reasonable steps to make the person aware of the reasons for collection and the agencies we usually may share this information with.
 
-
Specifically you must advise an individual of:
 
-
 
-
==How to provide the information:==
 
-
The Act does not prescribe how this information should be provided to an individual. In practice there are several approaches you can use to ensure your business complies with IPP1/HPP1. These approaches include:
 
-
 
-
• through a website privacy statement;
 
-
 
-
• verbal reinforcement or explanation of the information where necessary;
 
-
 
-
• privacy poster and counter notices displayed in reception and public areas;
 
-
 
-
• information included as a statement on any forms; and,
 
-
 
-
• by asking third parties to assist individuals in letting people know what has happened with their personal information.
 
-
 
-
Please share any ideas you might have for other ways of providing this info…
 
-
 
-
 
-
----
 
-
 
-
=Examples of Privacy Statements=
 
-
What follows are some examples of the different approaches taken to communicate the collection statement.
 
-
 
-
Examples include
 
-
 
-
1. A website privacy principle website privacy statement which is displayed as a link at the foot of every open page of our website.
 
-
 
-
2. Suggested wording as a footer to letterhead. This can be found on J-NET>Communications>Templates A-Z
 
-
 
-
3. A business unit within the Department has prepared a standard verbal reinforcement of the collection principle which can be use as a pre-recorded voice message. The explanation is at J-Net location & see below
 
-
 
-
=Best practice=
 
-
 
-
Ideally, in keeping with common business practices all forms that collect personal and health information should include a privacy notice which is sometimes referred to as a collection or privacy statement. 
 
-
 
-
The Department has a collection statement generator template which can be used by Privacy Coordinators and members of staff. The collection statement generator is
 
-
A suggested generic privacy collection statement has also been created for correspondence templates which appears as an instruction to the electronic letterhead under the communication templates on J-NET>Our Business>Knowledge Management>Information Privacy> Forms.
 
-
 
-
 
-
----
 
-
 
-
 
-
=Verbal reinforcement of collection principle=
 
-
 
-
The following format may be of assistance in drafting a collection statement to be provided as a standard telephone script. Additional notification can also be given using brochures, posters and signs on counters.
 
-
 
-
Introduction
 
-
"Thank you for calling [name of agency] at the Department.  This service provides [ state the purpose of the recorded message e.g. general information about fairer and firmer fines].  It does not provide legal advice and it is not a substitute for referring to the legislation.  For legal advice about your specific circumstances, please consult a solicitor. 
 
-
Information about [x] can be found online at www.... Please press one (1) to hear a brief privacy statement or press two (2) to hear this message again. Otherwise please wait and your call will transferred to the next available officer."
 
-
 
-
Time: 38 seconds
 
-
 
-
"The Department respects your privacy and is bound by Victorian privacy laws. During this call you are not required to provide your personal details.  However, if your personal details are collected during the call, it will be for the purposes of responding to your query, providing further information and continuous quality improvement.  Any disclosure of these details will only be where required or authorised by law.  Please advise the information officer if you wish to discuss how you may request access to those details.
 
-
For information about privacy in relation to the [specify details of the process] or to access the Department’s privacy policy, please refer to our website at www.....
 
-
 
-
----
 
-
 
-
=2. Use & Disclosure=
 
-
 
-
action box
 
-
The IPA and the RHA contain many of the exceptions to the general rule that  you should only use or disclose the personal or health info for the reason you collected it. You should familiarise yourself with  all of these exceptions to the general rule
 
-
 
-
Terms of Reference
 
-
In general terms, a use of personal and health information refers to the communication or handling of personal and health information within the Department.
 
-
 
-
A disclosure refers to the communication or transfer of information outside a Department. 
 
-
 
-
Examples of how a disclosure can occur include:
 
-
• giving information to another organisation or individual;
 
-
 
-
• allowing another individual or organisation to have access to the information; and,
 
-
 
-
• giving out summaries, or communicating the information in any other way.
 
-
 
-
Note: Use and disclosure are generally treated the same under the IPA 2000 and the HRA 2001.
 
-
 
-
==Meeting Use and Disclosure Requirements==
 
-
 
-
It is helpful when asked to explain the use and disclosure principle that you speak about it in terms of 3 broad categories which will enable staff to share personal or health information
 
-
 
-
----
 
-
 
-
There are three broad categories of use and disclosure authorised under privacy law:
 
-
 
-
• where information is used or disclosed for a secondary purpose for which it is collected and an individual would reasonably expect it;
 
-
 
-
• where information is used or disclosed for another secondary purpose and one of the criteria listed in IPP2 or HPP2 applies; or,
 
-
 
-
• where the use or disclosure of the information is lawfully authorised.
 
-
 
-
action box
 
-
Technique for responding to requests for use or disclosure of personal and health information
 
-
As Privacy Coordinator it is expected that you know and understand to whom your business unit regularly discloses personal and health information.
 
-
For routine disclosures it is advisable that you ensure staff are given appropriate guidance as to how to respond to third party requests for information. An appropriate form of guidance is through a privacy FAQ.
 
-
 
-
 
-
----
 
-
Disclosures to law enforcement agencies
 
-
IPP2.1(g) permits the Department to disclose personal information to a law enforcement agency including for the purpose of prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law.  Law enforcement agencies include agencies which perform law enforcement functions and may include the Department of Human Services when performing child protection work or the Sheriff when pursuing fine defaulters. 
 
-
Where the Department discloses personal information to a law enforcement agency it must make a written note of the disclosure pursuant to IPP2.2. IPP2.2. does not prescribe what should be contained in the written record.
 
-
The following format may be of assistance when recording a disclosure to a law enforcement agency. Consider:
 
-
 
-
• asking the officer to indicate why the requested information is necessary and how non supply might impact on the enforcement function;
 
-
• recording the date of the use or disclosure;
 
-
• recording what was used or disclosed ;
 
-
• recording to whom the information was provided; and
 
-
• recording the name of the person who made the disclosure.
 
-
 
-
=3. Management of Personal Information of Non-employees=
 
-
Overview
 
-
This section of the manual contains the tools you need to responsibly manage the information within your business unit
 
-
The Department is required to have policies on its management of personal information (IPP5) and to be responsible for the quality of the personal information it holds (IPP3). The Department is further responsible for the security of personal information which is accessible to staff (IPP4) and must be careful when assigning, using or disclosing unique identifiers (IPP7). A unique identifier is a number or code which replaces the name of an individual e.g. employee number.
 
-
 
-
=Privacy Policy=
 
-
You must ensure your business unit is covered by a privacy policy.  For ‘getting started’ purposes a business unit might initially adopt the Departmental Privacy Policy which sets out the policy position for the Department as a whole. A copy of the Departmental Privacy Policy is attached at J-Net or Web . The policy is also available on the DOJ website and J-NET.
 
-
However, given the general nature of the Departments privacy policy your business unit may choose to develop or adapt its own privacy policy. This is recommended if your business unit administers particular laws or deals with a number of inquires from members of the public. 
 
-
 
-
Examples of Business Unit Privacy Policies
 
-
 
-
The Human Resource management policy explains how personal information about current and former staff members
 
-
• Personal information policy HR
 
-
• HR FAQ privacy
 
-
• HR Electronic Media
 
-
• Asset Confiscation Operations Privacy Policy
 
-
• Enforcement Management Privacy Policy
 
-
• Consumer Affairs Victoria Privacy Statement
 
-
• Corrections Victoria Privacy Policy
 
-
[BC to collate summaries from privacy coordinators of these business units]
 
-
 
-
 
-
----
 
-
 
-
=Frequently Asked Questions about Privacy=
 
-
 
-
action box
 
-
It is expected that privacy coordinators identify patterns of regular questioning  about privacy laws and bring this to the attention of the Senior Privacy Adviser.  The Senior Privacy Adviser, in consultation with the relevant privacy coordinator will then draft an appropriate FAQ.
 
-
 
-
To assist privacy coordinators when responding to privacy questions from staff and the public a series of FAQs has been developed.
 
-
The aim of the FAQs is to provide easily accessible information concerning the collection, use and disclosure of personal and health information. The Frequently Asked Questions webpage located on J-NET contain discussions of various privacy issues such as:
 
-
 
-
=Data Security=
 
-
Terms of Reference
 
-
What are "reasonable steps" for the protection of data security must be considered in the context of the particular Business Unit.  While the policies of Records Management and Information Technology set the standards for the DOJ as a whole, Business Units need to ensure that they have appropriate measures in place tailored to their specific circumstances.
 
-
 
-
=Overview=
 
-
The data security principle (IPP4) requires organisations to take reasonable steps to protect the personal and health information we hold from misuse, loss or unauthorised access, modification or disclosure.
 
-
 
-
In addition to the data security obligations under the IPA, the Department is subject to obligations under the Public Records Act to retain records.  Therefore, both the requirements for security of documents containing personal information and retention of records must be observed.
 
-
 
-
Data security relates to both paper documents and information stored electronically. Ensuring data security in relation to paper documents relates mainly to physical security of premises, established records-management procedures and common-sense measures (such as not leaving documents on desks or in busy areas, implementing ‘clean-desk’ policies and locking filing cabinets etc at the end of the day).  Ensuring the security of electronically held information is more complex, as information stored electronically is easily replicated, and threats to security are both internal and external.  Access control is a key aspect of IT security.
 
-
Examples of policy that strengthen data security
 
-
The Department has provided data security guidelines that you can follow as a privacy coordinator in your business unit to secure information.
 
-
Data Security guidelines written from a privacy perspective in order to clarify IPP4 are at Appendix E.
 
-
 
-
 
-
----
 
-
Related documents or
 
-
Further Reading
 
-
Document and Records Management Policies and Procedures Manual
 
-
DOJ General IT Security Summary
 
-
Clean desk policy
 
-
Electronic Media Usage Policy
 
-
Email policy
 
-
Summarise – reasons reader might want to look at them & link
 
-
 
-
Disclaimers as a security tool
 
-
 
-
The Privacy Commissioner recommends using disclaimers as part of our communications because they are a useful shorthand way of addressing the requirements of three Information Privacy Principles:
 
-
 
-
• IPP 4 requires organisations to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure;
 
-
• IPP 5 requires organisations to document clearly expressed policies on management of personal information and provide the policies to anyone who asks;
 
-
• IPP 6 gives individuals a right to seek access to their personal information and seek correction, mostly under the Victorian Freedom of Information Act.
 
-
 
-
The Department has developed two standard disclaimers for use in its communications.
 
-
 
-
Internet Email Disclaimer
 
-
This is a standard statement appended to the end of all DOJ email correspondence with external parties. It is not used for email within the DOJ email environment.
 
-
The internet email disclaimer text is automatically attached to the end of all emails originating within the DOJ Email System being sent to email addresses outside of Victorian Government or to SMTP addresses within Victorian Government. A copy of the standard email disclaimer in use is at the end of this section/below
 
-
 
-
Facsimile Disclaimer
 
-
A misdirected facsimile may lead to an authorised disclosure under the IPA. It is therefore important that pursuant to IPP4, data security, the Department take reasonable steps to protect personal information when transmitting information through facsimile.
 
-
 
-
To reduce the risk of accidentally disclosing personal information when using a facsimile machine all faxes sent by the Department should be accompanied by a standardised cover sheet containing the name, title and organisation of both the sender and the intended recipient, along with a notation indicating the total number of pages faxed.
 
-
 
-
The Department has a standard facsimile cover sheet which can be downloaded from J-NET>Our Business>Communications>Templates A-Z.
 
-
 
-
Further reading /info on E-privacy
 
-
Electronic Media Usage Policy
 
-
Email policy
 
-
 
-
 
-
----
 
-
 
-
=Outsourced Service Providers=
 
-
 
-
The IPA makes an organisation liable for the privacy compliance of its contracted service providers, unless a contract clause is inserted to pass the liability to the contracted service provider.
 
-
 
-
Where a contract that involves the transfer of personal information to a contracted service provider is entered into, a privacy clause should be inserted into the contract to ensure that liability is transferred away from the Department.
 
-
 
-
The Victorian Government Purchasing Board (VGPB) contracts have been amended to incorporate a privacy clause. When using standard VGPB contracts check to make sure you have the latest version of the contract that contains the privacy clause.
 
-
For all other contracts, a standard contract clause has been developed by the Victorian Government Solicitor’s Office and should be inserted as an amendment to any existing contracts.  Web link
 
-
 
-
=Personal Information Standard Contract Clause=
 
-
The following clause has been developed by the Victorian Government Solicitor’s Office for insertion in standard contracts.
 
-
1. The Provider—
 
-
(a) must comply with any applicable legislation or other law relating to the Services;
 
-
(b) must obtain all necessary approvals needed to perform the Services; and
 
-
(c) is bound by the Information Privacy Principles and any applicable code of practice with respect to any act done, or practice engaged in, by the Provider for the purposes of the Contract in the same way and to the same extent as the State would have been bound by them in respect of that act or practice had it been directly done or engaged in by the State.
 
-
 
-
----
 
-
 
-
The standard e-mail disclaimer in use is:
 
-
PRIVATE & CONFIDENTIAL
 
-
The content of this e-mail and any attachments may be private and confidential, intended only for use of the individual or entity named. If you are not the intended recipient of this message you must not read, forward, print, copy, disclose, use or store in any way the information this e-mail or any attachment contains.
 
-
If you are not the intended recipient, please notify the sender immediately and delete or destroy all copies of this e-mail and any attachments.
 
-
Our organisation respects the privacy of individuals.  For a copy of our privacy policy please go to our website or contact us.
 
-
 
-
 
-
----
 
-
Privacy Impact Assessments
 
-
The Department of Justice began conducting Privacy Impact Assessments (PIAs) in March 2006 and is committed to completing PIAs on all its major projects to assess compliance with privacy laws.
 
-
 
-
PIAs are used to describe the personal information that will be collected and/or disclosed, information flows, its purpose(s) and any privacy issues. Highlighted privacy issues require action to be taken to remedy the situation prior to the implementation of the project.
 
-
 
-
PIA templates are available from the information privacy homepage under compliance tools. Copies of the templates and explanatory materials are at J-Net>our business>knowledge management> information management > compliance tools
 
-
Your Role in the PIA Process
 
-
Sometimes as a privacy coordinator you may have to complete a PIA for a project within your business unit as privacy subject matter expert. At other times you will need to make staff within your business unit aware of the PIA process and have them complete the PIA.
 
-
 
-
Training and PIA support
 
-
Periodically employees will be offered training in the use of the Department’s PIA templates. In addition, the Office of the Victorian Privacy Commissioner occasionally offers training in how to conduct a PIA. The training schedule and information about PIA workshops is located on the training section of the information privacy home page.
 
-
 
-
A summary of completed PIAs are posted quarterly under the Compliance tools section of the information privacy home page. Jnet location
 
-
 
-
=Access & Correction of Personal Information=
 
-
Terms of reference
 
-
Section 12 of the IPA provides that nothing in IPP6 applies to documents covered by the FOI Act. 
 
-
Overview
 
-
IPP6 is the access principle.  It states that organisations must provide individuals with access to information on request and must take reasonable steps to correct information.  Once again, the Business Unit Privacy Co-ordinator is the key point of contact for requests for direct access to personal information.  The FOI Act provides the mechanism for formal requests for access to personal information.
 
-
 
-
The Department's policy on access to personal information
 
-
The Department's overriding policy is that wherever possible, individuals should be provided with direct access to their own personal information without the need to make a formal FOI request. Pre-existing Business Unit direct-access policies will continue to apply.
 
-
 
-
The Department’s policy related to access to personal information is provided in detail at Jnet location.
 
-
 
-
Informal access
 
-
In general, direct access is appropriate where a document concerns only the individual’s personal information, is easy to find and, as a general rule of thumb, is less than 20 pages in length.
 
-
Requests for direct access to personal information should usually be in writing with proof of identification.  Fees should not be charged for providing direct access to personal information.
 
-
Note: Please remember that Privacy Co-ordinators should record the number of access requests, noting whether they refer to rights under the Information Privacy Act, and provide a quarterly privacy statistics return to the Senior Privacy Advisor.
 
-
 
-
When an FOI request is necessary
 
-
Where it is not appropriate to release documents directly, a formal request for access must be made under the FOI Act.
 
-
 
-
=FOI Process=
 
-
 
-
In circumstances where it is not appropriate to provide direct access to documents, you will need to explain to the individual that an FOI application is necessary and outline the requirements.  These are that the request:
 
-
 
-
• is in writing;
 
-
• is addressed to the Manager, FOI, Department of Justice;
 
-
• identifies the documents being sought;
 
-
• encloses a cheque for the current fee or outlines reasons for seeking a waiver of the fee; and
 
-
• encloses a copy of their driver's licence or some other form of identification.
 
-
 
-
The FOI Unit continues to manage the processing of FOI requests on behalf of Business Units, with the exception of Corrections Victoria.
 
-
 
-
 
-
----
 
-
 
-
SECTION 3
 
-
 
-
=Common Privacy Issues=
 
-
 
-
Overview
 
-
Privacy Coordinators in each business unit may face privacy issues which they consider are unique to their core business. But more often than not privacy issues will be shared across business units. This part of the operations manual concerns some of the common privacy issues which have been encountered by business units and the policy advice developed in response. Let the Senior Privacy Advisor  know if you have any common privacy issues to add.
 
-
 
-
Handling Correspondence
 
-
The correct handling of correspondence is essential to the Department.  Therefore the Department has written guidelines for the handling of correspondence. These guidelines will most benefit staff who write and respond on behalf of Ministers and refer members of the public's enquiries to external agencies
 
-
 
-
Terms of Reference 
 
-
IPP1 (Collection) requires Dept to notify an individual when it collects personal information about the individual from him or her (IPP1.3) or when personal information about an individual is provided by someone else (IPP1.5). (For example, a letter talks about the writer and also about the writer’s daughter.  IPP1.3 requires notification to be provided to the writer, while IPP1.5 requires notification to be provided to the daughter.)
 
-
A lot of unsolicited correspondence containing personal information is received by various Business Units in the Dept.  This correspondence may relate to the writer’s own affairs or may mention or make allegations about other people.This means that the DOJ has ‘collected’ the personal information (for the purposes of the Act), and therefore has obligations under IPP 1.3 or 1.5 to provide notification to the individuals named in the correspondence
 
-
 
-
 
-
----
 
-
 
-
=The Issues=
 
-
We are aware that there are many situations where providing notification would not be appropriate for a number of reasons.
 
-
 
-
When providing information might be inappropriate: three most common situations are:
 
-
• correspondence received from an individual which provides only their own information;
 
-
• correspondence received from an individual which also provides information or allegations about other individuals; or
 
-
• correspondence received from an individual which needs to be referred
 
-
 
-
Correspondence guides have been developed in consultation with the Business Units to deal with each of these situations:
 
-
 
-
The Correspondence Procedures include the following Information Privacy Guides:
 
-
a:  Collecting personal information in correspondence (IPPs 1 & 10, HPP 1)
 
-
b:  Indirect collection privacy notifications (IPP 1.5)
 
-
c:  Referring correspondence (IPP 2 & HPP 2)
 
-
 
-
The Correspondence handling guides and procedures which include templates documents and letters to streamline the process of handling correspondence are at Jnet Location.
 
-
 
-
=Use & Disclosure – Ministerial Briefing=
 
-
Terms of reference
 
-
The Minister is defined as a separate organisation for the purposes of the privacy legislation. As a result, the transfer of information between the Department and the Minister is technically a "disclosure" under IPP 2 and requires both the Department and the Minister's Office to be compliant with the IPP2.
 
-
Issues
 
-
In addition, as the Minister is a separate organisation, when the Minister's office receives information from the Department, they are technically "collecting" the information and therefore have obligations under IPP 1 - in relation to notification.
 
-
 
-
 
-
There are two distinct privacy compliance issues that arise in the preparation of Ministerial Briefings:
 
-
 
-
The Disclosure of personal information from the Department to the Minister's Office
 
-
 
-
The Collection of additional personal information for the purposes of providing a briefing to the Minister on a specific issue
 
-
 
-
 
-
----
 
-
The Guidelines on the following pages have been developed to enable you to ensure that when providing briefings to your Minister you are doing so in compliance with the privacy legislation.
 
-
 
-
Use of Photographs
 
-
 
-
Terms of reference
 
-
Photographs and film taken for official departmental use of readily identifiable individuals will be covered by privacy legislation.
 
-
Process
 
-
Privacy complaints regarding use of photographs and film will be minimised if permission to use a person’s image is sought.
 
-
 
-
Where it may be impracticable to seek a person’s written permission, notice that photography and filming is occurring in the area should be given either by a written notice to that effect and/or distribution of a photo card. The Department has developed specific photography consent guidelines which are available from J-NET > Our Business > Communications > Publishing.   
 
-
 
-
Requests for current records for IT testing purposes
 
-
Terms of reference
 
-
IPP4 Data Security is of particular significance in that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure.
 
-
Process
 
-
The Department provides an employee with access to appropriate and specified personal information only when required for the employee’s job responsibilities.
 
-
 
-
Technology Services in consultation with the Senior Privacy Adviser, has developed a policy and procedure to control access to live client’s personal information for test runs. Business Units and individuals need to ensure that such requests involving personal information, do not breach the IPA (VIC) 2000. 
 
-
 
-
Privacy Coordinators need to ensure that their staff are made aware that if they are requesting live client’s personal information they will now be required to present the reasons for their request to their Business Unit Manager (at Director or CEO level), ensuring that he/she will be responsible for the requested data and that the request is made in compliance with the requirements under the IPA. The Business Unit manager will then be required to make contact with the TS Business Unit Director, to authorise the request.
 
-
 
-
The following  needs to be taken into consideration before a request is made:
 
-
• Reasons for the request. (Can test data be used instead of live data?)
 
-
• How will the information be protected? (physically and electronically)
 
-
• Who will have access to the data? 
 
-
• What levels of Privacy Training have the users of the information had?
 
-
• What will happen to the information when it is no longer required? (eg. de-identification and permanently destroyed). 
 
-
 
-
 
-
This process includes a form for signature and questions similar to the above and is available from Technology Services. The policy is at Jnet location
 
-
 
-
 
-
----
 
-
 
-
SECTION 4
 
-
 
-
Complaints Handling
 
-
 
-
Under the IPA, individuals wishing to complain about an interference with their privacy will usually be asked by the Privacy Commissioner whether they have first complained to the Department. This is in keeping with the Commissioner conciliatory approach to complaint handling. 
 
-
 
-
Process
 
-
It may be possible to resolve some complaints informally, for example by explaining DOJ procedures or providing a copy of the Depts privacy policy.  If not, a formal complaint must be made, either in writing or using the Dept privacy complaints form.
 
-
 
-
The Depts complaints-handling procedure is a two-tier process, with complaints being considered by both an Investigating Officer and a Determining Officer.  Privacy Co-ordinators will be at the frontline of complaints handling.  They will be the primary contact for the complainant and, as Investigating Officer, will investigate the complaint at first instance, form a view on it and brief the Determining Officer about it.  There is a 20-working-day timeframe for responding to complaints.
 
-
 
-
=Complaints Made to the Privacy Commissioner=
 
-
Process box
 
-
If a complaint comes to DOJ from the Privacy Commissioner, the Secretary has requested that those complaints be directed to her in the first instance.
 
-
 
-
The usual requirements for responding to Executive correspondence apply.  Business Units should ensure that timelines imposed by the Privacy Commissioner are met. A copy of the correspondence from the Privacy Commissioner and the final responses should be provided to the Senior Privacy Adviser.
 
-
 
-
=Complaint Handling Policy and Procedure=
 
-
 
-
The Department of Justice’s privacy complaint handling process is at Jnet location.
 
-
 
-
=Experience with Complaints=
 
-
 
-
At each Privacy Coordinators' meeting the Senior Privacy Adviser and Coordinators discuss in a de-identified manor the Departments experiences with privacy complaints. This assists privacy coordinators to perform their complaint handing functions and ensures consistency in interpretation.
 
-
To further educate coordinators about  privacy matters the Department engages a consultant to prepare privacy case summaries of the complaints which are heard by the VCAT. These case summaries are distributed at the coordinators meetings.
 
-
 
-
The Privacy Commissioner also publishes case notes on her website: www.privacy.vic.gov.au.
 
-
 
-
 
-
----
 
-
SECTION 5
 
-
 
-
=Maintaining Continuing Staff Awareness and Training=
 
-
 
-
 
-
As a privacy coordinator you have an obvious responsibility to make sure that staff in your business unit know what you expect them to do in relation to how they handle personal and health information.
 
-
 
-
Staff awareness
 
-
All staff need to be aware of privacy obligations because most will be handling personal and/or health information when performing their duties.
 
-
Privacy Coordinators can raise staff awareness by displaying the Department’s branded privacy materials on pin boards, in lunch rooms, utility rooms and break out areas. Suitable privacy materials for display can also be obtained from the Office of the Victorian Privacy Commissioner’s website www.privacy.vic.gov.au and the Office of the Health Servcies Commissioner’s website www.health.vic.gov.au/hsc .
 
-
 
-
=Privacy Awareness Week=
 
-
Background
 
-
Privacy Awareness Week (PAW) was initiated by the Victorian Privacy Commissioner in 2003 to mark the first year anniversary of the commencement of the Victorian IPA 2000. PAW is held in the last week of August. It is now celebrated by the Offices of the Federal, NSW, Northern Territory and New Zealand Privacy Commissioners.
 
-
PAW within the Department
 
-
The Department supports PAW and over the week the Senior Privacy Adviser organises and runs several activities for the Department aimed to raise privacy awareness. Privacy Coordinators are encouraged to participate in the activities and promote them to their staff. During this week Privacy Coordinators may be expected to volunteer to usher, stuff information kits and display privacy related materials.
 
-
In addition to the scheduled PAW activities Privacy Coordinators are encouraged to organise spin off events for their staff. Examples of such spin off events include an office clean up day, guest presenter at a branch meeting or eye catching montage of privacy themed cartoons, drawings or quotes on a pin board. 
 
-
Planing for PAW begins in April each year. The schedule of PAW events and activities for the upcoming year are displayed on the Information Privacy homepage from June of each year. 
 
-
 
 
-
Privacy Post
 
-
The Senior Privacy Adviser produces a monthly communiqué on privacy matters called ‘Privacy Post’. The communiqués carries news about upcoming training and events activities, added privacy resources to J-NET, the library and Commissioner’s websites, privacy decisions of the tribunals and courts and a Privacy Tip. The privacy post although targeted at Privacy Coordinators is perfect for distributing to all staff primarily because it is a single page and the privacy tip is often relevant for improving general privacy awareness and compliance.
 
-
 
-
Training
 
-
Face to Face Training (?)
 
-
The Department of Justice makes its employees aware of the importance of maintaining the privacy of individuals through a privacy training program and various other mechanisms for communicating information about the Department’s privacy policies and procedures.
 
-
The Senior Privacy Adviser ensures that each new employee receives a copy of the Privacy Induction Manual and Quick Reference Guide when attending the mandatory staff induction program. As part of induction training staff also hear from Executive Services about freedom of information and privacy laws.
 
-
 
-
The Senior Privacy Advisor is available to deliver privacy presentations to staff on Tuesday and Thursdays 10am -11am. Outside of these designated day and times the Senior Privacy Advisor can be booked to attend forums, planning and strategy days and team meetings to deliver privacy presentations. Where the Senior Privacy Advisor addresses staff of a business unit it is expected that the Privacy Coordinator be in attendance to raise their profile, observe the types of privacy dilemmas faced within their business unit and answer any questions which may require program specific knowledge.
 
-
Staff not directly involved in the initial roll out of privacy legislation are likely to need periodic reminders and small-scale training exercises to keep awareness up.
 
-
Employee Workshops regarding specific privacy topics are also offered through the year.
 
-
 
-
The Privacy Commissioner's Office also provides free privacy training to all the Department employees. It is recommended that if you are new to the role of privacy coordinator you should embark on this training.
 
-
 
-
Online Training 
 
-
The Department has an online training tool.  The tool consists of a short privacy tutorial which is followed by a quiz which tests participants' basic understanding of privacy laws. The online training tool can be assessed on J-Net.
 
-
 
-
'Action'
 
-
 
-
The training schedule and information about PIA workshops is located on the training section of the Information Privacy home page
 
-
How to book yourself in for
 

Current revision as of 03:35, 19 October 2006

Personal tools