The Privacy and Data Protection Act 2014 and the Health Records Act 2001 permit information sharing in particular circumstances.
Where there are no specific provisions in the CYFA relevant to a specific circumstance, and the situation is not covered by either the Child Information Sharing Scheme (CIS) or Family Violence Information Sharing Scheme (FVISS), the Information Privacy Principles contained in Schedule 1 of the Privacy and Data Protection Act and the Health Privacy Principles contained in Schedule 1 of the Health Records Act provide guidance about how information is to be collected, used and disclosed.
Unless otherwise provided for in law (such as under the CYFA, the CIS, or the FVISS), information may only be used or disclosed in accordance with the Information Privacy Principles or the Health Privacy Principles.
These privacy principles are set out in the Privacy and Data Protection Act and the Health Records Act. A key purpose of both Acts is to provide for responsible collection and handling of personal and health information. They govern the collection, use and disclosure of personal and health related information in Victoria (where this is not provided for elsewhere in law). Both Acts apply to the Department of Health and Human Services, as a public sector organisation, and therefore to Child Protection.
The Health Records Act deals with health information and the Privacy and Data Protection Act deals with all other personal information, including sensitive information.
- 'Personal information' is information or an opinion that is recorded in any form about a person whose identity is apparent, or can be reasonably ascertained, from the information or opinion.
- 'Sensitive information' is more tightly regulated personal information and includes racial, ethnic, political, religious, trade union, sexual or criminal information about an identifiable person.
- ‘Health information’ is information or opinion about an individual’s physical, mental or psychological health, disability, or health services.
An organisation must not use or disclose personal information or health information for purposes other than the primary purpose for which it was collected, unless one of the permitted exceptions applies.
The table below sets out a summary of the principles from the Privacy and Data Protection Act and the Health Records Act.
Note: this is not a full set or form of the principles and is intended for quick reference only. Seek legal advice if the circumstance you face is not addressed elsewhere in this manual, you have consulted your supervisor, and you remain uncertain about whether information sharing is permitted in the instance you are considering.
The following is a summary of each Health Privacy Principle (HPP) and Information Privacy Principle (IPP), including notes regarding relevance to child protection practice.
HPP 1.1 Health information may only be collected for the performance of a function or activity where one of a number of circumstances applies (paragraphs (a) to (i)).
This includes where the person consents, where the collection is required, authorised or permitted under law, such as under the CYFA, the CIS, or the FVISS, or the collection is by or on behalf of a law enforcement agency.
1.1 to 1.6 regulate how information is to be collected.
People should be informed about how the information will be used, and given access to it unless it was given in confidence.
1.7 deals with protecting information given in confidence.
IPP 1.1 Allows collection of personal information if necessary for an organisation’s functions or activities and in a manner that complies with the Privacy Principles.
Child Protection functions or activities include, for example, protecting a child from harm, providing care for the child, and arranging services for a child or family.
IPP 1.3 sets the need to take reasonable steps to make individuals whose information is collected aware of how to contact the organisation, why their information is being collected, their right to access and correct it, the people or groups with whom such information is usually shared.
The standard privacy notices to children, parents and professionals assist with complying with this principle.
2. Use and disclosure
An organisation may use or disclose health information for the primary purpose for which it was collected in accordance with HPP 1.1.
An organisation must not use or disclose personal information for a purpose (the secondary purpose) other than the primary purpose of collection, unless one of the permitted exceptions in HPP 2.2(a) to (l) applies.
Many of the secondary purposes relevant to sharing information with Child Protection are similar to those in the Information Privacy Principles.
In some circumstances a health service provider may disclose health information about an individual to an immediate family member of the individual.
Child Protection must not use or disclose personal information for a purpose (the secondary purpose) other than the primary purpose of collection, unless one of the permitted exceptions in IPP 2.1(a) to (h) applies.
Personal information can be used or disclosed for a secondary purpose in the following circumstances:
- if the secondary purpose is related (and for sensitive information, directly related) to the primary purpose and the individual would reasonably expect the information to be used or disclosed for that purpose;
- the individual has consented to the use or disclosure;
- the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:
- a serious threat to an individual's life, health, safety or welfare; or
- a serious threat to public health, public safety or public welfare;
- the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation or in reporting it to, for example, the police;
- the use or disclosure is required or authorised by or under law;
- the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency –
- the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
- the enforcement of laws relating to the confiscation of the proceeds of crime;
- the protection of the public revenue;
- the prevention, detection, investigation or remedying of seriously improper conduct;
- the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal;
- ASIO or ASIS, in connection with its functions, has requested the organisation to disclose the personal information.
If an organisation uses or discloses personal information to a law enforcement agency, it must make a written note of the use or disclosure.
3. Data quality
An organisation must take reasonable steps to ensure health information it collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to its functions or activities.
An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.
4. Data security and retention
An organisation must take reasonable steps to protect the health information it holds against misuse, loss, unauthorised access, modification or disclosure. Health information may only be deleted in accordance with HPP 4.2.
An organisation must take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.
An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
An organisation must set out in a document clearly expressed policies on its management of health information and the steps an individual must take in order to obtain access to their health information. The organisation must make the document available to anyone who asks for it.
On request by an individual, an organisation must take reasonable steps to let the individual know whether the organisation holds health information about them and the steps the individual should take if they wish to obtain access to the information. The organisation is to let the individual know in general terms the nature of the information, the purpose for which the information is used, and how the organisation collects, holds, uses and discloses the information.
An organisation must set out in a document clearly expressed policies on its management of personal information and make the document available to anyone who asks for it.
On request by an individual, an organisation must take reasonable steps to let the individual know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
6. Access and correction
Individuals have a right to access their health information held by a private health service provider, unless one of the paragraphs in HPP 6.1(a) to (l) applies. An individual may request that an organisation corrects the information it holds if the individual is able to establish that the information is not accurate, is incomplete or misleading, or is not up to date.
Individuals have a right to access to their personal information, unless one of the paragraphs in IPP 6.1(a) to (j) applies. An individual may request that an organisation corrects the information it holds if the individual is able to establish that the information is not accurate. Access and correction will be handled mostly under the Victorian Freedom of Information Act.
An organisation may only assign an identifier to individuals if the assignment is reasonably necessary to enable it to carry out any of its functions efficiently.
An organisation must not assign unique identifiers to individuals unless the assignment of unique identifiers is necessary to enable it to carry out any of its functions efficiently.
(A unique identifier is usually a number assigned to an individual in order to identify the person for the purposes of the organisation's operations, for example, tax file numbers and driver's licence numbers. Unique identifiers can facilitate data matching.)
Individuals must have the option of not identifying themselves when entering transactions with an organisation, wherever it is lawful and practicable.
Individuals must have the option of not identifying themselves when entering into transactions with an organisation, wherever it is lawful and practicable.
(For instance, reporters may opt not to provide their name or other details. Reports must still be accepted from them.)
9. Transborder data flows
HPP 9.1 provides for circumstances when an organisation may transfer health information about an individual to someone who is outside Victoria.
An organisation may transfer personal information about an individual to someone who is outside Victoria, only in certain circumstances provided for under IPP 9.1.
(If your personal information travels, the protection from unauthorised use or disclosure should travel with it. The transfer of personal information outside Victoria is restricted. Most transfers of information by child protection take place under the scheme set out in Schedule 1 of the CYFA.)
10. Transfer or closure of health service provider / Sensitive information
HPP - Transfer or closure of health service provider
HPP 10 provides for what happens to an individual’s health information in the event of the transfer or closure of the practice of a health service provider. The provider must give notice of the transfer or closure to individuals who have received a health service from the provider.
IPP – Sensitive information
An organisation must not collect sensitive information about an individual unless the individual has consented, the collection is required under law, the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual is incapable of consenting, or the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
Sensitive information means information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, or criminal record, that is also personal information. The collection of sensitive information is more tightly regulated, as described in IPP 10.1 above. Despite IPP 10.1, an organisation may collect sensitive information about an individual if the collection—
- is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or
- is of information relating to an individual's racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and
- there is no reasonably practicable alternative to collecting the information for that purpose and it is impracticable for the organisation to seek the individual's consent to the collection
11. Making information available to another health service provider
If an individual requests a health service provider to provide their health information to another health service provider, or authorises another health service provider to request a health service provider to provide health information relating to the individual to the requesting health service provider, a health service provider to whom the request is made must, on payment of a fee not exceeding the prescribed maximum fee and subject to the regulations, provide a copy or written summary of that health information to that other health service provider.
(IPP 10, above, is the final IPP principle.)