- personal information - which means ‘information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion’.
- health information - which is a type of personal information that relates to the health or disability of an individual, the provision of health services to the individual or the individual’s expressed wishes about the provision of health services. It also includes information collected in providing a health service, in connection with organ donation or genetic information.
- sensitive information - which is a type of personal information. It includes information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices and criminal record.
In this document, 'personal information' includes 'health information', and a reference to 'WorkSafe' also includes 'Agent' where applicable.
Privacy & Agents
Privacy is our business – every day
Privacy is everyone’s business and not a matter left to one person. Agents collect and handle large amounts of personal, sensitive and health information about workers, other members of the public, our employees and people who assist us in the work that we do.
We operate within a rigorous legal framework designed to protect privacy and confidentiality. The Workplace Injury Rehabilitation and Compensation Act 2013 (WIRC Act) and the Occupational Health and Safety Act 2004 both impose limits on the collection, use and disclosure of information obtained in connection with the performance of our functions.
Compliance with PDP Act & HR Act
Victorian privacy legislation also applies to private sector organisations carrying out functions under a State contract. This means that Victorian privacy laws apply to Agents managing workers' claims on behalf of WorkSafe under their Agency Agreement.
The Federal Privacy Act 1988 and the Australian Privacy Principles (APPs) do not apply to WorkSafe and/or the Agents. This means any legislative changes to the Federal law and APPs also have no effect on WorkSafe or its Agents.
Privacy by design – embed privacy into everyday practice
Privacy by Design is a framework to address growing change and the impacts of technology and networked information and data systems. It involves embedding privacy right from the outset into information technologies, business practices and networked infrastructures to mitigate privacy concerns when developing information technology systems across the information life cycle. It is based on the following seven principles:
- Proactive not reactive, preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality, positive sum not zero sum
- End to end security, full life cycle protection
- Visibility and transparency – keep it open
- Respect for user privacy - keep it user centric
In Victoria, the Information Commissioner has formally adopted Privacy by Design 'to underpin information privacy management in the Victorian public sector'.
In its simplest form, Privacy by Design involves considering and undertaking privacy impact assessments before adopting new technology solutions or implementing new programs. The Privacy Impact Assessment (PIA) template is a key tool to assist and guide Agents to embed privacy into new processes and systems early to mitigate privacy concerns when developing these systems across the information life cycle. At WorkSafe, the PIA is part of the Information Security and Technology Risk Assessment.
Any employee, case or program manager or executive, can use the PIA. No privacy knowledge, familiarity or legal expertise is required to complete a PIA. The most appropriate person to complete a PIA is the program owner with knowledge of the issues and information or process flows. It involves a simple checklist-based template to help Agents identify privacy issues or impacts when contemplating or implementing a new project or program or when reviewing existing processes.
- senior management commitment and governance of the privacy program
- pro-actively and systematically identifying impacts by taking precautions and building tailored safeguards before resources are committed or systems implemented (such as using a PIA)
- reconciling privacy with technology, including mobile devices
- understanding the impact on individuals in the event of errors or misuse of information
- regular, relevant employee education and training
- demonstrating accountability and continual process improvements.
WorkSafe scheme privacy framework
WorkSafe has developed a framework with a number of controls to ensure that privacy protection and risks are recognised and managed pro-actively by Agents. The framework includes:
- privacy induction – mandatory for all new employees at Agents
- employee training – annual mandatory refresher for all employees
- awareness - privacy employee communications and/or events
- Privacy/Compliance Officer – appointed within each Agent to:
  - act as primary point of contact
  - provide advice and operational support regarding privacy
  - manage and report suspected privacy incidents and complaints and
  - monitor privacy compliance
- reporting of privacy incidents and complaints to WorkSafe
- monitoring incidents and complaints at Agent management level
- Agent Privacy Forum – regular meeting of Agent representatives
- review of the privacy component of the Claims Manual to ensure it remains relevant and up to date.
Embedding privacy into the culture and corporate framework takes effort and includes all people, processes, business operations, training and continual improvement. Key areas Agents need to focus on are:
- systematic, senior management monitoring and continual process improvements
- Privacy by Design approach in practices and processes, including impact assessments and
- training, awareness and communication.
Training & awareness
This manual cannot, by itself, enhance privacy practices or prevent incidents and breaches from occurring. Employee training and familiarity with the manual and controls and regular review of practices is essential to ensure privacy compliance and best practice.
For example: awareness of good record keeping; appropriate use of email, fax and attachments; not taking files outside the office environment or using non-secure devices or new technologies for communications and storage; and the risk of not considering or assessing the impacts of new processes prior to implementation.
Agents should consider opportunities, such as Privacy Awareness Week (May), Data Privacy Day (28 January), topical issues (media stories, surveys) and recent incidents as information to include in communications for greater impact and relevance to employees.
The mandatory employee training module – both content and format – must be reviewed at least once every two years to ensure compliance and to ensure that it reflects developments and reforms and expectations set by regulators and/or WorkSafe.
The employee induction and mandatory refresher module need not deal with each one of the information and health privacy principles in detail. It must cover IPP/HPP 1-4 (Collection, Use and Disclosure, Data Quality and Data Security), as well as the Incident Reporting process and template and incident or breach preparation and response processes.
Agents must also ensure they remain educated and up to date with developments and good practice relevant to privacy. Accordingly, they should support their Privacy Officers to participate in professional development opportunities related to privacy and risk management, compliance or governance.