1.2.11 Privacy principles
1.2.11.1 Collection (IPP/HPP 1) | 1.2.11.2 Use & disclosure (IPP/HPP 2) | 1.2.11.3 Data quality (IPP/HPP 3) | 1.2.11.4 Data security (IPP/HPP 4) | 1.2.11.5 Open access & correction (IPP/HPP 5&6)
The Information Privacy Principles (IPPs) are contained in the PDP Act Privacy and Data Protection Act 2014 and the Health Privacy Principles (HPPs) are contained in the HR Act Health Records Act (collectively referred to as the Privacy Principles).
The privacy principles in everyday language
It is not always necessary to seek people's personal information - people can often deal with each other anonymously (Principle 8).
If you do need to collect or handle a person's personal information:
- collect only what you need and do so lawfully and fairly, without unreasonable intrusion. Advise the person that you are collecting their personal information (Principle 1)
- ensure that the information remains accurate, complete, up-to-date and secure (Principles 3 & 4)
- only use or disclose the personal information for the purpose you collected it or for a related purpose which would be reasonably anticipated by the person. Otherwise, seek consent (Principle 2)
- allow people to access their personal information and correct it if necessary (Principle 6)
- be open about what you do with other people's personal information (Principle 5)
- minimise creating/sharing ID numbers that can be matched with information about individuals from other sources (Principle 7)
- if you allow people's information to cross borders, make sure the privacy protection travels with the information (Principle 9)
- do not collect any sensitive information without firstly checking the rules. Sensitive information, ie ethnicity, religion, political views, sexual preference or criminal record, has special protection under law (Principle 10)
Privacy pitfalls
- collecting or keeping more personal information than is required/necessary
- not confirming/checking proof of ID or authority/consent
- assuming intended use and actual use are the same
- poor record keeping or file management
- not familiar with or trained on, Agent policies and procedures
- poor control of disclosure or sharing of information
- lack of checking (double-checking) recipient details and correct attachments on emails/letters
- losing track of where personal information is located or stored
- disposing of personal information without ensuring permanent destruction
- disposal of personal information without authority or not in line with a disposal schedule
- failing to respond to changing circumstances, processes or technologies
- failing to report an incident or respond to a complaint
- poor or lack of incident preparation at Agent/business team level.
Summary of IPPs & HPPs
For the full text of the IPPs or HPPs, please consult the relevant legislation.
| Principle | Description Privacy and Data Protection Act | Description Health Records Act |
|---|---|---|
| 1. Collection | Only collect personal information that is necessary for performance of functions. When collecting personal information from an individual, advise the individual that they can gain access to that information. | Only collect health information if necessary for the performance of a function or activity and either with consent or where required by law or one of the other criteria within HPP1). Advise individuals about what you may do with the information explain that they can gain access to their information. Keep confidential all information provided in confidence. |
| 2. Use and disclosure | Only use or disclose personal information for the primary purpose for which it was collected. You may also use or disclose personal information for a secondary, related purpose that the person would reasonably expect or where consent has been provided. | Only use or disclose health information for the primary purpose for which it was collected or for a directly related secondary purpose the person would reasonably expect. Otherwise, consent is required. |
| 3. Data quality | Make sure personal information is accurate, complete and up-to-date. | Take reasonable steps to ensure the health information you hold is accurate, complete, up-to-date and relevant to the functions you perform. |
| 4. Data security | Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification and disclosure. Destroy or de-identify personal information that is no longer required. | Take reasonable steps to protect health information from misuse, loss, unauthorised access, modification and disclosure. Only destroy or delete health information in accordance with this Principle. |
| 5. Openness | Document clearly expressed policies regarding the management of personal information. Provide the policies to anyone who requests them. | Document clearly expressed policies regarding the management of health information. Provide the policies to anyone who requests them. |
| 6. Access and correction | Individuals generally have a right to seek access to their personal information and to make corrections, although there are some exceptions. Access and correction of injury claim records, is handled administratively or under the WIRC Act. | Individuals have a right to seek access to health information held about them and to correct any inaccuracies, incomplete, misleading or out of date information. Access and correction of injury claim records is handled administratively or under the WIRC Act. |
| 7. Unique identifiers | Do not assign unique identifiers to individuals, unless necessary. A unique identifier is a number assigned to an individual for identifying purposes, related to the organisation’s operations (eg Tax File Numbers and Driver’s Licence Numbers). Unique identifiers facilitate data matching, which can diminish privacy. | Only assign a number to identify a person where reasonably necessary to efficiently carry out your functions. |
| 8. Anonymity | Where lawful and practical, provide individuals with the option of not identifying themselves when entering into transactions with the organisation. | Where lawful and practical, provide individuals with the option of not identifying themselves when entering into transactions with the organisation. |
| 9. Transborder data flows | Where personal information travels across borders, privacy protection travels with it. Transfer of personal information outside Victoria is restricted. Personal information may only be transferred where the recipient protects its privacy under standards similar to Victoria’s IPPs. | Only transfer health information outside Victoria if the organisation receiving the information is subject to laws which are substantially similar to the HPPs. |
| 10. Sensitive information | Do not collect sensitive information unless consent has been provided or where the collection is required by law or is necessary to either address a threat or establish/defend a legal claim. | |
| 11. Transfer/closure of practice of health service provider |
If a health service business is being sold, transferred or closed down, without continuing to provide services, it must give notice of the transfer or closure to past service users. Not applicable to Agents |
|
| 12. Making information available to another health service provider |
A health service provider must make health information about an individual available to another health service provider, if requested to do so by the individual. Not applicable to Agents |
1.2.11.1 Collection (IPP/HPP 1)
Everyone who has direct contact with the management of worker claims or contact with other members of the public is involved in the collection of personal and health information of individuals.
Collection statement
When an organisation such as WorkSafe or an Agent collects personal and health information about an individual, the law requires that they take reasonable steps to ensure the individuals are aware of:
- their organisation’s identity and contact details
- the fact that the individual is able to gain access to the information
- the purpose for which the information is collected
- the persons or entities to which information of that kind is usually disclosed
- any law that required the information to be collected and
- the main consequences, if any, for the person if all or part of the information is not provided.
The Worker’s Injury Claim form contains a general collection statement WorkSafe's Worker's Claim Form contains a page explaining the privacy policy in relation to the management of a claim. This text is titled 'Collection of personal and health information to manage your claim'. informing workers of the type of information that might be collected by WorkSafe and its Agents and shared with other persons and organisations when managing their claim.
How notice is provided
Privacy laws do not prescribe how information is provided to an individual. In practice, there are several approaches to ensure Agent compliance, including:
- through a website privacy statement (e.g. WorkSafe privacy statement)
- verbal reinforcement or explanation of the information where necessary
- information included as a statement on forms (eg Worker’s Injury Claim form published by WorkSafe) or contained in correspondence and referral letters
- asking third parties to assist individuals in letting people know what has happened with their personal information (eg workers’ employers, representatives, OR Occupational Rehabilitation providers, IMEs)
- providing individuals with a copy of the Privacy Policy or this Claims Manual when requested.
Why we collect personal & health information
WorkSafe and Agents collect personal and health information from workers who make a claim. Information is also collected from employers, medical practitioners, health service providers, occupational rehabilitation providers, investigators and assessors for the purposes of receive, assess and manage claims, assess suitability for rehabilitation and return to work to meet obligations under the Act.
Anonymity (IPP/HPP 8)
If practicable, individuals may be anonymous when contacting WorkSafe or Agents, eg when making general inquiries about services. In some cases, if individuals wish to maintain anonymity, WorkSafe will not be able to provide services and support, process or respond to complaints.
Unique identifiers (IPP/HPP 7)
WorkSafe does not assign unique identifiers to individuals unless necessary to perform its functions. Claimant A person who applies for WorkCover benefits. and claim numbers are assigned to manage claims effectively, efficiently and economically.
1.2.11.2 Use & disclosure (IPP/HPP 2)
Everyone who has direct contact with the management of claims or is likely to be involved in the collection of personal information from others or the use or disclosure of personal information.
Generally, a 'use' of personal or health information refers to the communication or handling of personal or health information within the Agent or WorkSafe.
A disclosure refers to the communication or transfer of information outside the Agent. A disclosure can occur in a number of ways, including but not limited to:
- sharing, emailing or reporting information to another person or organisation
- allowing another person or organisation to view/have access to information or
- providing a summary or communicating the information in another way.
Use & disclosure of personal information
Agents are to use and/or disclose information for the purposes they collect it to receive, assess and manage claims, arrange rehabilitation services and facilitate return to work. The Collection Statement contained within the Worker’s Injury Claim form informs workers of the most common purposes for collecting their personal and health information.
Agents may use or disclose personal or health information to another person, body or agency for a secondary purpose if:
- it is necessary and relevant to perform their claims management obligations and functions under the WIRC Act Workplace Injury Rehabilitation & Compensation Act 2013 and the individual affected would reasonably expect the use or disclosure for the secondary purpose
- the individual worker has provided consent
- the use or disclosure is required, authorised or permitted by the WIRC Act or another law (eg court orders, subpoenas, statutory demands by agencies such as Centrelink, ATO Australian Tax Office, Child Support Agency)
- the use or disclosure is necessary for the enforcement of a criminal law, law imposing a financial penalty or the protection of public revenue (eg an investigation by WorkSafe for providing false or misleading information or to detect and prevent fraud).
This list is not exhaustive and the above uses/disclosures are not mutually exclusive. More than one purpose or exception may be applicable.
See: Health Records Act 2001 | Privacy and Data Protection Act 2014
Ultimately, a consideration of the circumstances of each case is important to determine whether use or disclosure is lawful and complies with privacy principles.
An example of a related secondary purpose may involve the use of reports. As part of managing an injury claim, a worker’s rehabilitation or return to work, Agents may disclose information from an IME Independent Medical Examiner / Independent Medical Examination or other health reports to OR providers.
Before disclosing information contained in an IME report or any other health assessment to an OR service provider, the Agent must first review the relevant information and form a reasonable view that the provision of the information is necessary for the management of the claim, the worker’s rehabilitation or return to work. Unless the whole report is relevant and necessary, generally, this can be achieved by providing a summary or an extract.
Some of the factors Agents need to consider when determining what information to disclose to approved providers include the nature of the injury, the content of the report, the OR’s professional background and expertise, any particular circumstances involved, including previous communications or explanations provided to workers and whether they would reasonably expect the use or disclosure for an OR purpose.
Inappropriate or unauthorised access and disclosure refers to access to personal information without a reasonable related purpose. This could include viewing/browsing of information on a screen or in hard copy, making a record of the information (for example, printing the material) and/or disclosing the information to third parties.
Database access or browsing
Access or browsing claims files, ACCtion, Novus or any other database or system without authority is inappropriate and unauthorised.
Unauthorised access or disclosure must be immediately reported to the privacy or compliance officer, who will report the incident to WorkSafe in accordance with the Escalation Framework.
Cross-border disclosure
An Agent may disclose personal information outside Victoria in very limited circumstances.
Agents must ensure that the recipient will not hold, use or disclose the information in a manner that is inconsistent with WorkSafe’s Privacy Policy and the privacy principles.
Tax file numbers
Tax File Numbers (TFNs) are a special category of personal information which is afforded strict protection. WorkSafe does not require and nor does it request TFNs, unless for direct payee arrangements in line with the guidelines for dealing with 'Taxation of direct payees'.
Taxation laws provide for confidentiality and protection of TFNs in line with the TFN Rules issued by the Australian Information Commissioner, ie by authorised personnel with need to know authority only. Unauthorised use or disclosure of TFNs can constitute a breach of privacy and an offence under the taxation laws and can attract penalties.
Research proposals
A proposal for research involving use or disclosure of personal or health information is required to obtain Human Research and Ethics Committee (HREC) approval prior to any such use/disclosure.
Once HREC approval is granted, the Agent is to provide a written request to WorkSafe, including the research proposal and a copy of the HREC approval from the relevant body. This request should include the following information, confirming:
- the necessity for research purposes, compilation or analysis of statistics in the public interest
- the impracticability of seeking consent from affected individuals
- that the research purpose cannot be served without the disclosure of the identity of individuals
- compliance with the Health Services Commissioner’s guidelines on research and any other applicable law or code
- publication of the research in non-identifiable form (ie cannot be identifiable or re-identifiable) and
- research benefits to the Community and WorkSafe.
Any approval by WorkSafe will be conditional upon an agreement that the researcher will comply with the above and an assurance that the research conforms with the National Statement on Ethical Conduct in Human Research issued by the National Health and Medical Council and further, that the researcher will maintain confidentiality, security and will audit the control processes.
1.2.11.3 Data quality (IPP/HPP 3)
Privacy laws require Agents to take reasonable steps to ensure that the personal and health information they collect, use or disclose, is accurate, complete and up to date.
Integrity of information
Agents need to take reasonable steps to ensure that the integrity of the information remains intact during all phases of its handling, from collection, recording and transcription through to storage and any transfer to another Agent or WorkSafe. Such steps could include periodic checks to assess the accuracy of data or saving documents in read-only format so that electronic versions cannot be altered by an unauthorised person.
Incorrect filing of documentation
Incorrect filing of documentation may inadvertently lead to unauthorised use or disclosure. Agents must ensure that incorrectly filed documentation is removed from the incorrect file as quickly as possible.
The risk The probability of the worker not returning to work is known as the risk or risk factor. For example: if a worker is likely to return to work, the claim is categorised as low risk. of unauthorised disclosure increases where workers have identical or similar names or names with varied spellings but which sound the same. This could result in data being entered on the wrong claim or information being misplaced or the mismanagement of a claim.
Nature or type of personal information
The nature or type of personal information and the consequences that may flow from poor data quality is particularly important. Some information, if incorrect when used or disclosed, will merely irritate until it is corrected, such as misspelling a name or using an incorrect title. Small inaccuracies will not normally result in a privacy breach. However, as well as a breach of privacy, using the wrong name or address could result in the intended recipient missing crucial information or a deadline due to them not receiving the information or a delay in receipt of the information.
Where information can have adverse consequences
Greater care is required where the relevant information may cause adverse consequences for an individual. Agents must confirm the accuracy of information, especially where the information is collected from other sources, before making a decision or carrying out an action, that will deprive individuals of benefits or entitlements or otherwise result in serious adverse consequences.
1.2.11.4 Data security (IPP/HPP 4)
Agents are required to undertake reasonable steps to protect the personal and health information they manage from misuse, loss or unauthorised access, modification or disclosure. Whilst records management and information technology policies set standards, Agents must also ensure that they have appropriate internal procedures and other measures in place, which are tailored to their specific circumstances.
Paper documents & information stored electronically
Data security relates to all documents, in any format, including hard copy documents and information stored electronically. Agents must ensure they take reasonable steps to keep data secure and regularly review their security measures. The following questions should be asked:
- Are fax machines, printers or copiers secure?
- Are employees leaving documents on desks, utility rooms or in busy areas?
- Is it possible or practicable to implement a ‘clean desk’ approach?
- Do employees place files in designated file storage areas at the end of the day?
- Are faxes and printing cleared from the fax machine and printer trays in a timely manner?
Security of electronic information is more complex, as the information is easily replicated and threats to security are both internal and external. Access control is a key aspect of technology security.
Misdirected facsimile or email
A misdirected fax or email may lead to an unauthorised disclosure. Agents must take reasonable steps to protect personal information when transmitting information via fax or email. At a minimum, Agents must:
- ensure fax messages have the authorised facsimile cover sheet/template with the number of pages to be faxed clearly identified, along with the contact details of the relevant employee
- label fax/email with their security classification if it contains sensitive, confidential or protected information
- take care to ensure the correct fax number/email address is used (check auto-completing email addresses and pre-programmed numbers for accuracy and currency and always check to ensure you have not mistakenly used a 'reply all' feature)
- confirm any new or unfamiliar fax addresses or email addresses by telephone before they are used
- ensure the receiver of any security classified information is on hand (check by phone) to receive it before the fax is sent. Consider whether fax or email is the appropriate method for sending secure information
- confirm with the recipient that the fax/email has been received by a telephone call, read receipt or by printing a facsimile transmission report and
- ensure the facsimile cover sheet or email has the standard warning/disclaimer that if the receiver is not the intended recipient, to immediately inform the sender and return or destroy the information.
Courier deliveries
Agents must take reasonable steps to protect individuals’ privacy when using couriers to deliver notices or documents. Before using a courier, particularly in small towns/areas, consider whether the closest regional office can be used for any delivery arrangements. Also, an unsealed envelope left in an open space or an envelope left with another person (eg a friend or neighbour) to pass on to the worker, may lead to an unauthorised disclosure and security breach.
The Agent/courier should:
- place documents in a sealed courier envelope or bag
- ensure the contents of documents are not visible through the window or opening of the envelope or bag
- check the address is correct/intended delivery address
- check that the worker has not previously provided a different delivery address or instructions for notices
- deliver the package to the worker personally and obtain their signature as evidence of receipt or if the worker is not available, leave the envelope in the mailbox.
1.2.11.5 Open access & correction (IPP/HPP 5&6)
Agents are required to be open about what they do with other people's personal information. Upon request, an Agent must advise, generally, what sort of personal information it holds, for what purpose it is held and how it collects, holds, uses and discloses that information.
In most cases, this can be achieved by providing individuals with access to the privacy policy or to this section of the Claims Manual in a timely and appropriate manner.
Individuals may also be referred to WorkSafe's website, via hyperlink or attachment to an email or by providing a hard copy via post as soon as possible (no later than 10 business days from receipt of a request).
Failure to respond in the manner requested and within 10 business days, would constitute a breach of the openness principle.
Requests for access and correction of personal information are processed administratively or in line with the access to information provisions of the WIRC Act and the procedures outlined in the first part of the Claims Manual.