An individual can complain to an Agent, WorkSafe, the Information Commissioner or the Health Services Commissioner about an alleged interference with their privacy.
If WorkSafe receives a complaint about an act or practice of an Agent, WorkSafe will refer the complaint to the Agent’s Privacy or Compliance Officer to investigate and respond directly to the person who lodged the complaint.
Complaints can highlight systemic issues in relation to policies, procedures and/or practice and can identify opportunities for improvement. Privacy complaints or incidents, including breaches and suspected breaches, must be recorded, investigated and responded to in a timely manner.
WorkSafe aims to minimise disputes by consistently applying the privacy principles during its claims assessment and management processes. If a dispute does arise, it is in everyone’s interest to resolve the dispute quickly, fairly and preferably without litigation.
Under privacy laws and in keeping with the Information Commissioner’s conciliatory approach to complaint handling, individuals with a privacy complaint are usually asked to first lodge a complaint with the relevant organisation.
Privacy or compliance officer
The Agent’s Privacy or Compliance Officer is the primary contact for the complainant and they will investigate the complaint when it is first received. Agents must record and manage complaints promptly.
Privacy incidents and complaints (other than those listed as exemptions below) must be reported to WorkSafe immediately or no later than three business days after becoming aware of the incident. If the incident involves significant/strategic or scheme-wide impact, WorkSafe must be immediately notified. Otherwise, incidents are to be reported within two to three business days.
This reporting requirement applies to all developments and updates about complaints. Updates include notification of escalation to a privacy regulator, the Victorian Civil and Administrative Tribunal (VCAT) or a Court.
Incidents reporting tool
Incidents and updates are reported using the Incidents Reporting template issued by WorkSafe. The template provides auto-fill sections in all but two fields - description and action taken. Do not include personally identifiable information in the report. Provide initials and/or claim number if necessary. The 'Description' must be clear and address 'What', 'How' and 'Why'.
Reportable privacy incidents include:
- allegations of disclosure of personally identifiable information to an unauthorised/third party, whether identified by an internal employee/process or following a complaint or notification from a third party
- allegations of non-compliance with any one or more privacy principle.
What – document for worker AB sent in email to worker CD or organisation E
How – printed multiple documents for 2 clients. Documents got mixed up.
Why – working on multiple clients at one time or not following process
Contacted worker CD and confirmed incorrect documents have been returned.
Spoke with worker AB and apologised for incident. Explanation and apology letter sent to worker AB. Worker AB satisfied with action taken by Agent.
What – payment made to wrong worker/provider and personal information disclosed following a request for payment of medical/travel expenses
How – name and injury date same for both workers but different date of birth which wasn’t checked.
Why – details were uploaded to the wrong worker record. Not all fields checked to validate correct record
The cheque payment was returned, though had been opened and personal information disclosed.
Spoke with worker and apologised for breach. Worker satisfied with explanation and does not want to take issue any further.
How – employee not aware of process/action
Why – lack of employee training and awareness of privacy principles and claims manual
Worker was told that case manager not authorised to disclose information and needed to make a formal request for access to information.
An exempt or a non-reportable event is an event that does not involve an individual’s identifiable information or where no disclosure was made outside the Agent/WorkSafe or where the allegation is against a third party or organisation.
Exemptions to the general requirement to use the privacy incident report include incidents or complaints:
- not involving personal or health information
For example: an email sent to the wrong recipient that does not contain personal or health information of another individual.
- against third parties (eg employer organisations). Complainants should be informed to contact the third party. This includes IMEs, Occupational Rehabilitation (OR) and other approved providers who are also subject to privacy laws and obligations. For contracted service providers, however, Agents must follow the relevant WorkSafe escalation process, if any.
- where an employee working on a file identifies and rectifies a foreign record on the file. No information has been disclosed outside the Agent.
- collecting or viewing another employee’s print out/fax in error in a shared facility/utility room. No information has been disclosed outside the Agent.
- an employee identifying and remedying an incorrect, outdated address or incorrect enclosures before sending/posting correspondence. No information has been disclosed outside the Agent.
- an audit identifying an area/issue for improvement about privacy. No information has been disclosed outside the Agent.
It is important that Agents notify WorkSafe of potential privacy risks due to technology failures or other widespread issues. This could include ACCtion malfunction, Novus faults, standard letters and mail merge errors that could affect other Agents or the scheme.
Note: Lost, missing or misplaced files or records, including failure to locate in response to an ATI request, must be recorded in the Missing Files Register in accordance with the Claims Record Keeping Requirements and Agent Records Management Policy and Procedures Manual.
Complaint handling & reporting requirements
When an Agent becomes aware of an incident or receives a complaint involving personal or health information, they are required to ensure that reporting and response timelines are met. Documentation associated with each incident/complaint must be maintained by the Agent to monitor and audit the complaint, as/if required.
For example: response letter, explanation or apology, letter of demand, awareness communication or activity, relevant minutes of team/employee meeting, training attendance sheet.
For most incidents, particularly notifications by third parties, the incident report template is adequate as it forms the main communication and reporting tool and provides documentary evidence. This could include a copy of the complaint and your response. In other cases where more documentation is required, you may need to keep a copy of the explanation or apology letter, letter of demand for return or destruction of documents, a meeting or discussion note, training attendance and change in procedure.
Agents are required to close complaints or incidents within 28 days from the date of receipt. This does not apply where more information or steps are required by the complainant/informant that might cause delays, such as a request for more information or the return of documents, an extension granted or technology upgrade requirements. If a request for return of documents is refused, consider a letter of demand to return or confirm destruction of such documents. Documentation (electronic or hard copy) must be kept by Agents.
The response to complainants, ie individuals alleging a breach involving their personal information, must inform them of their right to complain to the Victorian Information Commissioner (or Health Services Commissioner if the complaint relates to health information).
Personal information of complainants in complaint handling
Agents should respect an individual's right to remain anonymous, where lawful and practicable. However, it may not be practicable to provide complainants with the option of remaining anonymous for complaint handling purposes. This could include when a complaint concerns the treatment by an employee or a service provider.
Personal information provided as part of a complaint is collected for processing, investigating and attempting to reach an outcome about the complaint.
Information that a complainant provides or a copy of their complaint may be disclosed to the business unit, organisation and/or persons named to ensure fairness and transparency. Details of a complaint and associated communication may also be disclosed to others who have relevant information or who can assist to resolve a complaint. A complaint may be provided, in full or in part, based on necessity and relevance, to another Agent/organisation, such as an Independent Medical Examiner (IME) or OR provider named in the complaint, unless the complainant expressly states otherwise.