1.2.13 Privacy protection authorities & VCAT

Referrals from a regulator

If an Agent receives notice of a privacy complaint by the Information Commissioner, Health Services Commissioner or VCAT (Victorian Civil Administrative Tribunal), the Agent must notify WorkSafe using the Incident Reporting Template and process. The Agent must update WorkSafe of their progress at each stage of the process. If WorkSafe or the scheme could potentially be affected, Agents must consult with WorkSafe. WorkSafe reserves the right to give directions or take over the management of any complaint or litigation.

Agents must respond promptly and adequately to privacy regulators and must approach each referral with a view to assisting the regulator in reaching an informed opinion/decision.

Agents must take all reasonable steps to ensure a quick and reasonable resolution of complaints.

Who is responsible for complaints handling, dispute resolution or litigation

The Agent is responsible for the management and conduct of any conciliation and/or litigation of complaints under privacy laws, regarding their acts or practices.

See: Dispute resolution & litigation

1.2.14 Respond to privacy incidents

Notify WorkSafe

Non-compliance with privacy laws or privacy breaches can occur for a number of reasons, including poor training, a misunderstanding of the law, a deliberate act, a technical problem or human error. The potential for a privacy breach to occur can be reduced by implementing sound practices in relation to the handling of personal information and also by implementing ongoing privacy training for all staff.

Employees must take responsibility for reporting privacy complaints and incidents and for improving practices. They must be prepared to respond to complaints and incidents in a timely and appropriate manner and to restrict information on a need-to-know basis.

Agents must take each incident or complaint seriously and immediately make inquiries or investigate. The decision on how to respond should be made on a case-by-case basis in consultation with the Privacy/Compliance Officer.

All privacy complaints and incidents must be reported to the Privacy/Compliance Officer.

Response process

WorkSafe has adopted the Victorian Information Commissioner’s four step approach when responding to a breach or suspected breach.

See: Responding to Privacy Breaches

Step: Breach containment and preliminary assessment

Agent Action:

  • Contain the incident or breach and undertake preliminary assessment
  • Recover/retrieve the information or reconstruct as much as possible, if lost
  • Prevent further disclosure or misuse

Step: Evaluation of the risks associated with the breach

Agent Action:

  • Evaluate risks and impacts
  • Report to your manager and privacy officer immediately

Step: Notification

Agent Action:

  • Notify affected individuals in line with the Information Commissioner's guidelines

Step: Mitigate risks and prevent further incidents

Agent Action: Regularly review systems and practices to:

  • improve processes and
  • maintain security

Note: Not all steps may be necessary and some steps may be combined.

Notify individuals

There is no legal requirement to notify individuals that a breach of their privacy has occurred.

However, WorkSafe promotes accountability and transparency and requires Agents to consider notifying individuals whose privacy is affected in line with the Victorian Information Commissioner's guidelines. Notification of affected individuals may not be appropriate where notification could cause risk or harm to the individual or another person or where it would not be in the ‘public interest’ or appropriate to notify in the particular circumstances.
