The Information and Health Privacy Principles most relevant to the department are summarised as follows:
The department will only collect personal information if the information is necessary for one of its functions or activities as set out in the Education and Training Reform Act 2006 (Vic), relevant Ministerial Orders and other applicable legislation.
Where the personal information of an individual is collected, reasonable steps should be taken to ensure that the individual is aware of:
- the identity of the department and how to contact it
- the fact that the individual is able to gain access to the information
- who the department usually discloses information of that kind to
- the purposes for which the information is being collected
- any law that requires the particular information to be collected
- the main consequence (if any) for the individual if all or part of the information is not provided to the department.
The department will only collect health information if the information is necessary for one of its functions or activities and:
- the department has gained consent from the individual; or
- collection is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual; or
- collection is necessary to prevent or lessen a serious threat to public health, safety or welfare; or
- collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
Where the health information of an individual is collected, reasonable steps are taken to ensure that the individual is aware of:
- the identity of the department and how to contact it
- the fact that the individual is able to gain access to the information
- the purposes for which the information is being collected
- who the department usually discloses information of that kind to
- any law that requires the particular information to be collected
- the main consequence (if any) for the individual if all or part of the information is not provided to the department.
Use and disclosure
The department must only use or disclose personal and health information for the primary purpose for which it was collected, unless it falls within an exception, including where use and disclosure is:
- for a related secondary purpose and the individual would reasonably expect the department to use or disclose the information for that secondary purpose; or
- with the consent of the individual; or
- necessary for research, or the compilation of statistics, in the public interest; or
- reasonably necessary to carry out a law enforcement function; or
- otherwise required, permitted or authorised by law. For example, the department may be required to share information to:
  - fulfil its duty of care to students, staff and visitors;
  - provide a safe workplace in accordance with occupational health and safety law; or
  - assess a risk of family violence or for a child wellbeing or safety purpose.
In cases where the use or disclosure is necessary for research or the compilation of statistics in the public interest, the department will seek consent of each of the individuals involved.
Where it is impracticable to seek the individual's consent and when the research or the compilation of statistics cannot be undertaken with de-identified information, the research or compilation of statistics will be carried out in accordance with the National Health Medical Research Council's National Statement on Ethical Conduct in Research Involving Humans, or for health information, in accordance with the Statutory Guidelines on Research.
Data quality
The department values information as an important resource. Accordingly, the department must take reasonable steps to ensure that the personal and/or health information it collects, uses or discloses is accurate, complete, up to date and relevant to the department’s functions or activities.
For example, it is the department’s practice to collect personal information from each individual concerned, rather than relying on other data sources, to ensure that names and other details are accurately recorded.
Data security
The department is guided by the principle that all information is well governed and managed. Accordingly, the department must take reasonable steps to protect the personal and/or health information it holds from misuse and loss, unauthorised access, modification or disclosure. The department will destroy or permanently de-identify personal and/or health information if the department no longer needs the information.
The department requires that a Privacy Impact Assessment is conducted for all new and significantly changed processes that involve personal, sensitive or health information. It also requires that information assets recorded in the department’s Information Asset Register are assigned data classifications. Data classifications determine what level of security is required for each type of information.
Privacy incidents are confirmed or suspected actions of information handling that are inconsistent with the IPPs and/or HPPs. The department’s response to a privacy incident will focus on protecting personal and sensitive information and may require support by the information security team and other areas of the department in order to resolve the incident. To report a suspected privacy incident, please email privacy@education.vic.gov.au.
Openness
To enable greater access to government decisions, the department’s information should be easy to find, access and use. This means that the department must have, and make available, clearly expressed policies on its management of personal and health information.
On request, the department must take reasonable steps to advise individuals, in general terms:
- what sort of personal information it holds about them
- for what purposes such information has been collected
- how it collects, holds, uses and discloses that information.
Access and correction
Individuals have a right to request access to, and to correct, their personal and health information held by the department. Most requests to access and/or correct information held by the department are processed in accordance with the Freedom of Information Act 1982 (Vic).
Parents, guardians and informal carers of students at Victorian government schools are, in most instances, entitled to school reports and other school communications ordinarily provided to a parent, unless a court order restricts this right. For more information, see Requests for information about students.
If a parent, guardian or informal carer wishes to request other types of documents held by Victorian government schools (for example staff diary notes, incident reports, counselling notes) the individual should be advised to make a Freedom of Information request.
In some cases, a student may be determined by a Principal (or nominee) to be a mature minor and able to make decisions independently about their own information. For more information, see Decision making by mature minors.
Unique identifiers
The department limits its adoption and sharing of unique identifiers. The preferred unique identifier for the department is the Victorian Student Number (VSN).
The department will:
- not assign unique identifiers to individuals unless the assignment is necessary to enable it to carry out its functions efficiently or is otherwise required by law
- only adopt (as its own unique identifier of an individual), use or disclose a unique identifier assigned by another organisation in limited circumstances.
Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with the department and the entities covered by the scope of this policy, as long as this does not impede the department’s ability to carry out its functions.
As an example, people can request a policy or other non-sensitive document from the department without having to provide their name, as long as they have supplied a means by which the department can send them the document.
The department will only transfer personal and/or health information about an individual to someone who is outside Victoria in limited circumstances. Specifically, the department should only transfer personal and/or health information outside Victoria if:
- the individual consents to the transfer;
- the department reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which is very similar to the Victorian privacy law; or
- the department has taken reasonable steps to ensure that the transferred information will not be held, used or disclosed inconsistently with the Victorian privacy law.
In cases where personal and/or health information is being transferred to a jurisdiction whose privacy requirements are inconsistent with Victorian privacy law, the department requires that a Privacy Impact Assessment be undertaken before the data is sent.
The department will only collect sensitive information in limited circumstances. For example, the department can collect sensitive information if the individual has consented or if the collection is required or authorised by law.
Charter of Human Rights and Responsibilities
When any decision is made in relation to personal, health or sensitive information, such as to use or disclose that information, the decision-maker should give proper consideration to the Charter of Human Rights and Responsibilities Act 2006.
Guidance on how to apply the Charter when making a decision is available in The Charter of Human Rights and Responsibilities – A guide for Victorian public sector workers and other departmental guidance.