Privacy Policy | City of Casey
Skip to main content
Adopted 19 February 2019

Privacy Policy

Version 5.0

Purpose

Council believes that the responsible handling of personal information is a key aspect of democratic governance and is strongly committed to protecting an individual's right to privacy. Accordingly, Council is committed to full compliance with its obligations under the Privacy and Data Protection Act 2014 and the Health Records Act 2001(Vic).

This Privacy Policy explains these principles and how they apply to Councillors, Council officers, contractors and members of Council committees. The Privacy Policy also explains how the City of Casey will collect, store, use and disclose personal information of individuals, how individuals can gain access to their personal information and correct inaccuracies and how an individual may complain about possible breaches of the Privacy and Data Protection Act 2014 and the HealthRecords Act 2001.

Definitions

Council means Casey City Council, being a body corporate constituted as a municipal Council under the Local Government Act 1989
Councillors means the individuals holding the office of a member of Casey City Council
Council Officer means the Chief Executive Officer and staff of Council appointed by the Chief Executive Officer.
The Acts Privacy and Data Protection Act 2014 Health Records Act 2001
Personal Information

means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (excluding health information). For example, "personal information” includes:

  • name, date of birth

  •  income, purchases and spending habits

  • race, and ethnic origin

  • blood type, DNA code, fingerprints

  • marital status and religion

  • education

  • home address and phone number

This includes personal information relating to both clients of Council and Council officers. For example, Council holds personal information on its ratepayers (e.g. names and addresses) in order to carry out its functions (e.g. planning, valuation and property services). It may also request personal information in order to provide education, welfare and other community services. In some instances, personal information may be contained on a public register (register of building permits, food premises and animal registration details).

"Third party", in relation to personal information, means an individual or body other than the organisation holding the information and the individual to whom the information relates.

Health Information

includes personal information or opinion about:

  • an individual's physical, mental or psychological health (at any time)

  • an individual's disability (at any time)

  •  expressed wishes about the future provisions of health services to him or her

  • health services provided, or to be provided, to an individual

  • an individual, collected to provide a health service to him or her (e.g. disability or aged care service, immunisation service or maternal and child health service).

For example, Council holds health information on clients who require home and community care services and family day care services.

Sensitive Information A type of personal information which includes an individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.
Primary Response the main reasons the personal information was shared with or collected by Council.
Reasonable Secondary Purpose A use of personal information that a reasonable person would understand could or may occur. An example of this is sharing an updated mailing address on a form to all Council departments instead of the one department who the form was sent to.

Scope

This policy covers personal information, sensitive information and health information stored and used about individuals by the City of Casey, staff, members of Council committees and contractors.

Context

Council is required to comply with the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).

Policy

The Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs)

This Privacy Policy outlines ten (10) IPPs and eleven (11) HPPs for Councillors, Council officers, contractors, volunteers and members of Council committees to note and observe as required by legislation.

The ten Information Privacy Principles are:

  • Information Privacy Principle 1 - Collection
  • Information Privacy Principle 2 - Use and Disclosure
  • Information Privacy Principle 3 - Data Quality
  • Information Privacy Principle 4 - Data Security
  • Information Privacy Principle 5 - Openness
  • Information Privacy Principle 6 - Access and Correction
  • Information Privacy Principle 7 - Unique Identifiers
  • Information Privacy Principle 8 - Anonymity
  • Information Privacy Principle 9 - Trans-Border Data Flows
  • Information Privacy Principle 10 - Sensitive Information

The eleven Health Privacy Principles are:

  • Health Privacy Principle 1 – Collection
  • Health Privacy Principle 2 – Use and Disclosure
  • Health Privacy Principle 3 - Data Quality
  • Health Privacy Principle 4 – Data Security and Retention
  • Health Privacy Principle 5 – Openness
  • Health Privacy Principle 6 – Access and Correction
  • Health Privacy Principle 7 – Identifiers
  • Health Privacy Principle 8 – Anonymity
  • Health Privacy Principle 9 – Trans-border Data Flows
  • Health Privacy Principle 10 – Transfer/closure of the Practice of a Health Service Provider
  • Health Privacy Principle 11 – Making Information available to another Health Service Provider

Collection

The City of Casey will only collect personal and health information that is necessary for its functions and activities. In some instances, Council is required by law to collect personal information. Council will only collect sensitive information where you have consented or as permitted under legislation.

If it is reasonable and practical to do so, Council will collect personal and health information directly from an individual. When doing so, it will inform the individual of the matters set out in the Act, including the purpose/s for which the information is collected, and will use lawful and fair means. Council will only collect an individual’s information from someone else if the individual’s consent is provided or from another government agencies or authority if it is lawful to do so.

If Council collects information about an individual from another government agency or authority, Council will take reasonable steps to:

  • ensure that the individual is made aware of the collection and its purpose,
  • confirm that the information collected is accurate, 
  • explain how the information will be used and disclosed by Council and
  • the process to gain access to the information -

before this information is used.

These reasonable steps will include attempting to make contact with the individual by at least one of the following methods (telephone, mail, or email).

Use and Disclosure

The City of Casey will only use personal information within Council, or disclose it outside Council, for a reasonable secondary purpose, if required by law to do so, or in accordance with the Act; for example where the individual has consented or where the individual would reasonably expect this to occur.

The information may be disclosed:

5.3.1 To Council’s contracted service providers who manage the services provided by Council. Some examples include: garbage collection, management of leisure centres, environmental health inspections and infrastructure maintenance. Council will also require these service providers to maintain the confidentiality of the information and comply with the Information Privacy Principles in all respects.

5.3.2 To Council appointed committees for the purpose of achieving their objectives.

5.3.3 To an individual’s authorised representatives, health service providers or legal advisers.

5.3.4 To Council’s professional advisers, including accountants, auditors and lawyers.

5.3.5 To organisations assisting the Council to perform statistical analyses for improving the services being delivered to the community. However, where practicable and reasonable, steps will be taken to de-identify the information.

5.3.6 To government agencies and other organisations, with the specific consent of the individual, or where required or authorised by law, which may include emergency situations and assisting law enforcement agencies.

5.3.7 To an immediate family member of the individual, for compassionate reasons or if it is necessary to provide the appropriate care or health service to the individual, when permitted by law.

5.3.8 To any recipient outside Victoria, only if they are governed by substantially similar information privacy principles, or when the individual has consented to the transfer or would be likely to give it, if it was practicable to obtain that consent.

Personal Information will be disclosed by the City of Casey where required to do so by any other legislation. Where there is an inconsistency, all other legislation overrides the Privacy and Data Protection Act 2014 or Health Records Act 2001 to the extent of the inconsistency. Other obligations under the Privacy and Data Protection Act 2014 or Health Records Act 2001 will remain.

Council has several policies and procedures which are either directly or indirectly relate to the use and disclosure of personal and health information held by Council, these are:

  • Information Requests from Law Enforcement and Integrity Agencies Procedure
  • Subpoena Procedure
  • Identity Verification Policy
  • Councillor Access to Council Information Policy

Quality, Security and Retention

The City of Casey will endeavour to maintain a secure system for storing personal information. Council will dispose of personal information where it is no longer necessary to fulfil the purposes for which the information was collected or as required by law.

Council has several policies and procedures which are either directly or indirectly relate to the quality, security and retention of personal and health information held by Council, these are:

  • IT Security Policy
  • Information Management Policy
  • Data Breach Response Plan
  • Information Management Policy
  • Cloud Policy

Access and Update

Should an individual wish to access their personal information, the individual can contact the most relevant Council department directly or Council's Privacy Officer located within Council’s Governance Department. Access will be provided except in the circumstances outlined in the Act, for example, where the information relates to legal proceedings or where the Freedom of Information Act 1982 applies. If an individual believes that their personal information is inaccurate, incomplete or out of date, the individual may request Council to correct the information. The request will be dealt with in accordance with the Act.

Council officers from time to time may contact individuals to confirm that the information we hold is correct via telephone, mail or email to ensure Council is meeting our obligations under IPP 3 - Data Quality.

Identifiers and Anonymity

Council will not adopt as its own identifier, an identifier that has been assigned by another government agency and will not use or disclose the identifier assigned to an individual by another government agency, unless the consent of the individual has been obtained or it is required by law to do so.

Where lawful and practical, the Council will give an individual the option of not identifying them self when supplying information or entering into transactions with Council.

Sensitive Information

Council will only collect sensitive information where you have consented or is it required under legislation. Sensitive information includes an individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.

Further Information

Copies of this Policy are available from all Council offices and the City of Casey website. Further information about the City of Casey’s Privacy Policy and its handling of personal information, can be obtained from

Privacy Officer

Governance Department

City of Casey

PO Box 1000

NARRE WARREN 3805

Tel: 03 9705 5200

Privacy and Data Breaches

If an individual feels aggrieved by Council's handling of their personal or health information, they may make a complaint to Council either by submitting a Privacy Compliant Form which can be found on Council’s website or by writing to or calling the:

Manager Governance

Governance Department

City of Casey

PO Box 1000

NARRE WARREN 3805

Tel: 03 9705 5200

The Manager Governance will aim to provide the complainant with a formal response within 10 days of receiving all required information and complainants will be advised of any unavoidable delay.

Externally people can complain to Office of the Victorian Information Commissioner, regarding personal information online or via email: www.ovic.vic.gov.au orprivacy@cpdp.vic.gov.au or the Office of the Health Complaints Commissioner, regardinghealth information or via phone: www.hcc.vic.gov.au or 1300 582 113.

Privacy and Data Breaches

Council takes every reasonable measure to prevent privacy and data breaches. But if a privacy or data breach does occur Council will enact its Data Breach Response Plan. The plan consists of four parts:

  1. Breach containment and preliminary assessment
  2. Evaluation of the risks associated with the breach
  3. Notification; and
  4. Prevention

Data Sharing

Internally (Inside Council)

Personal information provided to, and collected by, Council will be shared across all relevant Council departments and relevant contracts where it is reasonable to do so. The advantages of this is that Council will be able to streamline processes and use the shared data to help customers. This is in line with Council’s Smart City Strategy.

An example of this would be a customer updates their mailing address with Council’s Waste team, this would also be updated with Council Rates team.

This process of information sharing between all Council departments is in keeping with IPP 2 – Use and Disclosure IPP 3 - Data Quality and IPP 6 - Access and Correction.

Personal information from sources deemed not appropriate or if sharing of the personal information across Council would breach other Acts, will not be shared, some examples of these are:

  • Bunjil Place ticketing information
  • Information obtained from VicRoads

Externally (Outside Council)

Council will only share data including personal and health information in accordance with the Privacy and Data Protection Act 2014, Health Records Act 2001(Vic), Victorian Data Sharing Act 2017 and other legislation.

Council will never sell or share for benefit any personal and health information it holds. Council has several policies and procedures which are either directly or indirectly relate to the data sharing externally of personal and health information held by Council, these are:

  • Information Requests from Law Enforcement and Integrity Agencies Procedure
  • Subpoena Procedure
  • Open Data Policy

Smart Cities Strategy

In line Council’s Smart Cities Strategy, Council aims to be

  • A leader in applying technology and innovation, and
  • A Council whose services and facilities are driven by community needs

Some current examples of, but not limited to, how we do this is by using senor technology to collect de-identified personal information to understand the use of our facilities.

Council will undertake this work at all times in compliance with the IPPs and will only use this information where data matching is reasonably unlikely to occur.

Breaches

Breaches of this policy may result in action being taken in accordance with Council’s Disciplinary Code and may result in termination of employment.

Administrative Updates

It is recognised that, from time to time, circumstances may change leading to the need for minor administrative changes to this document. Where an update does not materially alter this document, such a change may be made administratively. Examples include a change to the name of a Council department, a change to the name of a Federal or State Government department, and a minor update to legislation which does not have a material impact. However, any change or update which materially alters this document must be by resolution of Council.

Review

The next review of this document is scheduled for completion by 1 February 2023.

Related Documents

Other Council polices and documents which relate to this policy are the:

  • Information Requests from Law Enforcement and Integrity Agencies Procedure
  • Subpoena Procedure
  • Smart City Strategy
  • Identity Verification Policy
  • IT Security Policy
  • Cloud Policy
  • Information Management Policy
  • Councillor Access to Council Information Policy
  • Disciplinary Code
  • Data Breach Response Plan