privacy-policy

1. INTRODUCTION

Gippsland Ports policies establish organisational standards and provide a reference guide for Board members and Gippsland Ports employees to make reasoned, consistent and lawful decisions in managing Gippsland Ports operations and activities.

Gippsland Ports (GP) policies guide the development of processes, procedures, and practices which indicate how policy will be implemented at the practical level.

2. PURPOSE

This policy supports GP need to collect, store and use personal and health information, and the right of the individual to privacy. It ensures that GP can collect personal and health information necessary for its services and functions, whilst recognising the right of individuals to have their information handled in ways they would reasonably expect and in accordance with the law.

3. SCOPE

This policy applies to all personal and health information GP collects, stores, uses and discloses to perform its business functions and activities. This policy applies to GP Board and sub-committee members, GP employees and third parties whose personal and/or health information may be held by GP.

4. POLICY STATEMENT

Personal and health information is collected and used by GP to:

1. fulfil statutory and other legal functions and duties

2. plan, fund, implement, monitor, regulate and evaluate its services and functions

3. comply with reporting requirements

4. investigate incidents and/or defend any legal claims against GP or its employees.

GP is subject to the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs) set out in the Privacy and Data Protection Act 2014 and the Health Records Act 2001 as minimum standards when dealing with personal and health information.

1. Personal information

‘Personal information’ is defined in the Privacy and Data Protection Act 2014 as information or an opinion that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Examples of personal information are your name, date of birth, address, financial details, marital status, education and employment history.

2. Sensitive information

Some personal information is called ‘sensitive information’ and is given extra protection under the law. This includes information about:

1. racial or ethnic origin

2. political opinions

3. membership of a political association

4. religious beliefs or affiliations

5. philosophical beliefs

6. membership of a professional or trade association

7. membership of a trade union

8. sexual preferences, orientation or practices and

9. criminal record.

In this policy, personal information refers collectively to personal information and sensitive information, unless otherwise specified.

3. Health Information

‘Health Information’ is defined in the Health Records Act 2001 to include personal information which is also information or an opinion about:

1. the physical, mental or psychological health (at any time) of an individual

2. a disability (at any time) of an individual

3. an individual’s expressed wishes about the future provision of health services to him or her

4. a health service provided, or to be provided, to an individual.

4. Collection

GP will only collect personal or health information if it is necessary to provide or carry out its services and functions.

GP will only collect personal or health information by lawful and fair means, and by methods that are not unreasonably intrusive. If it is reasonable and practicable to do so, GP will only collect personal and health information directly…

When collecting personal information, GP will take reasonable steps to ensure that individuals are aware of:

1. why the information is being collected (including the purposes for the collection and any relevant laws requiring the collection);

2. who the information may be disclosed to;

3. the consequences of not disclosing the information (if we are collecting information directly); and

4. how people may contact us and gain access to the information collected.

GP very rarely collects sensitive information and individuals may always refuse to provide sensitive information, without adverse consequence.

5. Credit card information

GP may collect credit card information to process a payment. Credit card information collected by GP will be held in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements for enhancing payment account data security, including requirements for secure network and systems, cardholder data protection, vulnerability management program, access control measures, network monitoring and testing and information security policies.

6. Employment and recruitment information

GP may collect and store information about recruitment processes and applications including reference checks, security clearances and criminal history checks undertaken as part of that process.

Employment and recruitment information collected by GP is used or disclosed for people management purposes, including employee relations, human resources, payroll, learning and development, agency and government directories, capability development and workforce planning, emergency management, occupational health and safety and public health, safety and welfare, disputes or litigation, and is retained in accordance with the Public Records Act 1973, the Public Administration Act 2004 and other applicable legislation.

7. Closed Circuit Television (CCTV)

GP has several Closed Circuit Television (CCTV) cameras located at public areas of interest, depots and offices, high and mixed usage commercial facilities, and specific wharves and jetties across its area of responsibility.

CCTV cameras capture video footage to support safety, law enforcement, the operation of ports and waterways and the provision of real time information for waterway users. Footage may also provide data to GP on facility usage to support appropriate provision of services. For example, footage may be used to monitor jetty overstays or loading/unloading operations out of hours. These uses are authorised under the Port Management Act 1995, and are managed in accordance with the IPPs.

Select footage may be disclosed to Victoria Police to aid any investigation. Unless secured for an authorised use, footage is generally deleted 90 days after it is captured.

Access to footage of a person can be sought by that person from GP under the Freedom of Information Act 1982, by submitting a Freedom of Information (FOI) request.

8. Correspondence

Correspondence (including email) or complaints addressed to GP, or queries made through GP offices, regarding matters related to the functions of, or services provided by GP, may be referred to the relevant functional area for advice and response. Such correspondence may include personal information and may be accessed by GP staff, subject to operational needs. Copies of correspondence and applicable responses may be retained by GP for certain periods of time, in accordance with the Public Records Act 1973.

9. Use and disclosure

GP uses and discloses personal and health information for:

1. The primary purpose for which it was collected, or

2. A purpose related to that for which it was collected (secondary purpose) where the legislative requirements for using or disclosing for a secondary purpose are met.

The information collected may be shared within GP to enable efficient and effective delivery of services. GP may transfer personal information or health information to another person or organisation in limited circumstances, including that the recipient is subject to a law which upholds similar principles to the IPP or HPP, or if the transfer is consented to.

GP may also share your information with other entities (usually government entities, transport entities, councils or law enforcement agencies) if authorised to do so by the Privacy and Data Protection Act 2014 and other relevant Acts.

10. Information protection

GP must have security measures designed to protect personal information from misuse, loss, unauthorised access, modification or disclosure and must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose, in line with the Public Records Act 1973.

GP complies with the Victorian Protective Data Security Framework, which provides direction to Victorian public sector agencies or bodies on their data security obligations and takes reasonable steps to ensure that any personal information collected, use and disclose is accurate, complete and up to date.

11. Privacy Impact Assessments

In the case of any proposed new use of personal information, GP will prepare a Privacy Impact Assessment and where applicable, an assessment under the Charter of Human Rights and Responsibilities 2006, to ensure that the proposed new use is consistent with the privacy rights of people affected.

The Privacy Impact Assessment may recommend that the use not proceed, or that protective measures be put in place before the proposed use proceeds.

12. Access to and correction of information

GP will take all reasonable steps to ensure that any personal information and health information collected is accurate, complete and up to date.

Individuals are entitled to contact the GP Privacy Officer and request access to, and correction of, any of their personal information or health information held by GP.

GP will take all reasonable steps to correct and update any personal information or health information that is found to be inaccurate, incomplete or not up to date.

13. Privacy incidents (breaches/complaints)

Individuals may make a complaint about a potential privacy incident (Breach) by contacting feedback@gippslandports.vic.gov.au.

GP undertakes to resolve privacy complaints and breaches in a timely and fair manner.

Individuals may also make a privacy complaint to the Office of the Victorian Information Commissioner in relation to the use of their personal information.

14. Information transferred outside Victoria

GP adheres to the requirements of relevant Victorian legislation if it is required to transfer personal information outside Victoria. Personal information may only be transferred to another jurisdiction if the purpose of the transfer is allowed under enabling legislation.

15. Non-compliance with this policy

Suspected breaches of this policy should be reported to the Executive Manager Corporate Services for investigation as required.

5. DEFINITIONS

Information Privacy Principles (IPPs)

• • Collection
• • Use and disclosure
• • Data quality
• • Data security
• • Openness
• • Access and correction
• • Unique identifiers
• • Anonymity
• • Transborder dataflows
• • Sensitive information

Details associated with each principle can be found at Schedule 1 of the Privacy and Data Protection Act 2014.

6. REFERENCES AND SUPPORTING DOCUMENTS

6.1 Applicable Legislation

• • Privacy and Data Protection Act 2014
• • Public Records Act 1973
• • Health Records Act 2001
• • Freedom of Information Act 1982
• • Charter of Human Rights and Responsibilities Act 2006
• • Port Management Act 1995
• • Public Administration Act 2004

6.2 RELATED POLICIES AND PROCEDURES

• • Website Privacy Policy (under development)
• • GP CCTV Procedure

6.3 RELATED DOCUMENTS