This Privacy Management Plan (Plan) explains how we manage personal information in line with the Privacy and Personal Information Act 1998 (NSW) (PIPP Act) and health information in accordance with the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).
We collect, store, and use a broad range of information for the purpose of facilitating our business. A significant part of that information is personal and health information. It is important that the community and Council officials understand how we manage personal information. This Privacy Management Plan (Plan) explains how we will manage personal and health information in line with the previously mentioned legislation.
Information Protection Principles and Health Privacy Principles are legal obligations which we must abide by and are outlined on the Information and Privacy Commission NSW website.
Sutherland Shire Council may depart from these principles when using the Privacy Code of Practice for Local Government. We recommend this plan is read in conjunction with that Code.
The following Principles demonstrate how Council will manage your personal and health information.
Council will only collect personal and health information for a lawful purpose that directly relates to the proper functions and activities of Council.
The Local Government Act 1993 (NSW) (LGA) governs Council’s major obligations and functions. Chapter 5 provides details relating to the functions of Council governed under the LGA and other legislation.
Council will collect personal information directly from the person to whom the information relates unless the person has authorised collection of the information from someone else or the person is under the age of 16 years.
Council may collect personal information when a person visits Council website. The Privacy Statement on Council’s website provides further information on the type of information that is collected.
Council may also collect personal information via third party websites that provide services on behalf of Council. Council enters into agreements with these service providers and ensures privacy obligations are met.
Health information will be collected directly from the individual that the information concerns, unless it is unreasonable or impracticable to do so. For further information please see Handbook to Health Privacy.
Whenever personal and health information is collected, Council will tell you why your information is being collected, how it will be used, who will have access and how it will be stored. We will also tell you how you can access and amend your personal information.
We will include this information on our forms and website via a Privacy Statement.
Council will only collect personal and health information which is directly relevant to its functions and activities.
We will ensure that this information is accurate, up to date and not excessive and that the collection is not unnecessarily intrusive into the personal affairs of an individual.
Council will ensure personal information is secure and we will only keep it for as long as appropriate. We will secure your information by:
- monitoring network traffic using industry standard practice, processes, procedures and tools;
- undertake penetration testing annually;
- complying with State Records Act in relation to safe custody, preservation, accuracy, maintenance and disposal of state records; and
- ensuring staff compliance with the Computer Resource Usage Policy.
In the event of a data breach, Council will:
- follow the guidance issued by the Information & Privacy Commission NSW (IPC) relating to the Voluntary Reporting Scheme; and
- if the breach relates to Tax File Number information, following the protocols of the Office of the Australian Information Commissioner (OAIC) relating to Notifiable Data Breaches.
Council will take reasonable steps to enable a person to determine whether we hold personal and health information about them. If Council holds any information about a person, upon request it will advise them the nature of that information, the main purposes for which it is held, and that person’s entitlement to access.
In this regard, Council will consider any conditions or limitations contained in the Government Information (Public Access) Act 2009 (NSW).
Council will ensure that individuals are provided access to personal and health information held by Council without unreasonable delay or expense. Requests for access should be made in writing and addressed to the General Manager. You can do this by filling in the Access to Personal Information form - PDF - 49 KB.
The right to access personal information does not extend to information held about other people. Applications will need to be made under the Government Information (Public Access) Act 2009 (NSW) if:
- an individual’s personal information is in documents which also have information about other people
- access is sought for information about someone else
If an employee seeks access to personal information held about them they should make this request to the Manager People & Culture.
Council will allow the amendment of personal and health information to ensure that all information is current, accurate, complete and relevant for the purpose for which it was collected.
Any request for change will require appropriate supporting documentation. The type of documentation required will depend on the type of change being made which may include a statutory declaration.
This supporting documentation must accompany the appropriate application form.
Council will ensure that health information is relevant and accurate before using it.
Council will take reasonable steps to ensure that personal and health information is relevant, accurate, up-to-date and complete before using it.
These steps will depend on the age of information, its likelihood for change and the particular function for which the information was collected.
Council will only use personal information for purposes for which it was collected unless:
- Consent has been given by the individual whom the information relates to;
- The other purpose is directly related to the purpose for which it was collected;
- Use of the information is necessary to prevent or lessen a serious threat and imminent threat to the life or health of the individual or another person; and
- The other purpose is in pursuance of the lawful and proper functions of Council as mandated by the Privacy Code of Practice for Local Government.
Council will only use health information for the purpose which it was collected or for a directly related purpose that the individual to whom the information relates would expect. Otherwise, Council will obtain the individual’s consent.
Council will not disclose personal information to any other person (other than the individual to whom the information relates) or other body (including a public sector agency), unless:
- an individual provides consent;
- an individual would be reasonable likely to have been aware that that kind of information is disclosed to another body;
- Council believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned; and
- Council is authorised to disclose personal information for other purposes as mandated by the Privacy Code of Practice for Local Government.
Council will not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophic beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.
Council will only disclose health information under the following circumstances:
- with the consent of the individual to whom the information relates;
- for the purpose for which the health information was collected or a directly related purpose that the individual to whom in relates would expect; and/or
- if an exemption applies
Council will only give an identification number to health information if it is reasonably necessary for Council to carry out its functions effectively
Council will provide health services anonymously where it is lawful and practical
Council will only transfer personal information out of New South Wales if the requirements of Health Privacy Principle 14 are met.
Council does not currently use a health records linkage system. Council will obtain consent from individuals if this is introduced in the future.