Policy Name: Privacy
Section: General
Approved By: E-focus CEO 2018
Last Reviewed: January 2018



To establish organisational guidelines which must be observed by all employees to protect employee, and client privacy and confidentiality.

To outline the minimum standards of conduct overarching for the organisation related to the policy topic. This policy is complimentary to specific standards and codes outlined in the organisation’s underpinning Government contracts / agreements.


This policy is guided by the legislation and principles of protecting the privacy of clients, employees and the organisation, and compliance with privacy laws and standards. (see attached short version of Privacy Principles).


This policy and procedure applies to E- focus (“the organisation”) and subsidiaries and activities




Information Privacy Act (Vic.) 2000

Privacy Act (Commonwealth) 1988

Health Records Act (Vic.) 2001

Freedom of Information Act (Vic.) 1982

Public Records Act (Vic.) 1973.

National Privacy Principles


Word / Term Definition

Personal Information

Is information or an opinion that identifies an individual or allows their identity to be readily worked out from the information. It includes information such as a person’s name, address, financial information, marital status or billing details

Sensitive Information

Is a subset of personal information. It includes information about a person’s racial or ethic origin, political opinion or membership, religious beliefs or affiliations, sexual preferences, criminal records or health records. A higher level of privacy protection applies to sensitive information.

Health Information

Means personal information about an individual that includes

(a)      Information or opinion about –

i.           The physical, mental or psychological health (at any time) of an individual; or

ii.         A disability (at any time) of an individual


Includes information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not (eg hard copy, audio tapes, photographs, micro-fiche and computerised records including electronically derived databases and directories), about a person whose identity is apparent, or can reasonably ascertained, from the information or opinion.

Primary Purpose

A primary purpose is one for which the individual concerned would expect their information to be used. Using the information for this purpose would be within their reasonable expectations.

Secondary Purpose

A secondary purpose may or may not be apparent to the individual concerned, or within their reasonable expectations. Collecting information may be mandatory (because required by law) or optional. The main distinction is that the eservice could still be provided even if the secondary purpose were not serviced.

Privacy Statement

A statement related to the privacy of personal information which appears on all documents and forms generated by the organisation and used for the collection of information, and that is appropriate to the information being collected. This excludes documents used by the organisation to collect information which are generated by Government departments and used under contractual obligation.


1.        Collection of Information

The organisation will only collect personal information about a person if it is necessary for one or more of its functions or activities. At the time of collection, the organisation will explain to the person the purpose, proposed use, disclosure and rights of access.

Information (personal and sensitive) will only be collected with the consent of the individual. Personal information from a person or legally authorised representative will be required in accordance with contractual and legislative requirements.

2.        Use and Disclosure

Personal information is used and disclosed only for the purposes for which it was collected and is protected from misuse. Personal information can be shared if:

§   It is necessary for the purpose it was collected, or a secondary purpose directly related to that purpose;

§   The person consents to the discloser of their information, or the disclosure is necessary to lessen/prevent a serious and imminent threat to life, health or safety;

§   The disclosure is authorised by law, or for law enforcement or investigation.

3.        Data Quality

The organisation will ensure that all personal information collected, used or disclosed is accurate, complete and up to date.

4.        Data Security

All personal information collected is protected from misuse or loss and from unauthorised access, modification or disclosure. Information stored electronically is kept on a secure server and access is restricted to authorised employees. Paper based documents containing personal information are stored securely. Where documents are required to be transferred to another location, personal information is transported securely in an envelope, folder or document bag. Reasonable steps will be taken to destroy or permanently de-identify personal information when it is no longer required for any purpose.

5.        Openness

Access to the Privacy Policy and Procedures will be granted to any person making a request for it. On request, all reasonable steps will be taken to inform individuals of the sort of personal information held, its purpose, how it is collected and stored. Information held by the organisation may be accessed by individuals if requested, subject to the requirements of any contractual or legislative requirements.

6.        Access & Correction

Access to information by an individual held on that particular individual will be granted should it be requested. If this information is deemed inaccurate by the individual, and this is established, the organisation will take the appropriate steps to correct the information so that it is accurate, complete and up to date.

7.        Anonymity

Where lawful and practicable, individuals have the option of not identifying themselves when entering in to transactions with the organisation.

8.        Direct Marketing


personal information collected by the organisation may be used to send individuals direct marketing communication. Sensitive information will not be used for this purpose. Individuals have the option of opting out of direct marketing communications by contacting the Privacy Officer and where practicable, this will be noted on the information being sent.


  Procedure Steps Responsibility


Access to Personal Information

1.1  Access to Personal Information

Access to personal information will only be provided under:

1.1(a)     Freedom of Information legislation

1.1(a)     Legislative Obligations

1.1(a)     Individual Consent Arrangements



1.2   Access to Personal Information – Staff

1.2(a)     Staff will only be provided with access to personal information where it is necessary to carry out their responsibilities.

1.2(a)     Managers are required to maintain a register of staff who are given access to personal information collected by the division, and whether the staff member may amend or delete the information.




1.3   Access to Employee Records

Staff may request access to their employee records from:

1.3(a)     Human Resources Manager, for records held by the Human Resources and Finance.

1.3(a)     Site / Manager, for locally held records



CEO, Human Resources / Managers


Disclosure of Personal Information


2.1     The disclosure of all personal, health and sensitive information is subject to other legislative requirements (eg: The Freedom of Information Act 1982 (Vic.) )


2.2     The organisation will disclose personal information to a third party on request of an individual, where it receives a written authorisation (Signed) by the individual to be released for a specified purpose. The Manager must co-sign the consent as verification that the individual has properly consented.

2.3     The organisation will not require the written authorisation where the disclosure is authorised by law.







Privacy Risk Management Procedures


3.1     All Managers have the primary responsibility for privacy compliance in their division.


3.2     Managers must ensure that an appropriate Privacy Statement is in place where their division collects any personal information. These will be developed, where necessary, in consultation with the Privacy Officer.


3.3     Where a Manager is responsible for an information technology system, they are required to ensure that the applicable system complies with privacy legislation.


3.4     The organisation must not acquire or implement information systems that are not privacy compliant.





Privacy Complaints Handling Procedure


The following procedure applies if an individual considers that this policy has been breached, or the privacy laws in respect to that individual.


4.1     Complainant to Provide Details of Complaint in Writing

A written complaint must be forwarded to the Privacy Officer within six (6) months of the time the complainant first became aware of the apparent breach. The complaint must specify details of the apparent breach in writing. 


4.2     Timeframe for Internal Resolution

Unless principles of due and fair process dictate otherwise, the Privacy Officer must make a determination on a complaint / request to access information within forty-five (45) days of receipt of the complaint, and advise the complainant in writing.


4.3     Response to Complaint

If the Privacy Officer determines that there has been a breach of the policy, he or she will, upon notification of the determination to the complainant, advise relevant personnel in writing and any action required in order to remedy the breach. If the breach is capable of being rectified and is not rectified within thirty (30) days of the advice from the Privacy Officer, the Privacy Officer must inform the CEO.


4.4     Consequences if this Policy is Breached

Disciplinary action may be instigated against any staff member who breaches this policy, which may result in the employee being summarily dismissed in circumstances that the organisation considers there to have been a serious beach.











Privacy Officer – CEO












Human Resources

Regulatory Guidelines



Privacy Statement

Guidelines to the Information Privacy Principles (issued by Privacy Victoria)

Guidelines to the National Privacy Principles

Guidelines to Privacy in the Business, Health Sector [under s.95A of the Privacy Act 1988] and Government