Purpose and intent of the policy
This policy details the Moyne Shire Council’s commitment to the principles of information privacy. The policy explains how council will adhere to the key principles of the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
Policy objective
To demonstrate Moyne Shire Council’s commitment to privacy by explaining how it adheres to its privacy obligations.
- In addition to meeting the requirements of IPP 5, other objectives of this policy are:
- helping employees understand how personal information should be handled;
- preventing the unnecessary collection or unlawful use or disclosure of information; and
- promoting greater public confidence in the organisation’s handling of personal information.
Who this policy applies to
This policy applies to all council employees, councillors, volunteers, council committee members and contractors of Moyne Shire Council. In addition, to all personal and health information held or collected by the shire.
Definitions of key terms and acronyms used within this policy
Personal Information
Information or an opinion (including information or an opinion forming part of a database), whether true or not about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information about an individual who has been dead for more than 30 years.
Health Information
Information or an opinion about the physical, mental, psychological health of an individual, disability of an individual or health service provided or to be provided to an individual.
Sensitive Information
Personal Information or an opinion about an individual’s –
- Race or ethnic origin; or
- Political opinions; or
- Membership of a political association; or
- Religious beliefs or affiliations; or
- Philosophical beliefs; or
- Membership of a professional trade association; or
- Membership of a trade union; or
- Sexual preferences or practice; or
- Criminal record.
- Gender identity
Policy details
Council will adhere to the requirements of the information privacy principles contained in the Privacy and Data Protection Act 2014 and the Health Privacy Principles in the Health Records Act 2001.
The ten Information Privacy Principles and eleven Health Privacy Principles are outlined in this policy apply to councillors, council officers, contractors, volunteers and members of council committees to observe and adhere to as required by legislation.
10 Information Privacy Principles are:
- Collection
- Use and Disclosure
- Data Quality
- Data Security
- Openness
- Access and Correction
- Unique Identifiers
- Anonymity
- Transborder Data Flows
- Sensitive Information
11 Health Privacy Principles are:
- Collection
- Use and Disclosure
- Data Quality
- Data Security and Retention
- Openness
- Access and Correction
- Identifiers
- Anonymity
- Transborder Data Flows
- Transfer / closure of the Practice of a Health Service Provider
- Making information available to another Health Service Provider
Collection (Information Privacy Principle 1 and Health Privacy Principle 1)
Council will only collect personal and health information that is necessary for its functions and activities. In some instances Council is required by law to collect personal information. Council will only collect sensitive information where the individual has consented or as permitted under legislation.
If it is reasonable and practicable to do so, Council will collect personal information and health information about a person directly from that individual. When doing so it will inform the person of the matters set out in these Acts, including the purpose/s for which the information is collected. Council will only collect personal information about an individual from someone else if the individuals consent is provided or from another government agency or authority if it is lawful to do so. If Council collects information about an individual from another government agency or authority, Council will take reasonable steps to:
- Ensure that the individual is made aware of the collection and its purpose
- Confirm that the information collected is accurate
- Explain how the information will be used and disclosed by Council and the process to gain access to the information – before this information is used
- These reasonable steps will include attempting to make contact with the individual by at least one of the following methods (telephone, mail or email)
Example of Privacy Collection Notice: The personal information requested on this form is being collected by Moyne Shire Council for the purpose(s) of (insert purpose). The personal information will also be disclosed to (insert the names of any other entities Council will be disclosing the personal information to) for the purpose of (insert how entities will be using the personal information). It will not be disclosed to any other external party without your consent, unless required or authorised by law. If the personal information is not collected, (insert details of what will happen if information is not provided). You may apply to alter any of the personal information you have provided to the Moyne Shire Council.
The information you provide may be used for purposes including but not limited to the below:
- To contact you where it is necessary in order to provide services requested by you;
- To facilitate the collection of Council fees and charges, for instance, rates notices;
- As part of Council’s commitment to customer service;
- To aid community safety. For example, Council collects images via closed circuit television cameras. Footage and photographs of incidents are made available to authorised police members who meet the criteria of the protocols and comply with the requirements for handling and use of footage and photographs
Use and Disclosure (Information Privacy Principle 2 and Health Privacy Principle 2)
Council will not use or disclose information about an individual other than for the primary purpose for which it was collected unless:
- It is for a related purpose that the individual would reasonably expect,
- Where Council have the consent of the individual to do so,
- If, as defined in the Health Records Act 2001, the individual is incapable of giving consent,
- As required or permitted by the Privacy Data and Protection Act 2014 or the Health Records Act 2001.
- Unless authorised or required by law
- Or, for a reasonable secondary purpose
The information may be disclosed to Councils contracted service providers who manage the services provided by Council. Some examples include garbage collection, management of leisure centres, environmental health inspections etc. Council requires these service providers to maintain the confidentiality of the information and comply with the Information Privacy Principles in all respects.
To Council appointed committees for the purpose of achieving their objectives contained within the charter.
To an individual’s authorised representative, power of attorney, health service providers or legal advisers.
To Council’s professional advisers, consultants, including accountants, auditors and lawyers.
To organisations assisting Council to perform statistical analyses for improving the services being delivered to the community. However, where practicable and reasonable steps will be taken to de-identify the information.
To government agencies and other organisations, with the specific consent of the individual, or where required or authorised by law, which may include emergency situations and assisting law enforcement agencies.
To an immediate family member of the individual, for compassionate reasons or if it is necessary to provide the appropriate care or health service to the individual, when permitted by law.
To any recipient outside Victoria, only if they are governed by substantially similar information privacy principles, or when the individual has consented to the transfer or would be likely to give it, if it was practicable to obtain that consent.
Personal Information will be disclosed by Moyne Shire Council where required to do so by any other legislation.
Where there is an inconsistency, all other legislation overrides the Privacy and Data Protection Act 2014 or Health Records Act 2001 to the extent of the inconsistency. Other obligations under the Privacy and Data Protection Act 2014 or Health Records Act 2001 will remain.
6.3 Data Quality (Information Privacy Principle 3 and Health Privacy Principle 3)
Council will take reasonable steps to ensure that all personal information collected, used or disclosed is accurate, complete and up to date.
Data Security and Retention (Information Privacy Principle 4 and Health Privacy Principle 4)
Council will take all reasonable measures to prevent misuse or loss or unauthorised access, modification or disclosure of personal and health information. Personal and health information will be managed confidentially and securely and destroyed or archived in accordance with the Victorian Local Government Disposal Schedules. Council is committed to monitoring and implementing reasonable and appropriate technical advances or management processes, to provide an up to date ongoing safeguard for personal information.
Openness (Information Privacy Principle 5 and Health Privacy Principle 5)
The Moyne Shire Council Information Privacy Policy will be made available upon request at Council offices and for download on Moyne Shire Council website.
Access and Correction (Information Privacy Principle 6 and Health Privacy Principle 6)
People can access their personal information by contacting the Councils Privacy Officer. Access to information will be provided except in the circumstances outlined in these Acts, for example where the information relates to legal proceedings or where the Freedom of Information Act 1982 applies.
If a person believes that their personal information is inaccurate, incomplete or out of date they may request Council to correct the information. Each request will be dealt with in accordance with these Acts.
A written request may be submitted to the Privacy Officer.
Privacy Officer
Moyne Shire Council
Po Box 51, Princes street
Port Fairy Victoria 3284
Email: moyne@moyne.vic.gov.au
Unique Identifiers Information Privacy Principle 7 and Health Privacy Principle 7)
Council will not assign, adopt, use, disclose or require unique health or other identifiers from individuals except for the course of conducting normal business or if allowed or required by law.
Anonymity Information Privacy Principle 8 and Health Privacy Principle 8)
Where lawful and practicable, Council will give the person the option of not identifying themselves when supplying information or entering into transaction with it.
Note: Lodgement of anonymous planning objections and ‘Sections 223 Submissions’ will be regarded as impractical and therefore not acceptable.
Transborder Data Flows Information Privacy Principle 9 and Health Privacy Principle 9)
Council will only transfer personal or health information outside Victoria in accordance with the Privacy and Data Protection Act 2014 and Health Records Act 2001.
Sensitive Information (Information Privacy Principle 10)
Council will not collect sensitive information unless the individual has consented or collection is required or permitted by law or when necessary for research or statistical purposes permitted under Privacy and Data Protection Act 2014.
Sensitive information will be treated with security and confidentiality and only used for the purpose for which it was collected.
There are instances where Council will seek sensitive information, collecting gender-disaggregated data (with consent) to monitor service equity and inform inclusive policy-making. This aligns with supporting the objects of the Gender Equality Act 2020.
Transfer / closure of the Practice of a Health Service Provider (Health Privacy Principle 10)
Health information relating to a discontinued Council Health Service will be managed in accordance with the Health Records Act 2001.
Making information available to another Health Service Provider (Health Privacy Principle 11)
Council will provide information to other health providers in accordance with the Health Records Act 2001.
External contractors
While personal information is usually handled by Council staff, Council may outsource some of its functions to third parties. This may require the contractor to collect, use or disclose certain personal information (e.g. waste collection). It is Council’s intention to require contractors to comply with these Acts in all respects.
Further information
Councils Privacy Statement is available from Moyne Shire Council website. Further information about Moyne Shire Council’s Privacy Policy and its handling of information, can be obtained from:
Moyne Shire Council
Privacy Officer
Po Box 51
Port Fairy Victoria 3284
03 5568 0555
moyne@moyne.vic.gov.au
Privacy and data breaches
Council takes every reasonable measure to prevent privacy and data breaches. If a privacy or data breach does occur Council will:
- Breach containment and preliminary assessment
- Evaluation of the risks associated with the breach
- Notification; and
- Prevention
Data sharing
Internally (Inside Council)
Personal Information provided to and collected by Council will be shared across all relevant Council departments and relevant contracts where it is reasonable to do so. The benefits of this is Council will be able to streamline processes and use the shared data to help customers.
Externally (Outside Council)
Council will only share data including personal and health information in accordance with the Privacy and Data Protection Act 2014, Health Records Act 2001 (Vic), Victorian Data Sharing Act 2017 and other legislation.
Council will never sell or share for benefit any personal and health information it holds. Council has several policies and procedures which either directly or indirectly relate to data sharing.
Artificial intelligence
Council will not input personal or sensitive information into public artificial intelligence tools. Theywill not be used to formulate decisions, undertake assessments, or used for other administrative actions that may have consequences for individuals, for example, evaluations, assessments, or reviews.
Public registers
These are documents required by law that Council’s are required to make publicly available. The registers are open for inspection during office hours by members of the public and contain information permitted by legislation. These public registers may contain personal information if permitted by legislation
Complaints
If a person feels aggrieved by Council’s handling of personal information, they may make a complaint to Councils Complaints Officer. The complaint will be investigated as soon as possible (but no later than 5 business days) and the person will be provided with a written response. Alternatively, a person may make a complaint to the Office of Victorian Information Commissioner, or the Health Services Commissioner for health information. However, the Commissioners may decline to hear the complaint if the complainant has not first complained to Council.
Moyne Shire Council
Complaints Officer
Po Box 51
Port Fairy Victoria 3284
03 5568 0555
moyne@moyne.vic.gov.au
Contact details for the Office of the Victorian Information Commissioner online or via email:
www.ovic.vic.gov.au or
enquiries@ovic.vic.gov.au or
the Office of the Health Complaints Commissioner, regarding health information:
www.hcc.vic.gov.au or 1300 582 113
6. Relevant legislation / references
HR001 Equal Opportunity, Harassment and Bullying
HR025 Access to Personnel Files
RM001 Records Management Policy
Moyne Shire Council Privacy Statement
Complaints Policy
Generative Artificial Intelligence (AI) Usage Procedure
Artificial Intelligence (AI) Policy
Privacy and Data Protection Act 2014
Health Records Act 2001
Victorian Data Sharing Act 2017
Freedom of Information Act 1982
Local Government Act 2020
Public Records Act 1973
Charter of Human Rights
Gender Equality Act 2020
Gender impact assessment
A gender impact assessment has been undertaken to enhance protection for vulnerable groups.
Human rights commitment
It is considered that this Policy does not impact negatively on any rights identified In the Charter of Human Rights and Responsibilities Act (2006). Moyne Shire Council is committed to consultation and cooperation between management and employees. The Council will formally involve elected employee health and safety representatives in any workplace change that may affect the health and safety of any of its employees
Child safety statement
Moyne Shire is committed to being a child safe organisation and has zero tolerance for child abuse. We recognise our legal and moral responsibilities in keeping children and young people safe from harm and promoting their best interests.
We are dedicated to ensure we provide a culturally safe environment, embedding well-being, psychological safety and empowering children about their rights, equity and respect. We ensure this is reflected across physical and online environments.
We aim to create enriching experiences for young learners and want all children to feel safe, happy and empowered. We have a commitment to the cultural safety of Aboriginal and Torres Strait Islander children, culturally and linguistically diverse children, and to the safety of children with a disability.
Policy owner
Manager Governance and Corporate Planning
Document history
Version 004
Date Endorsed 30 July 2025
Reason for Change: Artificial intelligence and gender equality considerations