In this policy:
"Personal information" means information or an opinion (including information or an opinion forming part of a database) about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
"Health information" means personal information that contains information or an opinion about:
- the physical, mental or psychological health (at any time) of an individual; or
- a disability (at any time) of an individual; or
- an individual's expressed wishes about the future provision of health services to him or her; or
- a health service provided, or to be provided, to an individual.
The "Act" means the Transport Accident Act 1986 (as amended).
Application of Privacy Principles by the TAC
Principle 1 - Collection of information
Personal information and health information will be collected by TAC where:
- the information collected is relevant to the primary purpose of collection, which is to determine a client's entitlement or continuing entitlement to benefits under the Act or to common law damages;
- the collection of the health information or personal information is limited to the information that is necessary and relevant to the determination of a client's entitlement to benefits or to common law damages;
- the collection of health information or personal information is for a related purpose that is consistent with the objectives of the TAC such as customer service surveys, accident research or inquiries in relation to the provision of services to TAC clients.
What This Means
The TAC will lawfully collect information that is relevant to carrying out functions or exercising powers under the Act. These functions include:
- assessing whether the circumstances of an accident mean that a person injured in such an accident is eligible for compensation under the Act;
- assessing whether injuries sustained by a person were sustained as a result of a transport accident as defined under the Act;
- determining the extent of a client's entitlement or continuing entitlement to income benefits or other compensation under the Act; and
- the assessment of the degree of injury sustained by a client in a transport accident for impairment and common law purposes.
The TAC will endeavour to ensure that personal information and health information collected about its clients is relevant to the administration of the claim and where practicable, that the information is collected directly from its clients. The TAC will collect some information about the claims it receives from third parties, such as reports from a client's treating doctor, hospital and ambulance reports and confirmation of income details from a client's employer. This information is obtained with the client's consent. The consent to collect this information is obtained as part of the process of making a claim for compensation under the Act.
This consent is used to obtain personal information and health information that is reasonable and necessary to assist the TAC to perform functions and to exercise powers, including making decisions about a client's entitlement to compensation under the Act. If the TAC is unable to obtain the information needed to determine a client's entitlement to benefits then this may result in delays in the making of payments or make it difficult for the TAC to determine reasonable compensation or the most appropriate treatment for a client.
In circumstances where the TAC obtains personal information or health information from a third party using the consent obtained from a client at the time that the client lodged a claim for compensation the TAC will advise the client about the collection of the information. The TAC will, subject to limited exceptions mainly detailed in Principle 6 of this Policy, make available to a client, on request, most of the personal information or health information held on its files about the client. If a client wants to access this information they can contact the TAC.
The TAC also has relationships with other organisations such as the Victorian Police, VicRoads and the Victorian WorkCover Authority, and where appropriate, the TAC will obtain information relevant to a client's claim from those bodies in accordance with the Act. The purpose of collecting personal information and health information about a client is to enable TAC to make informed decisions regarding the management of a client's claim and to otherwise meet the TAC's statutory obligations.
The TAC sometimes obtains records of payments from Commonwealth authorities such as the Health Insurance Commission. These records are principally obtained to assist the TAC to determine those payments for which it is liable in relation to a claim. If the TAC obtains these records it will not release these records to anyone other than the client to whom the record relates.
The TAC may also collect personal information or health information under specific provisions of the Act, such as sections 127 and 127A, which enable authorised officers of the TAC to obtain information from the Police and to conduct investigations in some circumstances.
Principle 2 - Use and Disclosure of Information
2.1 Use and disclosure for the purposes of managing claims for compensation
The primary purpose for the collection of personal information and health information by the TAC is to determine a client's entitlement or continuing entitlement to benefits under the Act or to common law damages. The TAC will lawfully collect, use and disclose personal information for this purpose.
2.2 Use and disclosure for the purpose of carrying out other functions under the Act
The TAC has a range of other statutory functions and powers in relation to accident prevention research and is able to seek information from clients to determine the level of satisfaction with the service provided by the TAC. Performing these functions and exercising these powers will, in some circumstances, require the collection, use and disclosure of personal information and health information. Use and disclosure of information for these purposes is regarded as a secondary purpose under this Policy.
What this means:
In respect of the secondary purpose, the TAC may disclose personal information or health information in circumstances where it is reasonable and necessary to do so to perform statutory functions or exercise statutory powers. By way of definition, use refers to the handling of information by the TAC; disclosure refers to the communication of personal information to another agency, organisation or individual. The TAC is empowered, under specific circumstances that are defined in the Act, to disclose information to third parties. These circumstances are set out in section 131(2) of the Act, and include:
- disclosure of documents or communications which must be produced in criminal proceedings or any other proceedings under the Act;
- disclosure of information to the Victorian WorkCover Authority (or an authorised agent);
- disclosure of information to a Court;
- disclosure to other State or Commonwealth Authorities set out in section 131(2) of the Act.
The TAC will only disclose personal information or health information to a third party when disclosure of the information is required for the primary purpose of collection, or (as long as the information is not sensitive information) a related purpose, which is consistent with the carrying out of statutory functions or the exercise of statutory powers under the Act. Any disclosure of personal information or health information to a third party will occur on the understanding that:
- the recipient of the information treats the information provided as confidential;
- the recipient uses the information only for the purposes set out by the TAC.
From time to time, the TAC may have to release relevant information to external parties. For example, if the TAC arranges for a claimant to be medically examined by a medical specialist to determine the extent of the client's injuries, it may be necessary for the TAC to provide copies of other health information held by the TAC to that specialist in order to assist with the medical assessment.
These sorts of disclosure fall within categories that clients of the TAC might reasonably expect to occur.
The TAC, on occasions, uses personal information about its clients to formulate accident research and statistical information, which in all cases has personal identification removed before the information is used. The TAC may also use personal information to conduct client satisfaction surveys. In all cases where it is practical to do so information has individual identification removed before it is provided to a third party for research purposes. In the case of client satisfaction surveys all information obtained from the surveys is treated confidentially and the clients are provided with an opportunity to opt out of the survey and future surveys. Client survey information has all individual identification removed before any of the results of the survey are disclosed.
On occasions the TAC will be requested to provide personal information or health information for the purposes of medical research e.g. to facilitate research into the treatment transport accident injuries. Personal information or health information is only provided for medical research where the research is conducted in accordance with any guidelines issued by Health Services Commissioner under the Health Records Act 2001, which incorporates relevant standards like the National Standard on Ethical Conduct in Research Involving Humans published by the National Health and Medical Research Council (NHMRC, 1999).
Principle 3 - Keeping information accurate and up to date
The TAC will take reasonable steps to ensure that the personal information and health information it collects is relevant, accurate, up to date and complete .
What this means:
The TAC will, before using personal information and health information it has obtained in relation to a client, take reasonable steps to ensure that the information held by the TAC is accurate, up to date and not misleading. In some circumstances the TAC relies on its clients and other parties to provide up to date, accurate information, which is not misleading (for example with name and address details). In addition, the Act imposes a number of statutory obligations on clients to provide accurate, up to date information that is not misleading.
Principle 4 - Keeping information secure
The TAC will take reasonable steps to ensure that the personal and health information collected is protected from misuse, loss, unauthorised access, modification or disclosure.
What this means:
The TAC staff and parties engaged by the TAC (for example IT contractors) are required to observe and abide by the secrecy provisions contained within section 131 of the Act. These provisions prohibit the release of information to any person or body, which identifies or could lead to the identification of any person, except to the extent necessary for the performance of duties under the Act (or other related legislation).
In addition, the TAC takes the following steps to ensure that information remains secure:
- training to ensure that staff of the TAC and contractors are adequately trained in the requirements for the collection, use and storage of personal and health information;
- technological measures. Where information is transmitted electronically, the TAC will take reasonable steps to ensure that the most appropriate security infrastructure is used to protect the information. Such measures include:
- automated password reset prompts and timeout screensavers on all desktops and laptops;
- encrypted memory storage devices;
- full logging and tracking of all transactions;
- a robust firewall to prevent unauthorised access;
- strictly controlled and audited access hierarchies;
- locked down operating systems that cannot be changed by users;
- full anti-virus protection using two products at all gateways and on all servers;
- certificate based messaging systems will be in place to ensure secure communications;
- ensuring any contracts with external service providers, contractors, sub-contractors or fee for service professionals entered into by the TAC contain clauses for the handling of personal information and health information in accordance with appropriate privacy principles; and
- physical measures such as building security to ensure that access to information held by the TAC is controlled.
Principle 5 - Openness
The TAC will make readily available to individuals specific information about its policies and practices relating to the management of personal information and health information.
What this means:
- Call the TAC on 1300 654 329 or 1800 332 556
- Email your inquiry to firstname.lastname@example.org; or
- Write to: TAC Information Privacy Officer PO Box 2751Y Melbourne Vic 3001
Principle 6 - Accessing and correcting information
A client of the TAC has a right to access and correct their personal information, health information and other information in relation to their claim, subject to the access rules set out in the Freedom of Information Act 1982 (the FOI Act) and to other limited exceptions e.g. where access may cause a threat to life or health. In most cases, whilst the access rules of the FOI Act will apply, it will not be necessary for a client of the TAC to make a formal request under the FOI Act to access most of the personal information held by the TAC about them.
What this means:
The TAC encourages its clients who wish to access the information held by the TAC about them to contact the TAC. The TAC will make most of the information held on the client's claim file available to them without the need to make a formal request under the FOI Act.
If a request is necessary under the FOI Act, it must be in writing, and must identify the documents sought. The TAC will respond to the request within not more than 45 days. There are some instances where the TAC may decline to release certain types of information. In those cases, the TAC will clearly state the reason for the denial of access.
Instances where access to information may be denied include documents subject to legal professional privilege and internal working documents. In some cases, the TAC may release health information to a client's designated treating doctor and/or specialist, or legal representative, rather than directly to them.
Principle 7 - Identifying your claim
The TAC will only assign identifiers to individuals where it is necessary to enable the TAC to carry out any of its functions efficiently.
What this means:
"Unique identifier" is a term used to describe an identifier (usually a number) assigned by an organisation for the purposes of the operations of that organisation. The TAC uses claim numbers in this manner. The TAC claim numbers are generated automatically, and are subject to the principles regarding disclosure and use set out in this Policy (in particular, at principles 1 and 2 above). The assignment of a claim number is essential for the TAC to effectively manage claims. The claim number assigned to a client's claim will be used on all correspondence associated with a claim for compensation.
The TAC also obtains access to other unique identifiers such as tax file numbers. The TAC obtains taxation details from its clients to ensure that appropriate tax law is complied with when calculating loss of earnings or other entitlements. The TAC will not release a tax file number obtained from a client to a third party under any circumstances. Once the TAC has recorded the details of a tax file number, the TAC takes all reasonable steps to ensure that the number is removed from the records held by the TAC.
Principle 8 - Anonymity
Wherever it is lawful and practicable, individuals have the option of not identifying themselves when entering transactions with the TAC.
What this means:
In practice, there are few occasions where anonymity will be possible in dealings with the TAC. Possible examples where anonymity is possible may include: general enquiries regarding the Act and road safety campaigns. In these cases, a person will not be required to provide personal information to receive the information requested and any personal information provided will not be recorded.
Principle 9 - Information transfers interstate or overseas
The TAC will only release personal information or health information outside Victoria if it believes this to be necessary to perform functions and exercise powers under the Act. For example, the TAC may need to have an insured person living interstate, medically examined interstate. In these instances, the TAC will take reasonable steps, including imposing contractual arrangements, to ensure that the information transferred will not be held, used or disclosed by the recipient of the information in a manner inconsistent with the TAC's privacy principles.
The TAC will take reasonable steps to ensure that the recipient of any personal information or health information is aware of the TAC's expectations for personal information and health information to be dealt with in confidence.
Principle 10 - Sensitive Information
The TAC cannot usually collect sensitive information about an individual, but is permitted to in cases where:
- the consent of the person is obtained; or
- the collection is required under law; or
- the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual; or
- the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
What this means:
"Sensitive information", as defined in the Information Privacy Act 2000, means information or an opinion about an individual's:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual preferences or practices
- criminal record,
in circumstances where the information is also personal information.
in circumstances where the information is also personal information.
In almost all cases, the TAC does not require sensitive information for the performance of functions or exercise of powers under the Act.
The TAC may, during the course of business, incidentally obtain information that might be deemed to be sensitive, for example as part of a medical report or record received by the TAC.
In circumstances where the TAC incidentally obtains sensitive information in the course of carrying out its statutory functions or exercising its statutory powers under the Act, use will not be made of the information and the information will not be disclosed except where:
- the use is directly relevant to a function the TAC performs or a power the TAC is required to exercise; or
- use or disclosure is directly relevant in a proceeding relating to entitlement (or continuing entitlement) to compensation under the Act, or common law damages.
An example of where sensitive information may be relevant to the provision of services by the TAC might be where a client requests that an attendant care service provider observes similar religious beliefs or is required to have a similar cultural background to the client for communication purposes.
Principle 11 - Making information available to another health service provider
This principle deals with health service providers making information available to other health service providers. The TAC is not a health service provider under the Health Records Act 2001.
The TAC will make health information it holds about a client available to another health provider in accordance with Principle 2, above. The TAC will make health information it holds available to a client in accordance with Principle 6 above, which deals with accessing and correcting information.
Personal information is collected online, for example, in the following situations:
- when you send us an email;
- when you use our on-line services, such as completing a form electronically;
- when you register as a site user; or
- when you provide feedback online.
Set out below is a further explanation of how the TAC collects personal information online and your rights in relation to such collection.
In relation to email communications, your e-mail address will be recorded and used solely for the purpose for which you have provided it. It will not be disclosed, added to a mailing list or used for any other purpose without your consent.
You should be aware, however, that the internet is an insecure medium and clients should be aware that there are risks in transmitting information over the internet. Information sent via unencrypted email may be at risk of being intercepted, read or modified. While the TAC uses reasonable efforts to maintain a secure online environment, in order to protect your privacy and the privacy of others, we request that you do not send us personal information by email or other electronic means.
The TAC will not forward information of a personal nature by internet. We will only forward such information by traditional means, such as post, fax or telephone, if appropriate.
If you choose to use the internet to send personal information, then the TAC can only respond where we have been provided with a postal address, fax number or telephone number.
When accessing external links provided on our site, it is recommended that you read the site-owners' privacy statement before disclosing your personal information. We do not accept responsibility for inappropriate use, collection, storage or disclosure of your personal information collected or submitted outside of our site.
Click Stream Data
When you visit our on-line services, TAC makes a record of your visit. The following information, referred to as 'click stream data' in computer language, is logged by our server:
- your server address;
- your top level domain name (for example, .com, .gov, .au, .uk, etc);
- the date and time you visited our website or completed the on-line transaction;
- the pages you accessed and documents you downloaded;
- the type of browser you are using; and
- the address of the referring site (that is, the previous site you visited).
All of this information is collected for statistical purposes to enable us to assess the number of visitors to the different sections of our site, determine what information is most and least used and to help us make our site more useful to visitors.
We do not actively seek to identify you. However, in the unlikely event of an investigation, a law enforcement agency may exercise a warrant to inspect our server's logs.
When you visit our site, our server may generate a cookie. A cookie is a small piece of information (a text file) that a web server can place temporarily on your hard drive or web browser. It is used by your browser to identify the pages that you have visited on our site. A cookie is uniquely yours and can only be read by the server that gave it to you.
You may disable the receipt of a cookie through your browser, although this may interfere with the performance of the Site.
Our site uses web beacons. A web beacon is an often-transparent graphic image that is placed on a site (or in an e-mail) and when used in combination with cookies, can monitor the behaviour of the user visiting the site (or sending the e-mail). The type of information collected might include the Internet Protocol address of the computer that retrieved the image, the time the web beacon was viewed and for how long, the type of browser that retrieved the image and previously set cookie values.
Web beacons are also known as Web bugs, pixel tags or clear GIFs.
Security of Electronic Transmissions
We take reasonable steps to secure the information transmitted to our online services. However, the nature of electronic transmissions is such that there is the possibility that a third party may observe this information while it is in transit. You may prefer to provide information by telephone, paper mail or in person.
You can access our website without disclosing your personal information. However, certain functions within our website, such as feedback, the ordering of materials or register for email subscriptions may require the disclosure of personal information.