Privacy Management Policy
Policy name | Privacy Management Policy |
Policy number | COR004 |
Date approved | 24 April 2024 |
Approving body | Cairnmillar Council |
Responsible officer | CEO |
Implementation officer | General Manager |
Next review date | April 2029 |
Related policies |
1. Purpose of this policy
The purpose of this policy is to provide a consolidated statement of CMI's approach to and expectations regarding privacy.
2. Scope
This policy covers the management of all information at CMI.
This policy applies to all CMI staff, students and agents, and to individuals with whom CMI interacts.
3. Definitions and Acronyms
In this policy:
3.1. 'Agent' means a person or organisation external to CMI who is authorised to act on CMI's behalf.
3.2. ‘CoP’ means CMI Community of Practice.
3.3. 'Information' means personal information and sensitive information as defined in the Privacy and Data Protection Act 2014 (Vic); and health information as defined in the Health Records Act 2001 (Vic).
3.4. 'Risk' means the effect of uncertainty on objectives.
4. Policy
4.1. Policy Statement
4.1.1 CMI values the privacy of all individuals and is committed to handling their information in a lawful and responsible manner. CMI is committed to ensuring that it is compliant with the Information Privacy Principles (IPPs) in the Privacy and Data Protection Act 2014 (Vic), the Health Privacy Principles (HPPs) (Cth) in the Health Records Act 2001 (Vic), and to the related legal obligations by which it is bound. Where legally required, CMI will comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).
4.2 Collecting Information
4.2.1 CMI will collect information only where it is necessary in order to carry out its functions and activities.
4.2.2 As part of running the business of the Institute, CMI collects information for various purposes, including for:
- The provision of education and related activities;
- The employment of staff;
- The provision of health services through its clinics; and
- Providing membership services through our CMI CoP.
4.2.3 Overarching privacy statements for staff, students and CoP members are attached to this policy.
4.2.4 When collecting information, CMI expects that it will only be collected by lawful and fair means and not in an unreasonably intrusive way. When collecting information, the individual to whom the request relates should be advised of:
- The purpose for which CMI is collecting the information;
- How the individual can access their information;
- To whom the information will be disclosed;
- Whether the collection is required by law; and
- The consequences of not providing the information.
4.2.5 CMI will only collect sensitive information in limited circumstances (e.g. with the individual's informed consent, if required by law).
4.3 How we collect personal information
4.3.1 We collect and handle your personal information when you interact with us, including through our website, online services, social media channels or visits to our offices. This may include details of the particular services you access during your visits, your IP address, device details or identifiers, usage and location data, personal data and images collected from video camera surveillance.
4.3.2 Our content and features on our website, remarketing and to improve security during your online session. We sometimes use cookies to deliver third party partner or sponsor advertising on various websites you may visit. We also use online behavioural analytics as part of optimising email campaigns based on audience behaviour and to measure the effectiveness of online content, resources and sales.
4.3.3 It is possible to disable cookies via your web browser; however, doing so may restrict your ability to access some web pages. Please refer to the ICT003 Cookie Policy for further information about cookies and how we handle cookie data.
4.3.4 We mostly collect personal information directly from you. However, in some circumstances your information may be collected indirectly from a third party. We may also collect information about you that is publicly available, including through searches of third-party databases.
4.3.5 Personal information received by Us that we have taken no active steps to collect may be retained as permitted by applicable laws. If the information is not to be retained, we will securely destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
4.4 Providing information to CMI anonymously
4.4.1 Where lawful and practicable, individuals may choose not to identify themselves when transacting with CMI. However, CMI may consequently be unable to provide services in these circumstances.
4.5 Using and disclosing information
4.5.1 In most cases, CMI will only use or disclose an individual's information for the primary purpose for which it was collected.
4.5.2 However, CMI may use and disclose information for a secondary purpose if the secondary purpose is:
- Related to the primary purpose in the case of personal information; or
- Directly related to the primary purpose in the case of health and sensitive information; and
- The individual would reasonably expect CMI to use or disclose the information for that secondary purpose.
4.5.3 In all other cases, CMI may use and disclose the information if:
- The individual has consented to the use and disclosure; or
- The disclosure is authorised or required by law.
For further guidance regarding the use and disclosure of information, including responding to requests for access to information, please see the privacy statements for staff, students, and CoP members attached to this policy.
4.6 Sending information outside of Victoria
4.6.1 Staff and agents sending information outside of Victoria as part of CMI's functions and activities must only do so:
- If the recipient is subject to principles for fair handling of information that are substantially similar to Victoria’s;
- With the individual's consent or, if it is impracticable to obtain their consent, where the transfer is for their benefit and they would be likely to consent if they could;
- If contracting with the individual, or with a third party for the individual's benefit; or
- In accordance with the applicable legislation.
4.7 We may transfer your personal information internationally
4.7.1 Personal information may be transferred outside of Australia or the country in which you reside for the purposes as outlined in this policy and the applicable collection statement.
- We use contracted service providers (for example, placement software, community of practice portal, etc.) which may be located outside of your country, resulting in your personal information being transferred outside of your country. We may store your information in cloud or other types of networked or electronic storage. As these may be accessed from various countries via an internet connection, it is not always practicable to know in which country your information may be accessed or held.
- We take all reasonable steps to ensure your information is protected by carefully selecting Our external service providers, who may only use the data for the purposes stipulated by Us. We also contractually require our service providers to treat your information in accordance with this policy and relevant privacy legislation.
- Subject to applicable laws, by providing your personal information to Us or using Our website or Our products, you consent to the transfer of your personal information in accordance with the terms of this policy.
4.8 Accessing and correcting information
4.8.1 CMI will provide individuals with access to information it holds about them, subject to legal requirements.
4.8.2 Requests for access to information will be considered in accordance with the applicable legislation and the Privacy Procedure.
4.8.3 In some cases, requests for access to information will need to be made through CMI's Freedom of Information process.
4.8.4 Where there is a concern, staff should contact the relevant CMI Privacy Officer for advice.
4.8.5 If an individual establishes and notifies CMI that their information is inaccurate, incomplete or not up to date, CMI will take reasonable steps to correct the information or to record that the individual disagrees with the information on file.
4.9 Maintaining data quality
4.9.1. CMI expects its staff, students and agents to take reasonable steps to ensure that any information that is collected, used or disclosed is accurate, complete and up to date.
4.10 Securing, storing and retaining data
4.10.1. CMI will take reasonable steps to ensure that the information it handles is protected from misuse, loss, unauthorised access, modification and disclosure.
4.10.2. We take appropriate steps to protect your personal information from accidental or unlawful interference, unauthorised access, misuse, loss, modification or disclosure by implementing physical, administrative and technical safeguards.
4.10.3. We retain your information for as long as it is necessary to fulfil the purpose and associated activities for which it was collected, including complying with Our legal and regulatory obligations (e.g. audit, accounting and statutory retention terms), handling disputes, and for the establishment, exercise or defence of legal claims in the countries in which we operate.
4.10.4. We may need to retain certain personal information after we cease providing you with membership, services or products to enforce Our terms or after you cease employment with Us for fraud prevention, audit or insurance purposes or to identify issues or resolve legal claims and/or for proper record keeping.
4.10.5. We will dispose of personal information in a secure manner. Aggregated usage data may be retained indefinitely for the purpose of monitoring historical performance of Our website and services.
4.10.6. CMI's requirements in relation to information technology security are set out in the Records Management Policy and relevant associated Procedures.
4.11 Disposing of and destroying information
4.11.1. CMI will take reasonable steps to destroy or permanently de-identify personal or sensitive information if it is no longer legally required to be held. CMI's requirements in relation to the destruction of documents are governed by the Records Management Policy and related procedures.
4.11.2. CMI will only destroy or permanently de-identify health information in accordance with the Health Records Act 2001 (Vic).
4.12 Health information
4.12.1. In addition to the above, there are specific obligations with respect to health information received in confidence and transferring health records to other health service providers. Refer to the Privacy Procedure for further information.
4.12.2. Health records may be created in many circumstances at CMI. Examples include through CMI’s clinics; through research or teaching and learning activities; through work performed by People & Culture; through student counselling; through the work of the student disability liaison, etc. These must be managed in accordance with the Health Records Act 2001 (Vic). Further guidance on this is provided in the Privacy Procedure and Records Management Policy and associated procedures.
4.13 Privacy support
4.13.1. CMI has Privacy Officers who carry out the functions listed in the Privacy Procedure. Any queries or concerns regarding Privacy should be directed to the relevant Privacy Officer.
5. Procedures
This policy is supplemented by the Privacy Procedure and the Privacy Security Breach Procedure.
6. Resources and References
6.1. Operational areas within CMI may develop guidelines tailoring the requirements under this policy and the Privacy Procedure to suit their business needs.
6.2. Privacy Appendix 1 to this policy is the Privacy Statement for the collection of student information.
6.3. Privacy Appendix 2 to this policy is the Privacy Statement for the collection of staff information.
6.4. Privacy Appendix 3 to this policy is the Privacy Statement for the collection of CoP member information.