CMRB Home

Registration & Information
Privacy Policy

Broad Policy Statement   Privacy Policy   Relevant Legislation   Effective Date   Privacy, Confidentiality, FOI   Information Privacy Principles   Staff, Consultants, Board, Panel Members   Complaints   Dispute Resolution   Review   End Notes  

Information Privacy Principles

IPP 1 Collection   IPP 2 Use and disclosure   IPP 3 Data quality   IPP 4 Data security   IPP 5 Openness   IPP 6 Access and correction   IPP 7 Unique identifiers   IPP 8 Anonymity   IPP 9 Transborder data flows    IPP 10 Sensitive information   IPP 11 Health Information  
PRIVACY STATEMENT

The right to privacy is a value that is highly regarded by Australians. The Chinese Medicine Registration Board takes privacy seriously and is committed to protecting the privacy of individuals. This includes health and other confidential information, which is necessary for the Board to carry out its functions under the Health Professions Registration Act 2005. The Board will take all reasonable steps to protect individual information from loss, misuse or unauthorised disclosure or destruction.

The Board endeavours to balance the rights of privacy with the need to be accountable and transparent in its dealings. Certain information will not be available under freedom of information laws. This includes private information relating to another individual, the Board's internal working documents and material obtained in confidence.

The Board's full privacy policy is available on the website at www.cmrb.vic.gov.au or from the office on phone (03) 9499 3800.
PRIVACY POLICY

1.0 Broad Policy Statement

The right to privacy is a value that is highly regarded by Australians. The Chinese Medicine Registration Board (the Board) takes privacy seriously and is committed to protecting the privacy of individual, health and other confidential information it holds.

The confidence of registered practitioners, complainants and others in protecting their individual information is fundamental to the Board's relationship with its stakeholders. The Board shall aim to maintain the highest standards of confidentiality of the information it receives or collects.

The Board collects individual information in its capacity as a regulatory authority in Victoria and is committed to complying with the provisions of the relevant privacy legislation. The individual information covered is information, which can be used to identify an individual and typically includes information such as name, address and date of birth and other appropriate information to enable it to conduct its lawful functions as required by the Health Professions Registration Act 2005. The Board will only collect information that is necessary for it to perform its functions. The Board will act lawfully and so far as is reasonable and practicable in a fair and non-intrusive way. Wherever possible, it will collect information directly from you rather than from third parties. The members and staff will do their best to tell you if the Board collects information about you from a third party.

Information will be collected and used in accordance with the privacy principles (see appendix 1) described in the legislation, which sets standards in relation to the collection, storage, use or disclosure of individual information. When the Board collects information it will advise of why it is being collected, and the law which requires it to be collected.

The Board will take all reasonable steps to protect individual information from loss, misuse or unauthorised disclosure or destruction.

To protect information from possible misuse the Board may require that inquirers establish their identity before discussing individual information.

The Board has delegated to the Registrar, responsibility for overseeing the implementation of all privacy procedures and that the procedures are running effectively, including:

  • Handling requests for information by government agencies,
  • Handling requests by members of the public to access confidential information in the Board,
  • Updating and correcting information,
  • Handling complaints concerning the privacy laws or this policy,
  • Reviewing the internal procedures for maintaining consistency of dealing in individual information and the keeping of appropriate records in a secure manner.

This policy shall be displayed on the Board's web site and be available at the offices of the Board. Any individuals shall be able to obtain a copy of the policy on application.

top of page

2.0 Relevant Legislation

The Board is required to comply with relevant Acts regarding the collection and handling of individual information and the access of such information by the individuals concerned.

The Information Privacy Act 2000 applies to the management of individual information in the Victoria Public Service and its regulatory authorities. The privacy laws became enforceable as of 1 September 2002. The Health Records Act 2001 is a complementary act which specifically establishes privacy standards for the handling of health information and applies to the handling of any health information. The Freedom of Information Act 1982 deals with accountability and transparency of authorities allowing the public to access certain documents and information about them.

top of page

3.0 Effective Date

This policy is effective from the 1 September 2002.

4.0 Privacy, Confidentiality and Freedom of Information

Privacy laws regulate the collection, use and disclosure, storage and disposal of individual information and relates to how an individual's information is handled. Freedom of Information laws provides for an individual's right of access to information and provides for access to certain documents of the Board whether or not they relate to the requester.

The Board endeavours to balance the rights of privacy with the need to be accountable and transparent in its dealings. Certain information will not be available under freedom of information laws. This includes private information relating to another individual, the Board's internal working documents and material obtained in confidence.

If there is a need to restrict information about an individual to an individual the Board will only do so if it is lawful to do so and will provide a explanation of the reason for doing so.

top of page

5.0 Information Privacy Principles

5.1 IPP 1 Collection

The Board will only collect information that is necessary to carry out its functions or activities. Individual information will be collected in a lawful manner and as far as is reasonable and practicable, in a fair means and not in an unreasonably intrusive way.

When collecting information, the Board will take reasonable steps to ensure that the individual is aware of his/her right to access the information, the purpose of its collection, to whom it may be disclosed, any law that requires the particular information to be collected, and the main consequences (if any) for the individual if all or part of the information is not provided. Where practicable and possible information will only be collected with an individual's consent from the individual. If collected without consent the Board will only do so if lawful. If the Board collects information about an individual from someone else it will take reasonable steps to ensure that the individual is made aware of their rights as referred to above (except if such action would pose a serious threat to the life or health of any individual).

The kind of information that the Board may collect includes the following:

  • Information provided to the Board by practitioners for the purpose of assessing applications for registration or renewal of registration
  • Information collected from third parties for the purpose of the Board assessing applications for registration or renewal of registration or conducting investigations into professional conduct, the health of a practitioner or s80 breaches of the Health Professions Registration Act 2005
  • Information received from members of the public wishing to make a complaint about a practitioner
  • Information collected for the purpose of conducting investigations into professional conduct and/or the health of practitioners.

Information shall only be collected where it is necessary for the fulfilment of the Board's role under the Health Professions Registration Act 2005 or where otherwise required by law.

top of page

5.2 IPP 2 Use and disclosure

The Board will not use or disclose individual information about an individual other than for the primary purpose of the collection unless the information is related to the primary purpose and it could reasonably be expected by the individual to be used or disclosed, or the individual has consented. The following exceptions apply:

  • Where no consent is given or it is impracticable to obtain it and the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual and the Board believes that the information will not be disclosed by the recipient;
  • the Board reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health, safety and welfare or a serious threat to public health, public safety, or public welfare;
  • the Board has reason to suspect that unlawful activity has been, is being or may be engaged in and it is necessary to use and disclose such information for investigating or reporting to relevant authorities.
  • the use or disclosure is required or authorised by or under the law or the BOARD reasonably believes that the use or disclosure is necessary by or on behalf of a law enforcement agency for:
    • prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of law imposing a penalty or sanction;
    • the enforcement of laws relating to the confiscation of the proceeds of crime;
    • protection of the public revenue;
    • the prevention, detection, investigation or remedying of seriously improper conduct;
    • the preparation for, or conduct of, proceedings before any court or tribunal or implementation of its orders.
  • the Board is requested to do so by ASIO (Australian Security Intelligence Organisation ) or ASIS ( Australian Secret Intelligence Service) and such request is authorised in writing by the Director-General of the relevant authority certifying that the disclosure would be connected with the performance of its functions.

5.3 IPP 3 Data quality

The Board will take reasonable steps to make sure that the individual information it collects uses or discloses is accurate, complete and up-to-date.

top of page

5.4 IPP 4 Data security

The Board will take reasonable steps to protect the individual information it holds from misuse and loss and from unauthorised access, modification or disclosure.

The Board and its staff are committed to maintaining the privacy of the individual information collected, and the Board will take all reasonable precautions to protect the information from loss, misuse, or unauthorised alteration. Internal systems shall be in place to monitor the access and changes to the data.

Data held on the Board's electronic data files, or which flows between system networks, or are stored in back up systems for disaster recovery purposes, shall be protected from unauthorised access. The Board uses its best endeavours to ensure that security systems used are the most appropriate technology to protect the information transmitted.

The Board will take all reasonable steps to destroy or permanently de-identify individual information if it is no longer needed for any purpose.

A separate policy is held by the Board in relation to the manner in which it secures information held by it.

5.5 IPP 5 Openness

On request the Board will take all reasonable steps to let an individual know what sort of individual information it holds, for what purposes and how it collects, holds, uses and discloses that information.

top of page

5.6 IPP 6 Access and correction

Practitioners and members of the public shall have a ready means of being able to contact the Board to access the information, to confirm its correctness, and to lodge requests for amendment of the records where necessary. The Board has established a procedure to handle the requests for information and provide a means for contacting the Board by mail, email or telephone.

Individuals wishing to obtain further information about the Board's privacy policy or procedures, or who wish to access their information or ensure that their information is up-dated should contact the Registrar.

The Board, at this time will not charge for lodging such request but may recover reasonable costs incurred in supplying this information.

The Board will provide access to individual information that is held about an individual on request by the individual except if:

  • Such access would pose a serious and imminent threat to the life or health of any individual
  • Such access would have an unreasonable impact on the privacy of other individuals
  • The request is frivolous or vexatious
  • The information relates to existing legal proceedings between the Board and the individual ( and would not be accessible by discovery or subpoena in the proceedings)
  • Such access would reveal intentions of Board in relation to negotiations with the individual in such a way as to prejudice those negotiations
  • Such access would be unlawful
  • Denying access is authorised by law
  • Providing access would be likely to prejudice:
    • prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of law imposing a penalty or sanction,
    • the enforcement of laws relating to the confiscation of the proceeds of crime;
    • protection of the public revenue,
    • the prevention, detection, investigation or remedying of seriously improper conduct,
    • the preparation for, or conduct of, proceedings before any court or tribunal or implementation of its orders,
  • by or on behalf of a law enforcement agency;
  • ASIO, ASIS or a law enforcement agency performing a lawful function asks the Board not to provide access to the information on the basis that providing access would likely to cause damage to the security of Australia.

If access would reveal evaluative information generated within the Board, which is confidential, the Board may give the individual an explanation for such decision rather than direct access to the information.

If the Board is not required to provide the individual with access to information (as stated above) it will, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

If the Board charges for providing access it will advise the individual who requests access that access will be provided on the payment of a prescribed fee and may be refused until the fee is paid.

If an individual is able to establish that the information the Board holds about the individual is not accurate, complete and up to date, the Board will take reasonable steps to correct or append the information.

If the individual and Board disagree about whether the information is accurate, compete or up-to-date, and the individual asks the Board to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the Board will take all reasonable steps to do so.

top of page

5.7 IPP 7 Unique identifiers

The Board will not adopt a unique identifieri of an individual that has been assigned by another organisation unless it is necessary to carry out the Board's functions OR the individual has consented to it.

The Board will not use or disclose a unique identifieri to another organisation unless it is necessary for the Board to fulfil its obligations to the other organisation, or it is necessary to fulfill the objectives described under the Uses and Disclosure clause (above) OR the individual has given consent.

The Board will not require an individual to provide a unique identifieri in order to obtain a service unless it is required or authorised by law or is connected with a purpose for which the unique identifier was assigned.

5.8 IPP 8 Anonymity

The Board allows individuals the option to interact anonymously whenever it is lawful and practicable to do and will freely provide general information such as registration status of practitioners and information about its processes (including applying for registration, information on course approvals and making complaints).

The Board cannot offer practitioners the ability to transact with anonymity in relation to all matters, as this may inhibit the Board from carrying out its functions (ie to maintain accurate records).

With regard to an individual making a complaint about a registered practitioner the Board's preference is that the complaint be in writing and not anonymous. It is very difficult to deal with anonymous complaints or complaints where the person making the report is not prepared to lodge formal complaint as often this results in a lack of evidence as well as insufficient probity of evidence.

top of page

5.9 IPP 9 Transborder data flows

The Board will transfer information about an individual to a third party who is outside of Victoria in limited circumstances and only if one or more of the following apply-

  • The Board reasonably believes that the recipient of the information is subject to the law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Privacy Principles
  • The individual consents to the transfer
  • The transfer is necessary for the performance of a contract between the individual and the Board or the implementation of pre-contractual measures taken in response to the individuals request
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the Board and a third party
  • The transfer is for the benefit of the individual and it is impracticable to obtain the consent of the individual and if it were practicable the individual would be likely to give consent
  • The Board has taken reasonable steps to ensure that the information, which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the privacy principles.
5.10 IPP 10 Sensitive information


The Board will not collect sensitive informationii about an individual unless the individual has consented, it is required under law, or the collection is necessary to prevent or lessen an imminent threat to the life or health of any individual and the individual concerned is physically or legally incapable of giving consent or communicating consent or the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

The Board may need to collect sensitive information, as authorised by the law, about an individual if it is necessary in order to fulfil the Board's role under the Health Professions Registration Act 2005. It will only be done without the individual's consent if there is no reasonably practical alternative to collecting the information for that purpose and it is impracticable for the Board to seek the individual's consent. The Board may request a practitioner to provide sensitive information as relates to professional conduct as a registered practitioner. This may include information as to the membership of a professional association or alliance and any criminal record or proceedings brought against the individual.Consent to the collection of some sensitive information may be a requirement for registration.

top of page

5.11 IPP 11 Health Information

The Board may need to collect health information in order to investigate the fitness or otherwise of a practitioner to practise. Health information may relate to a mental or physical incapacity or an alcohol or drug-dependency. Such information will be collected in accordance with the Health Records Act 2001 which sets out privacy principles specifically regarding the collection of health information. These principles are complementary and are essentially encompassed in the privacy principles set out in this document. Information on a individual's health will be collected only if the Board requires it to fulfil its role under the Health Professions Registration Act 2005.

6.0 Staff, Consultants, Board and Panel Members

The Board, its members and staff are trained in their obligations under this Policy. Consultants are required to understand and comply with this policy. Adherence to the privacy principles shall be a condition of employment. A breach of any of the principles or this policy is a ground for disciplinary action.

The Board will investigate any suspected infringements of privacy. Disciplinary action will be taken in cases where investigation demonstrates that an infringement has taken place.

top of page

7.0 Complaints

Individuals wishing to obtain further information about the Board's privacy policy, or who wish to make a complaint about the Board's handling of a privacy issue should contact the Registrar, Ms Debra Gillick, or the President, Prof. Vivian Lin.

Mail:
 		PO Box 5088, Alphington, Victoria, Australia, 3078.
Telephone:
 		+61 3 9499 3800
Facsimile:
 		+61 3 9499 8688
Email:
 		registrar@cmrb.vic.gov.au
 
 		president@cmrb.vic.gov.au

Information is also posted to the Board's website at www.cmrb.vic.gov.au

Alternatively, the Office of the Victorian Privacy Commissioner can be contacted on:
Phone:
 		1300 666 444
Phone:
 		+61 3 8619 8719
Email:
 		enquiries@privacy.vic.gov.au
Website:
 		www.privacy.vic.gov.au

Or you may contact the Health Services Commissioner on:
Phone:
 		1800 136 066
Phone:
 		+61 3 8601 5200
Email:
 		hsc@dhs.vic.gov.au
Website:
 		www.health.vic.gov.au

top of page

8.0 Dispute Resolution

The Board shall establish a dispute resolution procedure to deal with complaints and disputes regarding the information stored and used by the Board. The procedures shall allow complaints to be dealt with by the Registrar or the President (see section 7 for contact details) and provide the means to have the matter dealt with by the Board if the matter is not resolved satisfactorily or in a timely manner.

Where a matter cannot be resolved within the period of 30 days, the individual involved shall be kept informed of the progress of the dispute.

Alternatively, the Office of the Victorian Privacy Commissioner can be contacted on:
Phone:
 		1300 666 444
Phone:
 		+61 3 8619 8719
Email:
 		enquiries@privacy.vic.gov.au
Website:
 		www.privacy.vic.gov.au

Or you may contact the Health Services Commissioner on:
Phone:
 		1800 136 066
Phone:
 		+61 3 8601 5200
Email:
 		hsc@dhs.vic.gov.au
Website:
 		www.health.vic.gov.au

top of page

9.0 Review

This policy will be reviewed every two years or as required.

10.0 End Notes

i
 		A unique identifier is usually a number assigned to an individual in order to identify the individual for the purposes of an organisation's operations. Tax File Numbers and Driver's Licence Numbers are examples. Unique identifiers can facilitate data matching and data matching can diminish privacy
ii
 		Sensitive information means information or an opinion about an individual’s (I) racial or ethnic origin or (ii) political opinions or (iii) membership of a political association; or (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record – THAT IS ALSO INDIVIDUAL INFORMATION
Appendix 1 - Privacy Principles

1. Principle 1-Collection
1.1
 		An organisation must not collect individual information unless the information is necessary for one or more of its functions or activities.
1.2
 		An organisation must collect individual information only by lawful and fair means and not in an unreasonably intrusive way.
1.3
 		At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects individual information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of--

  1. the identity of the organisation and how to contact it; and
  2. the fact that he or she is able to gain access to the information; and
  3. the purposes for which the information is collected; and
  4. to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
  5. any law that requires the particular information to be collected; and
  6. the main consequences (if any) for the individual if all or part of the information is not provided.
1.4
 		If it is reasonable and practicable to do so, an organisation must collect individual information about an individual only from that individual.
1.5
 		If an organisation collects individual information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in IPP 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
top of page

2. Principle 2-Use and Disclosure

2.1
 		An organisation must not use or disclose individual information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless--

  1. both of the following apply--
    1. the secondary purpose is related to the primary purpose of collection and, if the individual information is sensitive information, directly related to the primary purpose of collection;
    2. the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
  2. the individual has consented to the use or disclosure; or
  3. if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual--
    1. it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and
    2. in the case of disclosure--the organisation reasonably believes that the recipient of the information will not disclose the information; or
  4. the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent--
    1. a serious and imminent threat to an individual's life, health, safety or welfare; or
    2. a serious threat to public health, public safety, or public welfare;
  5. or (e) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the individual information as a necessary part of its investigation of the matter or in reporting its concerns to relevant individuals or authorities; or
  6. the use or disclosure is required or authorised by or under law; or
  7. the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency--
    1. the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
    2. the enforcement of laws relating to the confiscation of the proceeds of crime;
    3. the protection of the public revenue;
    4. the prevention, detection, investigation or remedying of seriously improper conduct;
    5. the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
  8. the Australian Security Intelligence Organization (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the organisation to disclose the individual information and--
    1. the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure; and
    2. an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) for the purposes of this paragraph has certified that the disclosure would be connected with the performance by ASIO or ASIS (as the case requires) of its functions.
2.2
 		If an organisation uses or discloses individual information under paragraph 2.1(g), it must make a written note of the use or disclosure. 3.
top of page

3. Principle 3-Data Quality

3.1
 		An organisation must take reasonable steps to make sure that the individual information it collects, uses or discloses is accurate, complete and up to date.

4. Principle 4-Data Security

4.1
 		An organisation must take reasonable steps to protect the individual information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2
 		An organisation must take reasonable steps to destroy or permanently de-identify individual information if it is no longer needed for any purpose.
top of page

5. Principle 5-Openness

5.1
 		An organisation must set out in a document clearly expressed policies on its management of individual information. The organisation must make the document available to anyone who asks for it.
5.2
 		On request by a individual, an organisation must take reasonable steps to let the individual know, generally, what sort of individual information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
top of page

6. Principle 6-Access and Correction

6.1
 		If an organisation holds individual information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that--

  1. providing access would pose a serious and imminent threat to the life or health of any individual; or
  2. providing access would have an unreasonable impact on the privacy of other individuals; or
  3. the request for access is frivolous or vexatious; or
  4. the information relates to existing legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or
  5. providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  6. providing access would be unlawful; or
  7. denying access is required or authorised by or under law; or
  8. providing access would be likely to prejudice an investigation of possible unlawful activity; or
  9. providing access would be likely to prejudice--
    1. the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; or
    2. the enforcement of laws relating to the confiscation of the proceeds of crime; or
    3. the protection of public revenue; or
    4. the prevention, detection, investigation or remedying of seriously improper conduct; or
    5. the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders--by or on behalf of a law enforcement agency; or
  10. ASIO, ASIS or a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2
 		However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

6.3
 		If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (j) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4
 		If an organisation charges for providing access to individual information, the organisation--
  1. must advise an individual who requests access to individual information that the organisation will provide access on the payment of the prescribed fee; and
  2. may refuse accessto the individual information until the fee is paid.
6.5
 		If an organisation holds individual information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date.

6.6
 		If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation must take reasonable steps to do so.

6.7
 		An organisation must provide reasons for denial of access or a refusal to correct individual information.

6.8
 		If an individual requests access to, or the correction of, individual information held by an organisation, the organisation must--

  1. provide access, or reasons for the denial of access; or
  2. correct the individual information, or provide reasons for the refusal to correct the individual information; or
  3. provide reasons for the delay in responding to the request for access to or for the correction of individual information--as soon as practicable, but no later than 45 days after receiving the request.
top of page

7. Principle 7-Unique Identifiers

7.1
 		An organisation must not assign unique identifiers to individuals unless the assignment of unique identifiers is necessary to enable the organisation to carry out any of its functions efficiently.
7.2
 		An organisation must not adopt as its own unique identifier of an individual a unique identifier of the individual that has been assigned by another organisation unless--

  1. it is necessary to enable the organisation to carry out any of its functions efficiently; or
  2. it has obtained the consent of the individual to the use of the unique identifier; or
  3. it is an outsourcing organisation adopting the unique identifier created by a contracted service provider in the performance of its obligations to the organisation under a State contract.
7.3
 		An organisation must not use or disclose a unique identifier assigned to an individual by another organisation unless--

  1. the use or disclosure is necessary for the organisation to fulfil its obligations to the other organisation; or
  2. one or more of paragraphs 2.1(d) to 2.1(g) applies to the use or disclosure; or
  3. it has obtained the consent of the individual to the use or disclosure.
7.4
 		An organisation must not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned.
top of page

8. Principle 8-Anonymity

8.1
 		Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
9. Principle 9-Transborder Data Flows

9.1
 		An organisation may transfer individual information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if--

  1. the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Information Privacy Principles; or
  2. the individual consents to the transfer; or
  3. the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
  4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
  5. all of the following apply--
    1. the transfer is for the benefit of the individual;
    2. it is impracticable to obtain the consent of the individual to that transfer;
    3. if it were practicable to obtain that consent, the individual would be likely to give it; or
  6. the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.
top of page

10. Principle 10-Sensitive Information
10.1
 		An organisation must not collect sensitive information about an individual unless--

  1. the individual has consented; or
  2. the collection is required under law; or
  3. the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns--
    1. is physically or legally incapable of giving consent to the collection; or
    2. physically cannot communicate consent to the collection; or
  4. the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
10.2
 		Despite IPP 10.1, an organisation may collect sensitive information about an individual if--

  1. the collection--
    1. is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or
    2. is of information relating to an individual's racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and
  2. there is no reasonably practicable alternative to collecting the information for that purpose; and
  3. it is impracticable for the organisation to seek the individual's consent to the collection.
Problems or comments about this site to admin@cmrb.vic.gov.au