HIGHWAY PRIVACY POLICY

Protecting your Privacy is important to us!

PRIVACY POLICY
Highway Foundation is committed to protecting the personal and health information that we collect, hold, manage, use, disclose and transfer. This policy supports Highway Foundation's need to collect information and the right of the individual to privacy. It ensures that Highway Foundation can collect personal and health information necessary for its services and functions while recognising the right of individuals to have their information handled in ways that they would reasonably expect, and in ways that protect their personal and health information. This policy supports Highway Foundation staff to demonstrate the value of respect by maintaining confidentiality and treating private information properly. Staff treat information properly by complying with legislation and policies relating to dealing with personal and health information.


SCOPE
This policy sets out how Highway Foundation is to collect, hold, manage, use, disclose or transfer personal and health information in accordance with the Information and Health Privacy Principles contained within the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).


COMPLIANCE
Highway Foundation must collect and handle personal information and health information in accordance with the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) unless otherwise required by law.


ACCOUNTABLE OFFICER
The Accountable Officer for this policy is Dr. Tan Chyuan Chin. The Accountable Officer is responsible for the:
• development of this policy;
• implementation of any supporting protocols, processes and guidelines;
• ongoing monitoring of compliance with this policy.

REVIEW
This policy will be reviewed and updated from time to time to take account of new laws, technology and processes. The review process will be completed by the Partnership and Research Department, with oversight provided by the Chief Executive Officer.

Contact
For more information about this policy, contact the Foundation’s Privacy team at traffic@highwayfoundation.org

KEY DEFINITIONS
Throughout this policy:

Health information means information or opinion about a person’s physical, mental or psychological health or disability that is also personal information. This includes information or opinion about a person’s health status and medical history.

Personal information means recorded information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information. The information or opinion can be recorded in any form.

Sensitive information means information or an opinion that is also personal information about a person’s racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, membership of a political association, professional or trade association, or trade union, or an individual’s criminal record.

Victorian privacy law refers to the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) collectively. There are additional Acts which have privacy implications; these are listed in this policy under Associated Legislation and Schemes.

Privacy impact assessment means an assessment that identifies and assesses the privacy impacts of any system or software that handles personal, sensitive or health information.  

POLICY
Personal and health information is collected and used by Highway Foundation for the following purposes:
• to plan, fund, implement, monitor, regulate and evaluate the Foundation's services and functions
• to fulfil statutory and other legal obligations
• to comply with reporting requirements
• to investigate incidents and/or defend any legal claims against the Foundation or its employees.

Highway Foundation has adopted the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs) in the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) respectively as minimum standards when dealing with personal and health information.

Adopting the IPPs and HPPs means that, subject to some exceptions (see Information and Health Privacy Principles), Highway Foundation must not commit an act, or engage in a practice, that contravenes an Information and/or Health Privacy Principle in respect of personal and/or health information collected, held, managed, used, disclosed or transferred by the Foundation unless otherwise permitted by law.


INFORMATION AND HEALTH PRIVACY PRINCIPLES
The Information and Health Privacy Principles most relevant to Highway Foundation are summarised as follows:

Collection of personal information
Highway Foundation will only collect personal information if the information is necessary for one of its functions or activities. Where the personal information of an individual is collected, reasonable steps should be taken to ensure that the individual is aware of:
• the identity of Highway Foundation and how to contact it;
• the fact that the individual is able to gain access to the information;
• who the Foundation usually discloses information of that kind to;
• the purposes for which the information is being collected;
• any law that requires the particular information to be collected; and
• the main consequence (if any) for the individual if all or part of the information is not provided to the Foundation.

Collection of health information
Highway Foundation will only collect health information if the information is necessary for one of its functions or activities and:
• the Foundation has gained consent from the individual; or
• collection is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual; or
• collection is necessary to prevent or lessen a serious threat to public health, safety or welfare; or
• collection is necessary for the establishment, exercise or defence of a legal or equitable claim.



Where the health information of an individual is collected, reasonable steps are taken to ensure that the individual is aware of:
• the identity of Highway Foundation and how to contact it;
• the fact that the individual is able to gain access to the information;
• the purposes for which the information is being collected;
• who the Foundation usually discloses information of that kind to;
• any law that requires the particular information to be collected; and
• the main consequence (if any) for the individual if all or part of the information is not provided to the Foundation.


Use and disclosure
Highway Foundation must only use or disclose personal and health information for the primary purpose for which it was collected, unless it falls within an exception, including where use and disclosure is:
• with the consent of the individual; or
• necessary for program quality assurance, or the compilation of statistics, in the public interest; or
• reasonably necessary to carry out a law enforcement function; or
• otherwise required, permitted or authorised by law. For example, Highway Foundation may be required to share information to:
  • fulfil its duty of care to its program participants, staff, volunteers and visitors;
  • provide a safe workplace in accordance with occupational health and safety law; or
  • assess a risk of family violence or for a child wellbeing or safety purpose.

In cases where the use or disclosure is necessary for Highway Foundation’s program quality assurance or the compilation of statistics in the public interest, Highway Foundation will seek the consent of each of the individuals involved. Where it is impracticable to seek the individual's consent and when the research or the compilation of statistics cannot be undertaken with de-identified information, the research or compilation of statistics will be carried out in accordance with the National Health and Medical Research Council's National Statement on Ethical Conduct in Research Involving Humans, or for health information, in accordance with the Statutory Guidelines on Research.


DATA QUALITY
Highway Foundation values information as an important resource. Accordingly, the Foundation must take reasonable steps to ensure that the personal and/or health information it collects, uses or discloses is accurate, complete, up to date and relevant to Highway Foundation’s functions or activities. For example, it is the Foundation’s practice to collect personal information from each individual concerned, rather than relying on other data sources, to ensure that names and other details are accurately recorded.


DATA SECURITY
Highway Foundation is guided by the principle that all information is well-governed and managed. Accordingly, the Foundation must take reasonable steps to protect the personal and/or health information it holds from misuse and loss, unauthorised access, modification or disclosure. Highway Foundation will destroy or permanently de-identify personal and/or health information if the Foundation no longer needs the information.

Highway Foundation requires that a Privacy Impact Assessment is conducted for all new and significantly changed processes that involve personal, sensitive or health information. It also requires that information assets recorded in the Foundation’s Information Asset Register are assigned data classifications. Data classifications determine what level of security is required for each type of information.

Privacy incidents are confirmed or suspected actions of information handling that are inconsistent with the IPPs and/or HPPs. Highway Foundation’s response to a privacy incident will focus on protecting personal and sensitive information and may require support by the Privacy Team which currently sits under the Partnerships and Research Department in order to resolve the incident. To report a suspected privacy incident, please email traffic@highwayfoundation.org.

OPENNESS
On request, Highway Foundation must take reasonable steps to advise individuals, in general terms:
• what sort of personal information it holds about them;
• for what purposes such information has been collected; and
• how it collects, holds, uses and discloses that information.



ACCESS AND CORRECTION

Individuals have a right to request access to, and correct, their personal and health information held by Highway Foundation. Most requests to access and/or correct information held by the Department are processed in accordance with the Freedom of Information Act 1982 (Vic).

TRANSFER OF INFORMATION OUTSIDE VICTORIA
Highway Foundation will only transfer personal and/or health information about an individual to someone who is outside Victoria in limited circumstances. Specifically, the Foundation should only transfer personal and/or health information outside Victoria if:
• the individual consents to the transfer;
• the Foundation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which is very similar to the Victorian privacy law; or
• the Foundation has taken reasonable steps to ensure that the transferred information will not be held, used or disclosed inconsistently with the Victorian privacy law.

In cases where personal and/or health information is being transferred to a jurisdiction whose privacy requirements are inconsistent with Victorian privacy law, Highway Foundation requires that a Privacy Impact Assessment be undertaken before the data is sent.

CHARTER OF HUMAN RIGHTS AND RESPONSIBILITIES
When any decision is made in relation to personal, health or sensitive information, such as to use or disclose that information, the decision-maker should give proper consideration to the Charter of Human Rights and Responsibilities Act 2006. Some guidance on how to apply the Charter when making a decision is available through the Charter of Human Rights and Responsibilities - Guidelines for Legislation and Policy Officers in Victoria and other Departmental guidance.

ASSOCIATED LEGISLATION AND SCHEMES
Child Wellbeing and Safety Act 2005 (Vic) - Part 6A Information Sharing
The Child Wellbeing and Safety (Information Sharing) Regulations are available from the Victorian Legislation website.

Family Violence Protection Act 2008 – Part 5A Information Sharing and Family Violence Information Sharing Guidelines
The Family Violence Protection Act and the Family Violence Protection (Information Sharing and Risk Management) Regulations 2018 are available from the Victorian Legislation website. Guidance on sharing information in the context of family violence can be found in the Child Information Sharing Scheme Ministerial Guidelines and further information is also available online about the Family Violence Information Sharing Scheme and MARAM.



THE NOTIFIABLE DATA BREACHES SCHEME
The Notifiable Data Breaches (NDB) scheme came into effect on the 22nd of February 2018 and requires entities captured by the scheme to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any data breach which is likely to result in serious harm to individuals whose personal information is involved in the breach. The NDB scheme applies to entities that have obligations to protect the personal information they hold under the Privacy Act 1988 (Cth). This includes Australian Privacy Principle (APP) entities, credit reporting bodies, credit providers and tax file number (TFN) recipients. Highway has a Data Breach Response Plan. Further information is available at: Office of the Australian Information Commissioner.



GENERAL DATA PROTECTION REGULATION (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR) is designed to align data privacy laws across the EU and offer enhanced privacy protections for individuals in the EU. The GDPR came into effect on 25 May 2018. The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers with an establishment in the EU or that process or control the personal data of data subjects that reside in the EU regardless of the location of the business. The GDPR makes entities accountable for their data processing activities, regardless of their location, when processing the personal data of individuals in the EU. This means that it can apply in the case of the Foundation handling information of EU or Australian citizens who are located within the EU; however, it does not apply to EU citizens who are located in Australia. If you have any further queries regarding the GDPR, please contact the Office of the Victorian Information Commissioner, the Office of the Australian Information Commissioner and EU GDPR.


COMPLAINTS
Highway Foundation will be fair and efficient when investigating and responding to information privacy complaints. The Foundation will investigate and respond to complaints made to traffic@highwayfoundation.org or by phone: +613 7038 6518.

More information
For more information about this policy, contact the Foundation’s Privacy team via traffic@highwayfoundation.org or by phone: +613 7038 6518.


Comments about this statement
Highway Foundation welcomes your comments regarding this privacy statement. If you believe that this website or any Foundation team or employee has not adhered to this statement, please contact Highway Foundation by email or mail.

Contact: Highway Foundation
traffic@highwayfoundation.org
1/297 Ingles Street, Port Melbourne, 3207








