In this policy:
"Health information" means personal information that contains information or an opinion about:
- the physical, mental or psychological health (at any time) of an individual; or
- a disability (at any time) of an individual; or
- an individual's expressed wishes about the future provision of health services to him or her; or
- a health service provided, or to be provided, to an individual.
"Personal information" means information or an opinion (including information or an opinion forming part of a database) about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The “Act” means the Transport Accident Act 1986 (as amended).
Application of privacy principles by the TAC
Principle 1 - Collection of information
Personal information and health information will be collected by TAC where:
- the information collected is relevant to the primary purpose of collection, which is to determine a client’s entitlement or continuing entitlement to benefits under the Act or to common law damages;
- the collection of the health information or personal information is limited to the information that is necessary and relevant to the determination of a client’s entitlement to benefits or to common law damages;
- the collection of health information or personal information is for a related purpose that is consistent with the objectives of the TAC such as customer service surveys, accident research or inquiries in relation to the provision of services to TAC clients.
What this means
The TAC will lawfully collect information that is relevant to carrying out functions or exercising powers under the Act.
These functions include:
- assessing whether the circumstances of an accident mean that a person injured in such an accident is eligible for compensation under the Act;
- assessing whether injuries sustained by a person were sustained as a result of a transport accident as defined under the Act;
- determining the extent of a client’s entitlement or continuing entitlement to income benefits or other compensation under the Act; and
- the assessment of the degree of injury sustained by a client in a transport accident for impairment and common law purposes.
The TAC will endeavour to ensure that personal information and health information collected about its clients is relevant to the administration of the claim and where practicable, that the information is collected directly from its clients. The TAC will collect some information about the claims it receives from third parties, such as reports from a client’s treating doctor, hospital and ambulance reports and confirmation of income details from a client’s employer. This information is obtained with the client’s consent. The consent to collect this information is obtained as part of the process of making a claim for compensation under the Act.
This consent is used to obtain personal information and health information that is reasonable and necessary to assist the TAC to perform functions and to exercise powers, including making decisions about a client’s entitlement to compensation under the Act. If the TAC is unable to obtain the information needed to determine a client’s entitlement to benefits then this may result in delays in the making of payments or make it difficult for the TAC to determine reasonable compensation or the most appropriate treatment for a client.
In circumstances where the TAC obtains personal information or health information from a third party using the consent obtained from a client at the time that the client lodged a claim for compensation the TAC will advise the client about the collection of the information. The TAC will, subject to limited exceptions mainly detailed in Principle 6 of this Policy make available to a client, on request, most of the personal information or health information held on its files about the client. If a client wants to access this information they can contact the TAC.
The TAC also has relationships with other organisations such as the Victorian Police, VicRoads and the Victorian WorkCover Authority, and where appropriate, the TAC will obtain information relevant to a client’s claim from those bodies in accordance with the Act. The purpose of collecting personal information and health information about a client is to enable TAC to make informed decisions regarding the management of a client’s claim and to otherwise meet the TAC’s statutory obligations.
The TAC sometimes obtains records of payments from Commonwealth authorities such as the Health Insurance Commission. These records are principally obtained to assist the TAC to determine those payments for which it is liable in relation to a claim. If the TAC obtains these records it will not release these records to anyone other than the client to whom the record relates.
The TAC may also collect personal information or health information under specific provisions of the Act, such as sections 127 and 127A Act of the Act, which enable authorised officers of the TAC to obtain information from the Police and to conduct investigations in some circumstances.
Principle 2 – Use and disclosure of information
2.1 Use and disclosure for the purposes of managing claims for compensation
The primary purpose for the collection of personal information and health information by the TAC is to determine a client’s entitlement or continuing entitlement to benefits under the Act or to common law damages. The TAC will lawfully collect, use and disclose personal information for this purpose.
2.2 Use and disclosure for the purpose of carrying out other functions under the Act
The TAC has a range of other statutory functions and statutory powers eg in relation to accident prevention research or to seek information from TAC clients about the impact of their injury and the service provided by the TAC. Performing these functions and exercising these powers will, in some circumstances, require the collection, use and disclosure of personal information and health information. Use and disclosure of information for these purposes is regarded as a secondary purpose under this Policy.
What this means
The TAC may disclose the personal and health information that the TAC has obtained about a client where this is required by law or where this is necessary to manage a client’s claim for compensation. Relevant information may be disclosed when necessary to medical and health service providers or to a client’s employer or solicitor.
In respect of the secondary purpose, the TAC may disclose personal information or health information in circumstances where it is reasonable and necessary to do so to perform statutory functions or exercise statutory powers. By way of definition, use refers to the handling of information by the TAC; disclosure refers to the communication of personal information to another agency, organisation or individual. The TAC is empowered, under specific circumstances that are defined in the Act, to disclose information to third parties. These circumstances are set out in section 131(2) of the Act, and include:
- disclosure of documents or communications which must be produced in criminal proceedings or any other proceedings under the Act;
- disclosure of information to the Victorian WorkCover Authority (or an authorised agent);
- disclosure of information to a Court;
- disclosure to other State or Commonwealth Authorities set out in section 131(2) of the Act.
The TAC will only disclose personal information or health information to a third party when disclosure of the information is required for the primary purpose of collection, or (as long as the information is not sensitive information) a related purpose, which is consistent with the carrying out of statutory functions or the exercise of statutory powers under the Act. Any disclosure of personal information or health information to a third party will occur on the understanding that:
- the recipient of the information treats the information provided as confidential;
- the recipient uses the information only for the purposes set out by the TAC.
From time to time, the TAC may have to release relevant information to external parties. For example, if the TAC arranges for a claimant to be medically examined by a medical specialist to determine the extent of the client’s injuries, it may be necessary for the TAC to provide copies of other health information held by the TAC to that specialist in order to assist with the medical assessment.
The TAC will note on the client’s claim file when health or personal information is disclosed.
These sorts of disclosure fall within categories that clients of the TAC might reasonably expect to occur.
The TAC, on occasions, uses personal information about its clients to formulate accident research and statistical information, which in all cases has personal identification removed before the information is used. The TAC may also use personal information to conduct client surveys. In all cases where it is practical to do so information has individual identification removed before it is provided to a third party for research purposes. In the case of client surveys all information obtained from the surveys is treated confidentially and the clients are provided with an opportunity to opt out of the survey and future surveys. Client survey information has all individual identification removed before any of the results of the survey are disclosed.
On occasions the TAC will be requested to provide personal information or health information for the purposes of medical research e.g. to facilitate research into the treatment transport accident injuries. Personal information or health information is only provided for medical research where the research is conducted in accordance with any guidelines issued by Health Services Commissioner under the Health Records Act 2001, which incorporates relevant standards like the National Standard on Ethical Conduct in Research Involving Humans published by the National Health and Medical Research Council (NHMRC, 1999).
Principle 3 - Keeping information accurate and up to date
The TAC will take reasonable steps to ensure that the personal information and health information it collects is relevant, accurate, up to date and complete.
What this means
The TAC will, before using personal information and health information it has obtained in relation to a client, take reasonable steps to ensure that the information held by the TAC is accurate, up-to-date and not misleading. In some circumstances the TAC relies on its clients and other parties to provide up to date, accurate information, which is not misleading (for example with name and address details). In addition, the Act imposes a number of statutory obligations on clients to provide accurate, up to date information that is not misleading.
Principle 4 – Keeping information secure
The TAC will take reasonable steps to ensure that the personal and health information collected is protected from misuse, loss, unauthorised access, modification or disclosure.
What this means
The TAC staff and parties engaged by the TAC (for example IT contractors) are required to observe and abide by the secrecy provisions contained within section 131 of the Act. These provisions prohibit the release of information to any person or body, which identifies or could lead to the identification of any person, except to the extent necessary for the performance of duties under the Act (or other related Acts).
Destruction of TAC records is done in accordance with the Public Records Act 1973, however most TAC claim files are maintained indefinitely as they are likely to be required for ongoing assessment, management and the provision of entitlements and services under law, future entitlements, disputes or legal proceedings.
In addition, the TAC takes the following steps to ensure that information remains secure:
- training to ensure that staff of the TAC and contractors are adequately trained in the requirements for the collection, use and storage of personal and health information
- technological measures. Where information is transmitted electronically, the TAC will take reasonable steps to ensure that the most appropriate security infrastructure is used to protect the information. Such measures include:
- automated password reset prompts and timeout screensavers on all desktops and laptops;
- encrypted memory storage devices;
- full logging and tracking of all transactions;
- robust firewall to prevent unauthorised access;
- strictly controlled and audited access hierarchies;
- locked down operating systems that cannot be changed by users;
- full anti-virus protection using two products at all gateways and on all servers;
- certificate based messaging systems will be in place to ensure secure communications; and
- ensuring any contracts with external service providers, contractors, sub-contractors or fee for service professionals entered into by the TAC contain clauses for the handling of personal information and health information in accordance with appropriate privacy principles.
- physical measures such as building security to ensure that access to information held by the TAC is controlled.
Principle 5 – Openness
The TAC will make readily available to individuals specific information about its policies and practices relating to the management of personal information and health information.
What this means
- Call the TAC on 1300 654 329 or 1800 332 556
- Email your inquiry to mailto:email@example.com; or
- Write to: TAC Information Privacy Officer PO Box 742 Geelong Vic 3220
Principle 6 – Accessing and correcting information
A client of the TAC has a right of access to their personal information, health information and other information in relation to their claim, subject to the access rules set out in the Freedom of Information Act 1982 (the FOI Act) and to other limited exceptions e.g. where access may cause a threat to life or health. In most cases, whilst the access rules of the FOI Act will apply, it will not be necessary for a client of the TAC to make a formal request under the FOI Act to access most of the personal information held by the TAC about them.
A client of the TAC may also ask for amendment of their information under the FOI Act.
What this means
The TAC encourages its clients who wish to access the information held by the TAC about them to contact the TAC. The TAC will make most of the information held on the client’s claim file available to them free of charge and without the need to make a formal request under the FOI Act.
If a request is necessary under the FOI Act, it must be in writing and identify the documents sought. The TAC will respond to the request within not more than 45 days. There are two types of costs involved in an FOI request; the application fee and access charges. These costs are set in accordance with the Monetary Units Act 2004. These fees may be waived for applicants seeking personal information who provide a copy of their current valid health care card or pensioner concession card.
There are some instances where the TAC may decline to release certain types of information. In those cases, the TAC will clearly state the reason for the denial of access and offer to discuss it with the client or arrange a health service provider to discuss it with the client.
Instances where access to information may be denied include; documents subject to legal professional privilege and internal working documents. In some cases, the TAC may release health information to a client’s designated treating doctor and/or specialist, or legal representative, rather than directly to them.
If a client is denied access on the grounds that giving them the information would pose a serious threat to their life or health they can get a second opinion. The client may nominate another health service provider of their own choice to review the decision to deny them access. In most cases the TAC will accept the nomination but the client may need to choose another one. That person would then look at the information, discuss it with the TAC and make a decision about whether or not if released it would pose a threat to the TAC client’s life or health.
The TAC can arrange changes to a client’s name, address, or bank details by contacting their claims manager or a TAC customer service representative.
A request to amend or correct any other personal information must be made in writing and addressed to the TAC Freedom of Information officer. In the request you must identify the information that needs correction and explain, and provide proof, that the information is inaccurate, incomplete, misleading or not up-to –date, and what the information should be. There is no cost to amend personal information.
Principle 7 – Identifying your claim
The TAC will only assign identifiers to individuals where it is necessary to enable the TAC to carry out any of its functions efficiently.
What this means
“Unique identifier” is a term used to describe an identifier (usually a number) assigned by an organisation for the purposes of the operations of that organisation. The TAC uses claim numbers in this manner. The TAC claim numbers are generated automatically, and are subject to the principles regarding disclosure and use set out in this Policy (in particular, at principles 1 and 2 above). The assignment of a claim number is essential for the TAC to effectively manage claims. The claim number assigned to a client’s claim will be used on all correspondence associated with a claim for compensation.
The TAC also obtains access to other unique identifiers such as tax file numbers. The TAC obtains taxation details from its clients to ensure that appropriate tax law is complied with when calculating loss of earnings or other entitlements. The TAC will not release a tax file number obtained from a client to a third party under any circumstances. Once the TAC has recorded the details of a tax file number, the TAC takes all reasonable steps to ensure that the number is removed from the records held by the TAC.
Principle 8 – Anonymity
Wherever it is lawful and practicable, individuals have the option of not identifying themselves when entering transactions with the TAC.
What this means
In practice, there are few occasions where anonymity will be possible in dealings with the TAC. Possible examples where anonymity is possible may include: general enquiries regarding the Act and road safety campaigns. In these cases, a person will not be required to provide personal information to receive the information requested and any personal information provided will not be recorded.
Principle 9 – Information transfers interstate or overseas
The TAC will only release personal information or health information outside Victoria if it believes this to be necessary to perform functions and exercise powers under the Act. For example, the TAC may need to have an insured person living interstate, medically examined interstate. In these instances, the TAC will take reasonable steps such as contractual arrangements to ensure that the information transferred will not be held, used or disclosed by the recipient of the information in a manner inconsistent with the TAC’s privacy principles.
The TAC will take reasonable steps to ensure that the recipient of any personal information or health information is aware of the TAC’s expectations for personal information and health information to be dealt with in confidence.
Principle 10 – Sensitive Information
The TAC cannot usually collect sensitive information about an individual, but is permitted to in cases where:
- the consent of the person is obtained; or
- the collection is required under law; or
- the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual; or
- the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
What this means
“Sensitive information”, as defined in the Information Privacy Act 2000, means information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual preferences or practices
- criminal record,
in circumstances where the information is also personal information.
In almost all cases, the TAC does not require sensitive information for the performance of functions or exercise of powers under the Act.
The TAC may, during the course of business, incidentally obtain information that might be deemed to be sensitive for example as part of a medical report or record received by the TAC.
In circumstances where the TAC incidentally obtains sensitive information in the course of carrying out its statutory functions or exercising its statutory powers under the Act, use will not be made of the information and the information will not be disclosed except where:
- the use is directly relevant to a function the TAC performs or a power the TAC is required to exercise; or
- use or disclosure is directly relevant in a proceeding relating to entitlement (or continuing entitlement) to compensation under the Act, or common law damages.
An example of where sensitive information may be relevant to the provision of services by the TAC might be where a client requests that an attendant care service provider observes similar religious beliefs or is required to have a similar cultural background to the client for communication purposes.
Principle 11 – Making information available to another health service provider
This principle deals with health service providers making information available to other health service providers. The TAC is not a health service provider under the Health Records Act 2001.
The TAC will make health information it holds about a client available to another health provider in accordance with Principle 2, above. The TAC will make health information it holds available to a client in accordance with Principle 6 above, which deals with accessing and correcting information.