TAC privacy policy (webpage)

The TAC is committed to protecting privacy. Any personal information collected, handled, stored or disclosed by the TAC will be managed in accordance with the Transport Accident Act 1986, the Privacy and Data Protection Act 2014, the Health Records Act 2001, the Freedom of Information Act 1982, the Charter of Human Rights and Responsibilities Act 2006 and other Acts relating to the management of identifiable recorded information.

Definitions

In this policy:

"Health information" means personal information that contains information or an opinion about:

  1. The physical, mental or psychological health (at any time) of an individual; or
  2. A disability (at any time) of an individual; or
  3. An individual's expressed wishes about the future provision of health services to him or her; or
  4. A health service provided, or to be provided, to an individual; or
  5. Other personal information collected to provide, or in providing, a health service.

"Personal information" means information or an opinion (including information or an opinion forming part of a database) about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The “Act” means the Transport Accident Act 1986 (as amended).

Application of privacy principles by the TAC

Principle 1 - Collection of information

Personal information and health information will be collected by TAC where:

  1. The information collected is relevant to the TAC’s functions, activities and objectives, which include determining a client’s entitlement or continuing entitlement to benefits under the Act or to common law damages;
  2. The collection of information is limited to the information that is necessary and relevant to the determination of a client’s entitlement to benefits or to common law damages;

The collection of information is for another purpose that is consistent with the statutory functions and objectives of the TAC, such as customer service surveys, accident and rehabilitation research, development and review of service provision, or acting as an authorized agent under the Accident Compensation Act 1985 and the Workplace Injury Rehabilitation and Compensation Act 2013.

What this means

The TAC will lawfully collect information that is relevant to carrying out its functions & objectives, or exercising powers under the Act.

These functions include:

  • Assessing whether the circumstances of an accident mean that a person injured in such an accident is eligible for compensation under the Act;
  • Assessing whether injuries sustained by a person were sustained as a result of a transport accident as defined under the Act;
  • Determining the extent of a client’s entitlement or continuing entitlement to income benefits or other compensation under the Act; and
  • The assessment of the degree of injury sustained by a client in a transport accident for impairment and common law purposes.

The TAC’s core functions and objectives are set out under sections 11 and 12 of the Act.

The TAC ensures that personal information and health information collected about its clients is relevant to the administration of the claim and where practicable, that the information is collected directly from its clients. The TAC will collect some information about the claims it receives from third parties, such as reports from a client’s treating doctor, hospital and ambulance reports and confirmation of income details from a client’s employer. This information is obtained with the client’s consent.

This consent is required under section 67A of the Act, and is used to obtain personal information and health information that is reasonable and necessary to assist the TAC to perform functions and to exercise powers, including making decisions about a client’s entitlement to compensation, under the Act. If the TAC is unable to obtain all the information needed to determine a client’s entitlement to benefits then this may result in delays in the making of payments or mean the TAC is unable to determine reasonable compensation or the most appropriate treatment for a client.

In circumstances where the TAC obtains personal information or health information from a third party using the client’s consent, the TAC will advise the client about the collection of the information.

The TAC also has relationships with other organisations such as the Victorian Police, VicRoads (Department of Transport) and the Victorian WorkCover Authority which are relevant to processing a client’s claim. Where appropriate, the TAC will obtain information relevant to a client’s claim from those bodies in accordance with the consent, and specific powers under the Act. The purpose of collecting personal information and health information about a client is to enable TAC to make informed decisions regarding the management of a client’s claim and to otherwise meet the TAC’s statutory obligations to maintain the fund in an economically and socially responsible manner.

The TAC sometimes obtains records of payments from Commonwealth authorities such as the Health Insurance Commission. These records are principally obtained to assist the TAC to determine those payments for which it is liable in relation to a claim. If the TAC obtains these records it will not release these records to anyone other than the client to whom the record relates.

The TAC may also collect personal information or health information under specific provisions of the Act, such as sections 127 and 127A, which enable authorised officers of the TAC to obtain information from Victoria Police and other organisations, and to conduct investigations - including where clients may be fraudulently obtaining benefits and/or have provided the TAC with false information.

Principle 2 – Use and disclosure of information

2.1 Use and disclosure for the purposes of managing claims for compensation

The primary purpose for the collection of personal information and health information by the TAC is to determine a client’s entitlement or continuing entitlement to benefits under the Act or to common law damages. The TAC will lawfully use and disclose personal information collected for this purpose as a part of day to day claims management processes established under the scheme.  By way of definition, ‘use’ refers to the handling of personal or health information by the TAC; ‘disclosure’ refers to the communication of personal or health information to another agency, contracted service provider, party or individual.

2.2 Use and disclosure for the purpose of carrying out other functions under the Act

The TAC has a range of other statutory functions and statutory powers under sections 11 and 12 of the Act in relation to accident prevention research, effective rehabilitation, scheme performance, and seeking information from TAC clients about the impact of their injury and the services provided by the TAC. Performing these functions and exercising these powers will, in some circumstances, require the use and disclosure of personal information and health information. Use and disclosure of information for these purposes, as well as for general service provision improvement, is regarded as a ‘secondary purpose’ under this Policy.

What this means

The TAC may use or disclose the personal or health information that the TAC has obtained about a client for the primary purpose of managing a client’s claims (as set out in 2.1 above). Relevant information may be disclosed when necessary to medical and health service providers or to a client’s employer or solicitor.

From time to time, the TAC may have to release personal and health information to other external parties. For example, if the TAC arranges for a client to be medically examined by a medical specialist to determine the extent of the client’s injuries, it may be necessary for the TAC to provide copies of other health information held by the TAC to that specialist in order to assist with the medical assessment.

The TAC will note on the client’s claim file when health or personal information is disclosed.

In respect of the secondary purpose, the TAC may disclose personal information or health information in circumstances where it is reasonable and necessary to do so to perform statutory functions or exercise statutory powers.  

In some circumstances, the TAC is specifically empowered to disclose information to third parties under the Act. These circumstances are set out in sections 131(2) and 131A of the Act, and include:

  • Disclosure of documents or communications which must be produced in criminal proceedings or any other proceedings under the Act;
  • Disclosure of information to the Victorian WorkCover Authority (or an authorised agent);
  • Disclosure of information to welfare, benefit or compensation schemes of another State or Territory of the Commonwealth (e.g. the NDIA or Centrelink);
  • Disclosure of information to regulatory bodies to investigate conduct related to the adequacy or appropriateness of services provided to a client;
  • Disclosure of information to a Court.

Where no specific legislative power exists, the TAC will only disclose personal or health information to a third party when:

  • Another law or order requires the TAC to do so;
  • For research purposes (see below);
  • For health safety and wellbeing purposes (see below);
  • With the information owner’s consent;
  • Where the disclosure of the information is required for the primary purpose of collection, or (as long as the information is not sensitive information) a related secondary purpose, which is consistent with the carrying out of statutory functions or the exercise of statutory powers under the Act.

Any disclosure of personal information or health information to a third party will occur on the understanding that:

  • The recipient of the information treats the information provided as confidential;
  • The recipient uses the information for the purposes set out by the TAC.

These sorts of disclosure fall within categories that clients of the TAC might reasonably expect to occur.

Research

Internal use

The TAC uses personal & health information obtained from its clients and Victorian Road Safety Partners (Hospital trauma centers, Victoria Police, the Department of Health, VicRoads, the Department of Transport and others) to formulate accident research and statistical information.  The TAC undertakes such research work itself, or engages research service providers to conduct work on its behalf (e.g. Monash University Accident Research Centre [MUARC]). The TAC always removes identifying information of individuals so that research can be conducted in either an anonymized form (where an individual’s name or identity is not apparent from the data set) or a de-identified form (where the individual’s name or identity is not apparent from the data set, and the individual is not capable of being re-identified).

The TAC may also use personal information to conduct client surveys in relation to road usage, injuries, and TAC service provision. In all cases where it is practical to do so information identifying individuals is removed before it is provided to a TAC research service provider for research purposes. In the case of client surveys, all information obtained from a survey is treated confidentially and clients are provided with an opportunity to opt out of the survey and future surveys. Client survey information is de-identified before any of the results of the survey are used or disclosed by the TAC.

Disclosure outside of TAC

The TAC may release personal and/or health information for the purposes of research to its Road Safety Partners and other government agencies and research service providers to facilitate research into treatment for, or the prevention of, transport accident injuries. Personal or health information is only provided for medical research where it is conducted in accordance with any guidelines issued by Health Services Commissioner under the Health Records Act 2001, which incorporates relevant standards like the National Standard on Ethical Conduct in Research Involving Humans published by the National Health and Medical Research Council (NHMRC, 1999).

The TAC always removes identifying information of individuals before disclosure so that research can be conducted in either an anonymized form (where an individual’s name or identity is not apparent from the data set) or a de-identified form (where the individual’s name or identity is not apparent from the data set, and the individual is not capable of being re-identified).

See here for examples of releases by TAC of anonymized or de-identified information for research purposes.

Recipients of TAC information for research purposes are required to sign a strict Data Access & Usage Agreement prohibiting the use or disclosure of TAC information for any other reason or purpose. They are also required to prove compliance with security and privacy assessments mandated by the TAC.

Health Safety and Wellbeing

The TAC is required under the Occupational Health and Safety Act 2004 (the OHS Act) to, so far as is reasonably practicable, provide and maintain a working environment that is safe and without risks to health. Where a client exhibits behaviours of concern (BOC), contracted/registered service providers to the TAC may be notified for safety purposes. A BOC includes, but is not limited to, where:

  • A threat has been made to an individual’s life, health, safety or wellbeing. This applies if the threat has been made against the provider or any other individual;
  • There is a threat to public health, public safety or public welfare;
  • The BOC demonstrated by the Client may pose a risk to the health, safety and wellbeing of a provider(s);
  • There is a risk identified in relation to the environment where the provider(s) would be visiting or treating the client.

The TAC will only share personal or health information that is necessary to advise the contract/registered provider of the risk in order to protect their health and safety. The information may vary depending on the BOC, however will usually include the client’s full name and date of birth; claim number; details of the safety risk; TAC actions taken to address the situation; and information on any communication restrictions put in place by the TAC.  
Disclosure for this purpose is considered to be a directly related purpose to the TAC’s collection of client personal & health information (namely service provision under the Act).

Where any serious threats to a client’s (or any other individual’s) life, health, safety or welfare exist, the TAC may use or disclose personal or health information where it is necessary to lessen or prevent such threat(s).

Principle 3 - Keeping information accurate and up to date

The TAC will take reasonable steps to ensure that the personal information and health information it collects is relevant, accurate, up to date and complete.

What this means

The TAC will, before using or disclosing personal information and health information it has obtained in relation to a client, take reasonable steps to ensure that the information held by the TAC is accurate, up-to-date and not misleading. In some circumstances the TAC relies on its clients and other parties to provide up to date, accurate information, which is not misleading (for example, name and address details). In addition, the Act imposes a number of statutory obligations on clients to provide accurate, up to date information that is not misleading – including information relevant to TAC benefits such as the nature of injuries, and employment status.

Principle 4 – Keeping information secure

The TAC will take reasonable steps to ensure that the personal and health information collected is protected from misuse, loss, unauthorised access, modification or disclosure.

What this means

The TAC staff and parties engaged by the TAC (for example IT contractors) are required to observe and abide by the secrecy provisions contained within section 131 of the Act. These provisions prohibit the release, to any person or body, of information which identifies or could lead to the identification of any person, except to the extent necessary for the performance of functions, objectives or duties under the Act (or other related Acts).

Destruction of TAC records is done in accordance with the Public Records Act 1973; however, most TAC claim files are maintained indefinitely as they are likely to be required for ongoing assessment, management and the provision of entitlements and services under law, future entitlements, disputes or legal proceedings.

In addition, the TAC takes the following steps to ensure that information remains secure:

  • Training to ensure that staff of the TAC and contractors are adequately trained in the requirements for the collection, use and storage of personal and health information;
  • Technological measures. Where information is transmitted electronically, the TAC will take reasonable steps to ensure that the most appropriate security infrastructure is used to protect the information. Such measures include:
    • Automated password reset prompts and timeout screensavers on all desktops and laptops;
    • Encrypted memory storage devices;
    • Logging and tracking of transactions;
    • Robust firewall to prevent unauthorised access;
    • Communicating with clients via email only where consent has been obtained;
    • Using secure drop-box or encryption certificates when sending client personal and health information;
    • Using secure video-conferencing facilities;
    • Strictly controlled and audited access hierarchies;
    • Locked down operating systems that cannot be changed by users;
    • Full anti-virus protection using two products at all gateways and on all servers;
    • Certificate-based messaging systems will be in place to ensure secure communications; and
  • Ensuring any contracts with external service providers, contractors, sub-contractors or fee for service professionals entered into by the TAC contain clauses for the handling of personal information and health information in accordance with privacy laws;
  • Physical measures such as building security to ensure that access to information held by the TAC is controlled;
  • Conducting Privacy Impact Assessments (PIAs).

Principle 5 – Openness

The TAC will make readily available to individuals specific information about its policies and practices relating to the management of personal and health information. These can be accessed on TAC’s website or by request.

What this means

The TAC will openly publish its privacy policy, and will be transparent about practices relevant to the handling of personal or health information. If a client has any concerns or inquiries regarding the TAC’s privacy policy or would like information about the personal information or health information held on their file, or has any privacy-related concerns, then:

  • Call the TAC on 1300 654 329 or 1800 332 556
  • Email your inquiry to policy@tac.vic.gov.au; or
  • Write to: TAC Information Privacy Officer PO Box 742 Geelong Vic 3220

Principle 6 – Accessing and correcting information

A client of the TAC has a right of access to their personal information, health information and other information in relation to their claim, subject to the access rules set out in the Freedom of Information Act 1982 (the FOI Act) and to other limited exceptions e.g. where access may cause a threat to life or health. In most cases, whilst the access rules of the FOI Act will apply, it will not be necessary for a client of the TAC to make a formal request under the FOI Act to access most of the personal information held by the TAC about them.

A client of the TAC may also ask for amendment of their information under the FOI Act.

What this means

The TAC encourages its clients who wish to access the information held by the TAC about them to contact the TAC. The TAC will make most of the information held on the client’s claim file available to them free of charge and without the need to make a formal request under the FOI Act. See here for details on how to get a copy of your TAC documentation.

If a request is necessary under the FOI Act, it must be in writing and identify the documents sought. The TAC will respond to the request within not more than 30 days. There are two types of costs involved in an FOI request: the application fee and access charges. These costs are set in accordance with the Monetary Units Act 2004. These fees may be waived for applicants seeking personal information who provide a copy of their current valid health care card or pensioner concession card.

There are some instances where the TAC may decline to release certain types of information. In those cases, the TAC will clearly state the reason for the denial of access and offer to discuss it with the client or arrange a health service provider to discuss it with the client.

Instances where access to information may be denied include documents subject to legal professional privilege and internal working documents. In some cases, the TAC may release health information to a client’s designated treating doctor and/or specialist, or legal representative, rather than directly to them.

If a client is denied access on the grounds that giving them the information would pose a serious threat to their life or health, they can get a second opinion. The client may nominate another health service provider of their own choice to review the decision to deny them access. In most cases the TAC will accept the nomination, but the client may need to choose another one. That person would then look at the information, discuss it with the TAC and make a decision about whether or not the information, if released, would pose a threat to the TAC client’s life or health.

The TAC can arrange changes to a client’s name, address, or bank details if the client contacts their claims manager or a TAC customer service representative.

A request to amend or correct any other personal information must be made in writing and addressed to the TAC Freedom of Information officer. In the request you must identify the information that needs correction and explain, and provide proof, that the information is inaccurate, incomplete, misleading or not up-to-date, and what the information should be. There is no cost to amend personal information.

Principle 7 – Identifying your claim

The TAC will only assign identifiers to individuals where it is necessary to enable the TAC to carry out any of its functions efficiently.

What this means

“Unique identifier” is a term used to describe an identifier (usually a number) assigned by an organisation for the purposes of the operations of that organisation. The TAC uses claim numbers in this manner. The TAC claim numbers are generated automatically, and are subject to the principles regarding disclosure and use set out in this Policy (in particular, at principles 1 and 2 above).

The assignment of a claim number is essential for the TAC to effectively manage claims. The claim number assigned to a client’s claim will be used on all correspondence associated with a claim for compensation.

The TAC also obtains access to other unique identifiers such as tax file numbers. The TAC obtains taxation details from its clients to ensure that appropriate tax law is complied with when calculating loss of earnings or other entitlements. The TAC will not release a tax file number obtained from a client to a third party (with the exception of the Australian Tax Office) under any circumstances. Once the TAC has recorded the details of a tax file number, the TAC takes all reasonable steps to ensure that the number is removed from the records held by the TAC.

Principle 8 – Anonymity

Wherever it is lawful and practicable, individuals have the option of not identifying themselves when entering transactions with the TAC.

What this means

In practice, there are few occasions where anonymity will be possible in dealings with the TAC. Examples where anonymity is possible may include: general enquiries regarding the Act and road safety campaigns. In these cases, a person will not be required to provide personal information to receive the information requested and any personal information provided will not be recorded.

Principle 9 – Information transfers interstate or overseas

The TAC will only release personal information or health information outside Victoria if it believes this to be necessary to perform functions and exercise powers under the Act. For example, the TAC may need to have an insured person living interstate medically examined interstate. In these instances, the TAC will take reasonable steps, such as contractual arrangements, to ensure that the information transferred will not be held, used or disclosed by the recipient of the information in a manner inconsistent with the TAC’s privacy principles.

The TAC will take reasonable steps to ensure that the recipient of any personal information or health information is aware of the TAC’s expectations for personal information and health information to be dealt with in confidence. The TAC conducts Privacy Impact Assessments wherever a transfer of personal or health information outside of Victoria to another organisation or agency is required.

Principle 10 – Sensitive Information

The TAC cannot usually collect sensitive information about an individual, but is permitted to in cases where:

  1. the consent of the person is obtained; or
  2. the collection is required under law; or
  3. the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual; or
  4. the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

What this means

“Sensitive information”, as defined by the Privacy & Data Protection Act 2021 (Vic), means information or an opinion about an individual’s:

  • Racial or ethnic origin;
  • Political opinions;
  • Membership of a political association;
  • Religious beliefs or affiliations;
  • Philosophical beliefs;
  • Membership of a professional or trade association;
  • Membership of a trade union;
  • Sexual preferences or practices;
  • Criminal record;

that is also personal information.

In almost all cases, the TAC does not require sensitive information for the performance of functions or exercise of powers under the Act.

The TAC may, during the course of business, incidentally obtain information that might be deemed to be sensitive, for example as part of a medical report or record received by the TAC.

In circumstances where the TAC incidentally obtains sensitive information in the course of carrying out its statutory functions or exercising its statutory powers under the Act, use will not be made of the information and the information will not be disclosed except where:

  • The use is directly relevant to a function the TAC performs or a power the TAC is required to exercise; or
  • Use or disclosure is directly relevant in a proceeding relating to entitlement (or continuing entitlement) to compensation under the Act, or common law damages.

An example of where sensitive information may be relevant to the provision of services by the TAC might be where a client requests that an attendant care service provider observes similar religious beliefs or is required to have a similar cultural background to the client for communication purposes.

Principle 11 – Making information available to another health service provider

This principle deals with health service providers making information available to other health service providers. The TAC is not a health service provider under the Health Records Act 2001.

The TAC will make health information it holds about a client available to another health provider in accordance with Principle 2, above. The TAC will make health information it holds available to a client in accordance with Principle 6 above, which deals with accessing and correcting information.