Service Agreement Information Kit for Funded Organisations

3.17.3 Collection and disclosure of personal and health information

Collection notice

Under Information Privacy Principle (IPP) 1.3 of the PDP Act and Health Privacy Principle (HPP) 1.4 of the HR Act, before, at the time, or as soon as practicable after, information is collected, funded organisations must provide a notice to an individual informing them of the following factors:

  • the identity of the organisation and how to contact it
  • the fact that the individual is able to gain access to the information
  • the purposes for which the information is collected
  • to whom (or the types of individuals or organisations to which) the funded organisation usually discloses information of that kind
  • any law that requires the particular information to be collected
  • the main consequences (if any) for the individual if all or part of the information is not provided.

In complying with IPP 1.3 and HPP 1.4, clause 17.3(k) of the Service Agreement specifically requires funded organisations to ensure that individuals to whom the organisation provides services are aware that:

  • the department is an organisation to which it may disclose personal and health information (clause 17.3k(i));
  • the organisation may collect and disclose information to the department for specific purposes, including for the purpose of providing its services to the individual and for the department’s auditing and monitoring of the organisation’s recordkeeping; and
  • unless the personal information is destroyed by the organisation, it will ultimately be disposed of to, or at the direction of, the department or the Keeper of Public Records.

A ‘collection notice’ can be provided to an individual through various means, for example, information sheets provided at an initial consultation, a standard telephone script, on an organisation’s website, posters, or brochures.

Giving this notice to individuals helps promote transparency about an organisation’s collection and handling of personal and health information. It also informs individuals about important rights and obligations related to the provision of access to this information.

Information on collection notices can be found on the Office of the Commissioner for Privacy and Data Protection’s website.

Disclosure of information

Under the IPPs and HPPs, organisations must use and disclose information only for the primary purpose for which it was collected or for a permitted secondary purpose.

IPP 2.1 and HPP 2.2 permit an organisation to disclose information about an individual for a secondary purpose if:

  • the secondary purpose is related (or, in the case of sensitive personal information and health information, directly related) to the primary purpose for which the information was collected; and
  • the relevant individual to whom the information relates would reasonably expect the organisation to disclose the information for that secondary purpose.

There are other circumstances where disclosure of information may be permitted. For example, IPP 2.1(d) permits the use or disclosure of personal information where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent risk to the life, health, safety or welfare of an individual, or a serious threat to public health, safety or welfare.

Under the Service Agreement, the department is entitled to access records related to funded services for purposes defined in the Service Agreement, and retains legal ownership of records (clause 6.6 and clause 6.9). The department will only use personal and health information in accordance with relevant privacy and other laws and will take reasonable measures to ensure that any information disclosed to it from an organisation is treated in a way that does not breach those laws.