The purpose of this Policy is to set out Melbourne Water’s commitments regarding privacy of personal and health information.
We understand how important it is to you that we protect the privacy of your personal information. We collect and handle your personal information including sensitive information consistent with the Information Privacy Principles in Victoria’s Privacy and Data Protection Act 2014. We collect and handle any information about your physical or mental health or disability consistent with the Health Privacy Principles in Victoria’s Health Records Act 2001. We treat all health information as sensitive. We collect and handle Tax File Numbers of employees consistent with the Commonwealth Privacy Act 1988 and the Notifiable Data Breach Scheme in that act.
1. Collection of personal information
We collect and handle personal information because of our:
- services related to managing water supply, sewerage, waterways and flood and drainage and environmental stewardship
- works related to land, buildings and other assets we own and manage
- employment and engagement of people and organisations to deliver our services.
Wherever possible we only collect enough personal or health information necessary for the relevant service. Sometimes we are required to collect personal information by law for example by the Water Act 1989.
We aim to collect personal information directly from you. Sometimes we collect it from others, for example your water retailer or local council. If you are applying to work or volunteer with us we may collect personal information with your consent from others.
Personal information we collect includes:
- home, postal or other address
- telephone, mobile and fax number
- email address.
We may also collect other information depending on the service, for example:
- information you give us when you:
- make an enquiry, request for service or complaint
- apply for a licence, permit, advice or grant
- register for and attend a meeting, course or event
- apply to work or volunteer with us.
- water bill customer number
- driver licence or vehicle registration
- other licences to carry out work
- Tax File Numbers of employees
- banking details
- employment history
- photographic images
- qualifications and licences
- next-of-kin emergency contact details
- information about physical or mental health or disability
- other personal information we need to deliver you a service.
We collect personal information in emails, other written correspondence, phone calls, meetings and events, online forms, application forms, contracts, agreements, leases, licences and permits, customer contact databases and referrals from other agencies.
We only collect sensitive personal information (defined in the Information Privacy Principles) and health information (defined in the Health Privacy Principles) if it is necessary to deliver our services and only with your consent. We collect health information about our employees’ and contractors’ health information direct and indirectly and only with consent.
Where practicable we aim to give you the option of dealing with us without giving us personal information. However, we may not be able to deliver you a service if you do not give us the necessary personal or health information.
2. Use of personal information
We collect your personal information for a range of purposes including to:
- verify your identity
- establish and deliver services
- handle your enquiry, request for service or complaint
- handle a planning application referred to us
- manage a lease or licence agreement with you or funding grant to you
- manage communication with you
- provide you with and manage our website and other digital services
- manage and comply with statutory obligations
- manage recruitment and procurement.
Our privacy statements for particular services like our website, grants and job applications include more detail about what information we collect and why.
3. Disclosure of personal information
Depending on the purpose for collecting your personal information we may disclose it to:
- people and organisations you have given us your consent to disclose it to
- our contract service providers
- your retail water corporation
- another State government agency
- a local council
- other organisations where required or authorised by law.
Before we disclose any of your personal information to another person or organisation, we will take all reasonable steps to satisfy ourselves of at least one of the following criteria:
- It will be disclosed for the purpose we collected it or another purpose you would reasonably expect.
- You have consented to us disclosing it.
- The person or organisation we disclose it to has a commitment to protecting your personal information at least equal to our commitment.
- Disclosure is required or authorised by law.
- Disclosure is necessary to prevent a serious and imminent threat to your health, safety or wellbeing, or prevent a serious threat to public health, safety or wellbeing.
4. Marketing and customer research
We may use your personal information to provide you with information about our services (marketing) and ask you about your experience of them (customer research). If you do not wish to receive marketing information or participate in customer research you may decline at any time by contacting us using the details in part 10 of this policy.
If the marketing or research is by email you may also unsubscribe. We will take all reasonable steps to meet your request as soon as practicable.
5. Accessing, updating and correcting your personal information
You may request access to your personal or health information at any time by making a request under Victoria’s Freedom of Information Act 1982. Fees and charges apply.
We will send you an initial response within seven days of receiving your request and the outcome of the investigation within 45 days. There may be situations where we are not required to provide you with access to your personal information and we will give you the reasons. Examples of this are where the information relates to existing or anticipated legal proceedings or your request is vexatious.
If your personal information is incorrect, inaccurate or out of date you may also request to have it corrected. We will normally rely on you to assist us by informing us if the information we hold about you is inaccurate or incomplete.
Depending on the request we may update your personal information immediately, or we may send you an initial response within seven days of receiving your request. Where reasonable and after our investigation we will provide you with details within 45 days from your initial request about whether we have corrected the personal information. We may need to consult with other people or organisations as part of your request to access or correct your personal information.
6. Using government related identifiers
If we collect government related identifiers such as water bill account numbers or tax file numbers we will not use or disclose this information other than to efficiently resolve a problem or to the extent required or as authorised by law. We will not adopt any other government related identifier as a number with us to identify you.
7. Doing business without identifying you
For most of our services we need your personal information to identify you and successfully provide the service. Where it is lawful and practicable to do so, we will offer you the opportunity to deal with us anonymously. For example you need not give us your personal information to report an issue if you do not need us to contact you about it later. However we may not be able to deliver you a service if you do not give us the personal or health information necessary to deliver it.
8. How safe and secure is your personal information?
We normally store your personal information in electronic form but it may also be in paper form. We take reasonable steps to protect your personal and health information by ensuring it is stored in a secure environment regardless of the form.
We take reasonable steps to protect any personal information from misuse, loss and unauthorised access, modification or disclosure. We do this by:
- only providing you with your personal information when we are satisfied it is you
- ensuring security and access requirements are in place for IT systems, such as passwords, firewalls and virus scanning software
- having document storage and destruction policies
- encrypting data during internet transactions and data transfers
- ensuring restricted access to sensitive and health information
- ensuring our contract service providers’ commitment to privacy is at least equal to ours.
We use and contract the use of cloud computing to store and manage data including personal information. Computer servers may be based in our buildings, interstate or overseas. We take reasonable steps to ensure the security of your information managed this way. Where the information is transferred outside Victoria we take steps consistent with the principles in Victoria’s privacy laws to ensure its protection from unauthorised use and disclosure.
When personal information is no longer required for the purpose for which the information was collected it will be either permanently de-identified or added to a disposal schedule for future destruction in accordance with the Public Records Act 1973 and other relevant laws.
9. Concerns and complaints about privacy
If you are not satisfied with how we have dealt with your personal information or have a complaint about our compliance with Victoria’s privacy laws we encourage you to contact us using the contact details in part 10 of this policy.
We will acknowledge your complaint within seven days and provide you with a decision on your complaint within 30 days. If you feel your complaint is still not resolved after discussing it with us, you may then take the complaint to:
- The Victorian Information Commissioner if your complaint is about personal information protected by the Privacy and Data Protection Act 2014
- Victoria’s Health Services Commissioner if your complaint is about health information protected by the Health Records Act 2001
- The Australian Information Commissioner if your complaint relates to an eligible breach (defined in the Commonwealth Privacy Act 1988) involving your Tax File Number.
10. More information
If you have any questions or concerns about how we collect and handle your personal or health information, contact:
PO Box 4342
MELBOURNE Vic 3001
Telephone (in Australia): 131 722
Email: [email protected]