Public Transport Victoria (PTV) will collect, use, store and disclose personal information and health information in accordance with Information Privacy Principles (IPPs) set out in the Privacy and Data Protection Act 2000 (Vic) (PDP Act) and the Health Privacy Principles (HPPs) and the Health Records Act 2001 (Vic).
This policy outlines how PTV manages Personal Information and Health Information, and is designed to assist people to understand how Personal Information and Health Information is managed by PTV. Information is also provided about how people can seek assurance that their Personal Information and/or Health Information is maintained in accordance with the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
This policy applies to all employees of PTV when dealing with Personal Information or Health Information. Where PTV enters into a contract with another organisation for the provision of goods or services relevant to the functions and powers of PTV, those organisations will be required to manage all Personal Information and Health Information in accordance with the PDP Act and Health Records Act 2001 too, but may have their own relevant privacy policies.
This policy may be varied from time to time and will operate consistently, and in conjunction, with customised privacy policies and collection statements developed by individual business or work units within PTV to explain their particular privacy management practices.
Types of Information
Personal information means information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from that information or opinion. Some examples of Personal Information are your name, sex, date of birth, address, financial details, marital status, education and employment history. Some Personal Information is called Sensitive Information and is given extra protection under the law. This includes information about an individual’s racial or ethnic origin, religious beliefs, political views, sexual preferences, membership of unions and criminal record.
In this policy, the term Personal Information will refer collectively to Personal Information and Sensitive Information, unless otherwise specified.
Health information means information or an opinion that can be linked to an individual, whether living or deceased, that is about their physical, mental or psychological health; disability status; expressed wishes about the future provision of health services to him or her; a health service that has been provided; or a health service that will be provided.
What is not Personal Information?
Information contained in publications which are generally available is not Personal Information. Publications which are generally available include magazines, books, newspaper articles, annual reports and the Victorian Government Gazette.
PTV will only collect Personal Information or Health Information from an individual if it is necessary for the provision of services to that individual, or to carry out PTV’s functions. PTV will always take reasonable steps to collect Personal Information or Health Information directly from the individual the information concerns.
PTV’s principal functions are to plan, coordinate and provide public transport services across Victoria.
Reasons that PTV may collect Personal Information or Health Information from a person include if they:
- are employed by, or apply to be employed by, PTV;
- request to be placed on a mailing list maintained by PTV;
- contact PTV directly, or contact the Victorian Government about a matter relevant to PTV’s function or services;
- are provided with products or services by PTV; or
- make a request for access to documents under the Freedom of Information Act 1982 (Vic).
At or before the time PTV collects any Personal Information or Health Information from a person (or if that is not practicable, as soon as practicable afterwards), PTV will take reasonable steps to ensure that they are given a collection statement setting out the purpose for collecting the information, how the information will be used and the consequences, if any, for not providing the information requested.
Whenever it is lawful and practical, PTV will provide people with the option of not identifying themselves.
Examples of information which may be collected, used, stored or disclosed by PTV
Correspondence (including email) or complaints addressed to Victorian Government Ministers or agencies, or queries made through the public transport call centre regarding matters related to the functions of, or service provided by, PTV may be referred to PTV for advice and response. Such correspondence, as well as correspondence addressed directly to PTV may include Personal Information or Health Information, and may be accessed by PTV staff, subject to operational need.
Copies of correspondence, applicable responses and details pertaining to correspondence received by PTV which contains Personal Information or Health Information may be retained by PTV for certain periods of time, in accordance with the Public Records Act 1973 and other applicable legislation.
Information collected on PTV’s website
Unless information is expressly provided to PTV by a visitor to PTV’s website, PTV will not know the identity of any visitor to its website. If there are “cookies” on PTV’s website, it will be the visitor’s choice to enable them or not.
Visitors to PTV’s website will be subject to PTV’s Internet Service Provider’s standard web logs, which record anonymous information about traffic patterns through PTV’s website for statistical purposes only. No attempt will be made by PTV to identify the personal details of any website visitor, except in the event that an investigation is undertaken by a law enforcement agency, exercising a warrant to inspect PTV’s Internet Service Provider’s logs.
Employment and recruitment information
If a person is employed by, or applies to be employed by, PTV, PTV may collect and store information about the recruitment process used and their application including reference checks, security clearances and criminal history checks undertaken as part of that process.
Employment and recruitment information collected by PTV may be retained for certain periods of time, in accordance with the Public Records Act 1973 (Vic), the Public Administration Act 2004 (Vic), and other applicable legislation. Some of this information may be disclosed to third parties, where legally required.
Credit Card information
PTV may collect a person’s credit card information to process a payment to PTV.
Credit card information collected by PTV will be held in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements for enhancing payment account data security, including requirements for secure network and systems, cardholder data protection, vulnerability management program, access control measures, network monitoring and testing and information security policies.
Use and disclosure of information
PTV will only use or disclose Personal Information or Health Information for the purpose which was either specified or reasonably apparent at the time of collection unless the individual in question has consented to the information being put to another related use, or would reasonably expect that the information was put to another related use.
PTV will only use Personal Information or Health Information for another purpose if the secondary purpose directly relates to the primary purpose for which it was collected. In some circumstances PTV may be authorised by legislation to use or provide Personal Information or Health Information to another organisation for a particular reason. For example, PTV may not have to comply with IPPs when exercising responsibilities directly related to law enforcement or where the Australian Security and Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS) or Centrelink have requested the disclosure of your Personal Information or Health Information.
PTV will only transfer your Personal Information or Health Information to another individual or organisation in limited circumstances, including that the recipient is subject to a law which upholds similar principles to the IPPs or HPPs, or if the transfer is consented to.
PTV may also provide your Personal Information or Health Information to public transport operators and public transport authorities (Transport Ticketing Authority, Transport Safety Victoria, the Department of Transport) where you raise an issue or query with PTV, and responding to that issue or query requires information from that party.
Data security and destruction
Irrespective of whether your Personal Information or Health Information is stored electronically or in hard copy form, PTV will take reasonable steps to protect it from misuse and loss and unauthorised access, modification or disclosure.
Credit card information collected by PTV will be held in accordance with the requirements of PCI-DSS. PTV will also take reasonable steps to destroy or permanently de-identify your Personal Information or Health Information if it is no longer needed for the purpose (or a related purpose) for which it was initially collected, unless, in the case of Personal Information, it is subject to the Public Records Act 1973, in which case it will be retained or disposed of in accordance with that legislation.
Data quality, access and correction
PTV will take reasonable steps to ensure that Personal Information and Health Information we collect is accurate, complete and up to date.
People are entitled to contact the PTV Information Privacy Officer (contact details are set out below) and request access to, and correction of any of their Personal Information or Health Information held by PTV. PTV will take reasonable steps to correct and update any Personal Information or Health Information that is established to be inaccurate, incomplete or not up to date or provide you with a written statement if such a request is refused.
If a person’s Personal Information or Health Information is associated with information relating to an event, commercial activities or in some way affects the privacy of another individual, they may need to make a formal Freedom of Information request pursuant to section 17 of the Freedom of Information Act 1982 (Vic). Your Freedom of Information application should be made to:
PTV Freedom of Information Officer
PO Box 4724, Melbourne VIC 3000
Telephone: 1800 800 007
Fax: 03 9027 4074
Email: [email protected]
A unique identifier is a code consisting of letters or numbers (not the individual’s name) that is assigned to an individual to distinguish them from other individuals - for example a drivers licence number.
PTV will not:
- assign, use or disclose unique identifiers to individuals unless it is necessary to do so to carry out one of its organisational functions efficiently;
- adopt, use or disclose a unique identifier assigned to any person by another organisation except in limited circumstances; or
- require people to provide a unique identifier in order to obtain a service, unless it is required or authorised by law or connected to the purpose for which the unique identifier was assigned.
If a person believes that their Personal or Health Information has been used by PTV in a manner contrary to the Privacy and Data Protection Act 2014 (Vic) or Health Records Act 2001 (Vic), they may contact the PTV Privacy Officer.
PTV Privacy Officer
PO Box 4724, Melbourne VIC 3000
Telephone: 1800 800 007
Fax: (03) 9027 4074
Email: [email protected]
Health Complaints Commisssioner
Complaints about any use of a person’s Health Information which is believed to be contrary to the Health Records Act 2001 (Vic), or requests for further information can be made with the Health Complaints Commissioner.
Commissioner for Privacy and Data Protection
People can also contact the Commissioner for Privacy and Data Protection for more information or to raise certain complaints about privacy matters and regulation in Victoria.