FRNSW Privacy Policy
Purpose
This Policy provides the framework under which Fire and Rescue NSW (FRNSW) manages personal and health information.
Scope and application
It is the responsibility of everyone working for, or with, FRNSW to protect the privacy of individuals.
Personal Information is defined as information or opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. This includes written information, voice recordings or information forming part of a database.
Health Information is defined as personal information that is information or an opinion about an individual’s:
- physical or mental health or disability;
- health services (both current and future);
- information relating to organ or other bodily part donations; or
- genetic information.
This Policy sets out the way personal and health information will be managed at FRNSW, so as to comply with relevant legislation.
Legal and policy framework
Legal framework
As a NSW government agency, FRNSW must meet the requirements of the Privacy and Personal Information Protection Act 1998 [external link] and the Heath Records and Information Privacy Act 2002 [external link]. These two acts establish principles for the management of personal and health information by NSW government agencies. They set out our obligations in relation to the collection, retention, security, access, use and disclosure of personal and health information.
The (Commonwealth) Telecommunications Act 1997 [external link] regulates the management of telephone calls to FRNSW including triple zero calls.
There are certain exemptions to these laws, for example to allow sharing of information between government agencies for law enforcement or investigative purposes.
Policy framework
This Policy is to be read in conjunction with the FRNSW Privacy Management Plan. These two documents describe how personal and health information is to be managed at FRNSW.
The following internal FRNSW policies and procedures contain individual references to enable staff to manage personal information collected for different purposes;
- Records management policy
- Information security policy
- In Orders 2009/26, AIRS policy
- In Orders 2006/13, Overt video surveillance policy
- In Orders 2006/11, Recording of radio, telephone and paging messages
- In Orders 1990/4, Access to Communication Centre information
- In Orders 1998/25, Incident notebooks
- Public interest disclosures policy
Policy principles
General
The Privacy and Information Protection Act 1998 sets out 12 Information Protection Principles. The Health Records and Information Privacy Act 2002 sets out 15 Health Privacy Principles. FRNSW must follow these principles for collecting, storing, using and disclosing personal and health information.
Specific application of these principles should be built into the policies and procedures of each area of the FRNSW that collects, stores, uses or discloses personal or health information. The principles are:
Collection of information must be:
Lawful - FRNSW will only collect personal or health information for a lawful purpose. The information must be directly related to FRNSW’s activities and necessary for that purpose.
Relevant - FRNSW will ensure that the personal and health information it collects is relevant, not excessive, accurate and up to date. FRNSW will not unnecessarily intrude into the personal affairs of the individual.
Direct - FRNSW will collect personal and health information directly from the person concerned, and only from third parties when authorised to do so.
Open - FRNSW will take reasonable steps to inform people their personal information is being collected, what it will be used for and to whom it will be disclosed. We will also inform people how they can see and correct the information. This principle may be applied differently in an emergency situation.
Storage of information must be:
Secure - FRNSW will ensure that personal and health information is stored securely, not kept any longer than necessary, and is disposed of appropriately. Information must be protected from unauthorised access, use or disclosure.
The Information Security Policy (Commissioners Orders 2011/15) applies to this principle for both personal and health information.
Access to information must be:
Transparent - FRNSW will take reasonable steps to explain to people what personal or health information it holds, why it is being used and any rights they have to access and amend it.
Accessible - FRNSW allows people to access their personal or health information without unreasonable delay or expense.
Correct - FRNSW allows people to update, correct or amend their personal or health information where necessary.
Use of information must be:
Accurate - FRNSW will take reasonable steps to ensure that personal and health information is relevant and accurate before using it.
Limited - FRNSW will only use personal or health information for the purpose for which it was collected, or a directly related purpose that the person would expect. We may use personal and health information without consent in order to deal with a serious and imminent threat to any person’s health or safety. Otherwise we will get the person’s consent.
Disclosure of the information, must be;
Restricted - during an emergency FRNSW may disclose personal and health information in order to deal with a serious and imminent threat to any person’s health or safety. FRNSW may also disclose personal or health information to a third party who has lawful authority to collect the information.
Apart from the above, FRNSW will only disclose personal or health information with consent, for the purpose for which it was collected, or a directly related purpose that the person would expect.
Sensitive information - FRNSW will not disclose sensitive personal information, for example information about a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership without consent or lawful authority.
Additional requirements for health information
Identification - FRNSW allocates unique numbers to its employees and volunteers in order to manage their records effectively. FRNSW may use unique identifiers for health information.
Anonymous - FRNSW will allow people to remain anonymous with regard to health information, where this is lawful and practicable.
Transfers - FRNSW does not normally transfer health information outside NSW, however, if there is a requirement to do so, we will make sure that substantially similar privacy laws apply in the receiving jurisdiction.
Linking health records - if FRNSW becomes a party to any system that links our health records with those of another organisation, we will obtain express consent to participate.
Policy implementation
FRNSW has developed a Privacy Management Plan to be read in conjunction with this document. FRNSW’s Privacy Management Plan specifies how the Privacy Policy will be implemented at FRNSW so as to comply with the Privacy and Personal Information Protection Act and the Health Records and Information Privacy Act.
The procedure of how to seek private information or lodge a privacy complaint are detailed in the FRNSW Privacy Management Plan.
Roles and responsibilities
All Staff
Be aware of the Privacy Policy and the Privacy Management Plan so they are aware of their responsibilities when managing personal or health information.
Managers of databases
Must sure that the information collected is accurate and only used for the purpose for which it was collected. Any person responsible for managing a database containing personal or health information must be aware of and comply with the:
- Privacy Policy
- Privacy Management Plan
- Information Security Policy
Privacy Officer
FRNSW’s Privacy Officer is responsible for:
- investigating and responding to privacy enquiries
- conducting reviews of privacy complaints
- providing advice on privacy legislation and personal information
- liaising with the NSW Privacy Commissioner, implementing any instructions or requests from the Privacy Commissioner and undertaking any reporting required by the Privacy and Personal Information Protection Act 1998.
Training and support
Additional information about protecting and releasing personal information can be obtained from the Privacy Officer. Training and additional support on privacy matters can also be organised by the Privacy Officer.
The Information and Privacy Commission provides information to public sector employees to assist in making privacy decisions. This includes details of previous court rulings and information about how to lodge a privacy complaint. This information is available on the Information and Privacy Commission’s website at www.ipc.nsw.gov.au [external link]
Monitoring and review
The Governance and Legal Office will monitor and review legislative changes to State and Federal Acts relating to privacy to determine if there are any implications for FRNSW. Where privacy matters are determined by the courts and are of relevance to FRNSW these will be captured and circulated to appropriate staff.
The Privacy Officer will also monitor external and internal information on privacy and health information matters. Where regular issues are raised the Privacy Officer will undertake reviews of information collection or distribution systems to determine if there are sufficient security and access controls.
Further information
Public Registers - Part 6 of the PPIPAprescribes special rules for personal and health information held on public registers. These rules regulate when personal or health information contained in a public register can be disclosed. FRNSW does not maintain any public registers for the purposes of PPIPA or HRIPA.
Privacy codes of practice – The PIPPA and HRIPA allow agencies to develop a privacy code of practice where they intend to depart from the Privacy Principles contained in the Acts. FRNSW does not intend to depart from the Privacy Principles and as such has not developed a privacy code of practice.
For further information about privacy contact the FRNSW Privacy Officer.