Data privacy protocols

Purpose

The National Coronial Information System (NCIS) is committed to protecting the personal and health information that we collect, use and disclose.

Coroners and the Victorian Department of Justice and Community Safety (the NCIS' host jurisidiction) (the Department) are sensitive to the need to protect the privacy of personal information stored on the NCIS. Although this information primarily relates to deceased persons, the information is still regarded as potentially sensitive to the deceased’s relatives and friends.

 

Definitions

Access agreement - an agreement executed in writing between the Department and a third party which entitles that third party to access data, either via online access or such other means as agreed between the parties, subject to any specified terms and conditions

Authorised organisation - a third party with which the Department has entered into a written Access Agreement

Authorised user - an employee, servant or agent of the authorised organisation nominated in Schedule 6 and approved by the Department or such other employee, servant or agent subsequently nominated in writing by the authorised organisation and approved by the Department; ‘collect’ includes recording or downloading data

Data - means the coronial information provided by Participating Jurisdictions and compiled and collated and stored in the NCIS, and includes personal information

Department - the Department of Justice and Community Safety for and on behalf of the State of Victoria

Ethics committee - the Victorian Department of Justice Human Research Ethics Committee, being an Ethics Committee established in accordance with the National Statement on Ethical Conduct Involving Humans issued by the National Health and Medical Research Council in accordance with the National Health & Medical Research Act 1992 (Cth), or such other Ethics Committee notified by the Department to the authorised organisation, and in the case of authorised organisations which request identifying data from Western Australia, means the Western Australian Coronial Ethics Committee established under the auspices of the Coroners Act 1996

NCIS - the National Coronial Information System, being a remote data entry and retrieval system, managed by the Department

Personal information - information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably by ascertained, from the information or opinion.

 

Scope

This protocol sets out how the Department is to collect, hold, manage, use, disclose or transfer personal and health information in accordance with the Information and Health Privacy Principles contained within the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).

 

Access to and collection of data

An authorised user may only access and collect data from the NCIS that is necessary for the purpose for which access to the NCIS was approved.

 

Security of data

An authorised organisation that has obtained access to or is in possession of data must ensure that any such data, for so long as it is in the possession or control of the authorised organisation, is protected by all reasonable safeguards.

Whenever data is left unattended by an authorised user, it must be stored in a secure environment such as a secure network file system, locked drawer or locked filing cabinet.

An authorised user must not under any circumstances disclose their user name or password to any person for any reason. An authorised user who becomes aware that any person has obtained unauthorised access to the NCIS or has obtained information regarding a user’s login name or password must immediately notify the Department.

Authorised organisations and authorised users must ensure that the original data is not altered or modified in any way.

 

Use of data

An authorised organisation may only use data for the purpose for which access to the NCIS was approved and in a manner that is consistent with any restrictions imposed on access pursuant to the access agreement.

 

Disclosure of data

An authorised user who has obtained data must not disclose data to any other person unless such disclosure is specifically authorised by the access agreement or unless the disclosure is required or authorised by or under law.

An authorised organisation must ensure that any report of publication based on or containing data is presented accurately.

Any report of publication published by an authorised organisation that contains or refers to data must not contain any personal information.

 

Return or destruction of data

Once an authorised organisation no longer requires the data for the purpose for which it was collected, the organisation must ensure that it is destroyed or must otherwise ensure that the appropriate and secure archive arrangements are in place. Where an organisation intends to archive the data, the organisation must ensure that any identifying data is permanently de-identified prior to being archived. Where an organisation intends to destroy the data, it must ensure that the data is destroyed using a secure method such as shredding.

 

More information

Contact us for more information about NCIS data privacy and security protocols.