View Document

Management of Special Category Information Instruction

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) RMIT is a contracted service provider with the Department of Employment, Skills, Small and Family Business (the Department) under the jobactive Deed 2015-2020. As part of this, RMIT is contracted to provide employment services for the Commonwealth, which includes the delivery of programs to individuals that receive social security benefits or payments.

(2) This document outlines how RMIT will manage ‘protected information’ as an employment services provider.

Top of Page

Section 2 - Authority

(3) Authority for this document is established by the Privacy Policy.

Top of Page

Section 3 - Scope

(4) All staff who have access to ‘protected information’ and the Privacy Office in providing central oversight.

Top of Page

Section 4 - Instruction

‘Protected Information’

(5) RMIT must comply with the Social Security (Administration) Act 1999, including the provisions that govern the collection, use and disclosure of ‘protected information’ in addition to the requirement to comply with the Privacy Act 1988 (Cth).

(6) ‘Protected information’ is information about an individual, that is protected under the Social Security Act 1991 (Cth) and the Social Security Administration − Class of Cases − Public Interest Certificate (No. 1) (the Class PIC), effective 1 September 2019.

(7) It covers information that was obtained under the social security law and is or was held in the records of the Department or the Human Services Department. It includes information that is personal, sensitive, or health information (see the Privacy Policy).

Summary of Responsibilities for Handling ‘Protected Information’

Activity
Responsibility
Conditions
Completion of ‘Information Exchange and Privacy’ online training available via the department's Learning Centre.
All School of Vocational Business Education (SVBE) staff involved in the administration of the NEIS program.
Privacy Office representative
Mandatory
Notifies the Dean SVBE of disclosure requests received for protected information.
Program Manager and/or delegate
As soon as possible and with joint referral to Privacy Office
Receives and makes disclosures of protected information including notifying the Department’s Account Manager when disclosures are made under the Class PIC.
Dean SVBE
Local process retains confidentiality of requests
Delegate uses Release of Protected Information Notification Form using the Class Public Interest Certificate to notify the Department account manager.
Provides independent assessment of whether the thresholds for disclosure have been met
Privacy Office
As required
Monitors disclosures made and reports to the Chief Audit and Risk Officer
Privacy Office
Annually
Security of records of ‘protected information’ including physical and electronic, on premises and off premises.
Dean SVBE
Program Manager
Security arrangements approved by CISO, ITS.
System Security Plan of Electronic Data for the NEIS program maintained and current.

Threshold Requirements

(8) Protected information must only be disclosed in the following limited circumstances:

  1. Pursuant to the Public Interest Certificate (No 1) 2019
    1. the Class PIC 2019 provides that protected information may be disclosed to police, other emergency services, health service providers and child protection agencies when there is a threat to a person's health or welfare; or
    2. where there has been a Commonwealth offence committed on RMIT premises.
  2. Pursuant to section 202(2)(f) of the Social Security (Administration) Act 1999
    1. with the express or implied authorisation of the person to whom the information relates (refer the RMIT Privacy Statement and core collection statements) (relevant to enrolled students)
  3. With specific permission from the Department
    1. Disclosure may not be appropriate where the information can be reasonably obtained from another source, or that the relevant information is not necessary to prevent, or lessen, a threat to the life, health or welfare of the person). In these circumstances, RMIT will need to approach the Department to obtain specific permission to disclose the information. (for example, where RMIT has been issued with a subpoena or other notice requiring production of documents).

(9) In assessing whether ‘protected information’ can be disclosed, details of the request from the relevant authority or organisation must include, at a minimum:

  1. who the request was made by, their contact person and phone number
  2. why the information is required by the person making the request (for example, if there has been a breach or an alleged breach of a criminal law, what the breach is and the details surrounding the breach).

Monitoring and Reporting

(10) The Dean SVBE will report annually to the Privacy Office (privacy@rmit.edu.au) on SVBE staff training currency, and any authorised disclosures made under the Class PIC.