The Victorian Managed Insurance Authority (VMIA) provides risk management and insurance services to Victorian State Government departments and participating bodies, as defined under the Victorian Managed Insurance Authority Act 1996. We collect, use, disclose and handle personal information for the purpose of providing those services.
We value the privacy of every individual and are committed to protecting all personal and health information we collect. We are required to comply with the Privacy and Data Protection Act 2014 and the Health Records Act 2001. This policy outlines how we manage the collection, use, disclosure and handling of personal information in accordance with those Acts.
We may amend this privacy policy from time to time. Updated versions of this policy will be placed on our website, or can be obtained by contacting our Privacy Officer.
If you are a user of our website, by accepting our terms and conditions, you consent to us collecting, using, disclosing and handling personal information as described in this policy, and agree to be bound by the obligations it imposes on you. As the policy may be amended from time to time, you should review it regularly.
If you are a user of our website, for the purpose of this policy, "you" also includes the organisation by which you are authorised to access the site.
Personal information
In this policy, "personal information" means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably by ascertained from the information or opinion. Personal information includes "sensitive information" (which means information or an opinion about an individual's racial origin, political opinion, membership of a political association or trade union, religious beliefs, sexual preferences or criminal record) and "health information" (which means information, or an opinion about the health or a disability of an individual, or individual's wishes about the provision of health services).
Collection of personal information
We collect and hold personal information mainly about our staff, about our clients and their staff and about people involved in insurance claims. Depending on the situation, the personal information we collect may include:
- name, address and contact details (including phone number and email);
- date of birth;
- information relating to previous or current insurance, or an insurance claim;
- employment, health and financial information.
If information we request is not provided, we may not be able to provide services in the most effective or efficient manner, or at all. We only collect personal information that is necessary for the operation of our business. This means we only collect information that is necessary for:
- providing risk management or insurance services;
- processing insurance claims;
- employing staff and engaging service providers.
We generally collect personal information in person, in writing, by telephone, email or via our website. For example, we may collect information when you make an application for insurance or other services, submit a claim or access the secure area of our website. We may also collect personal information via third parties. For example, if we are processing an insurance claim, we may collect personal information about the claimant from the insured or from other third parties, such as loss adjusters, lawyers, insurers, doctors, healthcare workers or witnesses.
Collection of information via our website
When you visit our website, information about your computer or web device is automatically recorded by our website. This includes your IP address, your top level domain name (eg .com.au, .gov.au), the date and time of your visit to our site, the pages you accessed or downloaded, the address of the last site you visited, your operating system and the type of browser you used. This information may be collected by us or by a third party service provider on our behalf. This information is collected for statistical and system administration purposes, and to improve our web based services. It does not readily identify individuals, and we will not attempt to identify individuals from the records our server generates unless it is necessary to do so for law enforcement purposes.
We may also use cookies to assign your device a user ID. Cookies contain information that allows us to identify your device. We may use this information to determine whether or not to display standard content. You can usually configure your browser so that it does not accept cookies.
Use and disclosure of personal information
We will generally only use personal information for the purpose for which it was collected, or for a purpose that is related to, or in the case of sensitive or health information, directly related to, the purpose for which it was collected.
We use personal information we collect to provide, manage and administer the insurance and risk management products and services we provide. In the normal course of our business operations we may disclose personal information to our insured client, to other insurers, or to third party service providers such as actuaries, auditors, investigators, medical service providers, loss adjusters, legal advisors and other parties involved in the risk assessment or claims handling process. Personal information may also be disclosed to our contract service providers, including but not limited to customer service staff, consultants, advisers, IT and internet service providers.
Where you deal with us through the secure area of our website, information provided may also be disclosed to other individuals authorised by your organisation to access that secure area.
We will also disclose personal information if required by law to do so. This may include disclosure to regulatory agencies, to courts or tribunals or under the Freedom of Information Act 1982 (VIC).
If you consent, we will use your personal information to send you details of other products and services that we believe may be of interest to you. If at any time you no longer wish to receive such material, you may unsubscribe or otherwise let us know, and your details will be removed from relevant databases.
Transfer of information outside Victoria
Some organisations to which we disclose information to may be located, or may store information on computer servers, outside Victoria. For example, some insurers and IT providers we deal with regularly are based overseas. We do not transfer information outside Victoria unless we are satisfied that the recipient organisation is subject to a binding legal obligation to protect privacy that is equivalent to the obligations that apply to us.
Your responsibilities
If you provide us with personal information about other individuals, you must ensure that they are aware or will be made aware that the information is being provided to us, the types of organisations to which we may disclose the information and how they can access the information. If the information you are providing is health information or sensitive information, you must first obtain the individual's consent to disclosing the information to us.
If we disclose personal information to you, or you collect, use or handle personal information on our behalf, you must comply with all requirements for the collection, use, disclosure and handling of personal information that apply to you. These may include the Information Privacy Principles set out in the Privacy and Data Protection Act 2014 and the Health Privacy Principles set out in the Health Records Act 2001 (Vic).
Security of personal information
We may store personal information we hold in hard copy documents, as electronic data or in our software or IT systems (and those of our service providers). We endeavour to protect all personal information that we hold from misuse and loss, and to protect it from unauthorised access, modification and disclosure. We achieve this through:
- confidentiality requirements on our employees;
- policies regarding document storage and security;
- policies concerning the access of our computer systems;
- controlling access to our premises;
- imposing contractual obligations on our service providers; and
- website security measures.
For information collected through the secure section of our website, submitted data is transmitted by 128 Bit encryption, using secure sockets layer (SSL) technology. This means data can only be intercepted in their encrypted form.
While we take all reasonable steps to ensure the security of information provided to us via our website, there are risks in transmitting information across the internet. If you are concerned about conveying sensitive information via the internet, you might prefer to contact us by telephone or mail.
Retention of your information
We generally retain personal information we hold for as long as is necessary to perform the function or provide the services in relation to which the information is collected. However, we may retain personal information for longer periods to comply with legislative requirements for document retention, such as under the Public Records Act 1973. If personal information is deleted from our database it may be retained in de-identified from on the servers of our internet service provider.
Accessing your information
We try to ensure that personal information we hold is accurate, complete, and up to date. If you ask us we will provide you with access to, and allow you to correct, personal information we hold about you, although this is subject to exceptions under the Information Privacy Principles and Health Privacy Principles, for example where:
- access would pose a serious threat to the life or health of any individuals;
- access would have an unreasonable impact on the privacy of others;
- your request to access information is frivolous or vexatious;
- the information relates to commercially sensitive decision making processes;
- access would be unlawful or denying access is required or authorised by law;
- access would prejudice enforcement activities relating to criminal activities and other breaches of the law, public revenue or a security function; or
- the information is to be used in legal proceedings.
If we do not provide you with access to your personal information we will advise you of the reasons for the refusal and inform you of any exceptions relied upon.
In some circumstances we may require you to pay the reasonable cost of providing access to personal information we hold about you.
Dealing with us anonymously
When you use our website or ask us to provide general information, we may deal with you without requiring you to provide personal information. However, aside from those circumstances, the nature of our business is such that it is generally not possible for us to deal with people on an anonymous basis.
Use of our website
Our website may contain links to other websites that are not owned, operated or endorsed by us. We are not responsible for the privacy practices of those websites, or for the content, product or services provided by, or contained on, those websites.
Contact us
For further information about this privacy statement or how VMIA handles personal information, please contact us by email at privacy@vmia.vic.gov.au.
For other information requests or further guidance on your rights, see the Victorian Government's Office of the Victorian Information Commissioner website.
For more information on privacy visit the following websites:
- Office of the Victorian Information Commissioner (https://ovic.vic.gov.au/privacy/)
- Health Complaints Commissioner (https://hcc.vic.gov.au/)
- Office of the Australian Information Commissioner (OAIC) (https://www.oaic.gov.au/privacy)