This policy provides information to external individuals and entities about how we handle confidential information, including personal, health, commercially sensitive and legally privileged information.
Privacy and confidential information policy
Types of confidential information that we may handle
The types of confidential information that we may handle in performing our statutory functions include:
- personal information: recorded information or opinion about an individual where their identity is clear or can reasonably be ascertained, such as:
  - name, address, contact details
  - employment information such as employer, email address and job role
  - utilities usage and billing.
- health information: information or an opinion about an individual’s physical, mental or psychological health (including any disability), or the provision of health services to them, in relation to hardship or domestic violence.
- commercially sensitive information: information such as trade secrets, or other matters of a business, commercial or financial nature which, if disclosed, would likely unreasonably expose the relevant undertaking to disadvantage.
- legally privileged information: information that is covered by legal professional privilege.
Compliance with laws
We only handle confidential information in accordance with all relevant laws, including the Essential Services Commission Act and the legislation we administer, the Privacy and Data Protection Act 2014, the Health Records Act 2001, and the Freedom of Information Act 1982.
Relevant prohibitions under the Essential Services Commission Act
The prohibitions under the Essential Services Commission Act in relation to confidential information include the following (each of which is subject to exceptions):
- The commission must not disclose confidential information obtained under certain legislative provisions unless various requirements are complied with, including that we invite the person giving the information to make prior submissions (s 60C)
- The commission must not disclose any ‘exempt document’ obtained from an ‘agency’ (each as defined in the Freedom of Information Act, noting that exempt documents may contain, for example, commercially sensitive information) (s 60D)
- A person must not disclose any confidential information obtained under the Essential Services Commission Act or the legislation we administer, or use that information to obtain any pecuniary or other advantage for any person (s 61).
If any confidential information falls within the scope of the relevant provision(s), we only use or disclose that information to the extent permitted under those provision(s) or as otherwise required or authorised by law.
Our contractors and consultants are likewise prohibited from disclosing confidential information obtained in the course of their work on our behalf, unless specific circumstances apply (such as where they have consent of the person who supplied the information or the disclosure or use is made at the direction of a court). We also use contractual arrangements to require them to comply with relevant privacy laws, as well as our policies and procedures in relation to confidential information.
Information sharing arrangements under the Essential Services Commission Act
Section 60E of the Essential Services Commission Act permits the commission to enter into information sharing arrangements with ‘relevant agencies’, which includes agencies responsible for fair trading, essential services regulation or law enforcement.
We are authorised to request and receive information from, and disclose information to, agencies with whom we have entered into information sharing arrangements (s 60E(3)). However, there are restrictions applicable to such arrangements, including that:
- only certain types of information may be shared (s 60E(2), (6))
- any sharing of information is permitted only to the extent that the information is reasonably necessary to assist in our statutory functions or the functions of the relevant agency (s 60E(4)).
Provided that we comply with those restrictions, we may share confidential information with agencies with whom we have entered into information sharing arrangements.
Presently, we have entered into a memorandum of understanding incorporating an information sharing arrangement with Energy Safe Victoria and Consumer Affairs Victoria. We may enter into other information sharing arrangements as required.
How we manage personal and health information
We value the privacy of every individual’s personal and health information. Protecting individuals’ privacy is important to us and we have in place various procedures to ensure compliance with the Information and Health Privacy Principles under the Privacy and Data Protection Act and Health Records Act.
Functions for which we collect personal or health information
We may collect personal or health information for:
- recruitment, employment and human resource management functions
- licensing functions
- analysis and reform functions
- reviews and inquiries functions
- compliance and enforcement functions
- reporting functions
- complaints handling
- responding to enquiries and correspondence from members of the public
- responding to requests under the Freedom of Information Act.
When we require or request that information or submissions be provided to us, we generally inform the party providing the information why we are collecting that information.
Is it compulsory or optional to provide personal or health information?
If we require the provision of information by issuing a Compulsory Notice, and personal or health information falls within the scope of the requirement, it is compulsory for the recipient of the notice to provide such information unless they have a reasonable excuse.
In other circumstances, it is generally optional for the recipient of the request to provide personal or health information.
Can I be anonymous?
When individuals contact us of their own accord, they generally can be anonymous but should provide us with some means to contact them (such as an email) if they would like a response.
However, if we have invited submissions within a consultation process, we do not encourage, and may not accept, anonymous submissions [1].
Collection
We collect an individual’s personal or health information only where it is necessary for our functions or activities, and only by lawful and fair means that are not unreasonably intrusive.
The common scenarios in which we may collect personal or health information include:
- when we require the provision of information by issuing a statutory information gathering notice (Compulsory Notice) [2] directly to the individual, or to an entity we regulate
- when we request information, or invite submissions, from stakeholders or members of the public
- when we receive information from another agency under a s 60E information sharing arrangement and/or a memorandum of understanding
- when individuals subscribe to our email alerts
- when individuals correspond with us, including by email, mail, telephone or through our website or social media channels.
Social media
If you engage with any of our social media accounts, we will only collect information provided by you. This includes engagement by way of posts, comments, direct messages or poll entries. Most of such activities on social media are accessible to anyone using the same channel. We do not have control over these settings. We recommend that you check the privacy policies of the relevant social media channels to understand what information you are making public when you engage with us through those channels [3].
Website
If you visit our website, we automatically collect data that may include some personal information. We use Google Analytics and other measurement software to help analyse how the site is used based on the data we collect.
Cookies are used to make your site experience easier and more efficient. We do not use cookies to collect any personal information.
Storage
We take reasonable steps to ensure the personal and health information we hold is accurate, complete and up to date.
All personal and health information is stored securely. We have a range of information security controls in place, including:
- firewalls
- antivirus software
- data backup and recovery software
- network security software
- security operations and incident management software
- web and email filters
- access controls to our offices and to our information systems
- protective markings
Once any personal or health information comes into our possession, we take reasonable steps to protect that information from misuse, loss and unauthorised access, modification and disclosure. These include ensuring that access to the information is limited to commission staff who need it to undertake their roles and responsibilities, which may be through the use of security-controlled folders in our information management system.
We take reasonable steps to destroy or permanently de-identify personal or health information if it is no longer needed for any purpose, in line with the Public Records Act 1973.
Use and disclosure
We only use (internally) or disclose (externally) personal or health information for the performance of our functions and the exercise of our powers, or as otherwise required or authorised by law.
We may disclose your personal information to a third party such as:
- external service providers who we engage to assist us with our functions. These could include an external lawyer, economic advisor, auditor, or third-party IT service providers
- another regulator (including foreign regulators) or law enforcement agency
- courts and tribunals
- other government agencies
- a Royal Commission or ministerial inquiry
- the public, if the personal information is required to be published in a register that can be searched by the public
- ministers and parliamentary committees.
The common scenarios in which we may use or disclose personal or health information for a purpose other than the one for which the information was collected include:
- when the information is relevant to the exercise of another commission function or power (and there is no prohibition on its use for that function or power)
- when the disclosure is to another agency under a s 60E information sharing arrangement
- when the individual providing the information has consented to the use or disclosure
- when the information is in the public domain at the time of the use or disclosure.
When we require or request that information or submissions be provided to us, the commission is responsible for identifying and appropriately managing the private and health information provided.
Will personal or health information be disclosed to someone outside of Victoria?
We will not disclose personal or health information about an individual to a third party outside Victoria, unless the individual has consented, or the disclosure is otherwise permitted under the Information or Health Privacy Principles. For example, we may disclose the information to a Commonwealth agency under an information sharing arrangement.
Access and correction
Individuals may request access to, or correction of, documents that contain their personal or health information that are in our possession.
In some cases, requests for access or correction will be handled in accordance with the Freedom of Information Act.
If an individual wishes to gain access to or correct the personal or health information about them that we hold, they should contact our Privacy Officer by emailing privacy@esc.vic.gov.au
How we manage commercially sensitive information
Collection
We only collect commercially sensitive information for the performance of our functions and the exercise of our powers, and only by lawful and fair means that are not unreasonably intrusive.
The common scenarios in which we may collect commercially sensitive information include:
- when we require the provision of information by issuing a Compulsory Notice to an entity we regulate
- when we request information, or invite submissions, from stakeholders or members of the public
- when we receive information from another agency under a s 60E information sharing arrangement and/or a memorandum of understanding.
The functions for which we may collect commercially sensitive information include licensing, analysis and reform, reviews and inquiries, compliance and enforcement and reporting functions.
When we require or request that information or submissions be provided to us, we generally inform the party providing the information why we are collecting that information.
Is it compulsory or optional to provide commercially sensitive information?
If we require the provision of information by issuing a Compulsory Notice, and commercially sensitive information falls within the scope of the requirement, it is compulsory for the recipient of the notice to provide the information unless they have a reasonable excuse.
In other circumstances, it is generally optional for the recipient of the request to provide commercially sensitive information.
Storage
We take reasonable steps to ensure the commercially sensitive information we hold is accurate.
Commercially sensitive information is stored securely. We have a range of information security controls in place, including:
- firewalls
- antivirus software
- data backup and recovery software
- network security software
- security operations and incident management software
- web and email filters
- access controls to our offices and to our information systems
- protective markings
Once commercially sensitive information comes into our possession, we take reasonable steps to protect that information from misuse, loss and unauthorised access, modification and disclosure. These include ensuring that access to the information is limited to commission staff who need it to undertake their roles and responsibilities, which may be through the use of security-controlled folders in our information management system.
We take reasonable steps to destroy or permanently de-identify commercially sensitive information if it is no longer needed for any purpose, in line with the Public Records Act 1973.
Use and disclosure
We only use (internally) or disclose (externally) commercially sensitive or personal information for the performance of our functions and the exercise of our powers, or as otherwise required or authorised by law.
The common scenarios in which we may use or disclose commercially sensitive, personal or health information for a purpose other than the one for which the information was collected include:
- when the information is relevant to the exercise of another commission function or power (and there is no prohibition on its use for that function or power)
- when the disclosure is to another agency under a s 60E arrangement
- when the party providing the information has consented to the use or disclosure
- when the information is in the public domain at the time of the use or disclosure.
When we require or request that information or submissions be provided to us, we generally inform the party providing the information that they should clearly identify any information that they consider to be confidential (including any commercially sensitive information) and provide reasons in support of that claim [4]. If we accept that claim, we will not publish the information or disclose it to a third party unless we do so by lawful means.
This excludes private and health information provided in submissions, as it is the commission’s responsibility to identify and manage private and health information appropriately.
How we manage legally privileged information
Legal professional privilege protects from disclosure documents that record work carried out by internal or external lawyers for the benefit of the commission. This privilege belongs to the commission and only the commission may waive it over such documents.
Use and disclosure
Legally privileged information is not disclosed outside the commission unless expressly authorised by the commission or where required by law.
Legal professional privilege claims
There may be circumstances where we require the provision of information by issuing a Compulsory Notice in performing our statutory functions, and the recipient of the notice considers that legal professional privilege applies to all or part of that information. In that case, the recipient must provide us with details of the privilege claim to rely on it.
How you can contact us or make a complaint
If you have any questions relating to how we handle confidential information, or if you wish to make a privacy complaint, please email our Privacy Officer at privacy@esc.vic.gov.au
Individuals may also make a privacy complaint to:
- the Office of the Victorian Information Commissioner (if the complaint relates to personal information), or
- the Health Complaints Commissioner (if the complaint relates to health information).
1. Our Submissions Policy provides further information in relation to anonymous submissions.
2. Our Information Gathering Notice Guideline provides further information in relation to information gathering notices.
3. The social media channels we use include LinkedIn (LinkedIn Privacy) and Facebook (Meta Privacy Policy).
4. Our Information Gathering Guideline and Submissions Policy provide further information in relation to requests for confidentiality.