Privacy Policy - Bushfire Recovery Victoria

How Bushfire Recovery Victoria collects, uses and discloses personal information, including sensitive information, about people using its services and its staff.

The privacy policy recognises the sensitivity of personal information that Bushfire Recovery Victoria handles, and is therefore committed to protecting the privacy of this personal information in accordance with the law.

We are bound by privacy and other laws, including:

  • Privacy and Data Protection Act 2014 (Vic)
  • Health Records Act 2001 (Vic)
  • Charter of Human Rights and Responsibilities Act 2006 (Vic)
  • Freedom of Information Act 1982 (Vic)

Using and disclosing information about bushfire-affected individuals is a legitimate part of providing services and keeping people safe. It is important to note that information may only be dealt with in accordance with the law.

This policy outlines our commitment to respecting and valuing the information of Victoria and the community.

Bushfire Recovery Victoria values and is committed to protecting your privacy. We collect and handle your personal information in order to carry out bushfire recovery functions, in accordance with the Privacy and Data Protection Act 2014 (Vic), Health Records Information Act 2001(Vic), Public Records Act 1973 (Vic) and other applicable legislation.

We respect and value in managing the personal and health information of Victorians and the community.

Our Privacy Statement

Your privacy is important to us. This Privacy Statement describes how we collect, store, use and disclose personal information when you interact with Bushfire Recovery Victoria.

What information do we collect?

We collect personal information for statutory and administrative reasons in order to carry out our functions. Personal information is information or an opinion (including information or an opinion forming part of a database), that is recorded in any form, whether true or not, about an individual whose identity is apparent, or can be reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 (Vic) applies.

In certain limited circumstances, as permitted by the Privacy and Data Protection Act 2014 (Vic), BRV may collect sensitive information. Sensitive information is a subset of personal information. It is information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences.

How do we collect your information?

Typically, Bushfire Recovery Victoria collects personal information when:

  • correspondence is received from the public
  • applications, registrations, enquiries, submissions, surveys and complaints are submitted
  • referrals and coordination of services is collected or submitted
  • research data is collected
  • employment information and details about occupational health and safety are collected from staff

How do we keep your information?

All personal and sensitive information is stored securely and in line with our information security policies. Once any personal information comes into our possession, we will take reasonable steps to protect that information from misuse, loss and unauthorised access, modification and disclosure. Access to your personal information is restricted to persons within Bushfire Recovery Victoria on a need to know basis.

How do we use and share your information?

Bushfire Recovery Victoria uses and provides personal information to other people or organisations for the primary purpose we collected it. In some instances, we may be authorised by law to use or provide your personal information for another reason. BRV may also use or disclose your personal information for a secondary purpose that is connected or associated with the primary purpose for which your information was collected.

The information you provide to us may be disclosed to ministerial or departmental staff or other government bodies for the purpose it was collected or to resolve issues you raise with us.

How can you access or correct your personal information?

There may be limited circumstances where we will provide you access to your personal information without the need to follow the statutory requirements set out in the Freedom of Information Act 1982 (Vic).

Should you wish to gain access to or correct your personal information held by Bushfire Recovery Victoria, please contact:

Freedom of Information-Privacy Lead

Bushfire Recovery Victoria
GPO Box 4912
Melbourne VIC 3001


How can you make a privacy complaint?

An individual may make a complaint about a potential privacy incident (breach) by contacting our privacy team via email

We work to resolve privacy complaints and breaches in a timely and fair manner.

An individual may also make a privacy complaint to the Office of the Victorian Information Commissioner in relation to a complaint relating to personal or sensitive information on phone 1300 006 842.

How can you contact us?

If you have any privacy enquiries please contact:

Privacy Officer
Evaluation and Reporting Unit
Bushfire Recovery Victoria
GPO Box 4912

Phone: 1800 560 760

Collection of personal information

Bushfire Recovery Victoria collects personal information necessary to our functions and activities, including various programs and services we run and those we fund others to provide and that we regulate.

We collect personal information only by lawful and fair means and not in an unreasonably intrusive way. If it is reasonable and practicable to do so, we collect personal information about an individual only from that individual.

When collecting information directly from an individual and when collecting information from someone else about an individual, we will take reasonable steps to ensure the individual is aware of why the information is being collected (including the purposes for the collection and any relevant laws requiring the collection), who it may be disclosed to, the main consequences if the individual does not disclose the information (if collecting information directly from the individual), and how the individual may contact us and gain access to the information collected.

There may be exceptions in the Information Privacy Principles in certain circumstances that do not require reasonable steps to be taken but this needs to be assessed on a case by case basis.

We typically collect information in the following ways:

  • directly from the individual to which the information relates
  • where it is not reasonable or practicable to collect the information directly from the individual, information may be collected from a third party, such as the individual's authorised representative
  • as a by-product of a provision of bushfire recovery services, which may include through (funded) agencies which are required to provide the information to us for the purpose of our functions and activities
  • as a result of activities associated with applications, registrations, enquiries, submissions, services and activities, grants, complaints and reporting
  • where information may be provided by a third party

We collect personal information for delivering, planning, funding, monitoring, evaluating and improving our services and functions, and for meeting statutory requirements.

Unless the use or disclosure of personal information is for the primary purpose of collection, or it is for secondary purpose and one of the permissible exceptions under Information Privacy Principle 2.1 applies, we remove identifying details from the information collected.

Collection of sensitive information

We may collect sensitive information where:

  • the individual has consented to the collection
  • the collection is required or authorised under law
  • the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual whom the information concerns is physically or legally incapable of giving consent to the collection or physically cannot communicate consent to the collection, or
  • the collection is necessary for the establishment, exercise or defence of a legal or equitable claim

We may also collect sensitive information about an individual if:

  • the collection is necessary for research or the compilation or analysis of statistics relevant to bushfire recovery support, or
  • the information being collected relates to an individual's racial or ethnic origin and the purpose of the collection is to provide government and non-government funded targeted recovery services, and bushfire-impacted communities to recover
  • there is no reasonably practicable alternative to collecting the information for either purpose, and
  • it is impracticable for the organisation to seek the individual's consent to the collection

Types of information collected

The types of personal information collected depends on the nature of the contact with Bushfire Recovery Victoria, services provided and statutory requirements.

Personal information collected by Bushfire Recovery Victoria may include (but is not limited to):

  • name, address and contact details
  • personal circumstances (age, gender and information)
  • financial matters (payment and bank account details)
  • housing accommodation
  • identity (date and country of birth)
  • government identifiers

What we do with the information collected

We use and disclose personal, including sensitive information for:

  • the primary purpose for which it was collected; or
  • a purpose related to that for which it was collected (secondary purpose) where the legislative requirements for using or disclosing for a secondary purpose are met

We may use or disclose personal, including sensitive information when:

  • the secondary purpose relates to the primary purpose of collection (or directly relates to the primary purpose in the case of sensitive or health information) and an individual would reasonably expect us to use or disclose it in this way
  • the individual to whom the information is about has given consent for the use or disclosure
  • Bushfire Recovery Victoria is required, authorised or permitted by or under law to use or disclose the information

The information collected might be able to be shared within Bushfire Recovery Victoria between different business units if business units comply with the Information Privacy Principles before doing so.

Such information may also be shared from Bushfire Recovery Victoria to service providers to allow efficient and effective delivery of quality services in compliance with the Information Privacy Principles.

We collect, use, hold and disclose personal information about a range of matters, including, but not limited to:

  • individuals participating in bushfire recovery services
  • managing contracts and funding agreements
  • managing fraud and compliance investigations
  • managing audits
  • managing grants
  • employment and personnel matters concerning staff and contractors
  • correspondence from members of the public to Bushfire Recovery Victoria, Ministers and Parliamentary Secretaries
  • complaints made and the feedback provided
  • requests made under the Freedom of Information Act 1982
  • planning, monitoring and evaluating BRV’s functions and services
  • meeting legislative requirements
  • policy development and research
  • meeting the reporting requirements of government and external oversight agencies
  • mandatory reporting

There are circumstances where we're authorised and or required by law to collect, use, hold or disclose an individual’s information. For example, in order to coordinate recovery under Division 5 of the Emergency Management Act 2013 (Vic) or to provide advice to the Minister on any matter relating to the functions of the Emergency Management Commissioner.

Wherever it is lawful and practicable, an individual must be given the option of remaining anonymous when interacting with Bushfire Recovery Victoria. A circumstance where it is not practicable for the individual to remain anonymous is where we are responsible for providing a full range of specific and coordinated services to the individual.

How we store and protect information

Bushfire Recovery Victoria has security measures designed to protect personal information from misuse, loss, unauthorised access, modification or disclosure. We must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose in line with the Public Records Act 1974.

We take reasonable steps to ensure that any personal information we collect, use and disclose is accurate, complete and up to date, and having regard to the purpose for which information is to be used, that it is relevant to our current functions and activities.

How do we protect information transferred outside Victoria?

Bushfire Recovery Victoria adheres to the requirements of the Privacy and Data Protection Act when transferring personal information outside of Victoria.

The only circumstances in which personal information may be transferred or stored outside of Victoria is when the transfer or storage meets one (or more) of the following criteria:

  • Bushfire Recovery Victoria reasonably believes that the recipient of the information is subject to a law, binding scheme or binding contract that provides substantially similar protection to the Privacy and Data Protection Act
  • the individual has provided consent to the transfer
  • the transfer is necessary for the performance of a contract between the individual and Bushfire Recovery Victoria, or for the implementation of pre-contractual measures taken in response to the individual's request
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between Bushfire Recovery Victoria and a third party
  • the transfer is for their benefit of the individual, and it is impracticable to obtain the individual’s consent to the transfer, but if it were practicable to obtain consent the individual would be likely to give it
  • We have taken reasonable steps to ensure that information which it has transferred will not be held, used or disclosed by recipients inconsistently with the Information Privacy Principles

Definitions of information

Personal information

Personal information is defined in the Privacy and Data Protection Act 2014 as information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Sensitive information

Sensitive information is a subset of personal information. It is defined in the Privacy and Data Protection Act. It means information or an opinion about an individual’s:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual preferences, orientation or practices
  • criminal record

That is also personal information (Information Privacy Principles (IPP) Schedule 1, Privacy & Data Protection Act).

Health Information

Health information is defined in the Health Records Act 2001 as:

  • the physical, mental or psychological health (at any time) of an individual
  • a disability (at any time) of an individual
  • an individual's expressed wishes about the future provision of health services to him or her
  • a health service provided, or to be provided, to an individual,
  • that is also personal information
  • other personal information collected to provide, or in providing, a health service
  • other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances
  • other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants
  • but does not include health information prescribed as exempt for the purposes of the Health Records Act

Unique identifiers

Unique identifiers are defined in the Health Records Act as an identifier (usually a number) assigned by an organisation to an individual to uniquely identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual’s name and not an identifier within the meaning of the Health Records Act (IPP 7).

De-identified information

De-identified information is defined in the Privacy and Data Protection Act as personal information that no longer relates to an identifiable individual or an individual who can be reasonably identified.

Reviewed 22 February 2021

Was this page helpful?