The policy refers to the collection and handling of personal and health information by Cobaw Community Health Services Ltd (Cobaw) in a way that establishes a reasonable balance between an individual’s right to control the use of their personal information, with Cobaw’s need to ensure that it can collect and use information with confidence in order to perform its functions.

Cobaw must comply with relevant privacy laws. Principally the:

  • Privacy Act 1988 (Cth)
  • My Health Records Act 2012 (Cth)
  • Privacy Amendment (Enhancing Privacy Protection) Act 2012
  • Healthcare Identifiers Act 2010
  • Privacy and Data Protection Act 2014 (Vic)
  • Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic)
  • Information Privacy Act 2000 (Vic)
  • Information Privacy Principles (Vic)
  • Health Records Act 2001 (Vic)
  • Health Insurance Act 1973 (Cth)
  • Children, Youth and Families Act 2005 (Vic)
  • Family Violence Protection Act 2008 (Vic)
  • Family Violence Protection (Information Sharing) Regulations 2018 (Vic)

The Australian Privacy Principles have been utilised to guide the development of policy and procedures that, as required by law, protect the rights of individuals who access a Cobaw service.


To ensure that clients’ privacy and the right to confidentiality is respected, and maintained according to privacy laws. 


Cobaw provides confidential services to all clients. The above legislations require procedures pertinent to the private and confidential collection, storage, usage and disclosure of personal information. All persons covered in the scope of this policy are required to comply with Cobaw’s Code of Ethical Conduct.


The policy is binding on all Cobaw staff, consultants, external contractors, volunteers and students who have access to personal information maintained by Cobaw.

The scope of this policy includes personal information of parties both internal and external to Cobaw Community Health. Any personal information collected, regardless if it is from a service user, stakeholder or an employee of Cobaw Community Health, will be handled according to this policy.


The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988, outline how organisations must handle, use and manage personal information.

These principles outline the requirement for:

  • the open and transparent management of personal information including having a privacy policy
  • an individual having the option of transacting anonymously or using a pseudonym where practicable
  • the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
  • how personal information can be used and disclosed (including overseas)
  • maintaining the quality of personal information
  • keeping personal information secure
  • right for individuals to access and correct their personal information
Collection Notice

When collecting personal or health information, Cobaw Community Health, will take reasonable steps to advise what information is being sought, for what purpose, whether any law requires the collection of the information and the main consequences, if any, of not providing the information.

Information Collected

Personal information is information or an opinion that is recorded in any form, about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion, but not including health information. Health information is information that can be linked to an identifiable individual, including deceased individuals, which concerns that individual’s physical, mental or psychological health, disability or genetic make-up.

Broadly speaking, Cobaw Community Health, collects personal and health information related to the delivery of health and wellbeing services. Cobaw Community Health, is a community health service and is required to collect information related to the provision of health and wellbeing services from existing, prospective or previous service users. These activities can extend beyond service delivery and may include Community Health Promotion, Consultation and Advocacy. Through these activities sometimes Cobaw, invites involvement of the broader community and collects contact details for the purpose of engaging in future consultations or responding to enquiries.

Contact details are collected from individuals interested in being informed about and participating in programs and events. Similar details are also collected from individuals who wish to receive publications and those consulting on policy and legislative matters.

You can visit the Cobaw website anonymously because the site does not collect or record personal information other than information you choose to provide by email or internet forms.

Use and Disclosure

Cobaw staff only collect and are provided with the information necessary for them to carry out the functions and activities of their role. Staff members are required to handle all personal and health information with discretion and to comply with the secrecy provisions of the Privacy and Data Protection Act 2014.

Some de-identified personal information from enquiries and complaints is used in awareness raising activities, public information and training, but never in a way that would compromise a person’s privacy. De-identified information may be shared with funding bodies and for awareness and reporting functions.

In certain circumstances, and in accordance with law, documents related to a complaint may be referred to appropriate complaints handling bodies such as the Health Complaints Commissioner, Aged Care Complaints Commissioner or the Disability Services Commissioner.

Specific disclosures will be made with consent or otherwise in accordance with the use and disclosure standards of the Privacy and Data Protection Act 2014 and the Health Records Act.

The Family Violence Information Sharing Scheme commenced in February 2018. Under Part 5A of the Family Violence Protection Act 2008 program areas who are prescribed Information Sharing Entities (ISEs) may be authorized to share information with other ISEs for family violence risk assessment and risk management.

Data Quality and Security

Cobaw Community Health, takes reasonable steps to ensure the information it holds is accurate, complete and up-to-date. Where possible we will check the accuracy of personal or health information with you before we use it.

We use a number of procedural, physical, software and hardware safeguards, together with access controls, secure methods of communication and back-up and disaster recovery systems to protect information from misuse and loss, unauthorised access, modification and disclosure.

Generally, information is destroyed or permanently de-identified when it is no longer required. However, most information held by Cobaw is subject to the Public Records Act (1973) and is required to be disposed of under the relevant Retention & Disposal guidelines such as the Record retention guide for organisations funded under the Service Agreement.

Access and Correction

Requests for access to and/or correction of documents containing personal information held by Cobaw will be handled in accordance with the Australian Privacy Principle 12 – Access to personal information and should be addressed to the CEO, PO BOX 146, KYNETON 3444 Tel: 03 5421 1666.

Unique Identifiers

The Information Privacy Principle 7 (IPP 7) restricts the assignment, adoption, use and disclosure of unique identifiers by Victorian public sector organisations, except in certain circumstances.  Circumstances in which this is permitted under IPP 7 include: where assignment or adoption of a unique identifier is necessary to enable the organisation to carry out any of its functions efficiently, or where the consent of the individual has been obtained.

Under Part 3 of the Healthcare Identifiers Regulations (2010) Cobaw may collect, use and disclose an individual’s healthcare identifier used for My Health Record. This may be done for the purpose of communicating or managing health information as part of the provision of healthcare to a service user or the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare.  Healthcare Identifiers can only be used for the purposes described in the Healthcare Identifiers Act 2010 and Healthcare Identifiers Regulations 2010, e.g. for communicating and managing healthcare, which covers documents and processes such as electronic referrals, discharge summaries and medication management.

Unique identifiers created by another organisation will not be requested unless required by law. Nor will we use or disclose a unique identifier unless there is a lawful basis for doing so.


When seeking general information from Cobaw, you do not have to identify yourself. If you wish to make an enquiry, no personal information will be collected or recorded unless we need it to get back to you with an answer. However, if you wish to make a complaint under the Privacy and Data Protection Act, identification is necessary.

Transfer of Information outside Victoria

We will not send your personal or health information outside Victoria without obtaining your consent.

Sensitive Information

Generally, we will only collect sensitive information with your consent or where required by law.

Cobaw is an organisation committed to improving the health and wellbeing outcomes for LGBTIQ+ service users and seeking accreditation against the Rainbow Tick Standards. With the service users’ consent, Cobaw collects information about sexual preference and gender identity at first point of contact. Unidentified data is used by Cobaw as research evidence to inform policy, support advocacy, and build capacity. It is recognised that disclosure of a person’s sex, gender identity or sexual orientation is a personal decision.

The Australian Privacy Principles (APPs) cover the collection, use, disclosure and storage of personal information. Cobaw supports and abides by Principle 6: The Right to Privacy of the Yogyakarta Principles (2006) which states:

“Everyone, regardless of sexual orientation or gender identity, is entitled to the enjoyment of privacy without arbitrary or unlawful interference, including with regard to their family, home or correspondence as well as to protection from unlawful attacks on their honour and reputation. The right to privacy ordinarily includes the choice to disclose or not to disclose information relating to one’s sexual orientation or gender identity, as well as decisions and choices regarding both one’s own body and consensual sexual and other relations with others.”

Privacy Complaints

Complaints in relation to privacy are treated seriously and attempts are always made to resolve them fairly and quickly. If a complaint is made, we will work with the complainant to resolve it and keep them informed of its progress.

If the person making the complaint is not satisfied with how it is dealt with, they can involve an appropriate complaints handling body such as; the Health Complaints Commissioner, Aged Care Complaints Commissioner or the Disability Services Commissioner.

Notifiable data Breaches

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.


Information for Service Users

Enquiries about this privacy policy should be directed to the Privacy Officer, Cobaw Community Health, PO BOX 146, KYNETON VICTORIA 3444 or via email to: privacyofficer@cobaw.org.au