The Taking Responsibility program is about providing all staff with the tools, training and resources to ensure the department fulfils all of its obligations. Taking responsibility is what we do when we adopt good records management practices and why we ensure sensitive information is handled in a sensitive manner. It is about asking for advice if unsure, so we can all adopt stringent but practical regimes. The program aims to maintain and grow awareness of the key obligations that each staff member has in their day-to-day work. The Program is about supporting you with tools, training, promotional materials and resources to ensure all staff know how to perform their roles and meet all of their obligations on an ongoing daily basis. Some of those obligations include adhering to the VPS Code of Conduct, privacy and freedom of information laws, information security requirements, records management practices and risk and environmental management. The program takes a pro-active approach to compliance through cooperation and coordination and, only where necessary, through intervention. The program emphasises three broad activities. These are: prevention – through policies, procedures, general awareness activities and learning and development; tailored intervention – through self-assessment tools, monitoring of activities, issues management and feedback; and treatment and control – through investigations, complaints handling, disciplinary procedures and auditing.
While there are several obligations you need to be mindful of as an employee, the responsibilities which are pivotal to the Taking Responsibility program are: Privacy & FOI, Records Management, Information Security, Code of Conduct, and Environment. As a group they form the mnemonic – PRICE. The cost of non-compliance can be “price”-less, whereby breaches exact a heavy “price” on both individuals and the department. What price would you personally put on non-compliance?
The Victorian Information Privacy Act covers personal information, other than health related personal information, held by Victorian public sector organisations. This is the legislation that will be focussed on in this session. The Information Privacy Act came into effect on 1 September 2001. It established the Office of the Victorian Privacy Commissioner, which is an independent statutory office along the lines of the Ombudsman or Auditor-General. The Privacy Commissioner, Paul Chadwick, took up a five year appointment in July 2001 which finishes this year. The Privacy Commissioner can receive complaints about perceived breaches of privacy by public sector organisations which took place after 1 September 2002. Each of the two acts contains Privacy Principles which guide how personal information should be handled – these are very similar across the two pieces of legislation. Most Victorian public sector organisations will be subject to more than one privacy law. For example, many will hold some health related personal information about employees, making the organisation subject to both the Information Privacy Act and the Health Records Act.
Under the Victorian Information Privacy Act, personal information is any information or opinion, whether true or not, about an individual whose identity is apparent or can reasonably be ascertained. Information can still be identifying even if it does not include a person’s name. For example, an address in today’s age of reverse telephone directories may be personal information. Most public sector organisations hold personal information about members of the public and also about their employees. The Health Records Act defines health information as information able to be linked to a living or deceased person about a person's physical, mental or psychological health. It includes disability related information. Sensitive information includes information about a person’s race, ethnicity and criminal record.
Always assume that whatever you write on a file could be accessed under FoI. It is imperative that files are well maintained. You should always attach documents in TRIM and to the relevant file (including e-mails) so that they can readily be discovered. Information and decisions recorded in TRIM and on files need to be factual, soundly based, objective and reached in an appropriate manner.
The code of conduct is binding and describes the behaviours expected of us as public sector employees. It may be supplemented by other information. Check with your manager or HR to see what other guidelines apply to your work. You might like to mention those that apply in your organisation. The behaviours described in the code are so important to our work that acting otherwise could be regarded as misconduct.
Today was an introduction to the code of conduct, the Victorian public sector values and the behaviours that support them. There are lots of ways you can put the code into practice. Here are some. Can you suggest other ways?
The Taking Responsibility Program consists of four distinct phases: Risk, Awareness & Education, Monitoring & Compliance, and Policies & Procedures. Under each of these headings a number of activities have occurred or will be occurring. It is important to bear in mind that all of these phases are just as important as each other. All parts of the program need to be ongoing and kept active. Briefly, there will be a number of communication and training activities. There will be regular communication by a variety of means to keep compliance in your mind. Think short presentations (like this one), posters and giveaways, articles on J-NET, messages on email and e-messages. A few well chosen key messages have been developed. Communication back the other way from you is also just as important! We are also taking a close look at our policies and procedures. Our policies and procedures must be written from the viewpoint of the person who will carry them out, so they require direct input from the operating divisions to ensure that they actually work. We are examining how many policies we have, the quality of those policies and how we train you in their requirements. An important part of monitoring is to identify the main potential danger areas in each work practice and pay special attention to those areas on a regular basis. The Programme will be working closely with business units to monitor against unwanted problems. The purpose of monitoring is to ensure that the required procedures are being followed, help resolve difficulties at an early stage, seek, and listen to, any suggestions for improvements, and serve as an early warning device. Underpinning a lot of this program is identifying and controlling danger areas. The prompt rectification of all failures of the system can, to some extent, be managed through a threat and risk assessment approach.
Many of you would have received some promotional materials either electronically or in hard copy as part of Privacy and Human Resources Awareness Week. CCS staff would have received materials from CV Head Office. In the coming months posters and tips will be distributed. Sneak and Peek: In addition, hot off the press, is a sneak peek at some of the posters that have been developed and will be rolled out in the coming weeks. Each of the icons in the secondary posters also features in the primary poster: the hand and tree for environment, a USB key and padlock for information security, and a whistle for whistle blowing.
The coloured balloon activity raises awareness of the clear desk and screen policy, especially the importance of securing sensitive and private information. The coloured balloons and cards used green, orange and red to signify how well staff complied with the policy. Coloured cards provided individuals with a personal rating while the balloons indicated team performance. The activity also used black balloons to highlight the importance of being environmentally responsible, such as turning off lights and computers at the end of every day. The activity provides Managers with an immediate indication as to which areas could be improved and which were doing things well. Information for Regional Managers on how to host a Coloured Balloon day activity, and FAQs and tips on keeping a clear desk and being environmentally responsible, will be available from the Taking Responsibility homepage.
Taking Responsibility Update January 2008
Taking Responsibility program OVERVIEW <ul><li>The taking responsibility program is about supporting our people with: </li></ul><ul><ul><li>tools </li></ul></ul><ul><ul><li>training </li></ul></ul><ul><ul><li>communication </li></ul></ul><ul><ul><li>resources </li></ul></ul><ul><li>To ensure they know what to do to meet all their obligations on an ongoing daily basis </li></ul>
Responsibilities that govern how we work <ul><li>Privacy </li></ul><ul><ul><li>Information Privacy Act </li></ul></ul><ul><ul><li>Health Records Act </li></ul></ul><ul><li>Records Management & FOI </li></ul><ul><ul><li>Public Records Act </li></ul></ul><ul><ul><li>Freedom of Information Act </li></ul></ul><ul><li>Information Security </li></ul><ul><ul><li>Information Security Strategy </li></ul></ul><ul><li>Code of Conduct </li></ul><ul><ul><li>Public Administration Act </li></ul></ul><ul><li>Environmental </li></ul><ul><ul><li>Environmental framework </li></ul></ul>Underpinning this is Risk management framework! What price is non-compliance?
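What is privacy? <ul><li>Information Privacy Act 2000 (Vic) (IPA) </li></ul><ul><ul><li>10 Information Privacy Principles (IPPs) </li></ul></ul><ul><ul><li>Privacy Commissioner, Vic </li></ul></ul><ul><ul><li>Vic public sector </li></ul></ul><ul><ul><li>‘Personal information’ </li></ul></ul><ul><li>Health Records Act 2001 (Vic) (HRA) </li></ul><ul><ul><li>11 Health Privacy Principles (HPPs) </li></ul></ul><ul><ul><li>Health Services Commissioner, Vic </li></ul></ul><ul><ul><li>Vic public & private sectors </li></ul></ul><ul><ul><li>‘Health information’ </li></ul></ul><ul><li>Privacy Act 1988 (Cth) </li></ul><ul><ul><li>NPPs & IPPs </li></ul></ul><ul><ul><li>Federal Privacy Commissioner </li></ul></ul><ul><ul><li>Cth & ACT public sector & some private sector orgs </li></ul></ul><ul><ul><li>‘Personal information’ & ‘health information’ </li></ul></ul>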
Privacy – Key definitions <ul><li>Personal information: Recorded information about a living identifiable or easily identifiable individual. </li></ul><ul><li>Health information: Information able to be linked to a living or deceased person about a person’s physical, mental or psychological health. </li></ul><ul><li>Sensitive information: Includes information about a person’s race or ethnicity and criminal record. </li></ul><ul><li>Is a photo personal information? </li></ul><ul><li>Are details of a person’s position and salary recorded on their personnel file? </li></ul>
‘Privacy Statement’ <ul><li>When collecting personal info, you must take reasonable steps to ensure subject knows: </li></ul><ul><ul><li>Identity & contact details of collecting org </li></ul></ul><ul><ul><li>Purposes of collection </li></ul></ul><ul><ul><li>Who info will be disclosed to </li></ul></ul><ul><ul><li>Any law requiring collection (if applicable) </li></ul></ul><ul><ul><li>Consequences if subject doesn’t provide info </li></ul></ul><ul><ul><li>Right to access & correct info </li></ul></ul><ul><li>Exception: info collected from 3rd person & notice would pose serious threat to any person’s life/health (IPP 1.3 & 1.5) </li></ul><ul><li>Easiest way to do this: ‘privacy statement/collection notice’ </li></ul>
Collection, use & disclosure <ul><li>Think of a traffic light when collecting, using or disclosing personal information. </li></ul><ul><li>Slow down! & think about it: </li></ul><ul><li>Does the law prohibit, allow or require the collection/use/disclosure? </li></ul><ul><li>Collection </li></ul><ul><ul><li>Law requires the collection; you must collect. </li></ul></ul><ul><ul><li>Law permits the collection; you may collect. </li></ul></ul><ul><ul><li>Law prohibits the collection; you cannot collect. </li></ul></ul><ul><li>Use </li></ul><ul><ul><li>Law requires the usage; you must use the information that way. </li></ul></ul><ul><ul><li>Law permits the usage; you may use the information that way. </li></ul></ul><ul><ul><li>Law prohibits the usage; you cannot use the information that way. </li></ul></ul><ul><li>Disclosure </li></ul><ul><ul><li>Law requires the disclosure; you must disclose. </li></ul></ul><ul><ul><li>Law permits the disclosure; you may disclose. </li></ul></ul><ul><ul><li>Law prohibits the disclosure; you cannot disclose. </li></ul></ul>
What is a Record? <ul><li>Recorded information in any form… created or received and maintained by an organisation or person in the transaction of business or the conduct of affairs and kept as evidence of such activity. (AS/ISO 15489) </li></ul>
Risk of Poor Recordkeeping <ul><li>Inability to comply with audit requests </li></ul><ul><li>Poor decision making resulting from incomplete records </li></ul><ul><li>Time wasted searching for records </li></ul><ul><li>Legal liabilities and increased corporate risk </li></ul><ul><li>Inconsistent customer service </li></ul><ul><li>Disaster recovery </li></ul><ul><li>Stress. </li></ul>
Tips and Hints <ul><li>Make file notes of phone calls, ad hoc meetings and outcomes of meetings </li></ul><ul><li>If you select Send and File, Notes will ask where you want to file email messages </li></ul><ul><li>Follow the Clear Screen and Desk Policy </li></ul><ul><li>Always use secure destruction bins </li></ul><ul><li>Use document naming conventions in all systems. </li></ul><ul><ul><li>Convention: Document type – Subject/Document Title – Version – Date </li></ul></ul><ul><ul><li>Example: Ministerial Briefing – Privacy Breach Mr Big – 20 August 2007 </li></ul></ul>
Activity 4 Whole Group Case Study <ul><li>Scenario: </li></ul><ul><li>You have been asked by our Executive Director to prepare a report regarding a community consultation process. The work was undertaken by a consultant who has subsequently left the department. </li></ul><ul><li>By talking to other members of your team you have been able to determine: </li></ul><ul><li>Information relevant to the consultation process is stored in a number of places: </li></ul><ul><ul><li>Personal drives of current and former team members </li></ul></ul><ul><ul><li>Shared drives </li></ul></ul><ul><ul><li>Memory sticks </li></ul></ul><ul><li>There is no uniformity in the titling of documents </li></ul><ul><li>Multiple versions of relevant documents exist </li></ul>
And remember what FoI means to you as an employee <ul><li>Always assume that whatever you write on a file could be accessed under FoI </li></ul><ul><li>It is imperative that files are well maintained - always attach documents in TRIM and to the relevant file (including e-mails) so that they can readily be discovered </li></ul><ul><li>Information and decisions recorded in TRIM and on files need to be factual, soundly based, objective and reached in an appropriate manner </li></ul>
What is information security? <ul><li>Information Security is a part of Information Management. </li></ul><ul><li>Information security covers: </li></ul><ul><ul><li>Confidentiality: ensuring that information is only accessed for legitimate purposes by appropriately authorised people. </li></ul></ul><ul><ul><li>Integrity/Reliability: ensuring that the quality of information is maintained and that the information can be relied upon. </li></ul></ul><ul><ul><li>Availability: ensuring that information is available to the right people at the right time. </li></ul></ul><ul><ul><li>Sensitivity and Privacy: ensuring that information is accessed only for legitimate purposes by authorised people. It must be cared for properly during this time, and when finished with it must be properly stored away. </li></ul></ul>
Tips for keeping information secure <ul><li>Keep your desk in order… </li></ul><ul><li>Whether you work at a desk, workstation or from a vehicle, follow the ‘clear desk’ policy for records containing personal information – and be especially careful in areas to which the public has access such as public waiting rooms/reception areas </li></ul><ul><li>Know where your information is… </li></ul><ul><li>Ensure that files are tracked so that you know who has possession of them </li></ul><ul><li>Manage copies… </li></ul><ul><li>If you have sensitive internal reports containing personal information ensure you know how many copies exist and who holds a copy – and that they are kept secure </li></ul>
Tips for keeping information secure (2) <ul><li>Think about information in all situations… (ish!) </li></ul><ul><li>If you take work home do not leave it in a car between home and work and ensure it is locked away at home </li></ul><ul><li>Dispose of paper records effectively - discarded confidential information belongs in the secure bins provided in each office/floor </li></ul><ul><li>If someone leaves DOJ, make sure as part of their exit interview all files that were in that person’s possession are accounted for and secured </li></ul><ul><li>Shut down computers at the end of each working day </li></ul>
what is the code of conduct? <ul><li>Describes how we are expected to behave towards the Victorian Government, community and colleagues </li></ul><ul><li>May be supplemented by information in: </li></ul><ul><ul><li>legislation </li></ul></ul><ul><ul><li>industrial agreements </li></ul></ul><ul><ul><li>awards </li></ul></ul><ul><ul><li>policies </li></ul></ul><ul><ul><li>procedures </li></ul></ul><ul><li>Failing to comply with the code may be misconduct </li></ul>
what to do next <ul><li>Read the code of conduct </li></ul><ul><li>Lead your team in discussing a workplace problem in your next team meeting </li></ul><ul><li>Start a discussion about the values the next time you have to make a major decision </li></ul><ul><li>Examine your own behaviour and challenge misconduct in the workplace </li></ul><ul><li>Speak to HR about more comprehensive training </li></ul>
Bottom line <ul><li>This code is binding upon you </li></ul><ul><li>Use it and refer to it during your work </li></ul><ul><li>It can be the basis of misconduct </li></ul><ul><li>It will be part of your performance management and you will be assessed in relation to your adherence to it. </li></ul>
Environmental Management System (EMS) <ul><li>Examples of existing initiatives </li></ul><ul><li>Monitor each facility's environmental performance. </li></ul><ul><li>Produce environmental communications, activities and events. </li></ul><ul><li>Develop and implement annual environmental surveys. </li></ul><ul><li>Standardised the use of recycled paper across DOJ. </li></ul><ul><li>Acquire low emission vehicles within the vehicle pool. </li></ul><ul><li>Facilitate the implementation of recycling systems. </li></ul><ul><li>Reduce the use of paper, water, energy & vehicles. </li></ul>
Aims of environmental action plans <ul><li>Identifies objectives and targets for the achievement of regional / departmental / agency objectives. </li></ul><ul><li>Includes a list of actions along with responsibilities and expected completion dates. </li></ul><ul><li>Actions are within budgetary constraints and/or available resources for each region. </li></ul>
Implementation phases of the program <ul><li>Risk </li></ul><ul><li>Monitoring & Compliance </li></ul><ul><li>Awareness & Education </li></ul><ul><li>Policies & Procedures </li></ul>
Watch out for our posters <ul><li>Secondary Posters </li></ul>Primary Poster