The Department grants to the Organisation the right to access and use CIMS for the duration of the CIMS Agreement for the Nominated Purposes on the terms set out in the CIMS Agreement. The way in which the Department grants the Organisation access to CIMS, that is, through Portal Access and/or API Access, shall be agreed by the parties.
The Organisation agrees that it will be bound by the Information Privacy Principles and the Health Privacy Principles with respect to any act done in connection with CIMS in the same way as the Department would have been bound had the relevant act been done by the Department. The Organisation agrees that it will ensure that it makes individuals whose information is entered into CIMS aware that:
- the Department is an organisation to which the Organisation may disclose their information; and
- the Organisation may collect and disclose information to the Department for the Nominated Purposes.
The Organisation will implement and maintain an IT Security Policy at all times during the term of the CIMS Agreement.
The Organisation Data may only be accessed or used by the Department for the purpose of the operation and administration of CIMS. The Department may use the Client Incident Information for any purpose of the Department.
The Organisation warrants its computer environment and data transfer protocols will be compatible with CIMS, as varied under clause 4.5 of the CIMS Agreement.
The Organisation acknowledges that the Department may vary CIMS on 10 Business Days’ Written Notice or other notice period as nominated by the Department and that, in that event, the Organisation must (at its own cost) perform whatever upgrades may be required to its computer environment as may be necessary to ensure it continues to comply with the warranty in clause 4.4 of the CIMS Agreement.
The Organisation will ensure that neither it nor any person to whom it gives access to the Confidential Information will disclose any of the Confidential Information of the Department to any other person without the prior written consent of the Department unless required by law.
The Organisation must not use the name or branding of the Department in a way that suggests endorsement or association with the Department, without prior written approval.
Functions of the Organisation Authority
The Organisation will ensure that the Organisation Authority manages User and organisational matters related to the Organisation for CIMS, including if applicable to the type of access to CIMS used by the Organisation:
- verifying the identity of a person applying to be registered as a User of CIMS and his/her role within the Organisation;
- verifying that a prospective User's job/position within the Organisation requires him/her to access CIMS;
- periodically reviewing each User's need to access CIMS;
- maintaining the currency of organisational details including but not limited to structure and registered address;
- maintaining an up to date register of Users, and a record of previous/de-registered Users, who access(ed) CIMS on behalf of the Organisation; and
- being available by telephone to the Department at all times during Business Hours with regard to Users and any issues relating to User access.
To the extent permitted by law, the Department shall have no liability in damages (including special, indirect or consequential damages, which damages will be deemed to include loss of revenue, loss of profit and opportunity loss) in respect of any act or omission of the Department in connection with CIMS, even if the Department has been advised by the Organisation as to the possibility of such losses being incurred.
Subject to clause 7.3, the CIMS is provided on an ‘as is’ and ‘as available’ basis without any express or implied warranties in respect of CIMS.
Pursuant to section 64A of the Australian Consumer Law, this clause applies in respect of any goods or services supplied under this agreement which are not of a kind ordinarily acquired for personal, domestic or household use or consumption, provided that this clause will not apply if the Customer establishes that reliance on it would not be fair and reasonable. Liability for breach of a guarantee conferred by the Australian Consumer Law (other than those conferred by sections 51 to 53 of the Australian Consumer Law) is limited:
- to the supplying of the services again; or
- to the payment of the cost of having the services supplied again.
The Organisation acknowledges that CIMS shall not be error free.
The Organisation must not use CIMS in a manner that:
- breaks or circumvents any of the technical, administrative or security measures;
- disrupts the performance or degrades the performance of CIMS; or
- attempts to exceed or circumvents limitations on volume or otherwise in a manner that exceeds reasonable volumes or volumes specified in a Written Notice.
The Organisation may use the Client Incident Information retrieved through the API Access in any third party applications at its own risk. The Organisation must rely on its own inquiries and judgement as to the suitability of the Client Incident Information for use in any third party application.
IT Security Policy
The IT security policy will:
- be based on the Victorian Protective Data Security Framework and Standard (available on the website of the Commissioner for Privacy and Data Protection at https://www.cpdp.vic.gov.au/);
- comply with Standards Australia's "Information Security Management - implementation guide for the health sector" HB 174-2003; and
- meet all of the requirements set out in clauses 2 to 7 below.
The security controls and practices of the Organisation must be based on the Australian Signals Directorate (ASD) Information Security Manual (ISM) and implement the Australian Signals Directorate's (ASD) Strategies to Mitigate Cyber Security Incidents – Essential Eight (https://www.asd.gov.au/publications/protect/essential-eight-explained.htm).
The IT security policy must be published and communicated to all employees, consultants or contractors of the Organisation who will access the Environment.
The IT security policy will include the following access control measures:
- User registration and de-registration procedures are used to control access to all information systems and services.
- All Users have a unique identifier (User ID) for their personal and sole use so that activities can be traced to the responsible individual.
- Passwords must be kept confidential and not shared with unauthorised Users.
The IT security policy will include the following physical and environmental security measures:
- Reliable processes are used to remove or destroy confidential data located on electronic storage media such as PC hard drives, portable storage devices (such as USB) and DVD/CDs prior to disposal or re-use.
- Sensitive information is not stored on the hard disk of a PC or notebook unless it is appropriately protected, e.g. using encryption where the sensitivity of the information demands. Sensitive or private information is not sent by email unless appropriately protected. Appropriate levels of user access rights and control are applied to the sensitive information stored on the network drives.
The IT security policy will include the following general security measures:
- All ICT systems either containing or accessing the Department’s data:
  - have installed and maintained antivirus software;
  - have a configured and enabled firewall and Intrusion Detection/Prevention system;
  - are kept current with all critical operating system and application security patches and updates;
  - require that all users have individual logon accounts with complex passwords with a minimum of 10 characters;
  - require that adequate system logging is in place to support cyber incident response or other enquiries;
  - require that audit and logging of privileged user management (e.g. administrator, root, etc.) actions is enabled and that logs are stored to support cyber incident response or other enquiries;
  - rename default Administrator accounts and disable Guest accounts; and
  - if using wireless networking: use robust encryption (WPA2 or higher is recommended); and change the default administration name and password of the router or similar device.
The Organisation will ensure that all relevant managers regularly review security procedures within their area of responsibility to ensure compliance with security policies and standards.
The Organisation will take reasonable steps to implement clear desk and clear screen practices appropriate to the sensitivity of the information they handle.
© State of Victoria 2017