Privacy Policy
View printable version of this page
Privacy Policy
August 2006
Table of Contents
About this policy
Why develop a privacy policy?
The purpose of a privacy policy is to communicate clearly the personal information handling practices of an agency or organisation. Privacy policies enhance the transparency of the operations of agencies and organisations. They also give individuals a better and more complete understanding of the sort of personal information an agency or organisation holds and the way it handles that information. Our privacy policy has been developed with these aims in mind.
Is the development of a privacy policy a requirement of the Privacy Act 1988?
Australian and ACT Government agencies must comply with the Information Privacy Principles (IPPs) in the Privacy Act. As an Australian Government agency, we are therefore required to comply with the IPPs. Under the IPPs, agencies are not required to develop a privacy policy but are required to maintain a record of what files they have that contain personal information, for inclusion in a yearly Personal Information Digest (described below).
Private sector organisations that are covered by the Privacy Act must comply with the National Privacy Principles (NPPs). Under the NPPs, these organisations are required to have clearly expressed policies on their management of personal information.
Despite the different requirements of the IPPs and NPPs, we consider it good privacy practice for all agencies and organisations to develop and display a privacy policy and this is why we have one.
IPPs and NPPs - what’s the difference?
The IPPs and the NPPs are contained in the Privacy Act and set out rules for the handling of personal information. The main difference between the two sets of principles is that the IPPs cover Australian and ACT Government agencies while the NPPs cover much of the private sector.1
Both the IPPs and the NPPs contain similar rules about the collection, use, disclosure and storage of personal information. However, there are some differences. For example, the NPPs include principles regulating the use of government identifiers, anonymity, transborder data flows of personal information outside Australia and the handling of sensitive information. Private sector organisations will need to take these differences into account when drafting their own privacy policies.
I don’t have time to read the whole policy. What should I read first?
This privacy policy has been developed to follow the ‘layered policy’ format, which means that it offers layers of greater or lesser detail so people can read as much as they wish and find what they need fast.
If all you want is a snapshot of our personal information handling practices, you can have a look at our condensed privacy policy which forms the ‘short’ layer of our privacy policy. This offers an easy to understand summary of how we collect, use, disclose and store your personal information and how you can contact us if you want to access or correct personal information we hold about you.
If, on the other hand, you are in search of a more comprehensive explanation of our information handling practices, then this is the document for you. This document forms the ‘detailed’ layer of our privacy policy.
What does this policy contain?
Part A – Our Personal Information Handling Practices explains our general information handling practices across the agency including information about how we collect, use, disclose and store your personal information.
Part B – Our Files offers further detail by explaining our personal information handling practices in relation to specific Office functions or activities such as complaint handling and policy advice. Here you can find out what sort of records we keep and why. You may find this section helpful if, for example, you have made an enquiry to our Office and wish to know how we manage our enquiries files.
Part C – Our Website explains our personal information handling practices when you visit our website.
What is a Personal Information Digest?
Our Office compiles a Personal Information Digest (PID) each year from entries submitted by Australian and ACT Government agencies. In their entries, agencies are required to set out:
- what sorts of records of personal information they hold
- the purpose of the records
- the types of individuals about whom records are kept
- for how long each type of record is kept
- the people who are entitled to have access to the personal information contained in the records and
- information about how a person can access the personal information held in the records.
Under the Privacy Act, agencies are required to submit their entries to our Office each year in June. PIDs are publicly available on the Personal Information Digest page of our website.
Where can I find more information?
Some useful publications include:
Part A – Our Personal Information Handling Practices
Our obligations under the Privacy Act 1988
This privacy policy sets out how we comply with our obligations under the Privacy Act 1988. As an Australian Government agency, we are bound by the Information Privacy Principles (IPPs) in the Privacy Act which regulate how agencies may collect, use, disclose and store personal information and how individuals may access and correct personal information held about them.
In this privacy policy, personal information (as defined in the Privacy Act) means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Collection
It is our usual practice to collect personal information directly from the individual.
Sometimes we collect personal information from a third party or a publicly available source, but only if the individual has consented to such collection or would reasonably expect us to collect their personal information in this way, or if it is necessary for a specific purpose such as the investigation of a privacy complaint.
In limited circumstances we may receive personal information about third parties from individuals who contact us and supply us with the personal information of others in the documents they provide to us. In these circumstances we will attempt to ensure that the consent of those third parties is obtained if we think we may need to use or disclose that information.
We only collect personal information for purposes which are directly related to our functions or activities under the Privacy Act, and only when it is necessary for or directly related to such purposes. These purposes include:
Complaint handling and investigations:
- When an individual makes a complaint to us
- When we conduct audits of Australian or ACT Government agencies or private sector organisations
- When we conduct investigations of Australian or ACT Government agencies or private sector organisations on the Privacy Commissioner’s own initiative.
Enquiries:
- When an individual contacts us asking for information or advice about our Office’s functions and its legislation.
Policy advice:
- When making contact with officers in Australian and ACT Government agencies or private sector organisations for the purpose of analysis and advice
- When we are planning consultation with stakeholders who we believe will want to be consulted
- When an organisation applies to have its Privacy Code approved by our Office
- When we are conducting research into a policy issue.
Public awareness and education:
Administrative activities:
- When we process freedom of information applications
- When we manage the personnel and corporate services functions of our Office.
For more detailed information about these purposes and the information handling practices that apply to them, see Part B – Our Files.
We also collect personal information as part of our normal communication processes directly related to those purposes, including:
- When an individual emails staff members
- When an individual phones us we may store their phone number on our telephone system
- When an individual hands us their business card.
Use and disclosure
We only use personal information for the purposes for which it was given to us, or for purposes which are directly related to one of our functions or activities, and we do not give it to other government agencies, organisations or anyone else unless one of the following applies:
- the individual has consented
- the individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies
- it is required or authorised by law
- it will prevent or lessen a serious and imminent threat to somebody's life or health
- it is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.
Data quality
We take steps to ensure that the personal information we collect is accurate, up to date and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.
Data security
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include password protection for electronic files, securing paper files in locked cabinets and physical access restrictions.
When no longer required, personal information is destroyed in a secure manner or deleted.
Access and correction
If an individual requests access to the personal information we hold about them, or requests that we change that personal information, we will allow access or make the changes unless we consider that there is a sound reason under the Privacy Act, Freedom of Information Act 1982 (Cth) (FOI Act) or other relevant law to withhold the information.
If we do not agree to provide access to personal information the individual may seek a review of our decision or may appeal our decision under the FOI Act.
If we do not agree to make requested changes to personal information the individual may make a statement about the requested changes and we will attach this to the record.
Individuals can obtain further information about how to request access or changes to the information we hold about them by contacting us (see details below).
How to contact us
Individuals can obtain further information in relation to this privacy policy, or provide any comments, by contacting us:
| Telephone |
1300 363 992 (for the cost of a local call anywhere in Australia)
+61 2 9284 9800 |
| TTY |
1800 620 241
(this number is for the hearing impaired only) |
| Post |
GPO Box 5218
Sydney NSW 2001 |
| Facsimile |
+61 2 9284 9666 |
| Email |
privacy@privacy.gov.au |
Part B - Our Files
This section provides further details about how we handle specific types of files that contain personal information.
Complaint Files
Purpose
We collect personal information in complaint files to enable us to assess, investigate, conciliate or determine privacy complaints, and use that personal information to ensure that we are accountable for the way we handle complaints.
The personal information in these files is about complainants and respondents. Complaint files may also include personal information about individuals who are authorised to represent complainants or respondents, and about third parties who provide information in the course of our investigations.
Collection
We collect personal information directly from complainants and respondents or their authorised representatives.
We may also collect personal information about complainants and respondents from third parties, when it is relevant to our assessment, investigation, conciliation or determination of a complaint.
Use and disclosure
We only use the personal information on these files to assess, investigate, conciliate or determine complaints.
We may use personal information held in complaint files to make contact with the complainant, the respondent and any other relevant individual or organisation.
We give the complainant’s name and details about the complaint to the respondent as we consider the complainant would be reasonably likely to be aware that this would happen. However, we give the complainant the opportunity to tell us if there are any parts of their complaint that they do not want us to disclose to the respondent. We will not disclose any such parts of the complaint to the respondent unless we are required by law to do so or if the disclosure will prevent or lessen a serious and imminent threat to somebody's life or health.
If the information the complainant agrees to disclose to the respondent is too limited, we may not be able to proceed with the complaint because procedural fairness requires that we must provide the respondent with sufficient information to respond to the complaint in a meaningful way.
We may give information to other regulators or to enforcement bodies in the course of referring a complaint to that body or seeking its advice. We prefer to seek the consent of the individual, but may sometimes disclose without consent if we are authorised or required by law to disclose the information.
We may disclose personal information held in complaint files to a judicial review body if a complainant seeks a review of our Office’s processes or decisions, for example by the Ombudsman or under the Administrative Decisions (Judicial Review) Act 1977.
As we are obliged to conduct our investigations in private, we will only give personal information about a complaint to the media if the complainant and the respondent have consented, or if the complainant and the respondent have already made the information public.
Data quality
We maintain and update personal information in our complaint files as necessary or when we are advised by individuals that their personal information has changed.
Data security
We offer an encrypted email service for individuals to lodge complaints.
Complaint files are stored in locked cabinets in paper form. When no longer required, personal information in complaint files is destroyed in a secure manner. For further information about the secure storage of complaint information see Complaints and Enquiries Database in this Part.
The following staff members have access to complaint files on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- Compliance staff and
- Records management staff.
Access and correction
For information about how to access or correct personal information in complaint files see Access and correction in Part A of this document.
Audit Files
Purpose
Audit files record details of audits of agencies and organisations which are conducted by our Office.
The personal information held in audit files may include contact information and opinions of employees of agencies or organisations that are subject to audit.
Collection
We collect personal information in these files from employees of the agency or organisation being audited.
Use and disclosure
We use information in audit files for the purpose of undertaking audits and to assist in the compilation of audit reports.
Personal information in audit files is not disclosed to other agencies, organisations or anyone else, unless the individual would reasonably expect us to or has given their consent. Audit reports may be published on our website, but they do not contain personal information.
Data quality
We maintain and update personal information in our audit files as necessary or when we are advised by individuals that their personal information has changed.
Data security
Audit files are stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in audit files is destroyed in a secure manner or deleted.
The following staff members have access to audit files on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- Compliance staff
- Policy staff and
- Records management staff.
Access and correction
For information about how to access or correct personal information in audit files see Access and correction in Part A of this document.
Own Motion Investigation Files
Purpose
The purpose of Own Motion Investigation (OMI) files is to record details of investigations undertaken on the Privacy Commissioner’s own initiative.
The personal information in these files may relate to individuals reporting matters for investigation, respondents and witnesses.
Collection
We collect personal information on these files from individuals, respondents and witnesses.
Use and disclosure
Personal information held in OMI files is used for the purpose of undertaking investigations into possible breaches of the Privacy Act.
We only disclose the personal information in OMI files to other agencies, organisations or anyone else if we have the consent of the individuals to whom the information relates or if we are required or authorised by law to do so.
Data quality
We maintain and update the personal information in OMI files as necessary or when we are advised by individuals that their personal information has changed.
Data security
OMI files are stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in OMI files is destroyed in a secure manner or deleted.
The following staff members have access to OMI files on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- Compliance staff and
- Records management staff.
Access and correction
For information about how to access or correct information in OMI files see Access and correction in Part A of this document.
Complaints and Enquiries Database
Purpose
The purpose of the complaints and enquiries database is to register and store information about privacy complaints and enquiries received by our Office.
The personal information in the database relates to enquirers, complainants, respondents, authorised representatives and witnesses. It also relates to employees of agencies or organisations which we have audited.
Collection
We collect personal information on this database from individuals or their authorised representatives. We also collect personal information on this database from agencies and organisations which we have audited.
Use and disclosure
The personal information on the complaints and enquiries database is used for the purpose of recording and managing complaints and enquiries. In particular it is used for making contact with complainants and respondents and generating correspondence.
The personal information on the database is disclosed to enquirers, complainants and respondents for the purpose of handling complaints or responding to enquiries.
Data quality
We maintain and update personal information in the complaints and enquiries database as necessary or when we are advised by individuals that their personal information has changed.
Data security
Personal information is stored in an electronic records management database which can only be accessed by registered users for the purpose of working on enquiries, complaints, own motion investigations or audits.
The database maintains an audit trail whenever personal information is included, amended or deleted on the database.
When no longer required, personal information on the database is destroyed in a secure manner or deleted.
The following staff members have access to the complaints and enquiries database on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- Compliance staff.
Access and correction
For information about how to access or correct personal information held in the complaints and enquiries database see Access and correction in Part A of this document.
Enquiries Files
Purpose
We maintain enquiries files containing personal information for the purpose of responding to enquiries.
Collection
We collect personal information directly from the individual making the enquiry or their authorised representative.
In the course of responding to some enquiries, we may collect personal information from publicly available sources such as websites or telephone directories for the purpose of making contact with the enquirer.
Use and disclosure
We only use personal information collected from an enquirer to respond to the enquiry or to make referrals which the enquirer has consented to or is reasonably likely to expect us to make.
Sometimes, if the enquirer consents, we will pass on their personal information to other Office staff, government departments or organisations for the purpose of following up their enquiry.
Data quality
We maintain and update personal information in our enquiries files as necessary or when we are advised by individuals that their personal information has changed.
Data security
We offer an encrypted email service for individuals to lodge enquiries.
Enquiries files are stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in enquiries files is destroyed in a secure manner or deleted.
The following staff members have access to this personal information on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- Compliance staff and
- Records management staff.
Access and correction
For information about how to access or correct personal information held in enquiries files see Access and correction in Part A of this document.
Policy Files
Purpose
The purpose of policy files is to store policy correspondence, analysis, working papers and other documents that relate to our functions to:
- provide advice
- examine enactments
- issue guidelines
- make determinations
- undertake research
- approve privacy codes and
- maintain an NPP opt-in register of small businesses.
The limited personal information in policy files relates to correspondence and submissions from people with an interest in privacy issues, and people working for or representing agencies or organisations with an interest in information privacy. This includes people working for an organisation, group or association representing a particular sector of the community.
Collection
We collect personal information in policy files directly from individuals or their agencies or organisations, or from publicly available sources such as websites or telephone directories.
Use and disclosure
Personal information in policy files is only used for the purpose of undertaking policy research and providing advice.
The personal information on policy files is not disclosed to other agencies, organisations or anyone else without consent unless: the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals; or the disclosure is required or authorised by law.
Data quality
We maintain and update personal information in our policy files as necessary or when we are advised by individuals that their personal information has changed.
Data security
Policy files are stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in policy files is destroyed in a secure manner or deleted.
The following staff members have access to policy files on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- Policy staff and
- Records management staff.
Access and correction
For information about how to access or correct personal information in policy files see Access and correction in Part A of this document.
Public Awareness and Education Files
Purpose
The purpose of public awareness and education files is to record details of public awareness and educational activities, such as contact with the media, speeches, event management and publication preparation.
The limited personal information in public awareness and education files relates to agencies, organisations, individuals, media representatives, event attendees, privacy service providers and events calendar listings which appear on our website, and educational institutions with an interest in information privacy.
Collection
It is our usual practice to collect personal information in public awareness and education files directly from individuals.
Sometimes we may collect personal information from an individual’s representative or from publicly available sources such as websites or telephone directories.
Use and disclosure
We only use the personal information in public awareness and education files for the purposes of undertaking public awareness and education initiatives and managing public relations.
The personal information on public awareness and education files is not disclosed to other agencies, organisations or anyone else without consent unless: the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals; or the disclosure is required or authorised by law.
Data quality
We maintain and update personal information in our public awareness and education files as necessary or when we are advised by individuals that their personal information has changed.
Data security
Public awareness and education files are stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in public awareness and education files is destroyed in a secure manner or deleted.
The following staff members have access to public awareness and education files on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors and
- Corporate and Public Affairs staff.
Access and correction
For information about how to access or correct personal information in public awareness and education files see Access and correction in Part A of this document.
Contacts Lists
Purpose
We maintain contacts lists which include contact information about individuals who may have an interest in privacy, such as Privacy Contact Officers (PCOs) and media representatives. We use these contacts lists to distribute information about our activities and publications.
Collection
It is our usual practice to collect personal information in contacts lists directly from individuals, for example, where they have asked to be added to a contact list.
Sometimes we collect personal information from a third party or from a publicly available source such as a website or telephone directory. We usually only collect personal information in this way if the individual would reasonably expect us to or has given their consent. For instance we might collect this information if we thought that the individual (or the organisation they work for) would like to receive information about a consultation we are carrying out, or that they might be likely to consider information about the Privacy Act useful in the work they do. We would only contact this individual in their work capacity.
Use and disclosure
We only use personal information in contacts lists for the purpose of managing public and stakeholder relations.
We do not give personal information about an individual to other agencies, organisations or anyone else without consent unless: the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals; or the disclosure is required or authorised by law.
In the course of coordinating the PCO Network, we may provide a PCO’s contact details to members of the public or other PCOs.
Data quality
We maintain and update personal information in our contacts lists when we are advised by individuals that their personal information has changed. We also regularly audit contacts lists to check the currency of the contact information. In the course of updating the lists we will remove contact information of individuals who no longer wish to be contacted.
Data security
The personal information in the contacts lists is stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in contacts lists is destroyed in a secure manner or deleted.
Routine access to contacts lists is limited to the database operators who have responsibility for maintaining the contacts lists. Other staff members have access to the personal information in contacts lists on a need to know basis.
Access and correction
For information about how to access or correct personal information in our contacts lists see Access and correction in Part A of this document.
Freedom of Information Files
Purpose
We collect personal information in files relating to Freedom of Information (FOI) applications from individuals to enable us to process their application and to keep track of the information released to them under the FOI Act.
The personal information in these files relates to the FOI applicant. FOI files may also contain personal information which appears in the documents requested.
Collection
We collect personal information in FOI files directly from individuals who make an FOI request.
Use and disclosure
We only use the personal information in FOI files for the purpose of assessing and processing the FOI application.
We do not give personal information held in FOI files to other agencies, organisations or anyone else without consent unless: the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals; or the disclosure is required or authorised by law.
Data quality
We maintain and update personal information in FOI files as necessary or when we are advised by individuals that their personal information has changed.
Data security
FOI files are stored in either password protected electronic media or in locked cabinets in paper form. When no longer required, personal information in FOI files is destroyed in a secure manner or deleted.
The following staff members have access to FOI files on a need to know basis:
- Privacy Commissioner
- Deputy Privacy Commissioner
- Assistant Privacy Commissioner
- Directors
- FOI Contact Officer and
- Records management staff.
Access and correction
For information about how to access or correct personal information in FOI files see Access and correction in Part A of this document.
Administrative Files
Administrative files including personnel and other corporate services records for our Office are managed and held by the Human Rights and Equal Opportunity Commission (HREOC) under a Memorandum of Understanding. For further information about how this personal information is handled, contact HREOC on (02) 9284 9600.
Part C - Our Website
This section explains how we handle personal information collected from our website www.privacy.gov.au.
Our website follows the Privacy Commissioner’s Guidelines for Federal and ACT Government Websites.
Users are advised that there are inherent risks in transmitting information across the internet. Individuals may contact our Office by phone or mail if they have concerns about making contact via the internet. For further information see How to contact us in Part A of this document.
Collection
When individuals only browse the website, we do not collect their personal information.
Sometimes, we collect personal information that individuals choose to give us via online forms or by email, for example when individuals:
When an individual looks at our website, our internet service provider (WebCentral) makes a record of the individual’s visit and logs (in server logs) the following information for statistical purposes:
- the individual’s server address
- the individual’s top level domain name (for example .com, .gov, .org, .au, etc)
- the pages the individual accessed and documents downloaded
- the previous site the individual visited and
- the type of browser being used.
We do not identify users or their browsing activities except, in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect the internet service provider's server logs.
Cookies
Our website uses session cookies during a search query of the website and when an individual accesses the Privacy Events RSS feed and web-based calendar. Our internet service provider does not employ cookies on our website except in those circumstances. The website statistics for this site are generated from the server logs as outlined above.
When an individual closes their browser the session cookie set by our website is destroyed and no personal information is maintained which might identify an individual should they visit our website at a later date.
Use and disclosure
We only use personal information collected via our website for the purposes for which it was given to us.
We do not share personal information about individuals with other government agencies, organisations or any one else unless one of the following applies:
- the individual has consented
- the individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies
- it is required or authorised by law
- it will prevent or lessen a serious and imminent threat to somebody's life or health
- the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.
When an individual’s email address is received by us because they sent us a message, the email address will only be used or disclosed for the purpose for which they have provided it and it will not be added to a mailing list or used or disclosed for any other purpose without the individual’s consent.
Personal information published on the following webpages is done with the consent of the individual: Opt-in register; Privacy Advisory Committee; Privacy code approval; Privacy events calendar and Privacy service providers.
Data quality
We maintain and update personal information collected from or published on our website as necessary or when we are advised by individuals that their personal information has changed.
Data security
We offer an encrypted email service for individuals to lodge enquiries and complaints. For further information see the secure email page of our website.
Individuals who choose to join our email lists, complete online forms or lodge enquiries will have their contact details stored on password protected databases.
Staff members associated with website maintenance have access to our website’s backend system which is password protected. Our website server, hosted by our internet service provider, is also password protected.
Access and correction
For information about how to access or correct personal information collected on our website see Access and correction in Part A of this document.
Endnote
- To find out which types of private sector organisations are covered by the Privacy Act see Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions.
|
HOME > Privacy Policy
