The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling of personal information about individuals. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information).
The APPs regulate how organisations can collect, hold, use and disclose personal information and how you can access and correct that information. The APPs only apply to information about individuals, not information about corporate entities such as businesses, firms or trusts.
‘Sensitive information’ means personal information about you that is of a sensitive nature, including information about health, genetics, biometrics or disability; racial or ethnic origin; religious, political or philosophical beliefs; professional association or trade union memberships; sexuality; or criminal record. Special requirements apply to the collection and handling of sensitive information.
Personal information may be collected directly by us, or by people or organisations acting on our behalf. It may be collected directly from you, or on your behalf from a representative you have authorised.
Under the APPs, we will only collect information for a lawful purpose that is reasonably necessary for, or directly related to, your employment with us, or where otherwise required or authorised by law.
Types of personal information collected by us
This personal information may include but is not limited to:
Collection of sensitive information
In carrying out our functions and activities we may collect personal information that is sensitive information (see above). The APPs impose additional obligations on us when collecting, using or disclosing sensitive information. We may only collect sensitive information from you:
We also collect sensitive information where authorised to do so for the purposes of human resource management, fraud investigations, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.
Collection of unsolicited information
Sometimes personal information is not sought by us but is delivered or sent to us by either the individual or a third party without prior request.
Where unsolicited information is received by us, we will, within a reasonable period, determine whether that information is directly related to one or more of our functions or activities. If this cannot be determined, we will, as soon as practicable, destroy or de-identify the information. If this can be determined we will notify you of the purpose of collection and our intended uses and disclosures according to the requirements of the APPs, unless it is impracticable or unreasonable for us to do so.
How we collect personal information
We primarily use forms, online portals and other electronic or paper correspondence to collect your personal information. By signing paper documents or agreeing to the terms and conditions and disclaimers for electronic documents you are consenting to the collection of any personal information you provide to us.
We may also collect your personal information if you:
We hold personal information in a range of paper-based and electronic records, including cloud computing.
We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse.
Access to your personal information held by us is restricted, on a need-to-know basis, to authorised persons who are departmental employees or contractors.
We take all reasonable steps to ensure that the personal information we collect is accurate, up-to-date, complete, relevant and not misleading.
These steps include responding to requests to correct personal information when it is reasonable and appropriate to do so. Audits and quality inspections are also conducted from time to time to ensure the accuracy and integrity of information, and any systemic data quality issues are identified and resolved promptly.
Purposes for which information is collected, held, used and disclosed
We collect personal information for a variety of different purposes relating to our functions and activities including:
We use and disclose personal information for the primary purpose for which it is collected.
We will only use your personal information for secondary purposes where we are able to do so in accordance with the Privacy Act. This may include where you have consented to this secondary purpose; where the secondary purpose is related (or, if sensitive information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for the secondary purpose; where it is required or authorised by law; or where a permitted general situation exists, such as to prevent a serious threat to safety.
Likely secondary purposes for which we may use or disclose your personal information include but are not limited to: quality assurance, auditing, reporting, research, evaluation and analysis, and promotional purposes.
There are inherent risks associated with the transmission of information over the internet, including via email. You should be aware of this when sending personal information to us via email or via our website or social media platforms. If this is of concern to you then you may use other methods of communicating with us, such as post, fax or telephone (although these also have risks associated with them).
We only record your email address when you send a message to us or subscribe to one of our mailing lists. Any personal information, including email addresses, will only be used or disclosed for the purpose for which it was provided.
Accidental or unauthorised disclosure of personal information
We will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information. Legislative or administrative sanctions may apply to unauthorised disclosures of personal information.
How to seek access to and correction of personal information
You have a right under the Privacy Act to access personal information we hold about you. You also have a right under the Privacy Act to request corrections of any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Our access and correction process
If you request access to or correction of your personal information, we will respond to you within 7 calendar days.
While the Privacy Act requires that we give you access to your personal information upon request or an opportunity to request the correction of your personal information, it does set out circumstances in which we may refuse to give you access or decline to correct your personal information.
If we refuse to give you access or make corrections to your personal information, we will provide you with a written notice which, among other things, gives our reasons for refusing your request.