Privacy Policy

 

Privacy

Version Number

3

Effective Date

6 December 2007

Authorisation

 

 

 

 

Date of Review

June 2010

 

1. PURPOSE

This policy describes RRA’s approach to privacy of personal information.

2. SCOPE

This policy applies to all personal information held or controlled by RRA.

3. RISK

Compliance Register Risk management - Compliance Plan 2010

4. REFERENCES

A

 Privacy Act 1988 (amended 2004)

 http://www.privacy.gov.au/act/index.html

 

B

 National Privacy Principles

 http://www.privacy.gov.au/publications/npps01.html

 

 

5. DEFINITIONS

Term

Definition

Personal information

Personal information is information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (section 6). It includes all personal information regardless of its source.

 

Personal information relates to a natural living person. A natural person is a human being rather than, for example, a company, which may in some circumstances, be recognised as a legal ‘person’ under the law.

Sensitive information

 

Sensitive information is a subset of personal information. It means information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information about an individual.

 

6. POLICY

RRA manages private information in accordance with the Privacy Act 1988 (Refer A). In particular, the Corporation’s privacy policy implements the ten National Privacy Principles (Refer B) set out in the Privacy Act, which specify how organisations should collect, use, keep, secure and disclose personal information.   The principles also give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong.

 

Overview of personal information collected by RRA

For the most part, personal information collected by RRA falls under two categories:

information concerning staff and directors, as required in the normal course of human resource management; and

information concerning importers, wholesalers, service providers and people with whom RRA has dealings (typically contact details for individuals and, in some instances, bank account details for electronic payments).

 

Privacy Principle 1- Collection

RRA will not collect personal information by unlawful or unfair means and will not collect personal information for inclusion in a record or in a generally available publication unless the information is collected for a lawful purpose directly related to the function of RRA.

 

Privacy Principle 2- Use and disclosure

When in possession or control of a record that contains personal information, RRA will only use and disclose the information for the purpose for which the information was collected.

 

When in possession or control of a record that contains personal information that was obtained for a particular purpose, RRA will not use or disclose the information for any other purpose unless:

•   the individual concerned has consented;

•   RRA believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

•   use of the information for that other purpose is required by law;

•   use of the information for that other purpose is reasonably necessary for enforcement of the law, or for the protection of public revenue (if this right is exercised, RRA will include in the record containing that information a note of that use); or

•   the purpose for which the information is used is directly related to the purpose for which the information was obtained and the individual would reasonable expect the organisation to use or disclose the information for the secondary purpose.

 

Privacy Principle 3- Data quality

When RRA has possession or control of a record that contains personal information, it will not use that information without ensuring the information is accurate, up to date and complete.

 

Privacy Principle 4- Data security

When RRA has possession or control of a record that contains personal information, it will ensure the following:

  • The record is protected by security safeguards against loss; against unauthorised access, use, modification or disclosure; and against other misuse.
  • Take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under Principle 2. Privacy

 

Privacy Principle 5- Openness

RRA will set out in a document clearly expressed policies on its management of personal information. RRA will make the document available to anyone who asks for it.

 

On request by a person, RRA will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

 

Privacy Principle 6- Access and correction

If RRA holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent of exceptions detailed in Section 6.1 of the National Privacy Principles.

 

However, where providing access would reveal evaluative information generated within RRA in connection with a commercially sensitive decision making process, RRA may give the individual an explanation for the commercially sensitive decision rather than direct access to the information

 

If RRA holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, RRA will take reasonable steps to correct the information so that it is accurate, complete and up to date.

 

If the individual and RRA disagree about whether the information is accurate, complete and up to date, and the individual asks RRA to associate with the information a statement claiming that the information is not accurate, complete or up to date, RRA will take reasonable steps to do so.

 

RRA will provide reasons for denial of access or a refusal to correct personal information.

 

Privacy Principle 7- Identifiers

RRA will not adopt as its own identifier of an individual an identifier of the

individual that has been assigned by:

       (a)  an agency; or

       (b)  an agent of an agency acting in its capacity as agent; or

       (c)  a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

 

RRA will not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider, unless: the use or disclosure is necessary for the organisation to fulfil its obligations to the agency.

 

Privacy Principle 8- Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

 

Privacy Principle 9- Transborder data flows

RRA will only transfer personal information about an individual to someone (other than RRA or the individual) who is in a foreign country in compliance with the National Privacy Principles.

 

Privacy Principle 10- Sensitive Information

RRA will not collect sensitive information about an individual unless:

       (a)  the individual has consented; or

       (b)  the collection is required by law; or

       (c)  the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

              (i)  is physically or legally incapable of giving consent to the collection; or

              (ii)  physically cannot communicate consent to the collection; or

       (d)  if the information is collected in the course of the activities of a non profit organisation—the following conditions are satisfied:

              (i)  the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

              (ii)  at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

       (e)  the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.