About this Policy
This Policy expands upon the ACT Human Rights Commission’s (‘the Commission’s’) Website Privacy Statement and the Privacy collection statement located on our Complaint Forms relevant to the jurisdiction of the Commission. These include complaints about:
- Health services;
- Services for people with a disability;
- Services for children and young people; or
- Services for older people.
The Commission’s collection and handling of your personal information are outlined in the Information Privacy Act 2014 (IP Act), the Territory Privacy Principles found in that Act, the Health Records (Privacy and Access) Act 1997, Human Rights Act 2004 and the Human Rights Commission Act 2005.
Please note, many complaints made to the Commission involving personal health information will be governed by the Health Records (Privacy and Access) Act and not the Information Privacy Act. This is particularly so for complaints about a health service or service for people with a disability.
This statement is made in accordance with Territory Privacy Principle 1.3 of the IP Act.
If you have any questions about this privacy statement or our practices, including our website, please contact us.
The Commission collects, holds, uses and discloses personal information to carry out functions or activities under the Human Rights Commission Act; the Information Privacy Act 2014; the Territory Records Act 2002, Human Rights Act 2004, Discrimination Act 1991 and the Health Records (Privacy and Access) Act 1997.
The Commission will only collect information by lawful and fair means.
We generally only collect your personal information when you provide it to us in a variety of ways, including through paper complaint forms, in correspondence to and from you as well as email, over the telephone and by fax. Normally we collect information directly from you unless it is unreasonable or impracticable to do so, or if we are exercising our powers in relation to a complaint made under the Human Rights Commission Act 2005.
In certain circumstances, for example where it is required by law, we may also obtain personal information collected by other Australian, state and territory government bodies or other organisations.
We also collect personal information from publicly available sources where it is reasonably necessary for, or directly related to, our functions.
Generally, information will be collected when:
- We are required or authorised by law or a Court or Tribunal order to collect the information;
- We are handling a complaint;
- You send us an email, including submitting a complaint via email. Please note, you may choose to include sensitive information in your complaint, and we are not responsible for the level of encryption or protection you choose to apply to your own email. You can elect to provide your complaint in writing instead. Further information is provided below;
- You subscribe to our email newsletter;
- You RSVP for an event or training session;
- You participate in a survey;
- You undertake a payment or other transaction;
- You contact us to ask for information (but only if we need it);
- You make a complaint about the way we have handled a Freedom of Information (FOI) request or seek a review of an FOI decision; and
- You ask for access to information the Commission holds about you or other information about the Commission’s operation/s.
The Commission will generally not collect sensitive information (such as sexual orientation or criminal history information) without your consent. This will usually be as part of our complaints process, eg sexuality discrimination. You are not obliged to provide this information, however without it we may not be able to consider your complaint in full.
Sometimes we may collect sensitive personal information without your consent, such as when it is required or authorised by a law, including as part of our complaint handling processes, or court or tribunal order, or is necessary to prevent a threat to the life, health or safety of one or more individuals, or to public health or safety.
You may choose not to provide the information we request, or alternatively, identify yourself using a pseudonym. However, depending on the circumstances, without accurate personal information we may not be able to handle your complaint. Generally a pseudonym and email address will be sufficient to keep you updated via our e-newsletter, or accept your attendance at one of our events or training.
Use of personal information collected
Any personal information you provide will only be used for the purpose for which it was provided and will not be disclosed to other people or organisations without your consent, except where required by law.
Personal information collected as part of our complaints information will be used to attempt to resolve your complaint and investigate any systemic issues that arise.
Information collected for the purposes of education or training will only be used to keep a record of your attendance, and keep you informed about our activities (if you opt in to this process).
Types of information we collect and hold
The Commission attempts to only collect the minimum information we need. The personal information we collect and hold will vary depending on what we require to perform our functions and responsibilities. It may include –
- information about your identity (eg date of birth, country of birth, passport details, visa details and drivers licence);
- your name, address and contact details (eg phone, email and fax);
- information about your personal circumstances (eg age, gender, marital status and occupation);
- information about your employment (eg applications for employment, work history, referee comments and remuneration); and
- information about assistance provided to you under our assistance arrangements.
Sensitive information is handled with additional protections under the IP Act.
Sensitive information is information that is about an individual’s –
This information is generally collected in relation to complaints, particularly complaints about unlawful discrimination or health services under the Human Rights Commission Act 2005. It is usually collected by individuals providing it to us when they submit the complaint, or at our request as we progress a complaint.
The Commission does have powers under the Human Rights Commission Act 2005 to compel parties to provide information, but we only use this information to address individual complaints or investigate systemic issues, and there are strict requirements about how this information may be used. This includes that it is inadmissible in any proceedings against the person from which it was collected.
Notice of collection
When the Commission needs to collect personal information from you we will generally notify you about –
- who we are and how you can contact us;
- the circumstances in which we may or have collected personal information;
- the name of the law that requires us to collect this information (if any);
- the purposes for which we collect the information;
- how you may be affected if we cannot collect the information we need;
- the details of any agencies or types of agencies which we normally share personal information with, including whether those recipients are overseas, and which countries those recipients are located in;
We will only elect not to notify you when such a decision is made under an applicable law.
Use and disclosure
The Commission will not use your personal information for a secondary purpose or share your personal information with other government agencies, private sector organisations or anyone else without your consent, unless an exception applies.
We commonly use or disclose information to resolve complaints and investigate systemic matters within our jurisdiction. For example, as stated on our complaint forms, we will pass certain elements of your information to the other party in your complaint to assist them respond.
We will also consider personal information in our systemic work, but no personal information will be publicly published without your consent.
Generally information collected for the purposes of education or community engagement will only be used to keep you informed about that training, as a record of attendance and if you wish, to keep you informed about our work.
Exceptions are available in a number of circumstances, including when:
- you would reasonably expect us to use the information for the secondary purpose that is related (or directly related – in the case of sensitive information) to the original purpose for which the information was collected;
- the use or sharing of information is legally required or authorised by an Australian law, or Court or Tribunal order;
- the use is reasonably necessary for a law enforcement-related activity such as the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of the law; intelligence gathering, surveillance, conduct of protective or custodial services;
- we reasonably believe that use is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. For example, we may notify health services or the police if someone makes a threat of harm to themselves or others in their dealings with us;
- we have reason to suspect unlawful activity, or misconduct of a serious nature, that relates to our functions and we reasonably believe that collection of the information is necessary in order for us to take appropriate action; and
- we reasonably believe that the use is reasonably necessary to help locate a person who has been reported as missing.
The Commission does not usually collect and hold biometric information, unless you provide it to us for the purposes of a complaint. If the Commission has this information it is allowed to provide your biometric information (such as your fingerprints or photograph) or your biometric templates (digital representations of your distinct characteristics) to an enforcement body (like the Australian Federal Police, Department of Immigration) if we comply with any relevant guidelines.
The Commission may also disclose personal information to Commonwealth intelligence agencies where that disclosure is authorised by the head of the intelligence agency and the agency certifies that the collection of the personal information from the Commission is necessary for its functions.
Sharing information with service providers
The Commission contracts with service providers to support us carrying out specific activities and functions. For example, hosting our website.
In some circumstances it may be necessary for the Commission to share personal information with these service providers to enable them to perform their functions efficiently and effectively.
In these situations we protect personal information by only entering into contracts with service providers who agree to comply with Territory requirements for the protection of personal information.
Disclosure of personal information overseas
We use third party providers for some web-based services, with information stored in the United States and Europe. These include MailChimp for email subscriptions, SurveyMonkey for online surveys and EventBrite for registration at events. Please follow the hyperlinks for details on their privacy policies. This information will only be transferred overseas if you elect to utilise one of these services via our website.
If we need to share or store information with overseas recipients, we will take reasonable steps before disclosing the information to ensure that the recipient treats the personal information with a similar standard of care as is required by the IP Act.
In some cases, the information will already be sufficiently protected under the law governing the overseas recipient, and you can access mechanisms to enforce those protections.
If it is practical and reasonable to do so we will obtain your consent to overseas disclosure. However, there may be situations where we are unable, for example, where we share information as part of a law enforcement activity.
As MailChimp is based in the United States of America (USA) and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by MailChimp on servers located outside Australia, we are required to inform you that by subscribing to our news service:
- you understand and acknowledge that this service utilises a MailChimp platform, which is located in the United States of America (USA) and relevant legislation of the USA will apply; and
- you understand and acknowledge that MailChimp is not subject to the ACT Information Privacy Act 2014, and you will not be able to seek redress under Australian legislation, but will need to seek redress under the laws of the USA.
The ACT Human Rights Commission only uses this information if you choose to respond to our invitation to participate in a survey, and for the purpose of receiving and analysing your answers.
As SurveyMonkey is based in the United States of America and Luxembourg and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by SurveyMonkey on servers located outside Australia, we are required to inform you that by responding to one of our surveys:
- you understand and acknowledge that SurveyMonkey is not subject to the ACT Information Privacy Act 2014, and you will not be able to seek redress under Australian legislation, but will need to seek redress under the laws of the USA and Luxembourg.
The ACT Human Rights Commission only uses this information if you choose to respond to our invitation to attend an event, and for the purpose of reserving a space for your attendance, and to determine the number of attendees.
As EventBrite is based in the United States of America (USA) and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by EventBrite on servers located outside Australia, we are required to inform you that by responding to one of our surveys:
- you understand and acknowledge that EventBrite is likely not subject to the ACT Information Privacy Act 2014, and you may not be able to seek redress under Australian legislation, but instead seek redress under the laws of the USA.
Quality of personal information
The Commission is required to take reasonable steps to ensure that the personal information we collect is accurate, up-to-date and complete. We take the following steps to ensure this is the case:
- Keeping you informed about the progress of your complaint at least every six weeks, as required by the Human Rights Commission Act 2005, and reminding you to alert us to any errors in the personal information we hold about you.
- Recording the date of collection, and confirming with you when you next interact with us that your details are up to date.
- Promptly updating any changes into our records database.
Personal information we use or disclose must also be relevant for the purpose for which we use or disclose it.
We can assist you to correct your personal information held by us if it is no longer accurate, up-to-date and complete.
Storage and security of personal information
This section is informed by the OAIC’s Guide to Securing Personal Information: Reasonable Steps to Protect Personal Information. This Policy has been drafted with the following steps and strategies in mind to avoid and respond to breaches:
- Governance, culture and training.
- Internal practices, procedures and systems.
- ICT security.
- Access security.
- Third party providers (including cloud computing).
- Data breaches.
- Physical security.
- Destruction and de-identification.
The Commission is required to take reasonable steps to ensure that personal information it holds is safe and secure.
We strive to protect your personal information from misuse, interference or loss and from unauthorised access, use, modification or disclosure in accordance with the IP Act.
The Territory Records Act, Health Records (Privacy and Access) Act and the Human Rights Commission Act establish frameworks for the management of your personal information if it is held within our files or data systems.
Our IT systems employ comprehensive protections to guard against unauthorised access. We have sought assurances from service providers in writing that our electronic communications and databases are secure. Paper-based files are stored securely.
As a part of our general practice personal information is only available to staff who need to have access in order to perform their roles. We keep physical files stored in locked cabinets and rooms when not in use. Access to the building is further limited after hours.
USB storage devices are generally only used to store publicly available information (eg presentations) and are password secured.
Staff are also regularly reminded of their privacy obligations, including the need to keep physical and electronic records secure. ACT Government security arrangements also require staff to regularly change their passwords, and use robust passwords. Software is also regularly upgraded to the latest versions to enhance security. Email attachments and websites are also automatically scanned for viruses. Certain sites are blacklisted, and cloud-based computer storage is not used for personal information.
Any temporary staff, including interns, are usually not provided access to personal information. Nonetheless, all are also asked to sign non-disclosure agreements which include details about the importance of securing personal information.
In relation to online transactions, the Internet is an insecure medium and users should be aware that there are inherent risks transmitting information across the Internet. Information submitted unencrypted via email or web forms may be at risk of being intercepted, read or modified. If you do not wish to email, you can send a letter to the address in contact us.
The Commission has attempted to take all reasonable measures to prevent a data breach occurring, but is committed to assessing the risk of such a breach and immediately dealing with it if it occurs.
The risk of an online security breach is small, as we have assurances from our providers that they have taken measures to keep data secure. Nonetheless, the Commission does not store large amounts of personal information, and no sensitive information, in a public facing online environment, and so any unlawful removal of information from our online servers would not result in your sensitive information being accessed.
Only certain staff members have access to our electronic records, and logs are kept of which staff members access information. As such, any breach could be quickly identified. Similarly, the risk of physical files being accessed inappropriately is mitigated by rooms that hold such information requiring swipe card access. Some of these files do hold sensitive information, particularly health information, and so the Commission is acutely aware of the negative consequences of any breach.
The Commission is also aware of the risks of natural disaster, and has in place a Business Continuity Plan so we can protect and access relevant information in the case of our records becoming inaccessible. Data is also backed up daily.
As much as possible, this Policy and other related practices have been designed with the risk of human error in mind. The Commission is currently working on a Data Breach Policy and Response Plan.
Accessing your personal information
In accordance with the IP Act (Territory Privacy Principle 12) and your human rights, you have the right to ask for access to personal information that the Commission holds about you under that Act.
If you contact us to request access to your personal information we must provide you with access to your information in an appropriate manner, if it is reasonable and practicable to do so.
If we refuse access, we must respond to your request in writing within 30 days telling you why we are unable to provide you with access to that information.
We will not charge you any fees for making the request or providing you with access.
In some circumstances, you may also have the right under the Freedom of Information Act 1989 to request access to documents that we hold and ask for information that we hold about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading.
Correcting your personal information
If you ask the Commission to correct your personal information held under the IP Act, we must take reasonable steps to correct the information if we are satisfied that it is incorrect, inaccurate, incomplete, irrelevant, out-of-date or misleading. Any information held under the Health Records (Privacy and Access) Act is subject to separate provisions regarding claims that information is incorrect.
If we agree to correct information and that information has previously been shared with another agency, you may request that we notify the other agency of the possible need for them to correct that information.
There may be reasons why we refuse to correct that information, for example if we are required or authorised by law not to correct the information.
If we refuse to correct the information we must give you written notice of why we have refused to correct your information and how you may complain about our decision, within 30 days.
If we refuse to correct your personal information, you can ask us to attach or link to the information a statement that you believe the information is incorrect and why.
We will not charge you any fees for making the request for correction, correcting the information or attaching a statement to the personal information.
How to make a complaint
Complaints about how the Commission has managed your personal information need to be made in writing to the contact details below. We are also able to assist you to lodge your complaint if required.
We will consider your complaint to work out how we can resolve your issue satisfactorily.
We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.
If you are not satisfied with our response, in some circumstances, you can make a formal privacy complaint under section 34 of the IP Act. The Australian Information Commissioner (OAIC) is exercising some of the functions of the ACT Information Privacy Commissioner, including handling privacy complaints against ACT public sector agencies. For more information, including on making a complaint, you can contact the OAIC:
Telephone: 1300 363 992.
GPO Box 5218 Sydney NSW 2001
Level 3, 175 Pitt Street, Sydney 2000
Google will not collect personal information about you and the reports provided by Google to us will only contain aggregate non-personal data about your use of this website. (These reports may contain data relating to pages viewed, files downloaded or the completion of online subscriptions.) We will use the data collected by Google Analytics to improve how this website functions. For example, we can use the data to check whether customers are having problems finding information and make access to information as easy as we can.
By using this website, you consent to the processing of data about you by Google in the manner and for the purposes stated.
When you browse our web site, our system automatically makes a record of your visit and logs the following information for statistical purposes:
- your server address;
- top level domain name (e.g. .com, .net, .gov, .au etc);
- the type of browser and operating system you used;
- date and time of your visit;
- the previous site visited;
- which pages are accessed;
- the time spent on individual pages and the site overall; and
- which files were downloaded.
No attempt will be made to identify individual users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency (e.g. Australian Federal Police) exercises a warrant to inspect our service provider’s log files. This information is analysed to determine the web site’s usage statistics.
Social Networking Services
The Commission will not collect personal information via social media unless you choose to provide it to us. Please note that social networks may also collect information in accordance with their own privacy policies.
How to contact us
The ACT Human Rights Commission is located at Level 4, 12 Moore Street, Canberra City (near the Jolimont Centre on Northbourne Avenue).
We are open between 9.00am – 5.00pm, Monday to Friday.
If you would like to talk with the Commission, please contact us.
Our postal address is: ACT Human Rights Commission, GPO Box 158, Canberra, ACT, 2601.
The Children & Young People Commissioner can also be emailed at ACTkids@act.gov.au