Under the Information Privacy Act 2014 (see Territory Privacy Principle 1.3), all ACTGovernment agencies, including the ACT Human Rights Commission (‘the Commission’) must have a clearly expressed and up-to-date privacy policy.
This policy outlines how the Commission and its staff collect, hold, use and disclose information about you.
The Commission’s Online Services Privacy Statement forms part of this policy, as does the attached (Appendix 1) outlining specific types of information collected used, and shared by each area of the Commission.
The policy is supported by individual privacy statements that we include on our forms used to collect information.
The Commission also has a summary privacy policy. If you ask us to, we will also provide a copy of either policy to you in a form of your choice (provided it is reasonable to do so).
If you have any questions about this policy or how we collect or handle information about you, please contact us.
We only collect, hold, use and disclose information about you so we can help you and as allowed to do, by ACT laws. The following ACT laws are some of the laws that allow us to do so. There are also some laws that mean that the Public Advocate gets information about vulnerable people.
We will only share your information where the law or a court or tribunal makes us share or allows us. If we share that information with other ACT government agencies, those other agencies also have to handle your information using the Information Privacy Act 2014 (Information Privacy Act).
The Commission promotes the human rights and welfare of all people living in the ACT. We are an independent agency established in 2006 under the HRC Act.
Our role under the HRC Act is to:
Four independent Commissioners manage the Commission’s eight major responsibilities under ACT law. The Commissioners are:
Each Commissioner’s responsibilities are outlined in our Operations Protocol (see page 4 and 5 of that Protocol).
One of the Commission’s functions is to provide an independent, fair and accessible process for complaints, including about:
The Commission advocates for vulnerable individuals in the community. It also protects the rights of children and young people, and of people with disability (including those with mental health concerns).
The Commission also supports, advocates for and assists victims of crime (including with financial assistance).
We only collect information about you in ways that are lawful and fair.
We only collect information about you with your informed consent or where we need it for our work. This means we will try to collect as little information about you as possible.
Each of the Commissioners and their teams have different roles and responsibilities. Each Commissioner and their teams are likely to collect different personal information about you.
The information we collect depends on what services we may provide.
For example, we may collect:
For a description of the kinds of personal information each Commissioner and their teams collect and why, see our information collection table (Appendix 1).
We collect information from you in many ways, including through complaint forms, in letters or emails to and from you, over the telephone and by fax or in person.
Generally, we will collect information from you directly when:
We may collect information about you from other people, government bodies or organisations when we have your consent or laws allow us to.
For example, the HRC Act, the Children and Young People Act 2007 or Victims of Crime Act 1994 allow us to collect information about you from other people. Some Commissioners can ask other services for information about your case or question. We can also make people give us information or documents where we reasonably believe it is relevant to a complaint or issue we are considering.
In some circumstances, for example, where it is required by law, we may also obtain information about you that was collected by other Australian, state and territory government bodies or other organisations.
We can also collect information about you from others where it is not workable, safe or reasonable to collect information directly from you. This will be in accordance with protections and safeguards under relevant laws and the TPPs. For example, we may be unable to locate you or asking you for the information may place you in serious danger.
We also collect information about you that is public where it is reasonably necessary for, or directly related to, our functions.
The Commission will only collect information about you from the social media services we use (eg Twitter and Facebook) if you choose to:
These social networks may collect information about you according to their own privacy policies.
To do some of our work, we may receive information about you from another person or organisation under a specific law without having asked anyone for it. This is discussed further in section 4.5 below.
When we need to collect information about you, we will give you notice before we collect it or as soon as we can afterwards unless we are allowed by law not to do so. This notice will set out:
We will normally give this notice in privacy statements. A privacy statement might be in writing or explained to you over the phone – it depends on how we are collecting your information. We also have an Online Services Privacy Statement for information collected through our website.
Sensitive information includes information about your:
We treat your sensitive information with greater caution. Except in strictly limited situations, we will not collect your sensitive information without telling you why we need to collect it and asking for your permission. The only times we may collect sensitive information without telling you are:
We have to comply with the Health Records (Privacy and Access Act) 1997 when we collect and handle information about your health. This law says that we can only collect your ‘personal health information’ for a lawful purpose that is directly related to what we do.
We may receive information (including sensitive information) about you from other people or bodies, such as your representatives or someone who has made a complaint about you.
We may also receive information about you as part of reports made to us by government bodies so that we can check on the services they provide to the community. We receive this information under relevant laws about child protection, mental health and personal violence.
As examples, the Community Services Directorate and Health Directorate may make reports to the Public Advocate under the Children and Young People Act 2008 and Mental Health Act 2015. The Victims of Crime Commissioner may also receive information from government bodies, including ACT Policing, Director of Public Prosecutions and ACT Courts and Tribunals, to support victims of crime.
Where we receive information that we have not asked for, we will decide within a reasonable time whether we could have collected the information ourselves.
If we believe we would have been allowed to collect the information (because it is related to what we do), we will treat it as if we had collected it ourselves and will only use and hold the information in accordance with this policy and relevant laws (such as the Territory Records Act 2002).
Where we receive information about you that is not related to what we do, we will take out your personal details or remove the information.
We understand that you may not want us to know your name.
Where possible, we will let you not use your name or use a made-up name.
Sometimes, such as when you make a complaint, we might need your name, contact details and other information about you to respond to you in a way that is efficient and fair.
We normally will not use or disclose information about you unless you agree, or would reasonably expect us to do so for the particular reason for which you gave us the information.
However, there are some situations discussed below where we collect information for one purpose but may then need to use or share it with another team for a different purpose or disclose it to a body outside the Commission.
As mentioned above (at 4.3), we will tell you why we need information about you when we collect it. We will only use information about you for that reason or for reasons that are directly related reasons.
Most often we will use information about you to try to resolve your concern or complaint, talk with you about what services you may need and communicate with you. We also use information about you to consider what financial assistance you may be able to get as a victim of crime, refer you to relevant services or assistance and investigate any system-wide issues that arise from your case.
Sometimes we will use information collected in relation to one complaint or contact made by you to assist with another complaint or enquiry that you make later. This is so we can provide a quick and convenient service to you or answer your questions as soon as we can. We try not to ask you the same questions more than once.
When we collect information for education or training events, we will only use it to keep a record of whether you attended and to keep you informed about our activities (if you opt-in to this process).
We may use information from you for research or to improve services, but we will not publish it without your consent or we will remove your personal information.
We will only share or disclose your information to bodies outside the Commission with your informed consent or where we are allowed or required to by law, including when handling your complaint. Other examples include where:
Service providers – We will share information with service providers when dealing with your complaint or when providing you a service, or otherwise helping you.
We may suggest you contact other service providers, such as community services and legal services so that they can help you. However, we will only release any personal information about you to providers with your consent.
We may also share your information so that service providers can provide answers to any questions you may have more quickly.
Courts and tribunals – If we are asked by a court or tribunal, we may have to share your information.
Government agencies – As we are an independent agency that is separate to the ACT and Australian Governments, we will not normally share your personal information with other government agencies without your agreement unless we have to do so by law or a court order.
Online services – We use third party providers for some web-based services, including SurveyMonkey for online surveys and EventBrite for registration at events organised or hosted by the Commission. This may mean that your information is shared in a secure way with these providers. Information about these services is available in our Online Services Privacy Statement.
Media – We will not provide information that would identify you to the media without your permission.
We will normally be able to help you better if we know whether you have recently contacted one of the Commissioner’s teams.
We will generally use your name, address, contact details and the issues you have raised to share information between Commissioners and their teams so that we can help you better.
If a Commissioner receives information about you under an ACT law, they are allowed to share it with another Commissioner and their staff if they believe the other Commissioner needs that information to assist you.
We may also share your information with other Commissioners and their teams if there is a risk or threat to you or someone else’s life, safety, health or wellbeing as allowed by law.
We use third party providers for some web-based services, including SurveyMonkey for online surveys (see their privacy policy for more information on information stored in the United States and European countries), Mailchimp for newsletters (stored in the United States) and EventBrite for registration at events (stored in the United States). We also use Google Analytics for analysis of that information by service providers based in the United States of America. Web traffic information is disclosed to Google Analytics when you visit the Commission’s websites.
These services collect and host information about your use of their websites (eg your IP address) on servers located overseas in the United States of America and Europe and your ability to complain or take action under Australian law about their use or disclosure of your information is limited. Privacy policies for each are linked above.
Apart from using these services, we do not normally disclose or store your information overseas. If we need to share or store information about you with a body or person overseas, we take reasonable steps before doing so to make sure that they treat your information in a way that is similar to the way to ACT law.
In some cases, the information will already be protected under the law that applies overseas, and you can complain or take action about the misuse or disclosure of your information.
If it is practical and reasonable to do so we will obtain your consent when your information is disclosed overseas. However, there may be situations when we are unable to obtain your consent, for example, where we are legally required to share information.
We actively take steps to make sure your information is stored securely. We make every effort to protect your personal information.
You have the right to ask for access to information that we hold about you under several laws, including the:
If you contact us to ask for access to your personal information, we must reply to you in 30 days. We must give you access to your information if it is reasonable and practicable and must do so in an appropriate manner. If documents containing information about you also include personal information about other people, we may take out their information to respect their privacy.
If we do not give you access to information about you, we must tell you why in writing, eg that it is sensitive information under the Children and Young People Act 2008 or information relating to complaints or the Commission’s inquiries under the HRC ACT.
We will not charge you any fees for asking for your information or providing you with it unless there is a fee for the specific information(such as court records).
We must take reasonable steps to make sure information about you that we collect, hold, use or disclose is accurate, up-to-date and complete. We take the following steps to do so:
If you access the personal information, we hold about you and discover it is wrong, you can ask us to correct it. If we have shared this information with another agency, you can ask us to tell them that they also need to correct the personal information.
We may decide not to change information about you, including when it is not personal information. We will write to you within 30 days to explain why we will not change your information and how you can complain about our decision.
We must take reasonable steps to make sure that information we hold about you is safe and secure.
The ACT Protective Security Policy Framework (ACT PSPF) means that all ACT agencies must take steps to protect people, information and assets, at home and overseas.
We have several policies and procedures for the steps we need to take under the ACT PSPF, including:
For example, we generally only use USB storage devices to store publicly available information (presentations), which will not contain personal information about you.
We take all reasonable steps not to lose or misuse information about you.
If your information is accidentally released, or is lost, or accessed without authorisation (hacked or misused) we will:
In view of the steps the Commission and our service providers take to keep your data secure, we do not believe an online security breach is likely to occur. However, we regularly review our processes and data security to minimise this risk.
We are also aware of the risks of natural disaster, and have a Business Continuity Plan so we can protect and access relevant information if we cannot access our records. We also back up data regularly.
The Commission is required to maintain records of its work under the Territory Records Act 2002. This means that we may keep it as part of our records securely and as allowed by law.
If we hold information about you and we no longer need to use or disclose it or keep it in our records, we will take reasonable steps to stop you from being identified or will destroy it.
If you are unhappy with how the Commission has handled information about you, you can complain to us in writing (by letter or email). This will help us clearly respond to your complaint.
We will help you lodge your complaint with us if you ask.
You can also contact us with suggestions for how we could better handle your personal information.
The Commission is located on level 2, 11 Moore Street, Canberra ACT.
The Commission is open Monday to Friday, between 9.00am-5.00pm, except on public holidays.
Our mailing address for complaints and other letters is:ACT Human Rights Commission, GPO Box 158, Canberra, ACT, 2601. Our email is: HRCprivacy@act.gov.au.
If you would like help in lodging a complaint, our phone number is: (02) 6205 2222
We will promptly tell you we have received your complaint when we receive it.
We will then consider your complaint to work out how we can appropriately resolve your issue and respond within a reasonable time (normally within four weeks).
If you are not satisfied with our response, in some circumstances, you can make a formal privacy complaint to the Office of the Australian Information Commissioner (OAIC) who acts as the ACT Information Privacy Commissioner.
The OAIC handles privacy complaints against ACT public sector agencies. For more information, including on making a complaint, you can contact the OAIC.
The OAIC handles privacy complaints against ACT public sector agencies. For more information, including on making a complaint, you can contact the OAIC.
The OAIC’s mailing address is GPO Box 5218 Sydney NSW 2001. Their email is enquiries@oaic.gov.au. For more information, you can visit the Office of the Australian Information Commissioner website.