Privacy Policy

1. About this Policy

Under the Information Privacy Act 2014 (see Territory Privacy Principle 1.3), all ACTGovernment agencies, including the ACT Human Rights Commission (‘the Commission’) must have a clearly expressed and up-to-date privacy policy.

This policy outlines how the Commission and its staff collect, hold, use and disclose information about you.

The Commission’s Online Services Privacy Statement forms part of this policy, as does the attached (Appendix 1) outlining specific types of information collected used, and shared by each area of the Commission.

The policy is supported by individual privacy statements that we include on our forms used to collect information.

The Commission also has a summary privacy policy. If you ask us to, we will also provide a copy of either policy to you in a form of your choice (provided it is reasonable to do so).

If you have any questions about this policy or how we collect or handle information about you, please contact us.

2. Overview

We only collect, hold, use and disclose information about you so we can help you and as allowed to do, by ACT laws. The following ACT laws are some of the laws that allow us to do so. There are also some laws that mean that the Public Advocate gets information about vulnerable people.

We will only share your information where the law or a court or tribunal makes us share or allows us. If we share that information with other ACT government agencies, those other agencies also have to handle your information using the Information Privacy Act 2014 (Information Privacy Act).

3. Who we are and what we do?

The Commission promotes the human rights and welfare of all people living in the ACT. We are an independent agency established in 2006 under the HRC Act.

Our role under the HRC Act is to:

  • independently handle complaints about discrimination, health services, disability and community services
  • promote understanding of human rights in the ACT
  • encourage ways of improving services in the ACT for all people and increase awareness of people’s rights and responsibilities when using those services
  • give advice to government and others about their human rights obligations
  • give a voice to children, young people and adults in vulnerable situations; and
  • deliver services to people who have been victims of crime and promote their interests.

Four independent Commissioners manage the Commission’s eight major responsibilities under ACT law. The Commissioners are:

  • Dr Helen Watchirs – President and Human Rights Commissioner
  • Ms Jodie Griffiths-Cook – Public Advocate and Children and Young People Commissioner
  • Ms Karen Toohey – Discrimination, Health Services, Disability and Community Services Commissioner
  • Ms Heidi Yates – Head of Victim Support ACT and Victims of Crime Commissioner

Each Commissioner’s responsibilities are outlined in our Operations Protocol (see page 4 and 5 of that Protocol).

One of the Commission’s functions is to provide an independent, fair and accessible process for complaints, including about:

  • Disability services
  • Services for older people
  • Discrimination
  • Sexual harassment
  • Services for children and young people
  • Victimisation
  • Health services
  • The rights of victims of crimes

The Commission advocates for vulnerable individuals in the community. It also protects the rights of children and young people, and of people with disability (including those with mental health concerns).

The Commission also supports, advocates for and assists victims of crime (including with financial assistance).

4. Collecting and receiving information about you

We only collect information about you in ways that are lawful and fair.

We only collect information about you with your informed consent or where we need it for our work. This means we will try to collect as little information about you as possible.

4.1. What kinds of information do we collect and why?

Each of the Commissioners and their teams have different roles and responsibilities. Each Commissioner and their teams are likely to collect different personal information about you.

The information we collect depends on what services we may provide.

For example, we may collect:

  • information about your identity (eg date of birth, country of birth, passport details, visa details and drivers licence)
  • your name, address and contact details (eg phone, email and fax)
  • information about your personal circumstances (eg age, gender, marital status and occupation)
  • information about your employment at the Commission (eg job applications, work history, referee comments and pay)
  • information about assistance we have provided to you

For a description of the kinds of personal information each Commissioner and their teams collect and why, see our information collection table (Appendix 1).

4.2. How do we collect it?

We collect information from you in many ways, including through complaint forms, in letters or emails to and from you, over the telephone and by fax or in person.

Generally, we will collect information from you directly when:

  • A law or a court or tribunal says that we must or should do so
  • we are providing you with services or help
  • we are handling a complaint
  • you send us an email
  • you subscribe to our email newsletter
  • you register for an event or training session
  • you participate in a survey
  • you make a payment or other transaction
  • you contact us to ask for information
  • you send an application for Victims of Crime Financial Assistance, by email
  • you make a complaint about the way we have handled a Freedom of Information (FOI) request or ask for a review of an FOI decision; and
  • you ask for access to information the Commission holds about you or other information about what we do.

We may collect information about you from other people, government bodies or organisations when we have your consent or laws allow us to.

For example, the HRC Act, the Children and Young People Act 2007 or Victims of Crime Act 1994 allow us to collect information about you from other people. Some Commissioners can ask other services for information about your case or question. We can also make people give us information or documents where we reasonably believe it is relevant to a complaint or issue we are considering.

In some circumstances, for example, where it is required by law, we may also obtain information about you that was collected by other Australian, state and territory government bodies or other organisations.

We can also collect information about you from others where it is not workable, safe or reasonable to collect information directly from you. This will be in accordance with protections and safeguards under relevant laws and the TPPs. For example, we may be unable to locate you or asking you for the information may place you in serious danger.

We also collect information about you that is public where it is reasonably necessary for, or directly related to, our functions.

The Commission will only collect information about you from the social media services we use (eg Twitter and Facebook) if you choose to:

  • provide it to us by messaging us or posting photos on our pages, or
  • post the information as publicly visible.

These social networks may collect information about you according to their own privacy policies.

To do some of our work, we may receive information about you from another person or organisation under a specific law without having asked anyone for it. This is discussed further in section 4.5 below.

4.3. How will you know if we’re collecting information about you?

When we need to collect information about you, we will give you notice before we collect it or as soon as we can afterwards unless we are allowed by law not to do so. This notice will set out:

  • who we are and how you can contact us?
  • the circumstances in which we may or have collected information about you
  • the name of the law (if any) that allows or requires us to collect the information
  • why we are collecting the information
  • how you may be affected if we cannot collect the information we need
  • the details of any agencies or types of agencies with which we normally share people’s information, including whether they might be located overseas and in which countries
  • that we have this policy explaining how we handle your information and complaints about our information handling; and
  • how you can access this policy.

We will normally give this notice in privacy statements. A privacy statement might be in writing or explained to you over the phone – it depends on how we are collecting your information. We also have an Online Services Privacy Statement for information collected through our website.

4.4. What about when information about you is sensitive or relates to your health?

Sensitive information includes information about your:

  • Racial or ethnic origin
  • Political opinions
  • Membership of a political association
  • Philosophical beliefs
  • Religious beliefs or affiliations
  • Experience of crime including sexual assault
  • Sexual orientation, gender identity
  • Membership of a trade union
  • Membership of a professional or trade association
  • Criminal record
  • Physical or mental health
  • Genetic and biometric information (eg photographs and recordings of you, fingerprints, tissue samples, eye scans)

We treat your sensitive information with greater caution. Except in strictly limited situations, we will not collect your sensitive information without telling you why we need to collect it and asking for your permission. The only times we may collect sensitive information without telling you are:

  • where required or permitted by an Australian law or a court or tribunal order
  • where necessary to lessen or prevent a serious threat to life, health or safety or public health or safety
  • where we have good reason to think collecting the information is necessary to assist a law enforcement body in performing their role.

We have to comply with the Health Records (Privacy and Access Act) 1997 when we collect and handle information about your health. This law says that we can only collect your ‘personal health information’ for a lawful purpose that is directly related to what we do.

4.5 What about when we did not actually ask for your information?

We may receive information (including sensitive information) about you from other people or bodies, such as your representatives or someone who has made a complaint about you.

We may also receive information about you as part of reports made to us by government bodies so that we can check on the services they provide to the community. We receive this information under relevant laws about child protection, mental health and personal violence.

As examples, the Community Services Directorate and Health Directorate may make reports to the Public Advocate under the Children and Young People Act 2008 and Mental Health Act 2015. The Victims of Crime Commissioner may also receive information from government bodies, including ACT Policing, Director of Public Prosecutions and ACT Courts and Tribunals, to support victims of crime.

Where we receive information that we have not asked for, we will decide within a reasonable time whether we could have collected the information ourselves.

If we believe we would have been allowed to collect the information (because it is related to what we do), we will treat it as if we had collected it ourselves and will only use and hold the information in accordance with this policy and relevant laws (such as the Territory Records Act 2002).

Where we receive information about you that is not related to what we do, we will take out your personal details or remove the information.

4.6 What if you do not want us to know your name?

We understand that you may not want us to know your name.

Where possible, we will let you not use your name or use a made-up name.

Sometimes, such as when you make a complaint, we might need your name, contact details and other information about you to respond to you in a way that is efficient and fair.

5. Using and sharing information about you

We normally will not use or disclose information about you unless you agree, or would reasonably expect us to do so for the particular reason for which you gave us the information.

However, there are some situations discussed below where we collect information for one purpose but may then need to use or share it with another team for a different purpose or disclose it to a body outside the Commission.

5.1. How we use your information

As mentioned above (at 4.3), we will tell you why we need information about you when we collect it. We will only use information about you for that reason or for reasons that are directly related reasons.

Most often we will use information about you to try to resolve your concern or complaint, talk with you about what services you may need and communicate with you. We also use information about you to consider what financial assistance you may be able to get as a victim of crime, refer you to relevant services or assistance and investigate any system-wide issues that arise from your case.

Sometimes we will use information collected in relation to one complaint or contact made by you to assist with another complaint or enquiry that you make later. This is so we can provide a quick and convenient service to you or answer your questions as soon as we can. We try not to ask you the same questions more than once.

When we collect information for education or training events, we will only use it to keep a record of whether you attended and to keep you informed about our activities (if you opt-in to this process).

We may use information from you for research or to improve services, but we will not publish it without your consent or we will remove your personal information.

5.2. Will we share your information?

We will only share or disclose your information to bodies outside the Commission with your informed consent or where we are allowed or required to by law, including when handling your complaint. Other examples include where:

  • we believe it is necessary to lessen or prevent a serious threat to your or someone else’s life or health or to public safety or health. For example, we may tell health services or the police if someone threatens harm to themselves or others while dealing with us.
  • we believe that sharing it with the police or another law enforcement body is necessary because a law may have been broken or needs to be investigated or detention places such as prisons need to be looked at.
  • we have reason to suspect unlawful activity, or serious misconduct related to what we do.
  • we have a reasonable suspicion that a child is being abused or something else is happening which means we have to make a mandatory report to a child protection or other agency, like the Ombudsman or police.
  • we are required to act on a subpoena, tribunal order or other court order.

5.3. Who will we share your information with?

Service providers – We will share information with service providers when dealing with your complaint or when providing you a service, or otherwise helping you.
We may suggest you contact other service providers, such as community services and legal services so that they can help you. However, we will only release any personal information about you to providers with your consent.

We may also share your information so that service providers can provide answers to any questions you may have more quickly.

Courts and tribunals – If we are asked by a court or tribunal, we may have to share your information.

Government agencies – As we are an independent agency that is separate to the ACT and Australian Governments, we will not normally share your personal information with other government agencies without your agreement unless we have to do so by law or a court order.

Online services – We use third party providers for some web-based services, including SurveyMonkey for online surveys and EventBrite for registration at events organised or hosted by the Commission. This may mean that your information is shared in a secure way with these providers. Information about these services is available in our Online Services Privacy Statement.

Media – We will not provide information that would identify you to the media without your permission.

5.4. Sharing your information between Commissioners

We will normally be able to help you better if we know whether you have recently contacted one of the Commissioner’s teams.

We will generally use your name, address, contact details and the issues you have raised to share information between Commissioners and their teams so that we can help you better.

If a Commissioner receives information about you under an ACT law, they are allowed to share it with another Commissioner and their staff if they believe the other Commissioner needs that information to assist you.

We may also share your information with other Commissioners and their teams if there is a risk or threat to you or someone else’s life, safety, health or wellbeing as allowed by law.

5.5. Will we send personal information overseas?

We use third party providers for some web-based services, including SurveyMonkey for online surveys (see their privacy policy for more information on information stored in the United States and European countries), Mailchimp for newsletters (stored in the United States) and EventBrite for registration at events (stored in the United States). We also use Google Analytics for analysis of that information by service providers based in the United States of America. Web traffic information is disclosed to Google Analytics when you visit the Commission’s websites.

These services collect and host information about your use of their websites (eg your IP address) on servers located overseas in the United States of America and Europe and your ability to complain or take action under Australian law about their use or disclosure of your information is limited. Privacy policies for each are linked above.

Apart from using these services, we do not normally disclose or store your information overseas. If we need to share or store information about you with a body or person overseas, we take reasonable steps before doing so to make sure that they treat your information in a way that is similar to the way to ACT law.

In some cases, the information will already be protected under the law that applies overseas, and you can complain or take action about the misuse or disclosure of your information.

If it is practical and reasonable to do so we will obtain your consent when your information is disclosed overseas. However, there may be situations when we are unable to obtain your consent, for example, where we are legally required to share information.

6. How we hold information about you

We actively take steps to make sure your information is stored securely. We make every effort to protect your personal information.

6.1. How can you access information we hold about you?

You have the right to ask for access to information that we hold about you under several laws, including the:

If you contact us to ask for access to your personal information, we must reply to you in 30 days. We must give you access to your information if it is reasonable and practicable and must do so in an appropriate manner. If documents containing information about you also include personal information about other people, we may take out their information to respect their privacy.

If we do not give you access to information about you, we must tell you why in writing, eg that it is sensitive information under the Children and Young People Act 2008 or information relating to complaints or the Commission’s inquiries under the HRC ACT.

We will not charge you any fees for asking for your information or providing you with it unless there is a fee for the specific information(such as court records).

6.2. What if the information we hold is not correct or out of date?

We must take reasonable steps to make sure information about you that we collect, hold, use or disclose is accurate, up-to-date and complete. We take the following steps to do so:

  • Recording the date we collected your information and confirming your details as appropriate.
  • Promptly updating any changes to your information in our records
  • And, if you have submitted a complaint, keeping you informed about the progress of a complaint you have made at least every six weeks, as required by the HRC Act, which gives you a chance to tell us if there is anything wrong in the information we hold about you.

If you access the personal information, we hold about you and discover it is wrong, you can ask us to correct it. If we have shared this information with another agency, you can ask us to tell them that they also need to correct the personal information.

We may decide not to change information about you, including when it is not personal information. We will write to you within 30 days to explain why we will not change your information and how you can complain about our decision.

6.3. How securely do we store information about you?

We must take reasonable steps to make sure that information we hold about you is safe and secure.

The ACT Protective Security Policy Framework (ACT PSPF) means that all ACT agencies must take steps to protect people, information and assets, at home and overseas.

We have several policies and procedures for the steps we need to take under the ACT PSPF, including:

  • Limiting access to databases containing your information for staff who need it to do their jobs (eg handling complaints, organising events etc.)
  • computer and network firewalls
  • secure logins with password protections
  • restricted access to premises for approved pass-holders only
  • secure storage of paper-based files.

For example, we generally only use USB storage devices to store publicly available information (presentations), which will not contain personal information about you.

6.4. What do we do if we lose or misuse information about you?

We take all reasonable steps not to lose or misuse information about you.

If your information is accidentally released, or is lost, or accessed without authorisation (hacked or misused) we will:

  • act immediately to limit the breach and make sure there is no further compromise of personal information
  • assess the breach by getting the facts and evaluating the risks, including the risk of serious harm to individuals whose information was compromised
  • notify you, and other relevant agencies (such as the police) if your information is affected and serious harm to you is likely as a result
  • identify the cause and implement policies, training and other measures to prevent similar breaches in future.

In view of the steps the Commission and our service providers take to keep your data secure, we do not believe an online security breach is likely to occur. However, we regularly review our processes and data security to minimise this risk.

We are also aware of the risks of natural disaster, and have a Business Continuity Plan so we can protect and access relevant information if we cannot access our records. We also back up data regularly.

6.5. When will we dispose of information about you?

The Commission is required to maintain records of its work under the Territory Records Act 2002. This means that we may keep it as part of our records securely and as allowed by law.

If we hold information about you and we no longer need to use or disclose it or keep it in our records, we will take reasonable steps to stop you from being identified or will destroy it.

7. How can you complain if we get it wrong?

If you are unhappy with how the Commission has handled information about you, you can complain to us in writing (by letter or email). This will help us clearly respond to your complaint.

We will help you lodge your complaint with us if you ask.

You can also contact us with suggestions for how we could better handle your personal information.

7.1. How can you contact us?

The Commission is located on level 2, 11 Moore Street, Canberra ACT.

The Commission is open Monday to Friday, between 9.00am-5.00pm, except on public holidays.

Our mailing address for complaints and other letters is:ACT Human Rights Commission, GPO Box 158, Canberra, ACT, 2601. Our email is: HRCprivacy@act.gov.au.

If you would like help in lodging a complaint, our phone number is: (02) 6205 2222

7.2. How will we handle your complaint?

We will promptly tell you we have received your complaint when we receive it.

We will then consider your complaint to work out how we can appropriately resolve your issue and respond within a reasonable time (normally within four weeks).

7.3. What if you are unsatisfied with how we handle your complaint?

If you are not satisfied with our response, in some circumstances, you can make a formal privacy complaint to the Office of the Australian Information Commissioner (OAIC) who acts as the ACT Information Privacy Commissioner.

The OAIC handles privacy complaints against ACT public sector agencies. For more information, including on making a complaint, you can contact the OAIC.

The OAIC handles privacy complaints against ACT public sector agencies. For more information, including on making a complaint, you can contact the OAIC.
The OAIC’s mailing address is GPO Box 5218 Sydney NSW 2001. Their email is enquiries@oaic.gov.au. For more information, you can visit the Office of the Australian Information Commissioner website.