The Australian Law Reform Commission (ALRC) must comply with standards set out in the Privacy Act 1988 (Cth) (the Privacy Act).
The Privacy Act establishes the Australian Privacy Principles (APPs) as the minimum legal standard federal agencies are required to meet in handling personal information. The APPs regulate the way in which the ALRC must collect, store, use and disclose information about people. They include requirements that:
- agencies must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities;
- people be told why information is being collected;
- people have access to personal information about them;
- personal information only be used for the purpose for which it was collected; and
- personal information not be disclosed except to the person concerned.
There are exceptions to the general rules, including that further things can be done with the consent of the individual concerned.
Forms used to collect personal information
All forms used by the ALRC to collect personal information shall include a notice specifying why the information is necessary, how that information will be used, whether the information will be kept and where it will be stored, and to whom the information will be disclosed.
This includes paper based forms, fax back forms and forms available on the ALRC website used in relation to sending publications, obtaining subscriptions, seeking general information about the ALRC or a particular reference, and any recruitment related forms.
The ALRC will comply with the Guidance for agency websites: ‘Access to information’ web page developed by the Office of the Australian Information Commissioner. In particular, the ALRC will:
- incorporate on the website a Privacy Statement or Policy stating what information is collected, for what purpose and how this information is used, and if it is disclosed to whom; and
- where personal information is collected, ensure it is collected by secure means or that users are otherwise warned that secure means are not available.
The ALRC uses ‘cookies’ for maintaining contact with a user through a website session. A cookie is a small file supplied by our web server and stored by the web browser software on your computer when you access this site. An explanation of cookies can be found at the site of the Office of the Australian Information Commissioner. Cookies allow us to recognise you as an individual as you move from one of our web pages to another.
Depending on your internet settings, usually all cookies will be immediately deleted when you end your internet session and shut down your computer. Our copy of your information will be automatically deleted twenty minutes after you last used the system. This information is only used to help you use our website systems more efficiently, for example by maintaining a record of what text size you prefer to view pages in, not to track your movements through the internet, or to record private information about you.
Collection of database information
Information stored in ALRC databases may come from a variety of sources including:
- information collected from a publicly available source; or
- information collected from an individual where the individual was made aware of why the information was collected, the purpose for which the information would be used, and who would have access to the information.
In some cases individuals may provide their personal information for inclusion in an ALRC database without full disclosure of the privacy practices surrounding the collection and use of the information. In such cases it should be assumed under ALRC policy that:
- the information was collected consistent with the purpose for which the individual agreed to provide their personal information; and
- the information will not be disclosed outside of the ALRC without the prior approval of the individual.
Use and disclosure of database information
Each entry on an ALRC database is to include identification of the purpose for which the information was collected (eg in relation to a specific reference, for general ALRC information, or in relation to Reform subscriptions). Any use of the information within a database must be consistent with the identified purpose for which the information was collected.
The ALRC is not to disclose to an external person or organisation the information contained in its databases without prior approval of each individual concerned.
If approached by another organisation to make use of an ALRC database to distribute information, the ALRC must consider whether distribution of that information would be consistent with the purposes for which the database was established. Where the purpose would be consistent, the ALRC may undertake to distribute the information on behalf of the organisation or to provide ready-printed mailing labels under agreement that the other organisation will not seek to incorporate the information in the labels into their own information systems. Under no circumstances is the ALRC to provide the database information to the other organisation in an accessible and reusable format.
Updating database information
The ALRC will make reasonable attempts to keep databases up-to-date.
If a person asks to be removed from an ALRC database, the ALRC must comply with this request.
If the ALRC has no future use for database information that is consistent with the purpose for which it was collected, the information should be deleted.
Personnel records containing personal information about current and past Commissioners and staff members are treated as confidential records. Access to the records is restricted to those staff who must handle the records in order to properly fulfil their responsibilities. They are kept for 10 years after the individual leaves the Commission.
Personal information contained in personnel records will not be disclosed to an external organisation except where required for authorised purposes or with the consent of the individual concerned. Disclosure to a partner or family member will only take place with the approval of the individual concerned, where the information is necessary to prevent or lessen a death or injury, or where required by law.
ALRC personnel files are the property of the ALRC, not the individual. Where an individual seeks information that is on their personnel files, they should first make a request to the Payroll Officer.
It is also possible to make a formal request to the ALRC under the Privacy Act or the Freedom of Information Act 1982 (Cth). Under these Acts, individuals are entitled to access documents that contain personal information about themselves. Under the Freedom of Information Act 1982 (Cth), individuals are also entitled to request that the information be amended if it is incomplete, incorrect, misleading or out of date.
The ALRC is required to comply with the Privacy Act and the Privacy (Tax File Number) Rule 2015. The ALRC also complies with guidance provided by the Office of the Australian Information Commissioner in relation to the handling of Tax File Numbers. In particular:
- Tax File Numbers should only be collected for purposes authorised by taxation, superannuation, or related laws;
- individuals have the right to refuse to disclose their Tax File Number, but the ALRC has the responsibility of advising of the consequences of non-disclosure; and
- Tax File Numbers should not be disclosed except to authorised bodies.
Concerns regarding the handling by the ALRC of personal information in personnel records should first be directed to the Executive Director.
Responsibility for privacy matters
The ALRC has a Privacy Contact Officer who is responsible for:
- ongoing monitoring of the ALRC’s privacy obligations;
- dealing with external queries or complaints about the way in which the ALRC handles personal information;
- processing formal requests to access or amend personal information contained in ALRC records;
- liaison with the Office of the Australian Information Commissioner in relation to privacy matters.
The Privacy Contact Officer for the ALRC can be contacted at firstname.lastname@example.org