Privacy Policy

Strategic Planning and Governance
March 2014

1. Introduction

1.1. Purpose

The purpose of the policy is to outline the obligations of the National Archives of Australia (the Archives) for managing personal information in accordance with the Australian Privacy Principles (APPs) as specified in the Privacy Act 1988 (Cth) (Privacy Act). A summary of the APPs is at Appendix A.

Scope

This Policy applies to records created or received by the Archives in the course of its functions and activities.

Out of Scope

The Policy does not apply to Commonwealth records held in the Archives’ collection. The application of the APPs does not extend to Commonwealth records which are administered in accordance with provisions contained in the Archives Act 1983 (Cth) (Archives Act). However, it is important to note that the Archives takes appropriate steps to safeguard the integrity and authenticity of the collection and associated metadata.

1.2. Objectives

In accordance with APP 1 (1.1), the objectives of this policy are to:

  • support the principles outlined in the Privacy Act by providing general guidance for managing personal information that is collected, held, used and disclosed;
  • define the APPs;
  • promote the management of all personal information in an open and transparent way; and
  • instil an Archives-wide understanding of the principles and how they apply.

1.3. Outline of this policy

The policy explains the Archives’ general information handling practices including information about how the Archives collects, uses, discloses and stores personal information. The Policy assists the Archives to comply with the APPs.

In addition it outlines:

  • the kinds of personal information the Archives collects and holds to support its functions and activities;
  • how the Archives collects, holds, uses and discloses personal information;
  • how an individual may access personal information about themselves that is held in the Archives’ administrative records and seek the correction of such information;
  • how an individual may complain about a breach of the APPs and how the Archives will deal with such a complaint; and
  • whether the Archives is likely to disclose personal information to overseas recipients.

1.4. Legislative Framework

  • Archives Act 1983 (Cth);
  • Public Service Act 1999 (Cth);
  • Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth);
  • Privacy Act 1988 (Cth);
  • Criminal Code Act 1995 (Cth);
  • Freedom of Information Act 1982 (Cth);
  • Human Rights and Equal Opportunity Commission Act 1986 (Cth);
  • Merit Protection (Australian Government Employees) Act 1984 (Cth);
  • Australian Information Commissioner Act 2010 (Cth); and
  • Ombudsman Act 1976 (Cth).

1.5. Who does this policy apply to?

  • An individual whose personal information may be given to or held by the Archives in the records of its functions or activities.
  • Any employee of the Archives.
  • An applicant to the Archives for information under the Freedom of Information Act 1982 (Cth) (FOI Act).
  • A contractor, consultant, volunteer, supplier or vendor of goods or services to the Archives.

1.6. The Privacy Act 1988

The Privacy Act regulates how Commonwealth agencies use, disclose, store and access personal information. In accordance with APP 1 (1.2(a)), the Archives complies with the APPs and takes reasonable steps to implement practices, procedures and systems relating to the Archives’ functions and activities as set out in this policy.

1.7. The Archives and privacy

This policy sets out how the Archives complies with the Privacy Act. The Archives collects personal information through reference enquiries or reading room visits. Personal information is also collected for the purposes of collection management; public programs; social media engagement; e-commerce; people management and development; ICT; international relations/government correspondence and security.

2. Personal information handling practices

2.1. The kinds of personal information the Archives collects and holds

In accordance with APP 1 (1.4(a)), personal information about any individual may be collected by the Archives from the individual, or from a third party. The Archives uses forms, online systems and other electronic or paper documentation to collect personal information. There is a distinction between personal information and ‘sensitive information’ which is outlined below.

The Archives collects and holds over 30 classes of personal information in connection with its business. These classes may include:

  • Records relating to the administration of the Archives
    • Advisory Council records
    • After hours/emergency records
    • Consultant files
    • Financial management records
    • Fraud investigation files
    • Freedom of Information records
    • Mailing and referral lists
    • Personnel and employment records
    • Personnel Security records
    • Tender records
    • Visitor books
    • Volunteer worker records
  • Records relating to functional activities of the Archives
    • applications for fellowships and scholarships
    • community consultation and oral histories
    • community survey files
    • correspondence with researchers
    • details of a person’s research interests and records requested
    • personal records depositors files
    • reader registration
    • review of access decision files
    • special access case files

Personal information - Sensitive

The Archives will not ask for information which it does not need to conduct its business. Sensitive personal information includes information or opinion about an individual's:

  • racial or ethnic origin;
  • political opinions and association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • sexual preferences or practices;
  • trade or professional associations and memberships;
  • union membership;
  • criminal record; and
  • health or genetic information.

The Archives will not collect this personal information unless the individual consents and the information is reasonably necessary or directly related to the Archives’ functions or activities.

The Archives ensures that any information it collects is relevant for the purpose for which it is collected. The Archives will only collect personal information by lawful and ‘fair’ means and will generally collect the information from the individual personally.

2.2. Authority and purpose for which the Archives collects personal information

In accordance with APP 1 (1.4(c)), the purpose for which the Archives collects personal information is to allow the Archives to achieve the objects of the Archives Act (s 2A), which provide that the Archives’ functions include:

  • identifying the archival resources of the Commonwealth;
  • preserving and making publicly available the archival resources of the Commonwealth;
  • overseeing Commonwealth record-keeping, by determining standards and providing advice to Commonwealth institutions; and
  • imposing record-keeping obligations in respect of Commonwealth records.

Some examples of other types of personal information the Archives collects are:

  • Applications for employment including résumés, statements addressing the criteria and referee reports.
  • Written tasks undertaken by the employee during the selection process.
  • Notes from the selection committee during the selection process.
  • The employee's employment contract and other records relating to their terms and conditions of employment.
  • Details of financial and other personal interests supplied by some employees and their immediate family members for the purpose of managing perceived or potential conflicts of interest.
  • Proof of Australian citizenship.
  • Certified copies of academic qualifications.
  • Records relating to the employee's salary benefits and leave.
  • Medical certificates or health related information supplied by an employee or their medical practitioner.
  • Contact details.
  • Taxation details.
  • Superannuation contributions.
  • Information relating to the employee's training and development.

2.3. About personal information we collect

The personal information collected in connection with the operations of the Archives may include:

  • Name and contact details of individuals seeking access to or making an inquiry about the collection.
  • Mailing lists for distributing information.
  • Name, email address, phone number, mailing address, workplace – bookings for public events and school visits.
  • Name, locality/state – visitor’s books for voluntary feedback/complaints.
  • Age, gender, English as a Second Language, whether Aboriginal or Torres Strait Islander descent, postcode, name, email address, workplace – evaluation of public programs and school visits/audience profiling.

2.4. How the Archives holds personal information

In accordance with APP 1 (1.4(b)), the Archives may hold personal information in the following ways:

  • Electronic document and records management system, for example TRIM or Microsoft Access.
  • Client Relationship Management system, for example Maximiser.
  • E-Recruitment system.
  • Human Resources system.
  • Research management systems, for example RefTracker and RecordSearch.
  • Electronically or in paper files.

The Archives takes steps to ensure that the personal information we collect is accurate, up to date and complete and secured appropriately. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.

2.5. Access to and correction of personal information

In accordance with APP 1 (1.4(d)), the following information outlines how an individual may access their own personal information that is created or maintained by the Archives in carrying out its functions and activities and how an individual may seek correction of such information.

Access to personal information – APP 12

Individuals have a right under APP 12 of the Privacy Act to access personal information about themselves created or maintained by the Archives in carrying out its functions. The right of access is subject to relevant exemptions in other legislation such as the FOI Act. The Privacy Act requires agencies to notify an individual of a decision in relation to a request within 30 days of receipt of the request. Agencies must also give written reasons for a refusal to provide information.

Amendment of personal information – APP 13

The Archives will take reasonable steps to correct personal information that it collects and holds for business purposes to ensure that it is accurate, up-to-date, complete, relevant and not misleading. It is important to note that the APPs apply to records created by the Archives in the course of its functions or activities and do not extend to Commonwealth records in the Archives’ collection, which are administered in accordance with provisions contained in the Archives Act.

Individuals can request information the Archives holds about them to be corrected. The Archives has a statutory obligation to notify an individual of the decision within 30 days and must provide written reasons if the request to amend personal information is refused.

2.6. Use and disclosure of personal information

APP 6 provides the Archives with guidance about the use and disclosure of personal information. The Archives holds personal information that is collected for a particular business purpose and will not use or disclose it for another purpose, unless the individual provides consent to disclosure, or disclosure falls within the guidelines set out in 6.3 and 6.4 of APP 6 in the Privacy Act. The Archives will always consider the information and will determine whether it is being used or disclosed for the purpose for which it was collected.

The Archives uses information it collects, including personal information, for the primary purpose for which it was collected. For example, personal information gathered from a client who approaches the Archives with a reference inquiry is used to respond to the reference inquiry.

The Archives may also use or disclose personal information for reasonably expected secondary purposes directly related to the primary purpose or for other purposes permitted under the Privacy Act, including where the use or disclosure is required or authorised by law or where the individual concerned has consented to the use or disclosure.

2.7. Disclosure of personal information to foreign recipients

The Archives may interact with foreign organisations.

APP 8 places obligations on the Archives relating to the disclosure of personal information to overseas entities. If personal information is disclosed overseas the Archives will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.

2.8. Accidental or unauthorised disclosure of personal information

The Archives protects personal information it holds and will take seriously, and deal promptly with, any accidental or unauthorised disclosure of personal information.

Internal auditing of the processes that enable the disclosure of information, coupled with an effective customer feedback system, ensures that any accidental disclosure of personal information by the Archives is identified quickly and remedied promptly.

External service providers who handle personal information about the Archives staff or other individuals are bound contractually to comply with the requirements of the Privacy Act. Any possibility of unauthorised disclosure by staff, contractors or service providers is also covered by the following legislation:

  • Archives employees are subject to the Public Service Act 1999, the Public Service Regulations 1999 and the Australian Public Service (APS) Values and Code of Conduct. If employees disclose official information without authority they may face disciplinary sanctions including, in the most serious cases, termination of employment; and
  • current and former employees and service providers are generally covered by the Crimes Act 1914 which provides criminal penalties for unauthorised disclosure of official information. The Criminal Code Act 1995 provides for similar penalties if former employees dishonestly use official information gained during their employment to benefit themselves or others or to cause harm to another person.

2.9. Data quality

The Archives maintains and updates personal information as necessary or when we are advised by individuals that their personal information has changed.

The Archives will remove contact information of individuals who advise us that they no longer wish to be contacted.

2.10. Storage and data security

APP 11 requires the Archives to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.

Personal information collected is held electronically and on paper files.

The Archives protects the personal information held against loss, unauthorised access, use, modification or disclosure, and against other misuse. For example, password protection is implemented for accessing electronic IT systems, paper files are secured in locked cabinets and physical access is restricted.

2.11. Records management

Personal information received, collected and stored by the Archives will in almost all cases be considered a Commonwealth record. The ongoing management of these records will be carried out in line with the relevant records and information management policies and guidelines and disposed of in accordance with s 24 of the Archives Act. The grounds on which this may be done include ‘normal administrative practice’ or under arrangements as set out in the National Archives Records Authority or other relevant general records authorities (such as Administrative Functions Disposal Authority).

2.12. Our websites

The Privacy Statement available on the Archives’ website explains the privacy aspects of data, web analytics, cookies and email.

2.13. Email communication

There are inherent risks associated with the transmission of information over the internet, including via email. Archives staff should be aware of this when sending personal information via email. If this is of concern then other methods of communication such as post, fax, or phone should be used.

When information (including an email) is created, the originator is required to assess the consequences of damage from unauthorised use or compromise of the information. If adverse consequences could occur or the Archives is legally required to protect the information it is to be given a protective marking.

Official information not needing a protective marking should be marked 'Unclassified'.

Emails are to be marked:

  • 'Unofficial';
  • 'Unclassified';
  • or with a Dissemination Limiting Marker (DLM).

DLMs are markings to be applied to emails where disclosure of the content of the email (including attachments) may be limited or prohibited by legislation, or where it may otherwise require special handling. The DLMs that can be used on the Archives email system are:

  • For-Official-Use-Only (used on 'unclassified' information only);
  • Sensitive;
  • Sensitive: Legal; and
  • Sensitive: Personal.

3. Complaints

3.1. Archives complaint-handling commitment

In accordance with APP 1 (1.2(b)), the Archives will take reasonable steps in the circumstances to deal with enquiries or complaints about compliance with the APPs. The Archives will send a considered response to complaints or suggestions within 30 days where contact details are provided. The Archives is committed to quick and fair resolution of complaints and will ensure complaints are taken seriously. In accordance with APP 2, the Archives will where practicable accept complaints where the complainant has not identified themselves, or where they choose to use a pseudonym.

3.2. How to make a complaint

In accordance with APP 1 (1.4(e)), an individual may complain about a breach of the APPs. General enquiries about the Archives' compliance with the APPs can be made to the Archives' Privacy Contact Officer who can be contacted at privacy@naa.gov.au or by writing to:

Privacy Contact Officer
National Archives of Australia
PO Box 7425
Canberra Business Centre ACT 2610
Australia

3.3. How to make a complaint to the Federal Privacy Commissioner

Any complaints about the Archives’ personal information handling practices can be made to the Privacy Contact Officer (above) or to the Office of the Australian Information Commissioner.

4. The Archives and APP2

APP 2 provides that agencies must allow individuals to have the option of dealing anonymously or by pseudonym. As stated above in 3.1, the Archives will where practicable apply APP 2 when an individual wishes to make a complaint.

However, the Archives acknowledges that it may not be practicable to accept anonymous requests if compliance with this provision would have a serious practical and procedural impact for the Archives relating to the safeguarding of its collection or the provision of equitable services.

Individuals wishing to access the information anonymously or by pseudonym can contact the Archives’ Privacy Contact Officer to discuss.

5. Privacy Policy updates

In accordance with APP 1 the Archives reviews this policy annually.

6. How to contact the Archives

In accordance with APP 1 (1.5(a)-(b)), an individual may contact the Archives’ Privacy Contact Officer to:

  • obtain access to their personal information;
  • make a complaint about a breach of their privacy;
  • query how their personal information is collected, used or disclosed;
  • request a free copy of the privacy policy; or
  • ask questions about the Archives’ privacy policy.

Telephone +61 2 6212 3600 (callers within Australia)
Speak and Listen users phone 1300 555 727 then ask for 02 6212 3900
Internet Relay users connect to the National Relay Service then enter 02 6212 3900
Fax +61 2 6212 3649
Email privacy@naa.gov.au

The Archives’ Privacy Contact Officer can be contacted at any of the contact points above, or by sending a letter to:

Privacy Contact Officer
National Archives of Australia
PO Box 7425
Canberra Business Centre ACT 2610
Australia

7. Authorisation

This policy has been approved by:

Lennard Marsden
Assistant Director-General
Executive and Information Services
National Archives of Australia

10 March 2014

Appendix A

Australian Privacy Principles - A summary for APP entities

From the Office of the Australian Information Commissioner. From 12 March 2014. For private sector organisations, Australian Government, ACT Government and Norfolk Island agencies covered by the Privacy Act 1988.

APP 1 - Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 - Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 - Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of 'sensitive' information.

APP 4 - Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

APP 5 - Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 6 - Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 - Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 - Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

APP 9 - Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 - Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 - Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 - Access to personal information

Outlines an APP entity's obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

APP 13 - Correction of personal information

Outlines an APP entity's obligations in relation to correcting the personal information it holds about individuals.

Copyright National Archives of Australia 2017