Strategic Planning and Governance
The purpose of the policy is to outline the obligations of the National Archives of Australia (the Archives) for managing personal information in accordance with the Australian Privacy Principles (APPs) as specified in the Privacy Act 1988 (Cth) (Privacy Act). A summary of the APPs is at Appendix A.
This Policy applies to records created or received by the Archives in the course of its functions and activities.
The Policy does not apply to Commonwealth records held in the Archives’ collection. The application of the APPs does not extend to Commonwealth records which are administered in accordance with provisions contained in the Archives Act 1983 (Cth) (Archives Act). However, it is important to note that the Archives takes appropriate steps to safeguard the integrity and authenticity of the collection and associated metadata.
In accordance with APP 1 (1.1), the objectives of this policy are to:
The policy explains the Archives’ general information handling practices including information about how the Archives collects, uses, discloses and stores personal information. The Policy assists the Archives to comply with the APPs.
In addition it outlines:
The Privacy Act regulates how Commonwealth agencies use, disclose, store and access personal information. In accordance with APP 1 (1.2(a)), the Archives complies with the APPs and takes reasonable steps to implement practices, procedures and systems relating to the Archives’ functions and activities as set out in this policy.
This policy sets out how the Archives complies with the Privacy Act. The Archives collects personal information through reference enquiries or reading room visits. Personal information is also collected for the purposes of collection management; public programs; social media engagement; e-commerce; people management and development; ICT; international relations/government correspondence; and security.
In accordance with APP 1 (1.4(a)), personal information about any individual may be collected by the Archives from the individual, or from a third party. The Archives uses forms, online systems and other electronic or paper documentation to collect personal information. There is a distinction between personal information and ‘sensitive information’ which is outlined below.
The Archives collects and holds over 30 classes of personal information in connection with its business. These classes may include:
The Archives will not ask for information which it does not need to conduct its business. Sensitive personal information includes information or opinion about an individual's:
The Archives will not collect this personal information unless the individual consents and the information is reasonably necessary or directly related to the Archives’ functions or activities.
The Archives ensures that any information it collects is relevant for the purpose for which it is collected. The Archives will only collect personal information by lawful and ‘fair’ means and will generally collect the information from the individual personally.
In accordance with APP 1 (1.4(c)), the purpose for which the Archives collects personal information is to allow the Archives to achieve the objects of the Archives Act (s 2A), which provide that the Archives’ functions include:
Some examples of other types of personal information the Archives collects are:
The personal information collected in connection with the operations of the Archives may include:
In accordance with APP 1 (1.4(b)), the Archives may hold personal information in the following ways:
The Archives takes steps to ensure that the personal information we collect is accurate, up to date and complete and secured appropriately. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.
In accordance with APP 1 (1.4(d)), the following information outlines how an individual may access their own personal information that is created or maintained by the Archives in carrying out its functions and activities and how an individual may seek correction of such information.
Individuals have a right under APP 12 of the Privacy Act to access personal information about themselves created or maintained by the Archives in carrying out its functions. The right of access is subject to relevant exemptions in other legislation such as the FOI Act. The Privacy Act requires agencies to notify an individual of a decision in relation to a request within 30 days of receipt of the request. Agencies must also give written reasons for a refusal to provide information.
The Archives will take reasonable steps to correct personal information that it collects and holds for business purposes to ensure that it is accurate, up-to-date, complete, relevant and not misleading. It is important to note that the APPs apply to records created by the Archives in the course of its functions or activities and do not extend to Commonwealth records in the Archives collection which are administered in accordance with provisions contained in the Archives Act.
Individuals can request information the Archives holds about them to be corrected. The Archives has a statutory obligation to notify an individual of the decision within 30 days and must provide written reasons if the request to amend personal information is refused.
APP 6 provides the Archives with guidance about the use and disclosure of personal information. The Archives holds personal information that is collected for a particular business purpose and will not use or disclose it for another purpose, unless the individual provides consent to disclosure, or disclosure falls within the guidelines set out in 6.3 and 6.4 of APP 6 in the Privacy Act. The Archives will always consider the information and will determine whether it is being used or disclosed for the purpose for which it was collected.
The Archives uses information it collects, including personal information, for the primary purpose for which it was collected. For example, personal information gathered from a client who approaches the Archives with a reference inquiry is used to respond to the reference inquiry.
The Archives may also use or disclose personal information for reasonably expected secondary purposes directly related to the primary purpose or for other purposes permitted under the Privacy Act, including where the use or disclosure is required or authorised by law or where the individual concerned has consented to the use or disclosure.
The Archives may interact with foreign organisations.
APP 8 places obligations on the Archives relating to the disclosure of personal information to overseas entities. If personal information is disclosed overseas the Archives will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.
The Archives protects personal information it holds and will take seriously, and deal promptly with, any accidental or unauthorised disclosure of personal information.
Internal auditing of the processes that enable the disclosure of information, coupled with an effective customer feedback system, ensures that any accidental disclosure of personal information by the Archives is identified quickly and remedied promptly.
External service providers who handle personal information about the Archives staff or other individuals are bound contractually to comply with the requirements of the Privacy Act. Any possibility of unauthorised disclosure by staff, contractors or service providers is also covered by the following legislation:
The Archives maintains and updates personal information as necessary or when we are advised by individuals that their personal information has changed.
The Archives will remove contact information of individuals who advise us that they no longer wish to be contacted.
APP 11 requires the Archives to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
Personal information collected is held electronically and on paper files.
The Archives protects the personal information held against loss, unauthorised access, use, modification or disclosure, and against other misuse. For example, password protection is implemented for accessing electronic IT systems, paper files are secured in locked cabinets and physical access is restricted.
Personal information received, collected and stored by the Archives will in almost all cases be considered a Commonwealth record. The ongoing management of these records will be carried out in line with the relevant records and information management policies and guidelines and disposed of in accordance with s 24 of the Archives Act. The grounds on which this may be done include ‘normal administrative practice’ or under arrangements as set out in the National Archives Records Authority or other relevant general records authorities (such as Administrative Functions Disposal Authority).
The Privacy Statement available on the Archives’ website explains the privacy aspects of data, web analytics, cookies and email.
There are inherent risks associated with the transmission of information over the internet, including via email. Archives staff should be aware of this when sending personal information via email. If this is of concern then other methods of communication such as post, fax, or phone should be used.
When information (including an email) is created, the originator is required to assess the consequences of damage from unauthorised use or compromise of the information. If adverse consequences could occur or the Archives is legally required to protect the information it is to be given a protective marking.
Official information not needing a protective marking should be marked 'Unclassified'.
Emails are to be marked:
DLMs are markings to be applied to emails where disclosure of the content of the email (including attachments) may be limited or prohibited by legislation, or where it may otherwise require special handling. The DLMs that can be used on the Archives email system are:
In accordance with APP 1 (1.2(b)), the Archives will take reasonable steps in the circumstances to deal with enquiries or complaints about compliance with the APPs. The Archives will send a considered response to complaints or suggestions within 30 days where contact details are provided. The Archives is committed to quick and fair resolution of complaints and will ensure complaints are taken seriously. In accordance with APP 2, the Archives will where practicable accept complaints where the complainant has not identified themselves, or where they choose to use a pseudonym.
In accordance with APP 1 (1.4(e)), an individual may complain about a breach of the APPs. General enquiries about the Archives' compliance with the APPs can be made to the Archives' Privacy Contact Officer who can be contacted at email@example.com or by writing to:
Privacy Contact Officer
National Archives of Australia
PO Box 7425
Canberra Business Centre ACT 2610
Any complaints about the Archives’ personal information handling practices can be made to the Privacy Contact Officer (above) or to the Office of the Australian Information Commissioner.
APP 2 provides that agencies must allow individuals to have the option of dealing anonymously or by pseudonym. As stated above in 3.1, the Archives will where practicable apply APP 2 when an individual wishes to make a complaint.
However, the Archives acknowledges that it may not be practicable to accept anonymous requests if compliance with this provision would have a serious practical and procedural impact for the Archives relating to the safeguarding of its collection or the provision of equitable services.
Individuals wishing to access the information anonymously or by pseudonym can contact the Archives’ Privacy Contact Officer to discuss.
In accordance with APP 1 the Archives reviews this policy annually.
In accordance with APP 1 (1.5(a)-(b)), an individual may contact the Archives’ Privacy Contact Officer to:
Telephone +61 2 6212 3600 (callers within Australia)
Speak and Listen users phone 1300 555 727 then ask for 02 6212 3900
Internet Relay users connect to the National Relay Service then enter 02 6212 3900
Fax +61 2 6212 3649
The Archives’ Privacy Contact Officer can be contacted at any of the contact points above, or by sending a letter to:
Privacy Contact Officer
National Archives of Australia
PO Box 7425
Canberra Business Centre ACT 2610
This policy has been approved by:
Executive and Information Services
National Archives of Australia
10 March 2014
From the Office of the Australian Information Commissioner. From 12 March 2014. For private sector organisations, Australian Government, ACT Government and Norfolk Island agencies covered by the Privacy Act 1988.
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of 'sensitive' information.
Outlines how APP entities must deal with unsolicited personal information.
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
Outlines an APP entity's obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
Outlines an APP entity's obligations in relation to correcting the personal information it holds about individuals.