- Our privacy obligations
- AHL has obligations for handling personal information as outlined in the:
- Privacy Act 1988 (Cth);
- Australian Privacy Principles (APPs)
- Australian Government Agencies Privacy Code (the Privacy Code); and
- Archives Act 1983 (the Archives Act).
1.3 The Privacy Act legislates the way in which the AHL collects, stores, provides access to, amends, uses and discloses an individual’s personal and sensitive information.
- What is privacy?
- AHL will often require individuals to provide certain personal and sensitive information so that we can provide them with particular products and services as a customer (resident) or manage their employment with AHL.
- The Privacy Act does not regulate an Agency’s information. It only regulates information relating to individuals.
- As an individual you have a right to know:
- when your personal and sensitive information is being collected by AHL;
- who will have access to this information;
- what the information will be used for;
- how it will be stored and for how long; and
- whether it will be disclosed to someone other than AHL.
- What certain terms in this policy mean
3.1 Personal and sensitive information
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Sensitive information is a subset of personal information and includes information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinions;
- religious beliefs or affiliations;
- philosophical beliefs;
- sexual orientation;
- criminal record;
- health information;
- Centrelink information (social welfare); and
- genetic information.
Sensitive information that AHL holds is subject to extra protection under the Privacy Act.
- How we collect personal information
- AHL may collect personal information from a person directly, or their authorised representative, or via a third party if permitted by law. We may collect personal information in a range of ways, including through surveys, email and phone communication, forms or notices, online portals, and via our website.
- Dealing with AHL without being identified or using a pseudonym
5.1 We will allow you to remain anonymous or use a pseudonym if you wish, when dealing with AHL unless it is impractical or not possible to do so (not possible for residents staying at AHL hostels). Situations where you do not have to identify yourself or you can use a pseudonym may include when you seek general information from AHL or where making a complaint or providing feedback. Identification will generally only be necessary where it would be appropriate or necessary to identify yourself.
- How we safeguard personal information
6.1 AHL takes seriously its obligations to protect the personal information it holds. We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include:
- classifying and storing records securely as per Australian government security guidelines;
- Internal access to information is on a ‘need to know’ basis and only by authorised personnel;
- monitoring system access which can only be accessed by authenticated credentials;
- ensuring our buildings are secure; and
- regularly updating and auditing our storage and data security systems.
6.3 If personal information that we hold is lost, or subject to unauthorised access or disclosure, we will respond in line with the Office of the Australian Information Commissioner's Data breach preparation and response —a guide to managing data breaches in accordance with the Privacy Act. We aim to provide timely advice to affected individuals if a data breach is likely to result in serious harm.
- The types of information we hold
7.1 In performing our functions, AHL may collect and hold the following kinds of personal and sensitive information:
- identity and contact details for individuals (e.g. name, phone, email and postal address),
- photographs, video recordings and audio recordings of individuals,
- information relating to personal circumstances (e.g. age, gender, community of origin, cultural and linguistic background, disabilities and other family circumstances including spouses, carers and dependents),
- information relating to financial affairs (e.g. payment details, bank account details),
- other information relating to identity (e.g. date of birth, drivers licence),
- information about employment (e.g. employment status and work history, education status, referee comments, salary), and
- government identifiers (e.g. tax file number and Centrelink information).
7.2 We may also collect information about how you use our online services and applications. For example, we use social networking services such as Facebook, Twitter and LinkedIn to talk with the public and our staff. When you talk with us using these services we may collect your personal information to communicate with you and the public. These social networking services will also handle your personal information for their own purposes. These services have their own privacy policies. You can access the privacy policies for these services on their websites.
- How we use and disclose information
- AHL may use and disclose collected personal information for the purpose it was first collected. We will take reasonable steps to give you information about the reason for collection at the time of collection, or as soon as possible. AHL will only use and disclose your personal information for a secondary purpose if APP 6 allows it.
Australian Privacy Principle 6 — use or disclosure of personal information
Use or disclosure
6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
- the individual has consented to the use or disclosure of the information; or
- subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.
- It should be noted that regulation 9.2 of the Public Service Regulations 1999 provides authority for personal information about APS employees to be disclosed by AHL in the exercise of certain powers.
PUBLIC SERVICE REGULATIONS 1999 - REG 9.2
Use and disclosure of personal information (Act s 72E)
(1) For paragraph 72E(a) of the Act, an Agency Head may use personal information in the possession, or under the control, of the Agency Head, if the use is necessary for, or relevant to, the performance or exercise of the employer powers of the Agency Head.
(2) For paragraph 72E(a) of the Act, an Agency Head may disclose personal information in the possession, or under the control, of the Agency Head if the disclosure is necessary for, or relevant to:
(a) the performance or exercise of the employer powers of the Agency Head or another Agency Head; or
(b) the exercise of a power or performance of a function of the Australian Public Service Commissioner; or
(c) the exercise of a power or performance of a function of the Merit Protection Commissioner; or
(d) the performance of a function of an ISAC.
We may disclose personal information to overseas entities (such as a foreign government or agency) where this is a necessary part of our work. We will only do this with your consent or in other circumstances allowed by APP 8.
Australian Privacy Principle 8 — cross-border disclosure of personal information
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
- who is not in Australia or an external Territory; and
- who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
8.3 We may also use third party providers or website such as Facebook, Twitter, Campaign Monitor, LinkedIn, YouTube and others to deliver or otherwise communicate content. Such third-party sites have their own privacy policies and may send their own cookies to your computer. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.
- When using our website
9.3 Please note, by using our website, you consent to the processing of data about you by Google in the manner described in 'How Google uses data when you use our partners' sites or apps' which is located at www.google.com/policies/privacy/partners/ (or any other URL Google may provide from time to time). You can configure your browser to accept or reject all cookies, including opting-out of Google Analytic cookies at: https://tools.google.com/dlpage/gaoptout .
9.4 Our website may also use third party social media and video websites (such as, Youtube, Facebook and Twitter). We do not collect or use any information stored in the cookies set by any of those websites. For further information about how they use their cookies, please refer to those third-party websites/applications.
- Accessing and correcting personal information
- AHL allows individuals to have access to their personal information that we hold and we will correct an individual’s personal information if it is inaccurate (subject to restrictions on such access/alteration of records under the applicable provisions of any law of the Commonwealth).
- To request access to, or correction of, your personal information please contact our Privacy Officer. Discussing your request with our Privacy Officer will help us give you early guidance about your request. This may include guidance about whether your request is best dealt with under the Privacy Act, the FOI Act or another arrangement.
- The Freedom of Information Act 1982 also provides an opportunity to request access to documents in the possession of AHL. An individual who wishes to access the personal information the agency holds about them and to seek correction of that information can email their request to firstname.lastname@example.org.
- Privacy Impact Assessments
11.1 The Privacy (Australian Government Agencies – Governance) Australian Privacy Principles Code 2017 (the Code) requires agencies, including AHL, to conduct a Privacy Impact Assessment (PIA) for all high privacy risk projects. A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
11.2 PIAs completed by AHL, since the Code commenced on 1 July 2018, are listed in the table below.
- Overseas Disclosure
12.1 If personal information is sent, used, held or stored overseas, we will take reasonable steps to ensure that any service providers are carefully chosen and have policies, procedures and systems in place to ensure your personal information is otherwise handled in accordance with the Privacy Act.
12.2 Where we use cloud infrastructure provided by a third party, to protect your personal information, AHL:
- takes contractual measures to ensure its providers do not do anything that would breach an Australian Privacy Principle; and
- requires its providers have appropriate security measures in place, including ensuring no unauthorised party is allowed physical or electronic access to the cloud infrastructure.
13.1 Privacy Officer
The Privacy Officer is the primary point of contact for advice on privacy matters and is responsible for:
- handling of internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Act;
- maintaining a record of AHL’s personal information holdings;
- assisting with the preparation of privacy impact assessments (PIAs);
- maintaining AHL’s register of PIAs; and
- measuring and documenting AHL’s performance against its privacy management plan (PMP) at least annually.
13.2 Privacy Champion
The Privacy Champion is AHL’s Chief Financial Officer and Company Secretary who is responsible for:
- promoting a culture of privacy within AHL that values and protects personal information;
- providing leadership within AHL on broader strategic privacy issues;
- reviewing and/or approving AHL’s PMP, and documented reviews of AHL’s progress against the PMP; and
- providing regular reports to AHL’s executive, including about any privacy issues arising from AHL’s handling of personal information.
Contact AHL’s Privacy Officer if you want to:
- obtain access to or seek correction of your personal information held by AHL; or
- make a privacy complaint about AHL.
- How to make a privacy complaint
- AHL has a formal complaint management process for privacy complaints. If you are not satisfied with how we have collected, held, used or disclosed your personal information, you can make a formal complaint to our Privacy Officer on the details listed above.
14.2 You have the option to remain anonymous, although this may inhibit AHL’s ability to appropriately investigate your concerns.
14.3 In responding to enquiries and complaints, AHL takes all reasonable steps to ensure it does not disclose personal information inappropriately.
14.4 Your complaint should include:
A short description of your privacy concern,
- any action or dealings you have had with staff of the Department to address your concern; and
- your preferred contact details so we can contact you about your complaint.
If we do not resolve your privacy complaint to your satisfaction, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
14.5 The OAIC can receive privacy complaints through:
- the online Privacy Complaint form (refer to the OAIC’s website)
- by email (email that is not encrypted can be copied or tracked) at email@example.com
- by mail (if a person has concerns about postal security, they might want to consider sending their complaint by registered mail):
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
- by fax: 02 9284 9666.
14.6 AHL will review this policy periodically to ensure that it continues to provide transparent and current information about how AHL’s policies and practices affect your personal and sensitive information
- Privacy Management Plan (PMP)
15.1 AHL maintains a PMP that identifies its specific, measurable privacy targets and goals. The PMP also explains how AHL meets its compliance obligations under APP 1.2.
15.2 The AHL PMP is updated as needed throughout the year and reviewed annually. Following the annual review, a report on AHL’s performance against the PMP is published on the AHL website.
Schedule A- Australian Privacy Principles Quick Reference Guide
Open and transparent management of personal information
Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
Collection of solicited personal information
Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters.
Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
Adoption, use or disclosure of government related identifiers
Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
Access to personal information
Correction of personal information