Privacy Policy

Strategic Planning and Governance
22 May 2017

1. Introduction

1.1. Purpose

The purpose of this policy is to outline how the National Archives of Australia (the Archives) will manage personal information collected in the course of carrying out its business. Personal information is managed in accordance with the Australian Privacy Principles (APPs) as specified in the Privacy Act 1988 (Cth) (Privacy Act).

Definition

In accordance with the Privacy Act personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not’.

Scope

This Policy applies to information in all formats created or received by the Archives in the performance of its business.

Out of Scope

The Policy does not apply to Commonwealth records held in the Archives’ collection. These are administered in accordance with provisions in the Archives Act 1983 (Cth) (Archives Act).

1.2. Objectives

This policy supports the principles outlined in the Privacy Act by promoting and facilitating an understanding of and compliance with the APPs and how they apply in the Archives context. This includes:

  • outlining how the Archives manages the personal information it collects, holds, uses and discloses
  • providing guidance for individuals accessing records containing their personal information and seeking correction of such information
  • outlining how an individual can complain about a breach of the APPs and how the Archives will deal with such a complaint

1.3. Legislative Framework

2. Personal information and the Archives

2.1 Personal information the Archives collects and holds

The Archives will only collect personal information when it is reasonably necessary for, or directly related to, the Archives’ business.

Personal information may be collected by the Archives in the performance of its business, including:

  • personnel and employment records
  • access case files
  • advice to agencies
  • personnel security records
  • Advisory Council records
  • financial management records
  • freedom of information records
  • tender records
  • personal records depositors files
  • correspondence with public and official researchers
  • applications for fellowships and scholarships
  • community consultation and oral histories
  • community survey files

We may also collect or hold a range of sensitive information which is a type of personal information. This includes information or opinion about an individual's:

  • health (including predictive genetic information);
  • racial or ethnic origin;
  • political opinions and association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • sexual orientation or practices;
  • trade or professional associations and memberships;
  • union membership; and
  • criminal record.

The Archives collects sensitive personal information about an individual only with the individual’s consent or if authorised by law to do so. The Archives ensures that any information it collects is relevant for the purpose for which it is collected and is used only for that purpose. Personal information will only be collected by lawful and ‘fair’ means.

The Archives uses forms, online systems and other electronic or paper documentation and will usually collect the information from the individual personally.

Personal information is held in the following ways:

  • Electronic Document & Records Management system e.g. HP Records Manager
  • Client Relationship Management System e.g. Maximiser
  • E-Recruitment System
  • Human Resources System
  • Research Management Systems e.g. RefTracker, E-Commerce and RecordSearch
  • Electronic and Paper files

2.2 Storage and data security

The Archives will take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.

Digital information is protected in systems that comply with the Australian Government Protective Security Policy Framework. Information held in physical formats is secured in locked cabinets and access is restricted to those with a ‘need to know’.

If a data breach occurs the Archives will respond as required by the Office of the Australian Information Commissioner’s Data breach notification – A guide to handling personal information security breaches.

2.3 Records management

Personal information held by the Archives is managed in accordance with the relevant records and information management policies and guidelines and disposed of in accordance with section 24 of the Archives Act.

2.4 Access to and correction of personal information

The Archives is required under APP 12 to provide access on request of the individual to their personal information created or maintained by the Archives. Where access is requested the Archives must respond within 30 days. The Archives must take reasonable steps to provide access in a way that meets the Archives’ needs and the needs of the individual.

If the Archives makes a decision not to grant access to an individual, a written response will be provided listing reasons for the refusal and mechanisms available to complain about the refusal.

Under APP 13 the Archives will take reasonable steps to correct personal information that it collects and holds to ensure that it is accurate, up-to-date, complete, relevant and not misleading. An individual may seek correction of their personal information through a request for amendment to the area of Archives responsible for the information (e.g. People Management and Development (PMC) for personnel and employment records). The Archives will notify the individual of the decision within 30 days and provide written reasons if the request to amend personal information is refused.

2.5 Use and disclosure of personal information

Under APP 6 the Archives uses the personal information it collects for the primary purpose for which it was collected. An example of this is where personal information gathered from a client who approaches the Archives with a reference inquiry is used to respond to the reference inquiry.

The Archives may also use or disclose personal information for reasonably expected secondary purposes permitted under the Privacy Act including requirements or authorisation by law, or through the individual’s consent.

The Archives will notify the individual at the point of collection or as soon as practicable afterwards about disclosures that apply to particular collections of personal information.

The Archives will not usually disclose personal information overseas but in the event it does, the Archives will enter into a contractual arrangement that requires the overseas recipient to handle the personal information in accordance with the APPs.

3. Complaints

3.1. Archives complaint-handling commitment

The Archives is committed to timely and fair resolution of complaints including those relating to compliance with the APPs.

General enquiries about the Archives' compliance with the APPs can be made to the Archives' Privacy Contact Officer who can be contacted at privacy@naa.gov.au

Complaints about the Archives’ personal information handling practices can also be made directly to the Office of the Australian Information Commissioner.

If a complaint is received by the Archives about a breach of the APPs or any registered binding APP code, the Archives will investigate the complaint. The result of the investigation will be documented and communicated to the appropriate parties, including the complainant and/or the individual who is the subject of the personal information. The Archives will examine the processes around the collection, use and disclosure of personal information to ensure issues or gaps are identified and rectified to avoid future breaches.

4. Authorisation

This policy has been approved by:

David Fricker
Director-General
22 May 2017

Copyright National Archives of Australia 2017