This purpose of this policy is to outline how the National Archives of Australia will manage personal information collected in the course of carrying out its business. Personal information is managed in accordance with the Australian Privacy Principles (APPs) as specified in the Privacy Act 1988 (Cth) (Privacy Act).
In accordance with the Privacy Act personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not’1.
This Policy applies to information in all formats created or received by the National Archives in the performance of its business.
Out of Scope
The Policy does not apply to Commonwealth records held in the National Archives’ collection. These are administered in accordance with provisions in the Archives Act 1983 (Cth) (Archives Act).
This policy supports the principles outlined in the Privacy Act by promoting and facilitating an understanding of and compliance with the APPs and how they apply in the Archives context. This includes:
- outlining how the National Archives manages the personal information it collects, holds, uses and discloses
- providing guidance for individuals accessing records containing their personal information and seeking correction of such information
- outlining how an individual can complain about a breach of the APPs and how the National Archives will deal with such a complaint
1.3. Legislative Framework
- Privacy Act 1988 (Cth);
- Archives Act 1983 (Cth);
- Public Service Act 1999 (Cth);
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth);
- Criminal Code Act 1995 (Cth);
- Freedom of Information Act 1982 (Cth);
- Human Rights and Equal Opportunity Commission Act 1986 (Cth);
- Merit Protection (Australian Government Employees) Act 1984 (Cth);
- Australian Information Commissioners Act 2010 (Cth); and
- Ombudsman Act 1976 (Cth).
2. Personal information and the National Archives
2.1 Personal information the National Archives collects and holds
The National Archives will only collect personal information when it is reasonably necessary for, or directly related to, the National Archives' business.
Personal information may be collected by the National Archives in the performance of its business, including:
- personnel and employment records
- access case files
- advice to agencies
- personnel Security records
- Advisory Council records
- financial management records
- freedom of Information records
- tender records
- personal records depositors files
- correspondence with public and official researchers
- applications for fellowships and scholarships
- community consultation and oral histories
- community survey files
We may also collect or hold a range of sensitive information which is a type of personal information. This includes information or opinion about an individual's:
- health (including predictive genetic information)
- racial or ethnic origin;
- political opinions and association;
- religious beliefs or affiliations;
- philosophical beliefs;
- sexual orientation or practices;
- trade or professional associations and memberships;
- union membership; and
- criminal record.
The National Archives collects sensitive personal information about an individual only with the individual’s consent or if authorised by law to do so. The National Archives ensures that any information it collects is relevant for the purpose for which it is collected and is used only for that purpose. Personal information will only be collected by lawful and ‘fair’ means.
The National Archives uses forms, online systems and other electronic or paper documentation and will usually collect the information from the individual personally.
Personal information is held in the following ways:
- Electronic Document & Records Management system e.g. HP Records Manager
- Client Relationship Management System e.g. Maximiser
- E-Recruitment System
- Human Resources System
- Research Management Systems e.g. RefTracker, E-Commerce and RecordSearch
- Electronic and paper files
2.2 Storage and data security
The National Archives will take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
Digital information is protected in systems that comply with the Australian Government Protective Security Policy Framework. Information held in a physical formats are secured in locked cabinets and access is restricted to those with a ‘need to know’.
If a data breach occurs the National Archives will respond as required by the Office of the Australian Information Commissioner’s Data breach notification – A guide to handling personal information security breaches.
2.3 Records management
Personal information held by the National Archives is managed in accordance with the relevant records and information management policies and guidelines and disposed of in accordance with section 24 of the Archives Act.
2.4 Access to and correction of personal information
The National Archives is required under APP 12 to provide access on request of the individual to their personal information created or maintained by the National Archives. Where access is requested the National Archives must respond within 30 days. The National Archives must take reasonable steps to provide access in a way that meets the National Archives’ needs and the needs of the individual.
If the National Archives make a decision not to grant access to an individual a written response will be provided listing reasons for the refusal and mechanisms available to complain about the refusal.
Under APP 13 the National Archives will to take reasonable steps to correct personal information that it collects and holds to ensure that it is accurate, up-to-date, complete, relevant and not misleading. An individual may seek correction of their personal information through a request for amendment to the area of the National Archives responsible for the information (e.g. People Management and Development (PMD) for personnel and employment records). The National Archives will notify the individual of the decision within 30 days and provide written reasons if the request to amend personal information is refused.
2.5 Use and disclosure of personal information
Under APP 6 the National Archives uses the personal information it collects for the primary purpose for which it was collected. An example of this is where personal information gathered from a client who approaches the National Archives with a reference inquiry, is used to respond to the reference inquiry.
The National Archives may also use or disclose personal information for reasonably expected secondary purposes permitted under the Privacy Act including requirements or authorisation by law, or through the individual’s consent.
The National Archives will notify the individual at the point of collection or as soon as practicable afterwards about disclosures that apply to particular collections of personal information.
The National Archives will not usually disclose personal information overseas but in the event it does, the National Archives will enter into a contractual arrangement that requires the overseas recipient to handle the personal information in accordance with the APPs.
3.1. National Archives complaint-handling commitment
The National Archives is committed to timely and fair resolution of complaints including those relating to compliance with the APPs.
General enquiries about the National Archives' compliance with the APPs can be made to the National Archives' Privacy Contact Officer who can be contacted at firstname.lastname@example.org
Complaints about the National Archives’ personal information handling practices can also be made directly to the Office of the Australian Information Commissioner.
If a complaint is received by the National Archives about a breach to the APPs or any registered binding APP code, the National Archives’ will investigate the complaint. The result of the investigation will be documented and communicated to the appropriate parties, including the complainant and/or the individual who is the subject of the personal information. The National Archives will examine the processes around the collection, use and disclosure of personal information to ensure issues or gaps are identified and rectified to avoid future breaches.
This policy has been approved by:
22 May 2017