The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Privacy Act) updates the Privacy Act 1988 (Cth) and is intended to establish a comprehensive national scheme for the collection, holding, use, correction, disclosure and transfer of personal information by organisations in the private sector. This gives individuals the right to know what information an organisation holds about them and a right to correct that information if it is wrong.
This policy is to ensure KnowledgeSpace complies with the Privacy Act established for the handling of personal information by organisations in the private sector. KnowledgeSpace is required to ensure that it complies with the thirteen Australian Privacy Principles (APPs) set out by the Privacy Act. The APPs regulate the way KnowledgeSpace can collect, use, disclose, amend and pass on personal information.
Responsibility and Authority
All Managers and Staff
- Ensure compliance with the policy
Privacy Compliance Officer
- Receives complaints from an individual regarding an alleged breach of privacy by KnowledgeSpace
- Investigates and attempts to resolve any alleged breach of privacy complaint internally with the individual
- KnowledgeSpace’s Privacy Officer is Renee Simonds
Part 1 – Consideration of Personal Information Privacy
APP 1: Open and Transparent Management of Personal Information
Personal information will only be collected to the extent necessary by lawful and fair means and not in an unreasonably intrusive way for one or more of KnowledgeSpace’s functions or activities.
At the time of collection (or as soon as practicable afterwards) KnowledgeSpace will take reasonable steps to ensure personal information is managed in an open and transparent way. Under the Privacy Act you are entitled to:
- know the kind of information the entity collects and holds
- how the entity collects and holds personal information
- the purposes for collecting, holding and disclosing personal information
- how they can access and seek correction of such information
- how an individual may complain about a breach of the Australian Privacy Principles, and how the entity would deal with such a complaint
- whether the entity is likely to disclose personal information to overseas recipients
- if the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to do so
APP 2: Anonymity and pseudonymity
Whenever it is lawful and practicable, an individual will have the option of not identifying themselves or of using a pseudonym in relation to a particular matter.
Part 2 – Collection of Personal Information
APP 3: Collection of solicited personal information
Personal Information other than Sensitive Information
KnowledgeSpace will only collect personal information (other than sensitive information) if it is reasonably necessary for one or more of KnowledgeSpace’s functions or activities.
KnowledgeSpace will not collect sensitive information about an individual unless:
- the individual has consented and the information is reasonably necessary for one or more functions or activities;
- the collection is required or authorised by law; or
- a permitted general situation exists in relation to the collection of information by KnowledgeSpace
- a permitted health situation exists in relation to the collection of information by KnowledgeSpace
Permitted general situations:
- lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety
- taking appropriate action in relation to suspected unlawful activity or serious misconduct
- locating a person reported as missing
- asserting a legal or equitable claim
- conducting an alternative dispute resolution process
Permitted health situation:
- the collection of health information to provide a health service
- the collection of health information for certain research and other purposes
- the use or disclosure of health information for certain research and other purposes
- the use or disclosure of genetic information
- the disclosure of health information for a secondary purpose to a responsible person for an individual
Personal Information: means information or an opinion about an identified individual, or an individual who is reasonably identifiable
- Whether the information or opinion is true or not; and
- Whether the information or opinion is recorded in a material form or not.
Sensitive Information: means:
(a) information or an opinion about an individual’s:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information.
Means of Collection
KnowledgeSpace will only collect personal information by lawful and fair means. KnowledgeSpace can only collect personal information about an individual from that individual unless it is unreasonable or impractical to do so.
APP 4: Dealing with Unsolicited Personal Information
Where KnowledgeSpace receives personal information in a manner that is not compliant with APP 3, that information will be destroyed and/or de-identified. If unsolicited personal information is contained in a Commonwealth record, KnowledgeSpace is not required to destroy or de-identify that information.
APP 5: Notification of the Collection of Personal Information
At the time of collection (or as soon as practicable afterwards) KnowledgeSpace will take reasonable steps to ensure that the individual is notified:
- (a) The identity and contact details of KnowledgeSpace
- (b) That KnowledgeSpace is or has collected information, and the circumstances of that collection
- (c) KnowledgeSpace will state when the collection of personal information is required and/or authorised by law, and provide details of the relevant law or order.
- (d) The purpose for which the personal information is collected
- (e) The main consequences (if any) for the individual if some/all of the personal information is not collected
- (f) Of any disclosures of personal information that KnowledgeSpace will make to any other entity, body or person.
- (g) How the individual can access and seek the correction of personal information
- (h) How the individual can lodge a complaint of a breach of the Australian Privacy Principles or a registered APP code that binds KnowledgeSpace and how KnowledgeSpace will deal with complaints.
- (i) Whether KnowledgeSpace is likely to disclose personal information to overseas recipients, and if applicable, which countries.
Procedure for making a complaint
A person may make a complaint if they feel their personal information has been handled inappropriately by a private sector organisation in breach of KnowledgeSpace’s privacy obligations under the Privacy Act.
In the first instance, complaints must be directed to KnowledgeSpace’s Privacy Officer in writing. KnowledgeSpace will investigate the complaint and prepare a response to the complainant in writing within a reasonable period of time.
If the complainant is not satisfied with KnowledgeSpace’s response or the manner in which KnowledgeSpace has dealt with the complaint, the individual may make a formal complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC may investigate, resolve or close complaints based on information found during preliminary inquiries. If the OAIC believes there is enough evidence to support the complaint, it will try to conciliate the matter.
If conciliation does not resolve the complaint, depending on the circumstances, the Australian Information Commissioner may make a determination. A determination could include a requirement that KnowledgeSpace issue an apology, improve practices to reduce the likelihood of a breach of the Privacy Act, or pay compensation to the complainant. A complainant may withdraw their complaint at any time.
Where the OAIC has made a decision, a complainant may request that it be reviewed by a new OAIC officer. If the OAIC closes the file or the Information Commissioner makes a determination that is not legally correct, the complainant may apply to the Federal Court or the Federal Magistrates Court by way of appeal. Either party may also appeal to the Administrative Appeals Tribunal within 28 days of a final OAIC decision for a review of any compensation amount ordered by the Information Commissioner.
KnowledgeSpace may amend and vary this policy from time to time.
Part 3 – Dealing with Personal Information
APP 6: Use or Disclosure of Personal Information
KnowledgeSpace will not use personal information for another purpose (secondary purpose) unless:
- (1) the individual has consented; or
- (2) the secondary purpose is related to the primary purpose and the individual would reasonably expect KnowledgeSpace to use or disclose the information for the secondary purpose.
- (3) The use/disclosure of the information is required by law
- (4) A permitted general/health situation exists in relation to the disclosure. Health situation information will be de-identified before KnowledgeSpace discloses it.
- (5) KnowledgeSpace believes that the use/disclosure of information is reasonably necessary for one or more enforcement related activities conducted by/on behalf of an enforcement body
Written Note of Use or Disclosure
KnowledgeSpace will make a written note of all uses and disclosures of personal information.
Related Bodies Corporate
Where KnowledgeSpace collects personal information from a body corporate, it will treat personal information in the same manner as stated above.
Where personal information is used or disclosed for the purpose of direct marketing or government related identifiers, the above principles do not apply.
APP 7: Direct Marketing
Direct marketing concerns the use/disclosure of personal information to communicate directly with an individual to promote goods and services. KnowledgeSpace will not use or disclose personal information held about an individual for the purposes of direct marketing unless one of the exceptions outlined below applies.
Exceptions – Personal Information other than Sensitive Information
KnowledgeSpace will not use or disclose personal information for the purposes of direct marketing unless:
(a) KnowledgeSpace has collected the information from the individual and the individual would reasonably expect KnowledgeSpace to use/disclose the information for this purpose
(b) KnowledgeSpace has provided a simple means where the individual may easily request not to receive direct marketing communications, and the individual has not made such a request
Where KnowledgeSpace has collected the personal information from a third party or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing, KnowledgeSpace will seek consent from an individual for each direct marketing communication.
Exception – Sensitive Information
KnowledgeSpace will not use or disclose sensitive information about an individual for the purposes of direct marketing without the consent of the individual.
Exception – Contracted Service Providers
KnowledgeSpace may use or disclose personal information for the purpose of direct marketing where:
(a) KnowledgeSpace is a contracted service provider for a Commonwealth contract
(b) KnowledgeSpace collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract
(c) The use or disclosure is necessary to meet (directly or indirectly) such an obligation
Individual may request not to receive direct marketing communications
Where an individual has requested that KnowledgeSpace not use or disclose their personal information for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations, KnowledgeSpace will give effect to any such request within a reasonable period of time and without cost to the individual.
KnowledgeSpace will, on request, notify an individual of its source of the individual’s personal information that it has used or disclosed for the purpose of direct marketing unless this is unreasonable or impracticable to do so.
This does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations apply.
APP 8: Cross-Border Disclosure of Personal Information
KnowledgeSpace will not disclose personal information to a person overseas unless reasonable steps have been taken to ensure that the recipient does not breach the Australian Privacy Principles.
This does not apply when:
- (a) KnowledgeSpace reasonably believes that the recipient is subject to a law or scheme that is overall similar to the APPs, and the individual can access mechanisms to enforce the protection of that law or scheme.
- (b) KnowledgeSpace seeks the consent of the individual to disclose the personal information, expressly stating that it will not take reasonable steps to ensure the recipient does not breach the APPs.
- (c) The disclosure of information is required/authorised by an Australian law or court/tribunal order
- (d) A permitted general situation exists in relation to the disclosure of the information by KnowledgeSpace
APP 9: Adoption, Use or Disclosure of Government Related Identifiers
Adoption of Government Related Identifiers
KnowledgeSpace will not adopt as its own identifier an identifier that has been authorised under Australian law. Examples are an individual’s Medicare or tax file number.
Use or Disclosure of Government Related Identifiers
KnowledgeSpace will not use or disclose an identifier unless:
- It is to verify the identity of the individual for the purposes of their activities/functions
- It is necessary for KnowledgeSpace to fulfil its obligations to an agency or a State/Territory
- It is required/authorised by law
- A permitted general situation exists in relation to the use/disclosure of the identifier
- KnowledgeSpace reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body
Regulations about Adoption, Use or Disclosure
KnowledgeSpace may use/adopt or disclose a government related identifier of an individual if:
(a) The identifier is prescribed by regulations
(b) KnowledgeSpace is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations
(c) The adoption, use or disclosure is prescribed by the regulations
APP 10: Quality of Personal Information
KnowledgeSpace will take reasonable steps to ensure that personal data collected, used or disclosed is accurate, up to date and complete.
APP 11: Security of Personal Information
KnowledgeSpace will take reasonable steps to protect personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. KnowledgeSpace will also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under Principle 3.
APP 12: Access to Personal Information
Where KnowledgeSpace holds personal information about an individual, it will provide the individual with access to the information on request.
Exceptions to access
KnowledgeSpace is not required to give the individual access to the personal information where:
(a) KnowledgeSpace reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual/to public health/public safety
(b) Giving access would have an unreasonable impact on the privacy of other individuals
(c) The request for access is frivolous or vexatious
(d) The information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings
(e) Giving access would reveal the intentions of the entity in relation to negotiations with that individual, and would prejudice those negotiations
(f) Giving access would be unlawful
(g) Denying access is required/authorised by or under Australian Law or a court/tribunal order
(h) KnowledgeSpace has reason to suspect that unlawful activity or serious misconduct relating to KnowledgeSpace has been engaged in, and giving access is likely to prejudice the taking of appropriate action
(i) Giving access would be likely to prejudice one or more enforcement related activities conducted by/on behalf of an enforcement body
(j) Giving access would reveal evaluative information generated within KnowledgeSpace in connection with a commercially sensitive decision-making process
Dealing with requests for access
KnowledgeSpace must respond to requests for access to personal information within 30 days of a request by an agency, or within a reasonable time period after the request is made by an organisation.
Access to information should be given in the manner requested by the individual if it is reasonable and practicable to do so.
Other means of access
Where KnowledgeSpace refuses to give access to personal information on a permitted ground or refuses to give access in the manner requested by the individual, KnowledgeSpace must take reasonable steps to give access in a way that meets the needs of the individual and KnowledgeSpace (e.g. deleting personal information for which there is a ground for refusing access and giving the redacted version to the individual, or giving a summary of the requested personal information to the individual).
Access may be given through the use of a mutually agreed intermediary.
KnowledgeSpace may impose a charge for giving access to personal information (such as copying costs, postage costs, costs associated with using an intermediary). This charge must not be used to discourage an individual from requesting access to personal information, and cannot be applied to the making of the request.
Refusal to give access
Refusals by KnowledgeSpace to give access to personal information will be in writing and will state:
(a) The reasons for the refusal
(b) The mechanisms available to complain about the refusal
(c) Any other matter prescribed by the regulations
Where KnowledgeSpace has refused access due to evaluative information in connection with a commercially sensitive decision-making process, KnowledgeSpace may include an explanation for the commercially sensitive decision.
APP 13: Correction of Personal Information
Where KnowledgeSpace or an individual believes that personal information is inaccurate, out of date, incomplete, irrelevant or misleading, KnowledgeSpace will take reasonable steps to correct that information.
Notification of Correction to Third Parties
KnowledgeSpace will take reasonable steps to ensure that all third parties privy to personal information have been notified of a correction unless it is unlawful or unreasonable to notify.
Refusal to Correct Information
If KnowledgeSpace refuses to correct personal information as requested by the individual, a written notice will be provided that contains:
(a) The reasons for refusal
(b) The mechanisms available to complain about the refusal
(c) Any other matter prescribed by regulations
Request to Associate a Statement
Where KnowledgeSpace has refused to correct personal information and the individual has requested for an associated statement that the information is out of date, inaccurate, incomplete, irrelevant or misleading, KnowledgeSpace will take reasonable steps to associate the statement in such a way that will make the statement apparent to users of the information.
Dealing with Requests
KnowledgeSpace will respond to requests to associate a statement:
(a) Within 30 days (if request is from an agency)
(b) Within a reasonable period after the request is made
KnowledgeSpace will not charge an individual for making a request, for correcting information or associating a statement with the personal information.