Strategic Planning and Governance
22 May 2017
The purpose of this policy is to outline how the National Archives of Australia (the Archives) will manage personal information collected in the course of carrying out its business. Personal information is managed in accordance with the Australian Privacy Principles (APPs) as specified in the Privacy Act 1988 (Cth) (Privacy Act).
In accordance with the Privacy Act personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
This Policy applies to information in all formats created or received by the Archives in the performance of its business.
The Policy does not apply to Commonwealth records held in the Archives’ collection. These are administered in accordance with provisions in the Archives Act 1983 (Cth) (Archives Act).
This policy supports the principles outlined in the Privacy Act by promoting and facilitating an understanding of and compliance with the APPs and how they apply in the Archives context. This includes:
The Archives will only collect personal information when it is reasonably necessary for, or directly related to, the Archives business.
Personal information may be collected by the Archives in the performance of its business, including:
We may also collect or hold a range of sensitive information, which is a type of personal information. This includes information or opinion about an individual's:
The Archives collects sensitive personal information about an individual only with the individual’s consent or if authorised by law to do so. The Archives ensures that any information it collects is relevant for the purpose for which it is collected and is used only for that purpose. Personal information will only be collected by lawful and ‘fair’ means.
The Archives uses forms, online systems and other electronic or paper documentation and will usually collect the information from the individual personally.
Personal information is held in the following ways:
The Archives will take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
Digital information is protected in systems that comply with the Australian Government Protective Security Policy Framework. Information held in physical formats is secured in locked cabinets and access is restricted to those with a ‘need to know’.
If a data breach occurs the Archives will respond as required by the Office of the Australian Information Commissioner’s Data breach notification – A guide to handling personal information security breaches.
Personal information held by the Archives is managed in accordance with the relevant records and information management policies and guidelines and disposed of in accordance with section 24 of the Archives Act.
The Archives is required under APP 12 to provide access on request of the individual to their personal information created or maintained by the Archives. Where access is requested the Archives must respond within 30 days. The Archives must take reasonable steps to provide access in a way that meets the Archives’ needs and the needs of the individual.
If the Archives makes a decision not to grant access to an individual, a written response will be provided listing reasons for the refusal and mechanisms available to complain about the refusal.
Under APP 13 the Archives will take reasonable steps to correct personal information that it collects and holds to ensure that it is accurate, up-to-date, complete, relevant and not misleading. An individual may seek correction of their personal information through a request for amendment to the area of Archives responsible for the information (e.g. People Management and Development (PMC) for personnel and employment records). The Archives will notify the individual of the decision within 30 days and provide written reasons if the request to amend personal information is refused.
Under APP 6 the Archives uses the personal information it collects for the primary purpose for which it was collected. An example of this is where personal information gathered from a client who approaches the Archives with a reference inquiry is used to respond to the reference inquiry.
The Archives may also use or disclose personal information for reasonably expected secondary purposes permitted under the Privacy Act including requirements or authorisation by law, or through the individual’s consent.
The Archives will notify the individual at the point of collection or as soon as practicable afterwards about disclosures that apply to particular collections of personal information.
The Archives will not usually disclose personal information overseas but in the event it does, the Archives will enter into a contractual arrangement that requires the overseas recipient to handle the personal information in accordance with the APPs.
The Archives is committed to timely and fair resolution of complaints including those relating to compliance with the APPs.
General enquiries about the Archives' compliance with the APPs can be made to the Archives' Privacy Contact Officer who can be contacted at firstname.lastname@example.org
Complaints about the Archives’ personal information handling practices can also be made directly to the Office of the Australian Information Commissioner.
If a complaint is received by the Archives about a breach of the APPs or any registered binding APP code, the Archives will investigate the complaint. The result of the investigation will be documented and communicated to the appropriate parties, including the complainant and/or the individual who is the subject of the personal information. The Archives will examine the processes around the collection, use and disclosure of personal information to ensure issues or gaps are identified and rectified to avoid future breaches.
This policy has been approved by:
22 May 2017