This policy provides guidance to Department of Environment, Parks and Water Security (DEPWS) staff for the protection of personal information in compliance with the Information Privacy Principles (IPP) in the Northern Territory Information Act 2002, and, where applicable, with the Australian Privacy Principles (APP) in the Commonwealth Privacy Act 1988.
The policy outlines the collection, use, disclosure and protection of personal information collected by the department through the delivery of services and programs. This policy should be read in addition to the NT Government’s copyright, disclaimer and privacy statements.
This policy describes the personal information that may be collected by the department and how information is protected.
It applies to all staff, including contracted service providers, and their employees, subcontractors or agents, or any other persons providing services to the department, to the extent of their involvement with the department’s personal information.
3. Policy position
The department respects and is committed to safeguarding the confidentiality and privacy of the information that it collects and handles, in accordance with the Northern Territory Information Act 2002.
The department collects, manages, uses and discloses information in accordance with:
- Information Act 2002 (Information Act) (NT)
- Information Regulations 2010 (NT)
- Privacy Act 1988 (Privacy Act) (Commonwealth) (to the extent applicable)
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Commonwealth)
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Commonwealth)
- NT Government Records and Archives Management Standards
- Public Sector Employment and Management Act 1993 and the NTPS Code of Conduct
Australian Privacy Principles (APP) means the rules covering the handling, use and management of personal information including the right to access and correct personal information, in Schedule 1 of the Privacy Act 1988.
Eligible data breach means a breach of data that is likely to result in serious harm to any of the individuals to whom the information relates as defined by the Office of the Australian Information Commissioner.
Information Privacy Principles (IPP) means general rules that govern the collection, management, access and correction of personal information contained in Schedule 2 of the Information Act 2002.
Person means an individual and includes a deceased individual within the first five (5) years after death as defined in Section 4 of the Information Act 2002.
Personal information means government information containing personal details of an individual and any other information that directly or indirectly identifies a person, except where:
- The disclosure identifies a person who is acting in an official capacity for the department; and
- No other personal information about the person is disclosed, as defined in Section 4A of the Information Act 2002.
Privacy means privacy with respect to personal information (Section 4A of the Information Act).
Notifiable Data Breach Scheme means established requirements for data breach notifications under the Privacy Act 1988 where entities must notify the Australian Information Commissioner and individuals of eligible data breaches.
Sensitive information is a subset of personal information and means personal information as set out in Section 4 of the Information Act 2002 relating to racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional/trade association or trade union, sexual preferences or practices, criminal record or health information.
5. Information Privacy Principles
The Information Privacy Principles (IPPs) are a list of 10 rules for collecting and handling personal information that bind NT government organisations. They are found in the Schedule at the back of the Information Act 2002. The requirements of the IPPs can be divided into four categories.
5.1. Collection of information
IPPs 1, 7, 8 and 10
Personal information:
- will only be collected if it is necessary for the activities of the department
- must be collected in a lawful, fair and not unreasonably intrusive way
- must be collected from the individual, if that is reasonable and practicable
There are special limits on collection of sensitive information, identifying information and unique identifying codes (e.g. driver’s licence numbers). If the department collects personal information about an individual from another person, it will take reasonable steps to ensure that the individual is aware of these matters, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of the individual or another individual.
At the time personal information is collected, the department will ensure that individuals are aware of:
- the identity of the department and how to contact it
- the fact that the individual is able to have access to the information
- the purpose for which the information is collected
- the persons or bodies, or classes of persons or bodies, to which the department usually discloses information of the same kind
- any relevant laws that require the particular information to be collected
- the consequences, if any, of not providing the information.
Reasonable steps will be taken to ensure the quality of the personal information collected, and that the information is accurate, complete and up to date.
5.2. Use and disclosure
IPPs 2, 7 and 9
Personal information can be used or disclosed for the purpose for which it was collected. The IPPs limit the other purposes (secondary purposes) for which personal information can be used or disclosed within or outside the department. Use or disclosure for secondary purposes is allowed:
- if the individual consents
- if it is required or authorised by law
- for some purposes related to the primary purpose
- for some law enforcement and health and safety purposes.
There are also limits on transferring information outside the Territory and on use and disclosure of unique identifying codes (e.g. driver's licence numbers).
5.3. Management of information
IPPs 3 and 4
The department must take reasonable steps to:
- ensure that personal information is accurate, complete and up to date
- protect personal information from misuse and loss and from unauthorised access, modification or disclosure
- destroy or permanently de-identify personal information if it is no longer needed for any purpose.
In the event of an eligible data breach, the department will act in accordance with the Notifiable Data Breach Scheme under the Privacy Act 1988. The department will seek to promptly determine the nature of the breach and secure against further breaches, alert authorities where criminal activity is suspected, assess the risk of harm to affected individuals, and notify individuals and the Information Commissioner if the breach is significant.
IPPs 1, 5 and 6
The department must:
- make available to the public a document in which it clearly expresses its policies for the management of personal information that it holds
- take reasonable steps to inform the individual of the kind of personal information it holds, why it holds the information and how it collects, holds, uses and discloses the information
- allow an individual to seek access to their personal information
- allow an individual to seek correction of inaccurate, incomplete or out-of-date information.
The IPPs set out general rules for organisations to apply. But those rules are subject to qualifications and exceptions that recognise those other interests.
Examples of those qualifications and exceptions are:
- IPP 1.4 requires that information about a person can only be collected from that person, so long as that is reasonable and practicable. This recognises that there can be cases where obtaining information directly from the individual would be unreasonable, e.g. where it might prejudice a covert police operation.
- IPP 2.1 prohibits use and disclosure of information for a purpose other than the purpose it was collected for, but then sets out a number of exceptions. This recognises that it can be in the public interest to use or disclose information that was originally collected for one purpose for other purposes, for example, for law enforcement purposes.
- IPP 6.1 provides a general right of access by an individual to his or her personal information. But it also lists cases in which access to particular information can be refused, e.g. if providing access would unreasonably interfere with the privacy of another person.
- Sections 69-71 of the Information Act 2002 provide for exclusion or variation from the IPPs in relation to some functions, including court proceedings, law enforcement activities and research.
6. Use of personal information
The department undertakes to use personal information for the primary purpose for which it was acquired, or for related secondary purposes. Reasonable steps will be taken to acquire a person's consent before disclosure of the information to third parties.
If clients do not wish to consent to the department using their personal information as outlined in this section, and there is no legal reason that requires this use, they may request the department not to use their information in this manner. Requests should be directed to the department’s Privacy Officer.
7. Data security
The department undertakes to maintain appropriate security and control of all information that it holds in relation to individuals, and to hold such information only for the appropriate period related to the legislation, business practice and historical/cultural context of the function for which the information has been collected.
8. Openness, access and correction
Any information the department holds concerning an individual may be accessed by that individual in accordance with the provisions of the Information Act 2002.
These provisions also establish procedures through which individuals may request the department to update or correct personal information the department holds about them.
Application forms to seek access to personal information, and to seek the correction of personal information, are available from the department's Privacy Officer.
9. Making a privacy complaint
Complaints about privacy should be directed to the department’s Privacy Officer to request a resolution. If unsatisfied with the response by this department, a complaint may be lodged with the Northern Territory Office of the Information Commissioner, within 12 months of becoming aware of the privacy matter.
To contact the department with a complaint or privacy question, please call the Privacy Officer on (08) 8999 4410 on business days, 8.00am - 4.21pm, or write to PO Box 496, Palmerston, NT 0831.
10. Legislation and associated documents
Last updated: 22 December 2021