Privacy and Personal Information Policy
Introduction
Southern Regional Natural Resource Management Association Inc ABN 86 704 088 698 (NRM South) respects privacy and is committed to ensuring the personal information of individuals is managed in accordance with the Privacy Act 1988 (Cth) (Privacy Act), and the Personal Information Protection Act 2004 (Tas) (PIP Act) to the extent it is not inconsistent with or is in addition to the protections in the Privacy Act. This Policy explains how NRM South complies with privacy laws when collecting, using, disclosing, storing and destroying an individual’s personal information. It also explains how an individual can access or correct their personal information or make complaints about personal information held about them.
A copy of this Privacy Policy is available on our website at www.nrmsouth.org.au and in hard copy on request.
Definitions
Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable. Under the PIP Act this also applies to personal information about an individual who has not been dead for more than 25 years.
Personal information may include ‘sensitive information’ about an individual such as a person’s race or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, memberships, sexual orientation or practices, criminal record or health, genetic or biometric information.
Health information includes information about a person’s health, disability or use of health services.
Policy
NRM South is one of 56 natural resource management organisations in Australia and one of three in Tasmania. Our role is to protect, sustainably manage and improve our natural resources for the shared environmental, social and economic benefit of the community.
Personal information collected
It is the policy of NRM South to collect personal information only if it is necessary for one or more of its functions, programs or activities.
Certain personal information is collected in order to comply with laws and regulations.
The kinds of personal information that NRM South commonly collect and hold from an individual or about an individual includes name, addresses, telephone numbers, date of birth, drivers licence details, ownership or occupation of land and observations about that land, together with any specific information about an individual that may be required for the purpose of completing NRM South functions.
NRM South may collect sensitive information from an individual or about an individual where there is a legal requirement to do so, or where we are otherwise permitted by law. In all other situations, we will specifically seek the individual’s consent.
How we collect and hold personal information
We aim to collect personal information about an individual only directly from them, unless it is unreasonable or impracticable for us to do so. For example, we will collect personal information from:
- forms completed by the individual;
- correspondence that the individual submits to us;
- telephone calls and meetings with us.
When someone browses our website or contact us electronically we may record details of the number of visitors to our website and any website from which they were directed to our website.
In some instances, we may receive personal information from third parties such as our stakeholders, landholders and community groups.
An individual can be anonymous or use a pseudonym when dealing with us, for instance if making a general enquiry. However, if use of an individual’s true identity is a legal requirement or it would be impractical for us to provide a service without that information, identification of the individual may be necessary.
NRM South do not assign unique identifiers to individuals unless it is necessary for us to carry out our functions efficiently or is required by law. We do not adopt as our unique identifiers the unique identifiers from other organisations. However, we may collect the unique identifiers assigned to an individual by another organisation, such as real property identification numbers but we will not disclose these without lawful authority.
How do we use personal information?
NRM South will use and disclose an individual’s personal information for the purpose for which we collected it. We may also use an individual’s personal information for related purposes which they would reasonably expect. We will take reasonable steps to ensure the information we use is accurate, up-to-date, complete and relevant, having regard to the reasons why it is being used.
We may disclose an individual’s personal information to third parties. For example, there may be a need to disclose some or all personal information collected to:
- government funding bodies at Federal and State level including their public sector agencies for instance, when responding to requests from the Federal Government for some personal information (but not in any way which would identify the individual to whom it relates) via the National Landcare Programme reporting such as requests for specific property information;
- contractors engaged by NRM South to deliver or co-provide services related to our activities and programs or provide services to us;
- our agents;
- law enforcement agencies, courts; or
- other authorised organisations under relevant legislation.
Contractors with NRM South are required to adhere to this Policy when dealing with any personal information they receive from NRM South.
NRM South is the custodian of personal information under the PIP Act. The PIP Act permits the disclosure of “basic personal information” (that is, name, residential address, postal address, date of birth and gender) to Tasmanian public sector bodies where necessary for the efficient storage and use of that information.
Some personal information collected may be used in research, statistical analysis, state or national reporting, awareness programs, public statements or training, but not in any way which would identify the individual to whom it relates.
Where we support on ground or other activities such as the assessment, monitoring, management and/or protection of native plants, animals and vegetation communities (including threatened species and communities) the location of these (as GPS coordinates) and any results from monitoring and assessment are provided to the Department of Primary Industries, Parks, Water and Environment (DPIPWE) for inclusion, for example, in the Natural Values Atlas which is available to the public.
Personal information in written submissions on policy matters or matters of public consultation may be disclosed in reports that are made public, unless the submission was submitted and/or accepted on a confidential basis.
How do we store personal information?
Personal information is generally held in our files or a computer database. Data storage locations for our cloud computing applications are hosted both in Australia and outside Australia. Our agreements with IT providers expressly require them to comply with the Privacy Act and PIP Act unless the country in which the data is hosted is subject to a law or binding scheme which protects personal information in a way that overall is similar to the way personal information privacy principles protect personal information. Personal information may also be held in a secure archiving facility.
Normally correspondence and documentation is scanned and stored in our computer system, with original copies of agreements returned to the relevant individual or retained and filed by us.
We will take reasonable steps to ensure that the personal information that we hold is protected from misuse and loss and from unauthorised access, modification and disclosure. Some of the measures that NRM South have adopted are having facilities for the secure storage of personal information, having secure offices and access controls for our computer systems.
We will also take reasonable steps to destroy or permanently de-identify personal information where it is no longer required except where required to be kept in compliance with the Archives Act (Tas) 1983. In general information is retained for seven years from the date it was last used.
Access to and correction of personal information
An individual can gain access to their personal information that we hold. This is subject to exceptions allowed by the Privacy Act or PIP Act such as where providing the individual with access would have an unreasonable impact upon the privacy of others. If we deny a request for access, we will provide the reasons for this decision. To request access please contact us (see our details below).
We may charge a reasonable fee to access that information, for example to recover the costs of photocopying or if we have to spend a significant amount of time to provide access. We may need to verify an individual’s identity before providing access to their personal information.
If we refuse access to an individual’s personal information, we will provide an explanation for that refusal. We will try to provide access to personal information within 14 days of receipt of the written request for access or within 20 working days where responding to the request is more complicated.
What if personal information is not correct?
We endeavour to take reasonable steps to ensure that the personal information that we collect, use or disclose is accurate, complete and up-to-date. If an individual believes that any of the personal information that we hold about them is not accurate, complete or up-to-date please contact us (see our details below) and provide us with evidence that it is not accurate, complete and/or up-to-date.
If we agree that the personal information requires correcting, we will take reasonable steps to do so. If we do not correct the personal information we will provide our reasons for not doing so. If the individual requests that we associate with their personal information a statement claiming that the information is not accurate, complete and up-to-date we will take reasonable steps to comply with this request.
If we refuse to correct an individual’s personal information, we will provide a written explanation for that refusal. We will try to resolve all requests within 14 days of receipt of the written request or within 20 working days where the matter is more complicated. We will not charge a fee to correct that information.
How does an individual complain about interference with their privacy?
An individual who is concerned about an interference with their privacy or this policy can submit a complaint in writing, marked to the attention of the Chief Executive Officer. We will consider and try to respond to the complaint within 14 days of receipt of the complaint, but no later than 20 working days. We will seek to resolve the complaint with the complainant. We prefer to address all matters in this manner prior to a complaint being taken further.
How do you contact us if you have a privacy issue?
An individual can obtain further information on request about the way in which we manage the personal information that we hold or an individual can raise any privacy issues with us, including a complaint about privacy, by:
Email: [email protected]
Post: PO Box 4657, Hobart TAS 7000
What other avenues of complaint exist?
Complaints about the handling of privacy and personal information may be made to the Office of the Australian Information Commissioner or the Ombudsman Tasmania. Their contact details are:
The Office of the Australian Information Commissioner
Email: [email protected]
Post: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Fax: 02 9284 9666
Ombudsman Tasmania Office
Email: [email protected]
Post: NAB House, Level 6, 86 Collins Street, Hobart TAS 7000
Phone: 1800 001 170
Policy Updated October 2016