Objective
The purpose of this policy is to inform individuals about how their personal information will be collected, used and managed by Natural Hazards Research Australia (NHRA).
Scope
This policy applies to NHRA staff who are employed as casual, part time or full time and the engagement of NHRA stakeholders in the course of its operations.
Policy Statement
Purpose
This Privacy Policy Statement is prepared in accordance with The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) which made many significant changes to the Privacy Act 1988 (Privacy Act) and the associated Australian Privacy Principles (APPs). Details of the changes to the Privacy Act can be found on the Office of Australian Information Commissioners’ website (www.oaic.gov.au).
The APPs set out minimum standards for the way in which organisations deal with individuals' personal information. Under the Act, personal information is defined as
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Privacy Commitment
This Privacy Policy Statement (Privacy Policy) explains how the Centre collects, stores, uses and discloses personal information and the rights of individuals to gain access to information held about them by the Centre.
What is Personal Information
‘Personal information’ is defined in the Privacy Act, and means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
In this Privacy Policy, whenever we use the term ‘personal information’, we are referring to this legal definition.
Personal information does not include aggregated or de-identified data.
We are required to comply with the Australian Privacy Principles (APPs) in the Privacy Act. The APPs regulate the manner in which personal information is managed by an organisation subject to the Privacy Act, from collection to use and disclosure, security, accessibility and disposal.
In certain circumstances, we may also be required to comply with more specific privacy legislation in some circumstances, such as:
- applicable State and Territory health privacy legislation (including the Victorian Health Records Act) when we collect and handle health information in the relevant jurisdiction; and
- the Spam Act and the Do Not Call Register Act.
Collection of personal information during research projects
The Centre is in the business of conducting research which will include the interviewing and surveying of members of the public and organisations. The collection of data in these circumstances will be covered by a higher level of privacy protection including obtaining Human Ethics approval through an Ethics Committee. This personal information will be treated in accordance with the requirements outlined in the ethics approval, for that activity. Any publication of material arising from this data will be suitably de-identified.
Collection of personal information
What we collect
The specific types of personal information collected and used by the Centre varies according to the purpose for collection. However, in general this information may include:
- Individuals' names, addresses, contact details (e.g. telephone number and email address, employer and role);
- Information about transactions or dealings between individuals and the Centre;
- Information about you that may be relevant to the interaction the Centre will have with you; and
- Individuals' areas of interest.
Why we collect personal information
The Centre only collects personal information which is necessary in connection with its business purposes. The purposes for which the Centre collects personal information include:
- when an individual or organisation communicates or interacts with the Centre;
- responding to issues addressed by an individual to the Centre;
- facilitating the conduct of business transactions and operations between the Centre and the individual;
- when an individual attends a function or event run or facilitated by the Centre;
- providing a subscription service to individuals;
- ensuring Centre websites remain relevant to individuals;
- when an individual applies for a position at the Centre; or
- where we are required to collect information by law.
How and when we collect personal information
We may collect this information:
- when you communicate with us;
- directly from you during conversations with our staff members (in person, via phone or online);
- when you make appointments or bookings with us;
- when you visit one of our premises;
- when you call us or we call you;
- when you use our online services (such as our websites, content sharing or our social media channels);
- when you make an enquiry, provide feedback, or make a complaint (via phone, email or in person); and
- as required by law.
The Centre collects most of the personal information it requires directly from the relevant individual by way of written forms voluntarily completed by the individual. The Centre may also collect information from individuals by telephone, in person, by its employees, or by written correspondence from time-to-time.
In certain circumstances, the Centre may also collect personal information about an individual from third parties. Where an individual, or entity, provides the Centre with personal information about another individual, they must first ensure that the other individual is aware of:
- the disclosure of their information to the Centre and the purposes for which the information is collected and used by the Centre; and
- the individual's ability to request access to the personal information held about them by the Centre, and to advise the Centre if they think the information is inaccurate, incomplete or out-of-date.
If you don’t provide personal information
It is important that the Centre collects the information it requires about an individual in order to provide services which remain relevant to that individual. In some cases, if you don't provide us with your personal information when requested, we may not be able to provide you with the product or service that you are seeking.
Sensitive information
Sensitive information is a subset of personal information that is generally afforded a higher level of privacy protection under the Privacy Act. ‘Sensitive information’ is defined in the Privacy Act and includes information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal records, health information and genetic information. We only collect sensitive information where it is reasonably necessary for our functions or activities and either:
- the individual has consented; or
- we are required or authorised by or under law (including the APPs) to do so.
For example, we may collect dietary requirements for catering purposes or information about any additional needs or preferences you may have when accessing our services, facilities or premises.
Use and Disclosure of Personal Information
We may share personal information with third parties where appropriate for the purposes set out in this Privacy Policy, including:
- to provide goods or services to the individual, including a newsletter or similar subscription service;
- to provide other relevant information;
- where required or authorised by law;
- to provide information to agents, contractors and service providers engaged by the Centre to deliver goods and services or otherwise act on behalf of the Centre, or to provide goods and services to the Centre, these providers will be bound by similar privacy conditions;
- to investigate and resolve complaints concerning the provision of services by the Centre or others associated with the Centre; and
- to provide individuals with updates and other information from time to time about the Centre’s goods, services and activities. Individuals may notify the Centre at any time if they do not wish to receive this information.
The Centre’s website and email systems are cloud-based services and therefore may be based outside Australia, however the Centre will only transfer personal information outside of Australia (including Canada, the European Union, Japan, the United Kingdom and the United States of America) in accordance with the APPs including:
- With the individual’s consent (this is deemed to have been given through the entering of information of the Centre’s website or through the use of the Centre’s email addresses);
- Where the Centre is under a contractual obligation (with the individual or another party) to do so, or there is some other benefit to the individual; or
- Where the Centre is satisfied that the recipient of the information will uphold principles for the fair handling of personal information, and will not deal with the personal information in a manner inconsistent with the APPs and this Privacy Policy.
Data quality storage and security
The Centre strives to ensure that all personal information held in its records is secure, accurate, complete and up-to-date.
Personal information is held in a combination of electronic and hard copy records stored securely at the Centre’s facilities or in cloud-based services. Hard copy information is stored in secure office facilities, at the Centre’s premises. Electronic information is protected by password security and other data protection measures.
Access to personal information is restricted in accordance with the Centre’s procedures to those personnel whose job functions require access to such information. Access to customer personal information is restricted to the Centre’s office staff. Certain administrative functions may from time to time be contracted out to third parties, and in these cases appropriate security measures are implemented to ensure the security and integrity of all personal information.
The Centre takes reasonable steps to:
- make sure that the personal information that it collects, uses and discloses is accurate, up to date and complete and (in the case of use and disclosure) relevant;
- protect the personal information that it holds from misuse, interference and loss and from unauthorised access, modification or disclosure; and
- destroy or permanently de-identify personal information that is no longer needed for any purpose permitted by the APPs.
Individuals can help us keep their information up to date, notifying the Centre of any changes to their details, such as the individual’s address, email address or phone number.
Direct marketing
The Centre may use or disclose personal information to let individuals know about the Centre, its goals and services, either where we have the individual’s express or implied consent, or where the Centre are otherwise permitted by law to do so. The Centre may contact individuals for these purposes in a variety of ways, including by mail, email, SMS, telephone.
Opting out
Where you have consented to receiving marketing communications from us, your consent will remain current until you advise us otherwise. However, you can opt out at any time, by:
- contacting us using the details set out below; or
- using the unsubscribe facility that the Centre includes in electronic messages (such as emails, SMSes and MMSes).
For cookies which use your personal information for direct marketing (such as targeted advertising) you can only opt-out by adjusting your device setting and online privacy settings (for advertising on certain websites and social media channels).
Further information regarding cookies is set out below.
Collection of information through our website
When individuals visit the Centre’s website, some of the information that is collected about the visit is not personal information, as it does not reveal the individual’s identity.
Website visit information
For example, the Centre records individuals’ server address, the date and time of visit, the pages visited, any documents downloaded, settings, the previous site the individual visited and the type of device, browser and operating system used to access Centre websites.
The Centre uses and discloses this information in anonymous, aggregated form only, for purposes including statistical analysis and to assist the Centre to improve the functionality and usability of its website. People are not individually identified, however the Centre reserves the right to use or disclose this information to try to locate an individual where the Centre reasonably believes that the individual may have engaged in any unlawful or inappropriate activity in connection with the websites, or the Centre otherwise required or authorised by law to do so.
Use of cookies
The Centre’s websites allow anonymous browsing and do not require a user to identify themselves, unless they wish to register for a service.
The Centre’s websites use cookies and session information cookies, which are pieces of information that a site sends to your computer or device's hard drive when you access information on our websites. Each time you use your computer or device to access the websites, the information that was previously received is sent back to the site by your browser. Cookies do not identify individual users.
The Centre will use information to create aggregate statistics about usage and other related site information that does not personally identify users. The information we collect through these cookies remains anonymous and is not linked to any personal information. If you do not agree to the use of cookies, you can set the preferences on your browser to remove all cookies and reject cookies in the future.
Third party links and sites
When you use the Centre’s websites or receive communications from us, links to websites which belong to other third parties may be included (and are provided for your convenience). You should make your own enquiries as to the privacy policies of these parties. The Centre is not responsible for information on, or the privacy practices of, any third-party websites.
Changes to the Privacy Policy
The Centre may review and update this Privacy Policy from time to time to reflect changes in the law, the Centre’s business practices and procedures and the community's changing privacy expectations. Changes to the Privacy Policy will not be notified to individuals, but the latest version of this Privacy Policy will be available from the Centre’s website.
Access to information
Please contact us if you would like to access a copy of your personal information or believe that the information we have about you is not up-to-date, complete or accurate. You have the right to request the correction of any information which relates to you and is inaccurate. If you would like the Centre to delete your personal information, please let us know and we will take all reasonable steps to delete it unless we are required by law to keep it.
We may decline your request to access or correct your information in certain circumstances in accordance with the applicable privacy laws. If we do refuse your request, we will provide you with a reason for our decision. In addition, if we refuse your request for correction, we will include a statement about your request with the personal information we store.
Complaints
If you have a complaint about how we have managed your personal information, please contact us using the details set out below.
We will endeavour to acknowledge receipt of a privacy complaint within five business days of receiving it and to complete our investigation into your complaint in a timely manner. This may include, for example, gathering the relevant facts, locating and reviewing relevant documents and speaking to relevant individuals.
In most cases, we expect that complaints will be investigated and a response provided within 30 business days of receipt of the complaint. If the matter is more complex and our investigation may take longer, we will write and let you know, and tell you when we expect to provide our response.
If you are not satisfied with our response to a complaint, or you consider that we may have breached the Privacy Act (including the Australian Privacy Principles), you are entitled to make a complaint to the Office of the Australian Information Commissioner (the Australian privacy regulator).
Point of contact
To request access to or correction of personal information held in the Centre’s records, to make a privacy related complaint, to obtain more information about the Privacy Policy or to enquire about privacy matters generally, please contact the Communications Director as follows:
Communications Director
Natural Hazards Research Australia
PO Box 116 Carlton South, VIC 3053
Email: office@naturalhazards.com.au
Except in the case of more complicated requests, we will endeavour to respond to access and correction requests within 30 business days.
More details of the Privacy Act can be obtained from the office of the Australian Information Commissioner www.oaic.gov.au.