Community Services Directorate Territory Privacy Principle
About this policy
This privacy statement sets out how the ACT Community Services Directorate manages personal information when performing its functions.
This policy is written in simple language for accessibility. The Information Privacy Act 2014 sets out the specific legal obligations under which the Community Services Directorate is to collect and handle personal information.
Within the Information Privacy Act 2014, there are 13 Territory Privacy Principles which outline the specifics under which the Community Services Directorate is to collect, hold, maintain and share personal information within its control. Below, each Privacy Principle is outlined and information is provided for members of the public and for those public service officers dealing with personal information.
This statement is made in accordance with Territory Privacy Principle 1.3 of the Information Privacy Act 2014.
The Community Services Directorate will review and update this policy on a bi-annual basis and changes will be reflected on our website.
The Community Services Directorate collects, holds, uses and discloses personal information to carry out its functions under the following pieces of legislation:
- Aboriginal and Torres Strait Islander Elected Body 2008;
- Adoption Act 1993 (ACT);
- Children and Young People Act 2008;
- Community Housing Providers National Law (ACT) Act 2013;
- Disability Services Act 1991;
- Freedom of Information Act 2016;
- Health Records (Privacy and Access) Act 1997;
- Housing Assistance Act 2007;
- Native Title Act 1994;
- Public Sector Act 2014;
- Senior Practitioner Act 2018;
- Territory Records Act 2002;
- Work Health and Safety Act 2011; and
- Working with Vulnerable People (Background Checking) Act 2011.
The Community Services Directorate has responsibility for a wide range of human services functions in the ACT, including: multicultural, Aboriginal and Torres Strait Islander, women, seniors and veterans, public and community housing services and policy, homelessness and community services, children and young people, family support services and policy, disability services and policy, Child Development Services (therapy services), Child and Family Centres and Domestic and Family Safety.
Territory Privacy Principle 1 - open and transparent management of personal information
Key Principle: Agencies must have policies and procedures in place to ensure they manage information in an open and transparent way.
Territory Privacy Principle 2 - anonymity and pseudonymity
Key Principle: Agencies must give individuals the opportunity to deal with the agency on an anonymous basis or using a pseudonym (a made-up name).
Generally, when clients deal with the Community Services Directorate they have the option of remaining anonymous or using a pseudonym.
In some situations, however, you may need to provide your name to access appropriate assistance. For example, if you contact Housing ACT seeking housing assistance, you will be required to provide your identity to ensure you are being appropriately assisted and your needs met; or if you apply for information under the FOI Act 2016, you will be required to provide your personal ID.
Territory Privacy Principle 3 - collection of solicited personal information
Key Principle: An agency must not collect personal information unless the information is reasonably necessary or directly related to the agency’s functions.
The Community Services Directorate only collects personal information where the information relates to the role of the Directorate.
The main way the Directorate collects personal information is through receiving the information from the person directly; however, it can also receive information from a third party.
Personal information may be provided in a number of different ways, including through paper, online forms, email, over the telephone and by fax.
Examples of when the Community Services Directorate may collect personal information:
- The Directorate is required or authorised by law or a Court or tribunal order to collect the information;
- Individuals participate in community consultations, forums or make submissions to the Directorate, and the individual consents to the collection of their personal information;
- Individuals seek access to Directorate services, i.e. Housing ACT or the Child and Family Centre, and consent to the collection of their personal information;
- An individual makes a complaint about the way the Directorate has handled an agency function or seeks a review of a decision made by the Directorate; or
- A client asks for access to information the Community Services Directorate holds about them or other information about the Directorate’s operation.
Normally the Directorate will collect information directly from the individual unless it is unreasonable or impracticable to do so. In certain circumstances, for example where it is required by law, the Directorate may also obtain personal information collected by other Australian, state and territory government bodies or other organisations, for example in relation to matters concerning the care and protection of a child or young person.
At all times, the Community Services Directorate only collects the minimum information required. The personal information the Directorate collects and holds will vary depending on what is required to perform the Directorate’s functions and responsibilities. Personal information may include:
- information about an individual’s identity (eg date of birth, country of birth, passport details, visa details and driver’s licence);
- name, address and contact details (eg phone, email and fax);
- information about personal circumstances (eg age, gender, marital status and occupation);
- information about financial affairs (eg payment details, bank account details, and information about business and financial interests); and
- information about employment (eg applications for employment, work history, referee comments and remuneration).
Territory Privacy Principle 4 - dealing with unsolicited personal information
Key Principle: If an agency receives information without soliciting it (asking for it) or intending to collect it, the agency must decide if it could have collected the information in accordance with any of the Territory Privacy Principles.
If the Directorate could not have lawfully collected the information, and the information is not already in a Territory Record, the Directorate must destroy or de-identify the information as soon as practicable, but only if it is lawful and reasonable to do so.
Further, the Directorate will not keep any personal information which it does not have reason to collect or hold.
Territory Privacy Principle 5 - notification of the collection of personal information
Key Principle: Agencies must give timely notice to an individual when they collect personal information about that individual, or otherwise ensure the individual is fully aware of the collection.
When the Community Services Directorate is required to collect personal information from an individual, the Directorate will notify that individual about:
- who the Directorate is and the relevant contact information;
- the circumstances in which the Directorate may have collected personal information;
- the name of the law that requires the Directorate to collect this information (if any);
- why the Directorate is collecting the information;
- what may happen if the Directorate cannot collect the information required;
- who the Directorate may share the personal information with, including whether those recipients are overseas, and where;
- information about how an individual may access their personal information held by the Directorate and seek the correction of that information if necessary; and
Territory Privacy Principle 6 - use or disclosure of personal information
Key Principle: If an agency holds personal information about an individual that was collected for a particular (primary) purpose, the agency must not use or disclose the information for another (secondary) purpose without the individual’s consent unless an exception applies.
The Community Services Directorate will not use an individual’s personal information for a different reason or share personal information with other government agencies, private sector organisations or anyone else without the individual’s consent, unless an exception applies.
Exceptions include when:
- the individual would reasonably expect the Directorate to use the information for another reason;
- the use or sharing of information is legally required or authorised by an Australian law, or court or tribunal order;
- the collection or sharing of information is reasonably necessary for a law enforcement-related activity, for example sharing with the AFP;
- the Directorate reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;
- the Directorate has reason to suspect unlawful activity, or misconduct of a serious nature, that relates to its functions and reasonably believes that collection of the information is necessary in order for appropriate action to be taken; or
- the Directorate reasonably believes that the collection is reasonably necessary to help locate a person who has been reported as missing.
The Community Services Directorate contracts non-government service providers to support the Directorate to carry out specific activities and functions. In some circumstances, it may be necessary for the Directorate to share personal information with these service providers to allow the service to complete their functions. In these situations, the Directorate will protect personal information by only entering into contracts with service providers who agree to comply with the Information Privacy Act 2014.
Territory Privacy Principle 7 – Direct Marketing
This Territory Privacy Principle does not exist. The numbering of the Territory Privacy Principles mirrors the Australian Privacy Principles within the Commonwealth legislation. The Australian Privacy Principle 7 does not relate to the Territory and as such has not been added to the Information Privacy Act 2014.
Territory Privacy Principle 8 – cross-border disclosure of personal information
Key Principle: Agencies must ensure that if they share information with overseas recipients, the information will be subject to similar standards of protection.
In some circumstances, the Directorate may need to share or store information with overseas recipients, for example in relation to Intercountry Adoptions. If this disclosure is necessary, the Directorate will take reasonable steps before disclosing the information to ensure that the recipient treats the personal information with a similar standard of care to that required by the Information Privacy Act 2014. Countries with which information could be shared include Chile, China, Colombia, Hong Kong, South Africa, South Korea, Sri Lanka, Taiwan and Thailand.
Territory Privacy Principle 9 – Adoption, use or disclosure of government-related identifiers
This Territory Privacy Principle does not exist. The numbering of the Territory Privacy Principles mirrors the Australian Privacy Principles within the Commonwealth legislation. The Australian Privacy Principle 8 does not relate to the Territory and as such has not been added to the Information Privacy Act 2014.
Territory Privacy Principle 10 – quality of personal information
Key Principle: Information about an individual collected, used or disclosed by an agency should be accurate, up-to-date, complete and relevant, having regard to the purpose of the use or disclosure.
The Community Services Directorate is required to take reasonable steps to ensure that the personal information that is collected is accurate, up-to-date, and complete.
Personal information which is used or disclosed must also be relevant for the purpose for which the Directorate uses or discloses it. For example, the Directorate cannot share information that is incorrect or if the accuracy of the information is unknown.
Territory Privacy Principle 11 – security of personal information
Key Principle: If an agency holds personal information, the agency must take reasonable steps to keep it safe and secure, and to destroy or de-identify the information if the agency no longer needs the information and the information is not part of a Territory record or required to be kept by law.
The Community Services Directorate is required to take reasonable steps to ensure that the personal information it holds is safe and secure. The Directorate strives to protect personal information from misuse or unauthorised access, or disclosure in accordance with the Information Privacy Act 2014.
The Directorate is guided by the Territory Records Act 2002 for the management of personal information. This Act outlines how long Directorate information is to be stored before it can be destroyed.
The ACT Government’s ICT systems employ comprehensive protections to guard against unauthorised access.
As a part of the Directorate’s general practice, personal information is only available to staff who need to have access in order to perform their roles.
Territory Privacy Principle 12 – access to personal information
Key Principle: Individuals are entitled to request access to information the agency holds about them, in a suitable form without charge, unless the agency is exempt under another law.
Under the Information Privacy Act 2014 individuals have the right to ask for access to personal information that the Directorate holds about them.
If contact is made with the Directorate to request access to personal information under the Information Privacy Act 2014, the Directorate must provide the client with access to their information in an appropriate manner, if it is reasonable and practicable to do so. If it is not reasonable or practicable, the Directorate must respond to the request in writing within 30 days indicating why the Directorate is unable to provide access to that information.
There is no charge for making a request or providing access to personal information.
Individuals also have the right under the Freedom of Information Act 2016 to request access to documents/government information which the Directorate holds.
Each of these avenues can be discussed with the Directorate’s Privacy Officer (contact details are noted below).
Territory Privacy Principle 13 – correction of personal information
Key Principle: Individuals are entitled to request correction of information the agency holds about them, without charge.
Once the Directorate receives a request to correct personal information under the Information Privacy Act 2014, reasonable steps must be undertaken to correct the information if it is satisfied that it is incorrect, inaccurate, incomplete, irrelevant, out-of-date or misleading.
If the Directorate agrees to correct information and that information has previously been shared with another agency, the individual may request that the Directorate notify the other agency of the possible need for them to correct that information.
There may be reasons why the Directorate refuses to correct personal information, for example if the Directorate is required or authorised by law not to correct the information.
If the Directorate refuses to correct the information, a written notice of why it has been refused and how the individual may complain about the decision must be provided within 30 days. However, if the Directorate refuses to correct personal information, the individual can attach a statement outlining that they believe the information is incorrect and why, to the information on file.
There is no charge for making the request for correction, correcting the information or attaching a statement to file.
Individuals also have the right under the Freedom of Information Act 2016 to ask for personal information that the Directorate holds to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading.
Each of these avenues can be discussed with the Directorate’s Privacy Officer (contact details are noted below).
How to make a complaint
Under the Information Privacy Act 2014, complaints about how the Community Services Directorate has managed your personal information need to be made in writing to the contact details below. The Directorate is able to assist individuals to lodge a complaint if required.
The Directorate will acknowledge a complaint and respond to the complaint within 30 days, as directed under the Information Privacy Act 2014.
If you are not satisfied with our response, you may ask for a review by a more senior officer or you can make a formal privacy complaint to the Office of the Australian Information Commissioner under section 34 of the Information Privacy Act 2014. The Office of the Australian Information Commissioner is an independent body that will assess your complaint. If your complaint is upheld by the Commissioner, you may be able to seek a remedy in the Magistrates Court.
How to contact the Directorate
You can contact the Directorate through an allocated case worker; however, if you do not have a current case worker or are not a client of the Directorate, please contact the Directorate’s Privacy Officer through one of the following means:
Telephone: (02) 6205 2582
Post: GPO Box 158
Canberra ACT 2601