Privacy Principles 1-13
Information obtained through the CSD Website
How to make a Complaint
How to contact the Directorate
About this Policy
This policy is written in simple language for accessibility. The Information Privacy Act 2014 sets out the specific legal obligations under which the Community Services Directorate is to collect and handle personal information.
Within the Information Privacy Act 2014, there are 13 Territory Privacy Principles which outline the specifics under which the Community Services Directorate is to collect, hold, maintain and share personal information within its control. Below, each Privacy Principle is outlined and information is provided for members of the public and for those public service officers dealing with personal information.
This policy is made in accordance with Territory Privacy Principle 1.3 of the Information Privacy Act 2014.
The Community Services Directorate will review and update this policy on a bi-annual basis and changes will be reflected on our website.
The Community Services Directorate collects, holds, uses and discloses personal information to carry out its functions under the following pieces of legislation:
- Aboriginal and Torres Strait Islander Elected Body 2008;
- Adoption Act 1993 (ACT);
- Children and Young People Act 2008;
- Disability Services Act 1991;
- Freedom of Information Act 2016;
- Health Records (Privacy and Access) Act 1997;
- Housing Assistance Act 2007;
- Native Title Act 1994;
- Public Sector Act 2014;
- Territory Records Act 2002; and
- Work health and Safety Act 2011.
The Community Services Directorate has responsibility for a wide range of human services functions in the ACT, including: multicultural, Aboriginal and Torres Strait Islander, women, older people, public and community housing services and policy, homelessness and community services, children and young people, family support services and policy, disability services and policy, therapy services, Child and Family Centres and Family Safety.
Territory Privacy Principle 1
open and transparent management of personal information
Key Principle: Agencies must have policies and procedures in place to ensure they manage information in an open and transparent way.
Territory Privacy Principle 2
anonymity and pseudonymity
Key Principle: Agencies must give individuals the opportunity to deal with the agency on an anonymous basis, or using a pseudonym (a made up name).
Generally when clients deal with the Community Services Directorate (for example when calling on the phone to make an enquiry) they have the option of remaining anonymous or using a pseudonym.
However, in some situations the Community Services Directorate will need the client to provide their name in order to provide services or assistance, or if the Directorate is authorised or required by law to deal with an identified individual. For example a Housing ACT client or prospective client will need to provide their name for the agency to provide appropriate assistance.
If it is impracticable or unlawful for the Directorate to deal with a client without them providing identifying information the staff member will advise the client why their personal information is required and what it will mean if the information is not collected.
Territory Privacy Principle 3
collection of solicited personal information
Key Principle: An agency must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the agency's functions. Sensitive information (as defined under the Information Privacy Act 2014) will normally also require that the individual consents unless an exception applies.
At all times the Community Services Directorate will try to only collect personal information where that information is reasonably necessary for, or directly related to, one or more of our functions or activities.
The main way in which the Community Services Directorate collects personal information is when it is received by the individual directly to the Directorate.
Personal information may be collected in a variety of ways, including through paper or online forms, in correspondence to and from the individual as well as email, over the telephone and by fax.
The Community Services Directorate collects personal information such as contact details and complaint or report details when:
- The Directorate is required or authorised by law or a Court or tribunal order to collect the information;
- individuals participate in community consultations, forums or make submissions to the Directorate, and the individual consents to the collection of their personal information;
- individuals seek access to Directorate services ie Housing ACT and consents to the collection of their personal information;
- an individual makes a complaint about the way the Directorate has handled an agency function or seeks a review of a decision made by the Directorate; or
- a client asks for access to information the Community Services Directorate holds about them or other information about the Directorate's operation.
Normally the Directorate will collect information directly from the individual unless it is unreasonable or impracticable to do so. In certain circumstances, for example where it is required by law, the Directorate may also obtain personal information collected by other Australian, state and territory government bodies or other organisations. For example, in relation to matters concerning the care and protection of a child or young person.
At all times the Community Services Directorate will try to only collect the minimum information required. The personal information the Directorate collects and holds will vary depending on what is required to perform the Directorate's functions and responsibilities. Personal information may include:
* information about an individual's identity (eg date of birth, country of birth, passport details, visa details and drivers licence)
* name, address and contact details (eg phone, email and fax)
* information about personal circumstances (eg age, gender, marital status and occupation)
* information about financial affairs (eg payment details, bank account details, and information about business and financial interests)
* information about employment (eg applications for employment, work history, referee comments and remuneration)
Under the Information Privacy Act 2014 ‘sensitive information’ is personal information that is about an individual's:
- racial or ethnic origin; or
- political opinions; or
- membership of a political association; or
- religious beliefs or affiliations; or
- philosophical beliefs; or
- membership of a professional or trade association; or
- membership of a trade union; or
- sexual orientation or practices; or
- criminal record; or
- genetic information; or
- biometric information (including photographs, voice or video recordings); or
- a biometric template that relates to the individual.
The Community Services Directorate will not collect sensitive information without the individuals consent unless the collection is required or authorised by a law, or court or tribunal order, or is necessary to prevent a threat to the life, health or safety of one or more individuals, or to public health or safety.
In essence, the Community Services Directorate will try not to collect personal information about you if it is not necessary.
Territory Privacy Principle 4
dealing with unsolicited personal information
Key Principle: If an agency receives information without soliciting it or intending to collect it, the agency must decide if it could have collected the information in accordance with any of the Territory Privacy Principles.
If the Directorate could not have lawfully collected the information, and the information is not already in a Territory Record, the Directorate must destroy or de-identify the information as soon as practicable, but only if it is lawful and reasonable to do so.
Further, the Directorate will not keep any personal information which it does not have reason to collect or hold.
Territory Privacy Principle 5
notification of the collection of personal information
Key Principle: Agencies must give timely notice to an individual when they collect personal information about that individual, or otherwise ensure the individual is fully aware of the collection.
When the Community Services Directorate is required to collect personal information from an individual, the Directorate will notify that individual about:
- who the Directorate is and how the relevant area can be contacted;
- the circumstances in which the Directorate may have collected personal information;
- the name of the law that requires the Directorate to collect this information (if any)
- the purposes for which the Directorate is collecting the information
- the consequences for the individual if the Directorate cannot collect the information required
- the details of any agencies or types of agencies which the Directorate normally shares personal information with, including whether those recipients are overseas, and which countries those recipients are located in
- information about how an individual may access their personal information held by the Directorate and seek the correction of that information if necessary
Territory Privacy Principle 6
use or disclosure of personal information
Key Principle: If an agency holds personal information about an individual that was collected for a particular (primary) purpose, the agency must not use or disclose the information for another (secondary) purpose without the individual's consent unless an exception applies.
The Community Services Directorate will not use an individual's personal information for a secondary purpose or share personal information with other government agencies, private sector organisations or anyone else without the individuals consent, unless an exception applies.
Exceptions include when:
- the individual would reasonably expect the Directorate to use the information for the secondary purpose that is related (or directly related - in the case of sensitive information) to the original purpose for which the information was collected
- the use or sharing of information is legally required or authorised by an Australian law, or court or tribunal order
- the collection is reasonably necessary for an law enforcement-related activity such as the prevention, detection, investigation prosecution or punishment of criminal offences or breaches of the law, intelligence gathering, surveillance, conduct of protective or custodial services
- the Directorate reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
- the Directorate has reason to suspect unlawful activity, or misconduct of a serious nature, that relates to its functions and reasonably believes that collection of the information is necessary in order for appropriate action to be taken
- the Directorate reasonably believes that the collection is reasonably necessary to help locate a person who has been reported as missing.
The Community Services Directorate contracts non government service providers to support the Directorate to carry out specific activities and functions. In some circumstances it may be necessary for the Directorate to share personal information with these service providers to enable them to perform their functions efficiently and effectively. In these situations the Directorate will protect personal information by only entering into contracts with service providers who agree to comply with Territory Privacy Principle requirements for the protection of personal information.
The Community Services Directorate may disclose your personal information to Shared Services Finance, Chief Minister and Economic Development Directorate for the purposes of invoicing you for goods and services that you have received, and the recovery of any outstanding monies owed by you to the Territory in relation to the provision of these goods and services. The directorate may not provide your requested goods or services if you do not agree to this collection and disclosure.
Territory Privacy Principle 7
This Territory Privacy Principle does not exist. The numbering of the Territory Privacy Principles mirrors the Australian Privacy Principles within the Commonwealth legislation. The Australian Privacy Principle 7 does not relate to the Territory and as such has been omitted from the Information Privacy Act 2014.
Territory Privacy Principle 8
cross-border disclosure of personal information
Key Principle: Agencies must ensure that if they share information with overseas recipients, the information will be subject to similar standards of protection.
In some circumstances the Directorate may need to share or store information with overseas recipients. If this disclosure is necessary the Directorate will take reasonable steps before disclosing the information to ensure that the recipient treats the personal information with the similar standard of care as is required by the Information Privacy Act.
In some cases, the information will already be sufficiently protected under the law governing the overseas recipient, and clients can access mechanisms to enforce those protections.
If it is practical and reasonable to do so, the Directorate will obtain consent for overseas disclosure. An example of cross-border disclosure is in relation to inter-country adoptions however there may be other situations where information is disclosed overseas.
It is important to note that the Directorate will undertake reasonable steps to ensure the overseas recipient understands their requirements on obtaining the personal information.
Territory Privacy Principle 9
Adoption, use or disclosure of government-related identifiers
This Territory Privacy Principle does not exist. The numbering of the Territory Privacy Principles mirrors the Australian Privacy Principles within the Commonwealth legislation. The Australian Privacy Principle 8 does not relate to the Territory and as such has been omitted from the Information Privacy Act 2014.
Territory Privacy Principle 10
quality of personal information
Key Principle:Information about an individual collected, used or disclosed by an agency should be accurate, up-to-date, complete and relevant, having regard to the purpose of the use or disclosure.
The Community Services Directorate is required to take reasonable steps to ensure that the personal information that is collected is accurate, up-to-date, and complete.
Personal information which is used or disclosed must also be relevant for the purpose for which the Directorate uses or discloses it. For example, the Directorate cannot share information that is incorrect or if the accuracy of the information is unknown.
Territory Privacy Principle 11
security of personal information
Key Principle: If an agency holds personal information, the agency must take reasonable steps to keep it safe and secure, and to destroy or de-identify the information if the agency no longer needs the information and the information is not part of a Territory record or required to be kept by law.
The Community Services Directorate is required to take reasonable steps to ensure that the personal information it holds is safe and secure. The Directorate strives to protect personal information from misuse, interference or loss and from unauthorised access, use, modification or disclosure in accordance with the Information Privacy Act 2014.
The Territory Records Act 2002 establishes frameworks for the management of personal information if it is held within the files or data systems of the Community Services Directorate.
The ACT Government's IT systems employ comprehensive protections to guard against unauthorised access.
As a part of the Directorate's general practice, personal information is only available to staff who need to have access in order to perform their roles. Additionally, further legislative compliance is necessary when dealing with specific information such as information regarding children and young people under the Children and Young People Act 2008.
Territory Privacy Principle 12
access to personal information
Key Principle: Individuals are entitled to request access to information the agency holds about them, in a suitable form without charge, unless the agency is exempt under another law.
In accordance with the Information Privacy Act (Territory Privacy Principles 12 and 13) individuals have the right to ask for access to personal information that the Directorate holds about them. Individuals are also entitled to request that the Directorate correct that personal information, if it is believed it is no longer accurate or up-to-date.
If contact is made with the Directorate to request access to personal information, the Directorate must provide the client with access to their information in an appropriate manner, if it is reasonable and practicable to do so.
If it is not reasonable or practicable, the Directorate must respond to the request in writing within 30 days indicating why the Directorate is unable to provide access to that information.
There is no charge for making a request or providing access to documents.
Individuals also have the right under the Freedom of Information Act 2016 to request access to documents which the Directorate holds and ask for personal information that the Directorate holds to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading.
Each of these avenues can be discussed with an allocated case manager or with the Directorate’s Privacy Officer.
Territory Privacy Principle 13
correction of personal information
Key Principle: Individuals are entitled to request correction of information the agency holds about them, without charge.
Once the Community Services Directorate receives a request to correct personal information held by the Directorate, reasonable steps must be undertaken to correct the information if it is satisfied that it is incorrect, inaccurate, incomplete irrelevant, out-of date or misleading.
If the Directorate agrees to correct information and that information has previously been shared with another agency, the individual may request that the Directorate notify the other agency of the possible need for them to correct that information.
There may be reasons why the Directorate refuses to correct personal information, for example if the Directorate is required or authorised by law not to correct the information.
If the Directorate refuses to correct the information, a written notice of why it has been refused and how the individual may complain about the decision must be provided within 30 days.
If the Directorate refuses to correct personal information, the individual has the opportunity to attach or link a statement outlining that they believe the information is incorrect and why, to the information on file.
There is no charge for making the request for correction, correcting the information or attaching a statement to file.
Each of these avenues can be discussed with an allocated case manager or with the Directorate’s Privacy Officer.
How to make a Complaint
Complaints about how the Community Services Directorate has managed your personal information need to be made in writing to the contact details below. The Directorate is able to assist individuals to lodge a complaint if required.
The Directorate will consider a complaint to work out how it can be best resolved satisfactorily.
The Directorate will acknowledge a complaint and respond to the complaint within 30 days.
If you are not satisfied with our response you may ask for a review by a more senior officer or you can make a formal privacy complaint to the Australian Privacy Commission under section 34 of the Information Privacy Act 2014. The Australian Privacy Commission is an independent body that will assess your complaint and can make a determination that our actions are an interference with your privacy. If your complaint is upheld by the Commissioner you may be able seek a remedy in the Magistrates Court.
Information obtained through the CSD Website
The below information relates to the CSD website and includes the collection, use, security of and access to information that may be obtained through the use the Community Services Directorate website.
These websites are managed by the Community Services Directorate.
When a member of the community accesses the Community Services Directorate website to read or download information, Community Services Directorate automatically records the following information in their log files:
- Your Internet Protocol (IP) address. The IP Address is a unique numerical identifier used by computers and other devices to identify and communicate with each other over a network Community Services Directorate uses the IP Address to direct requested web pages to you where this is required.
- Top level domain name (eg: .com, .net, .gov, .au etc)
- The type of browser and operating system you used
- Date and time of your visit
- The previous site visited
- Which pages are accessed
- The time spent on individual pages and the site overall
- Which files were downloaded
- What keywords you used to search the site
This information is used to improve the content of web services and to help Community Services Directorate to understand how people are using these services.
Community Services Directorate analyses web server logs to continually improve the value of these website services. The logs do not collect or store personally identifiable information, and Community Services Directorate makes no attempt to identify individuals that browse these websites.
Personal information is defined as information about an individual whose identity is apparent or can reasonably be ascertained by that information.
Community Services Directorate will only collect personal information about you when you voluntarily participate in an activity that asks for information, such as:
- Sending an enquiry or feedback
- Participating in a survey
- Undertaking a payment or other transaction
- Suggesting a link
Community Services Directorate will collect personal and financial information (e.g. postal address and invoice numbers) where you choose to provide this information. The information requested in each case is required to complete the transaction.
If you choose not to provide personal information when completing one or more of these activities, you may not be able to complete that activity. If you choose not to participate in these activities, your choice will in no way affect your ability to browse these websites.
Google will not collect personal information about you and the reports provided by Google to us will only contain aggregate non personal data about your use of this website, (these reports may contain data relating to pages viewed, files downloaded or the completion of online subscriptions). Community Services Directorate will use the data collected by Google Analytics to improve the functionality of this website.
Community Services Directorate has taken several steps to safeguard the integrity of its telecommunications and computing infrastructure including, but not limited to, authentication, monitoring, auditing and encryption. Security measures have been integrated into the design, implementation and day-to-day practices of the entire Community Services Directorate operating environment as part of its continuing commitment to risk management.
Community Services Directorate has security measures in place to protect your information against loss, misuse and alteration. These security measures ensure the privacy of information while it is being transmitted across the Internet.
Your details, and the details of what you are paying for, are protected across the Internet by high-strength 128 bit SSL encryption provided you are using at least version 6.0 or later of Microsoft Internet Explorer.
Obligations for Australian Government Agencies
With respect to the collection, use and disclosure of personal information, Community Services Directorate is bound by the Territory Privacy Principles of the Information Privacy Act 2014. Community Services Directorate also follows the Guidelines for Federal and ACT Government Websites issued by the Office of the Privacy Commissioner. Community Services Directorate ensures that appropriate standards are used when government service provision is outsourced to the private sector.
Neither the ACT Government, nor any agency, officer nor employee of the ACT Government warrants the accuracy, reliability or timeliness of any information published by this system, nor endorses any content, viewpoints, products or services linked from this system and shall not be held liable for any losses caused by reliance on the accuracy, reliability or timeliness of such information.
Portions of such information may be incorrect or not current. It is your responsibility to verify all information provided by this web site and/or web sites linked to or from this site. Any person or entity that relies on any information obtained from this system does so at his or her own risk.
For more information, refer to our disclaimer statement.
You can contact the Directorate through an allocated case worker, however if you do not have a current case worker or are not a client of the Directorate, please contact the Directorate's Privacy Officer through one of the following means:
CSD Privacy Officer
Community Services Directorate
GPO Box 158
CANBERRA ACT 2601
Telephone: 6205 2583
Level 8, 11 Moore Street
Canberra City ACT 2601
If the issue is not resolved to your satisfaction you may wish to contact the Privacy Commissioner