To view or download this policy as a PDF click Community and General Policies Documents

Purpose

The purpose of this policy is to:

• explain how Central Desert Regional Council (Council) collects, uses, manages and discloses personal information;
• explain how individuals can make a complaint if they have concerns about how their personal information is being collected, used, managed or disclosed.

Council’s privacy policy complies with the Information Privacy Principles (IPPs) contained in the Commonwealth’s Privacy Act 1988, the Northern Territory Information Act 2002, and the Local Government Act 2019. Information Privacy Principles relate to the collection, storage, use and disclosure of personal information. The legislative provisions also cover contracted service providers and transfer of information outside of Australia. Council respects the right of an individual to have their privacy protected and commits to complying with Information Privacy Principles.

Council officers and Councillors also continue to be bound by the Code of Conduct and other existing legislative requirements relating to the handling of personal and confidential information, including the Northern Territory’s Local Government Act 2019 and the Information Act 2002.

Scope

This policy applies to all personal information collected, stored, used and disclosed by Council, its employees, Councillors, contractors and consultants, unless otherwise exempted by legislation. This policy covers personal information collected directly from individuals or from third parties in a variety of formats including correspondence, in person, over the phone and over the internet.

Personal Information is only collected when required by law, or with the individual’s consent, for a purpose directly related to the delivery of a service by Council. This includes information about clients who receive services from Aged Care, Children’s Services, the Community Development Program (CDP), Housing Maintenance, Tenancy Management, Community Safety Patrol, and Youth, Sport and Recreation. For example, this may include to assist a client of CDP obtain identification, a working with children card, or obtain a police check, as a step toward gaining employment.

It is important to note that this policy also applies to employee records.

This policy outlines Council’s obligations and commitments in relation to privacy of personal information. It provides a summary of legislative obligations to assist understanding. However, users should refer to the legislation for specific guidance and information regarding the legal requirements.

Definition and Terms

Collection notice: notification to an individual about the purpose of the collection of personal information, the use of the information, and whether it is likely to be disclosed. That notification may be oral provided a record is kept of that notification. The purpose of the collection notice is to provide evidence that Council has satisfied its obligations to take reasonable steps to protect the privacy of an individual and to ensure the individual understands why personal information is being collected. The collection notice may be oral or in writing and may take the following forms:-

• statements on forms to individuals;
• recorded messages on a telephone system;
• scripts for taking calls;
• pamphlets or brochures;
• signs on walls of Council offices;
• verbal communication;
• use of opt in opt out mechanisms.

Consent: means express or implied consent by an individual whether oral or in writing. Before consent is obtained Council employees must ensure that the individual has the capacity to give consent, is adequately informed, gives consent voluntarily and that consent is specific and current.

Contracted service provider: an external person or entity to which Council has entered into a contract or other arrangement for the provision of services on Council’s behalf.

Disclosure: personal information is disclosed to an external person or entity if:

that person/entity does not know the personal information and is not in a position to otherwise find it out; and the personal information is provided to the person/entity or placed in a position to enable them to find it out; and Council ceases to have control over the external person/entity in relation to who will know the personal information in the future.

Individual: a natural living person.

Normal business activities: in the context of Use / Disclosure of Information this relates to only using/disclosing personal information collected/obtained for the specific activity for which it was initially gathered (primary purpose) or a secondary activity related to that primary activity and where the individual would reasonably expect Council to use the information in that way.

Personal Information: is information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Some examples of a person’s “personal information” are their name, address, phone number, email address, signature, a photograph or other image of them, their credit card number, and anything else that can be reasonably used to identify them. Personal information includes employee information, of which there are two categories:

• routine work related personal information - the use and disclosure of which is not normally considered to be a breach of the IPPs;
• other employee personal information – which requires protection under the IPPs.

Privacy Statement: Council’s Privacy Statement.

Sensitive Information: includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, membership of a union or professional or trade association, religious or philosophical beliefs or affiliations, criminal record, health, impairment, and sexual preferences or practices (Schedule 2, Information Act). It also includes information about Aboriginal sacred site or Aboriginal tradition.

Storage: includes all means of storing personal information in whatever form (including hardcopy, electronic and any other methods of storage).

Third Party: in relation to personal information, a person or body other than Council and the individual who is the subject of the information. This includes contracted service providers.

Use: Council uses personal information if it:

• manipulates, searches or otherwise deals with the information; or
• takes the information into account in the making of a decision; or
• transfers the information from one part of Council having particular functions to another part having different functions.

Accordingly, this is when personal information is used internally – for example: undertaking searches, contacting customers, decision making, processing of applications and requests, transferring information from one unit to another unit etc. “Use” does not include disclosing the personal information to an external person or entity.

Legislation and Reference

Privacy Act 1988 (Commonwealth)
Information Act 2002 (NT)
Local Government Act 2019 (NT)

Policy Statement

Information Privacy Principles

Council will adhere to the Information Privacy Principles (IPPs) contained in the Schedule 2 of the Information Act 2002. The following includes a summary of those principles. For the complete wording of the IPPs, refer to the Information Act.

IPP 1, 2 and 3 – Collection of personal information (lawful and fair; requested from individual; relevance etc.)

In complying with its obligations under IPPs 1-3, Council will:

1. only collect personal information for a lawful purpose directly related to its functions or activities
2. only collect such personal information as is needed to fulfil the purpose, or directly related to the purpose
3. only collect personal information by transparent, lawful and fair means and not in an unreasonably intrusive way
4. ensure personal information collected is complete, relevant to the purpose for which it is collected and up to date.
5. at collection time, or as soon as practical thereafter, take reasonable steps to ensure that the person is generally aware of:
   • the purpose of the collection
   • if the collection is authorised or required under a law
   • if it is Council’s usual practice to disclose this type of personal information, and to whom it is disclosed to.

The taking of these reasonable steps (however that occurs) constitute a collection notice.

Exemptions to (e):

• personal information collected in the context of emergency service delivery
• if Council reasonably believes there would be little practical benefit to the individual
• the individual would not reasonably expect to be made aware of these matters
• law enforcement activities.

Additionally, Council will:

1. at collection time, obtain an individual’s consent, where Council wishes to use the personal information collected for purposes other than its normal business activities and allow individuals to change their consent anytime thereafter; and
2. make an individual aware at the time of collection when Council knows that the personal information collected will be transferred to a third-party (i.e. service provider), and/or stored outside of Australia, to allow individuals to consent to this; and
3. collect personal information about an individual directly from the individual or from the individual’s activities (including from the use of cookies, web bugs and smartcards), without unreasonably intruding on the personal affairs of an individual; and
4. make the individual aware when Council has collected information about the individual from a third party.

IPP 4 – Storage and security of personal information

Personal information is stored on a secure server and council employees will only have access to an individual’s personal information on a ‘need to know basis’ in order to enable them to carry out their duties.

In complying with its obligations under IPP 4, Council will:

1. take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
2. take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

IPP 5 – Openness

In complying with its obligations under IPP 5, Council will take reasonable steps to allow individuals to find out:

• generally what sort of personal information it holds;
• for what main purposes personal information is held; and
• what an individual should do to obtain access to documents containing personal information about them.

Additionally, Council will:

1. make its Privacy Statement accessible from all of its Offices; and
2. make its Privacy Statement accessible from the website.

IPP 6 – Access and Correction

In complying with its obligations under IPP 6, Council will:

1. inform individuals of the avenues available to allow them, and what they should do, to access and correct their personal information;
2. where possible and upon reasonable request allow individuals to access personal information about them;
3. where it is not possible for Council to allow an individual to access personal information about them, Council will provide reasons for refusal of access.

There are a number of administrative access avenues for individuals to access their personal information. For access requests outside of these, refer to:

• Information Act 2002 (Northern Territory)
• Privacy Act 1988 (Commonwealth)

In complying with its obligations under IPP 6, Council will take reasonable steps to correct/update the personal information of individuals when Council is informed that such information is irrelevant, inaccurate, incomplete or out of date. This is subject to any legislative limitations.

IPP 7 - Identifiers

In complying with its obligations under IPP 7; Council will:

1. not assign unique identifiers to individuals unless it is necessary to enable the organisation to perform its functions efficiently.
2. not adopt a unique identifier of an individual that has been assigned by another public sector organisation unless:
   • it is necessary to enable the organisation to perform its functions efficiently; or
   • it has obtained the consent of the individual to do so; or
   • it is an outsourcing organisation adopting the unique identifier created by a contract service provider in the performance of its obligations to the outsourcing organisation under a service contract.
3. not use or disclose a unique identifier assigned to an individual by another public sector organisation unless:
   • the use or disclosure is necessary for the Council to fulfil its obligations to that other organisation; or
   • it has obtained the consent of the individual to the use or disclosure.

IPP 8 - Anonymity

The Council will give individual entering transactions with the organisation the option of not identifying himself or herself unless it is required by law or it is not practicable that the individual is not identified. Generally it is not possible to deliver a service to an individual if they choose to remain anonymous.

IPP 9 - Trans border data flows

In complying with its obligations under IPP 9; Council will not transfer personal information about an individual to a person (other than the individual) outside the Territory unless it is within the guidelines of the Information Act 2002.

IPP 10 - Sensitive information

In complying with its obligations under IPP 10; Council will not:

(a)collect sensitive information about an individual unless:

• the individual consents to the collection; or
• the organisation is authorised or required by law to collect the information; or
• the individual is:
  • physically or legally incapable of giving consent to the collection; or
  • physically unable to communicate his or her consent to the collection;
  • and collecting the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual or another individual;
• collecting the information is necessary to establish, exercise or defend a legal or equitable claim; or
• there is no other reasonably practicable alternative to collecting the information for that purpose; and
• it is impracticable for the organisation to seek the individual's consent to the collection.

Contracted Service Providers

Council will take all reasonable steps to ensure that contracted service providers are required to comply with the requirements of the Information Act when they are provided with, or collect, personal information in order to provide services on Council’s behalf. This applies to all contracts or agreements entered into on or after 1 July 2012.

Employee Information

Council will protect the personal information of its employees, Councillors, contractors and consultants in accordance with this policy. Work-related personal information will only be disclosed where it is part of Council’s normal business activities (examples include name, officer designation, work phone numbers and so forth).

COMPLAINTS, CONCERNS OR REQUESTS FOR ACCESS

If an individual:

• has a complaint or concern about the way Central Desert Regional Council has collected, used, managed or disclosed personal information, or
• wishes to access or correct personal information about them held by Central Desert Regional Council

they should contact: The Executive Services Manager on 08 8958 9595.

Review History