1. Introduction
1.1 About this Privacy Policy
The Privacy Act 1988 (Privacy Act) requires entities bound by the Australian Privacy Principles to have a Privacy Policy. This Privacy Policy outlines the personal information handling practices of the Department of Finance (Finance).
This policy is written in simple language. The specific legal obligations of Finance when collecting and handling your personal information are outlined in the Privacy Act and in particular in the Australian Privacy Principles (APPs) found in that Act. We will update this Privacy Policy when our information handling practices change. Updates will be publicised on our website.
1.2 Privacy Act
In general terms, the Privacy Act regulates how personal information about an individual is collected and handled.
‘Personal information’ is information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not, or
- whether the information or opinion is recorded in a material form or not.
Personal information includes information such as:
- your name or address
- bank account details and credit card information
- photos
- internet clickstream
- cookies data, or
- information about your opinions.
The thirteen APPs in Schedule 1 of the Privacy Act regulate how agencies (including Finance) can:
- collect
- use
- disclose
- store, or
- access
your personal information.
1.3 Who should read this Privacy Policy
This Privacy Policy is particularly relevant to you if you are:
- an individual whose personal information may be given to or held by Finance
- a contractor, consultant, supplier or vendor of goods or services to Finance
- a person seeking employment, or employed with Finance
- a person seeking employment, or employed under the Members of Parliament (Staff) Act 1984
- a person seeking employment, or employed with a client agency of the Service Delivery Office, or
- a person seeking employment, or employed with the Independent Parliamentary Expenses Authority (IPEA).
1.4 Finance and anonymity
Where possible, we will allow you to interact with us anonymously or using a pseudonym. However, for most of our functions and activities we usually need your name and contact information and enough information about the particular matter to enable us to fairly and efficiently handle your matter.
2. Personal Information Holding Practices
2.1 Collection of personal information
Personal information about you may be collected by Finance from you, from your agent or from a third party. Finance uses forms, online portals, electronic and paper correspondence as well as telephone and fax to collect this information.
Under the Privacy Act, we are required to take contractual measures to ensure that contracted service providers (including subcontractors) comply with the same privacy requirements applicable to us.
Broadly grouped, the personal information we collect and hold may include:
- documents or information relating to employment with Finance, IPEA, under the Members of Parliament (Staff) Act 1984, or with a client agency of the Service Delivery Office (e.g. personnel records, health information, email and telephone records, and information on work related travel or other expenses)
- documents relating to the appointments of persons to Commonwealth Boards
- distribution and mailing lists
- contact lists
- internet clickstream and cookies data
- comments on Finance social networking services
- information relating to persons who have applied for act of grace payments, waiver of debt, compensation and other claims
- information relating to work health and safety assessments, incidents and investigations
- 24-hour CCTV surveillance footage (including photographs and/or video recordings)
- financial and other information about tenderers, contractors and customers
- information that may be collected via Finance’s Whole of Government programs (for example curriculum vitae or email addresses)
- information relating to beneficiaries of pension schemes and superannuation administered by Finance (e.g. Judges, former Judges and former Governors-General)
- Tax File Number (TFN) information
- information relating to current and former members of Parliament and their work expenses, or
- information relating to the delivery of COMCAR services to COMCAR clients and eligible passengers.
The APPs provide that Finance may only collect information for a lawful purpose that is directly related to a function or activity of Finance and when the collection is necessary for, or directly related to, that purpose. For example, Finance collects personal information to enable us to:
- administer relevant superannuation benefits
- manage employees, including to ensure or promote the health and safety of all employees
- manage the personnel records of employees of client agencies of the Service Delivery Office
- process work related expenses for employees of IPEA (for example corporate travel and other related expenses)
- manage appointments to Commonwealth Boards
- process applications for act of grace payments, waiver of debt, compensation and other claims
- process work expenses and manage the conditions of employment of persons employed by Finance, or under the Members of Parliament (Staff) Act 1984
- process work expenses for current and former members of Parliament
- deliver whole of government services, including information and communication technology services and parliamentary workflow solutions
- manage COMCAR functions and activities, or
- contact you (directly and/or via email subscription services).
2.2 Types of personal information Finance holds
Personal information we collect and hold may include:
- name, address and contact details (e.g. phone, email and fax)
- date of birth
- gender
- curriculum vitae
- qualifications and referee reports
- signature
- driver’s licence and passport information
- travel booking details
- bank account details and other financial information, or
- next of kin.
2.3 Sensitive information
We may also collect or hold a range of sensitive information about you, including your:
- racial or ethnic origin
- political opinions
- criminal record
- financial situation (this may be relevant if you have made an application for an act of grace payment, waiver of debt, compensation or other claim)
- health (including information about your medical history and ongoing medical information) where relevant to assessing an application, making reasonable adjustments in a recruitment process or the management of your health and safety or the health and safety of all employees, or
- information relevant to a work health and safety assessment, incident or investigation.
If you or another person provides Finance with sensitive information, Finance will only retain the information if:
- you have consented to the collection of the information and it is reasonably necessary for, or directly related to, one of Finance’s functions or activities
- collection of the information is required or authorised by or under an Australian law or a court/tribunal order, or
- collection of the information is authorised for other purposes permitted under the Privacy Act – this includes where Finance:
- suspects that unlawful activity, or serious misconduct, relating to Finance’s functions and activities has been, is being or may be engaged in, or
- reasonably believes that the collection is necessary to lessen or prevent a serious threat to the health or safety of any individual, or to public health or safety.
If the sensitive information does not fall within one of these categories, Finance will not keep a record of the information and instead we will arrange for its return or secure destruction if it is lawful and reasonable to do so.
2.4 TFN information
A TFN is a unique identifier issued by the Commissioner of Taxation. Finance may collect TFN information from individuals and employees for the purpose of carrying out its functions and activities.
Pursuant to sub-rule 8(2) of the Privacy (Tax File Number) Rule 2015, when collecting TFN information, Finance will notify you:
- of the taxation law, personal assistance law or superannuation law which authorises Finance to request or collect the TFN
- of the purpose(s) for which the TFN is requested or collected
- that declining to quote a TFN is not an offence, and
- of the consequence of declining to quote a TFN.
2.5 Privacy notice
At or before the time we collect your personal information (or as soon as practicable afterwards), we may provide you with a notice (also known as ‘Privacy Notice’ or ‘Australian Privacy Principle (APP) Notice’) containing the following information:
- the purpose for which the information is collected
- if the collection is required or authorised by law, or
- any person or body to whom we usually disclose the information.
Finance provides this notification on online portals and application forms.
2.6 Use and disclosure of personal information
Finance may use and disclose collected personal and sensitive information for the primary purpose for which it was collected, including to:
- process applications for work expenses of current and former Parliamentarians and their employees
- process applications for act of grace payments, waiver of debt, compensation and other claims
- respond to correspondence
- provide secretariat services
- manage appointment processes to Commonwealth Boards
- maintain contact with stakeholders, and other Government agencies
- provide external communications via electronic mail subscription services
- analyse Finance website access and downloads
- carry out ordinary government functions and activities such as briefing Ministers, responding to parliamentary questions and inquiries
- manage human resources and manage finances, including corporate travel and expenses for employees of Finance, IPEA, and client agencies of the Service Delivery Office
- manage Finance’s workforce and assist in complying with Finance’s workplace health and safety obligations
- manage human resources for individuals employed under the Members of Parliament (Staff) Act 1984 (MOP(S) Act) and assist in complying with Finance’s workplace health and safety obligations, including ensuring appropriate support and referral procedures are in place, including:
- disclosing personal and sensitive information to the Parliamentary Workplace Support Service to assist performance of its functions, including investigating and providing support for serious incidents or misconduct relating to a parliamentarian and/or a MOP(S) Act employee.
- manage COMCAR functions and activities, including managing bookings, tracking driver and travel locations, and vehicle incident reporting, or
- perform Finance’s other functions.
Some of the above information may be disclosed to contracted service providers (for example IT providers or other relevant vendors) where those service providers have been contracted to assist Finance in performing these functions.
Finance may also use or disclose your personal information for a secondary purpose where an exception applies. Exceptions may include:
- an individual has consented to a secondary use or disclosure
- an individual would reasonably expect the secondary use or disclosure, and that is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose, including:
- where Finance may need to liaise with the Parliamentary Workplace Support Service on serious incidents or misconduct relating to a parliamentarian and/or a MOP(S) Act employee.
- the secondary use or disclosure of the personal information is required or authorised by or under an Australian law or a court/tribunal order
- a permitted general situation exists in relation to the secondary use or disclosure of the personal information – this includes where Finance:
- suspects that unlawful activity, or serious misconduct, relating to Finance’s functions and activities has been, is being or may be engaged in, or
- reasonably believes that the further use is necessary to lessen or prevent a serious threat to the health or safety of any individual, or to the public health or safety
- Finance reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
- your biometrics (including photographs and voice or video recordings of you).
- Finance may also disclose your personal information to an overseas recipient for the primary purpose for which it was collected. Your personal information may, for example, be hosted on servers in the United States of America, Singapore or Hong Kong. Finance will inform you before any disclosure to an overseas recipient.
- Finance also has a regime for publishing the use of Parliamentary work expenses; this information is available on the Finance website.
2.7 Unsolicited personal information
From time to time, we receive personal information that is additional to information that we have solicited or information that we have not taken active steps to collect. This is known as ‘unsolicited personal information’ and includes:
- misdirected mail received by us
- correspondence to us, our Ministers from members of the community, or other unsolicited correspondence
- a petition sent to us that contains names and addresses
- employment, internship, work experience or volunteering applications sent to us on an individual’s own initiative and not in response to an advertised vacancy
- a promotional flyer or email containing personal information, sent to us by an individual promoting the individual’s business or services, or
- court documents for proceedings to which we are a party or may have an interest.
If we receive unsolicited personal information and we decide that we are not permitted to collect it in accordance with the APPs, we will take reasonable steps to destroy or de-identify the information as soon as practicable, unless it is contained in a ‘Commonwealth record’ or it is unlawful or unreasonable to do so.
2.8 Access to and correction of personal information
Finance takes steps to ensure that the personal information we collect is accurate, up to date and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.
Under the Privacy Act you have the right to ask for access to personal information that we hold about you, and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.
2.9 Storage and security
Finance has controls in place to protect the information we collect from loss, unauthorised access or disclosure and from any other misuse. Our controls include:
- access to personal information collected is restricted to authorised persons
- our internal network and databases are protected using firewall, intrusion detection and other technologies
- paper files containing personal and sensitive information are protected in accordance with Australian Government security policy and secured in locked cabinets, Australian Government-approved security containers or secure rooms with restricted access
- Finance’s premises are under 24-hour surveillance and access is via security passes only, with all access and attempted access logged electronically, and
- Finance conducts system audits and staff training to ensure adherence to our established protective and computer security practices.
2.10 Cloud based storage
Finance may use a cloud computing environment provided by a third party to collect and store personal information.
In order to protect personal information once it leaves the Finance environment for the cloud computing environment, Finance:
- ensures that its cloud service providers are contractually bound to protect personal information in accordance with the Privacy Act
- ensures cloud service providers offer personal information security measures that are at least equal to those used by Finance, and
- ensures contractual arrangements are in place with cloud service providers to destroy or de-identify personal information once it is no longer needed.
Finance’s use of cloud computing environments is informed by the following document:
2.11 Cookies, Google Analytics, and Clickstream data
When you visit the Finance website, we use a range of tools provided by third parties such as Google to collect or view website traffic information. These websites have their own privacy policies. We also use cookies and session tools to improve your experience when accessing our website. Information collected when you visit the Finance website may include the IP address of the device you are using and information about sites that IP address has come from. Finance uses this information to maintain, secure and improve our website. In relation to Google Analytics, you can opt out of the collection of this information using the Google Analytics Opt-out Browser Add-on.
2.12 Social Networking Services
Finance uses social networking services such as Twitter, Facebook, and YouTube to communicate to the public and potential employees. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies.
3. Complaints
3.1 How to make a complaint
If you consider that Finance has interfered with your privacy, you should first make a complaint to Finance by emailing the Privacy Team. Please allow an adequate opportunity for the complaint to be dealt with by Finance, generally giving 30 days for a response.
Upon receipt of your complaint, Finance will:
- gather the facts relevant to the complaint
- investigate the issues raised and consider how your request regarding outcomes can be met
- communicate our response to you in person and in writing, and invite you to reply to our response
- identify any systemic issues raised and possible responses, and
- record your complaint and outcome.
These steps will be taken in accordance with the Office of the Australian Information Commissioner (OAIC) checklist for addressing privacy complaints.
You can contact us by:
Post: Privacy Contact Officer
Department of Finance
1 Canberra Avenue
FORREST ACT 2603
Fax: +61 2 6283 7999
Email: privacy@finance.gov.au
3.2 How to make a complaint to the Office of the Australian Information Commissioner
If you are not satisfied with Finance’s response to your complaint, you may make a complaint to the OAIC. Where appropriate, the Commissioner can make preliminary enquiries into the matter, investigate and/or attempt to resolve the complaint by conciliation.
In some circumstances, the Commissioner may decline to investigate complaints. If a complaint is not resolved, the Commissioner may make a determination about whether an interference with privacy has occurred.
More information about the Commissioner’s privacy complaint handling process can be found here
GPO Box 5218
SYDNEY NSW 2001
Telephone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: http://www.oaic.gov.au/
4. How to Contact Us
Contact Finance’s Privacy Contact Officer if you want to:
- obtain access to your personal information
- request a correction to your personal information
- make a complaint about a breach of your privacy
- query how your personal information is collected, used or disclosed
- make a suggestion or comment in relation to our Privacy Policy, or
- ask questions about our Privacy Policy.
You can contact us by:
Post: Privacy Contact Officer
Department of Finance
1 Canberra Avenue
FORREST ACT 2603
Fax: +61 2 6283 7999
Email: privacy@finance.gov.au