The ANAO may collect personal information in the course of undertaking its audit program and for operational purposes not related to its audit work. This policy outlines our personal information handling practices, how we handle specific types of personal information and the information collected online by the ANAO.

Introduction

The ANAO may collect personal information in the course of undertaking its audit program and for operational purposes not related to its audit work. The ANAO Privacy Policy explains the type of personal information collected by the ANAO and the ANAO’s personal information handling practices, including how we handle specific types of personal information. Given specific provisions relating to confidentiality included in the Auditor-General Act 1997 (the Act), the policy has particular application to information collection not related to audit work.

On 12 March 2014, new Australian Privacy Principles (APPs) came into effect to support the Privacy Act 1988 (Privacy Act), replacing the previous Information Privacy Principles (IPPs). The APPs set out enhanced standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. The Auditor-General and the ANAO are exempt from the Privacy Act and therefore are not legally required to comply with the APPs. While the ANAO is not obliged to comply with the APPs, the APPs do provide relevant context for the handling of information collected as part of our non-audit work.

Outline of this policy

Part A—General Personal Information Handling Practices: explains our general information handling practices across the agency including information about how we collect, use, disclose and store your personal information.

Part B—Specific Types of Personal Information: offers further detail by explaining our personal information handling practices in relation to specific ANAO functions or activities. Here you can find out what sort of records we keep and why.

Part C—Information Collected Online: explains our personal information handling practices when you visit our website.

Part A – Personal information handling practices

Our obligations under the Auditor-General Act 1997

The APPs do not affect the information gathering activities we undertake relating to our audit work, provided these activities are conducted in accordance with the Act. The Act imposes strict confidentiality requirements on the Auditor-General and on ANAO personnel to protect any personal information collected as part of our audit work. This includes information collected through our ‘contribute to an audit in progress’ or enquiries on current audits through our ‘contact us’ functions.

General personal information not related to audit work

This ANAO Privacy Policy sets out how we handle the personal information we gather as part of the ANAO’s general administration. In this context ‘personal information’ will have the same meaning as section 6 of the Privacy Act:

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

Collection

The ANAO collects personal information as part of general administration either directly from the individual or their authorised representative. Sometimes we collect personal information from a third party or a publicly available source, but only if the individual has consented to such collection or would reasonably expect us to collect their personal information in this way. This information is mainly related to employment services, human resource management and other corporate service functions.

Other examples of where we may collect personal information are listed below:

  • When an individual contacts us asking for information or advice about the ANAO’s functions and its legislation;
  • When we manage the personal and corporate service functions of the ANAO;
  • When people ask us to be on an email or mailing list so that the ANAO can send them information about its activities and publications;
  • When we record who we have had contact with in relation to media or other public relations events; or
  • When we conduct events or deliver training.

Use and disclosure

The ANAO only uses personal information for the purposes for which it was given to us, or for purposes which are directly related to one of our functions or activities, and we do not give it to other government agencies, organisations or anyone else unless one of the following applies:

  • The individual has consented;
  • The individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies;
  • It is otherwise required or authorised by law;
  • It will prevent or lessen a serious and imminent threat to somebody’s life or health; or
  • It is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

We do, in some instances, provide de-identified metrics to external agencies including Comcare, the Australian Bureau of Statistics (ABS) and the Australian Public Service Commission (APSC) relating to employee characteristics for statistical purposes only.

The ANAO provides employment data of all current and former APS employees to the APS Employment Database (APSED). This database is administered by the APSC. The APSC website explains what data is collected for APSED and how the data is stored. This information is accessible from the following link: http://www.apsc.gov.au/about-the-apsc/commission-services/apsed. ANAO staff are advised of this collection process in their ‘New Starter Pack’ upon commencement of employment with the ANAO.

Part 7 of the Act provides for audit of the ANAO by the Independent Auditor who has the same powers in relation to auditing the ANAO as the ANAO does when conducting audits in accordance with the Auditor-General functions. While this is unlikely to occur regularly, the ANAO will provide personal information to the Independent Auditor in response to a request or direction of the Independent Auditor. The Act imposes strict confidentiality requirements on the Independent Auditor and its personnel to protect any personal information collected as part of its audit work.

Data quality and security

The ANAO takes appropriate steps to ensure that the personal information we collect is accurate, up-to-date and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times, as necessary.

We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure, and against other misuse. This includes password protection for accessing our electronic IT system, securing paper files in locked cabinets and physical access restrictions.

When no longer required, personal information is destroyed in a secure manner, or deleted according to the ANAO Recordkeeping Policy requirements, which are informed by the National Archives of Australia legislation and the ANAO Records Authority. For further information please refer to www.naa.gov.au.

Access and correction

If an individual requests access to the personal information held about them, or requests a change to that personal information, the ANAO will allow access or make the changes unless we consider that there is a sound reason under the Act to withhold the information or not make the change. If we do not agree to modify the information, we will allow an individual to present a statement for attachment to the record that they sought to be modified.

How to contact us

Individuals can obtain further information in relation to this privacy policy, provide comments, request access to information held about them or request changes to that personal information by:

Post

Australian National Audit Office
GPO Box 707
Canberra ACT 2601
AUSTRALIA

Email

webmaster@anao.gov.au

Part B: Specific types of personal information

Administrative Files

Purpose

We maintain administrative files for employment related purposes or as otherwise required by law. The personal information in these files may include, but is not limited to:

  • Application(s) for employment including the employee’s resume(s), statement(s) addressing the criteria, practical exercises, referee reports and selection reports;
  • The employee’s employment contract, and other records relating to their terms and conditions of employment;
  • Details of financial and other personal interests supplied by some employees and their immediate family members for the purpose of managing perceived or potential conflicts of interest;
  • Proof of Australian citizenship;
  • Certified copies of academic qualifications;
  • Records relating to the employee’s salary, benefits and leave;
  • Medical certificates or health related information supplied by an employee, a medical practitioner or their rehabilitation consultant;
  • Individual and emergency contact details;
  • Taxation and superannuation details;
  • Information relating to the employee’s training and development;
  • Information relating to security clearances; or
  • Call logs to the IT help desk.

The purpose of keeping records on candidates for employment (applicant files) is to allow us to assess the suitability of candidates for employment at the ANAO.

Collection

We generally collect personal information directly from employees and applicants but may also collect personal information from intermediaries such as recruitment agencies and personnel providers.

We may also collect personal information about employees and applicants from third parties when it is relevant to the selection process, for example referee checks.

Use and disclosure

Information in personal and administrative files is only used for the purpose of maintaining current employee data and information for business and employment related purposes.

The ANAO does not give personal information held in these files to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

We do, however, provide anonymised metrics to some Australian Public Service Agencies such as the ABS, the APSC or Comcare regarding employee characteristics for statistical purposes only. In these occurrences all identifying personal information is removed.

Data quality

We update and maintain personal information in our personnel and administrative files as necessary, or when we are advised by individuals that their personal information has changed.

Data security

We take all reasonable steps to ensure the integrity and security of the administrative files in our possession to protect against loss, unauthorised access, misuse, disclosure or modification and to ensure that only authorised employees have access to such material.

Personal files are stored in a secure file room which only human resource and records management staff, and those with master access, can access. We do import limited amounts of personal information such as birth certificates, educational qualifications and citizenship certificates into our secure, electronic database.

Applicant files are stored electronically on a secure database. Strict access controls ensure that only those staff on a ‘need-to-know’ basis (such as recruitment and HR staff) are able to view or edit the personal information held within.

Access and correction

For information about how to access or correct personal information in our contact lists, see ‘Access and correction’ in Part A of this document.

Contact Lists

Purpose

We maintain contact lists that include information about individuals who may have an interest in our audit products and other services. We use these contact lists to distribute information about our activities and publications.

Collection

It is our usual practice to collect personal information in contact lists directly from individuals, for example, where they have asked to be added to a contact list.

Sometimes we collect personal information from a third party or publicly available source such as a website or telephone directory. We usually only collect information in this way if the individual would reasonably expect us to, or has given their consent. This is done generally when we are of the view that the individual concerned would have an interest in, or be affected by, the release of one of our products. Specific detail about our collection of information online is contained in Part C of this policy.

Use and disclosure

We use the personal information within our contact lists only for the purposes for which it was collected, to distribute information to interested parties who have expressed an interest in such information.

We do not give personal information about an individual to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

We use a number of online channels, including social networking services, to communicate with individuals and organisations with an interest in our audit products and related materials. The use of these services is governed by the online channel’s terms and conditions and privacy policies. Users may be required to supply some personal information such as their name and email address to use these channels to communicate with us. Using these services to communicate with us may make some personal information visible to us and third parties.

Data quality

We maintain and update personal information in our contact lists when we are advised by individuals that their personal information has changed. We also regularly review contact lists to check the currency of the contact information. We remove contact information of individuals who advise us that they no longer wish to be contacted.

Data security

The personal information in the contact lists is stored in either the ANAO secure Electronic Document Records Management System or in locked cabinets in paper form.

Routine access to contact lists is limited to the database operators who have responsibility for maintaining the contact lists. Other staff members have access to the personal information in contact lists on a need-to-know basis.

Access and correction

For information about how to access or correct personal information in our contact lists see ‘Access and correction’ in Part A of this document.

Part C: Information collected online

Information collected

The information requested will only be used for the purpose for which you have provided it and will not be added to a mailing list for any other purpose. We will not use your email address for any other purpose, and will not disclose it, without your consent.

For your information, the ANAO collects clickstream data every time the ANAO website is accessed. When you look at this website, our server makes a record of your visit and logs the following information:

  • the user’s server address;
  • the user’s top level domain name (for example, .com, .gov, .au, .uk, etc.);
  • the date and time of visit to the site;
  • the pages accessed and documents viewed;
  • the previous site visited;
  • the type of operating system used; and
  • the type of browser used.

Purpose

The data listed above is collected for the following purposes:

  • website and system administration, including monitoring to prevent security breaches;
  • enhancement of the website to the user’s needs; and
  • research and development.

No attempt will be made to identify users or their browsing activities, except in the unlikely event that a law enforcement (or other government) agency exercises a legal authority to inspect ISP logs (e.g., by warrant, subpoena, or notice to produce).

Cookies

A cookie is a small amount of information that is stored on your computer by our employment website server if you apply for a job at the ANAO. It is information that your web browser sends back to our employment website server whenever you visit it again. The cookie includes the identifier you entered when you created an employment account to apply for a job at the ANAO. It is used for the ongoing management of a resume or job application that you have lodged and it remains on your computer permanently.

People should be aware that the internet is an unsecured environment.

Google Analytics

In addition to web server logs, the ANAO website uses Google Analytics, a web analytics service. Reports obtained from Google Analytics are used to help improve the efficiency and usability of the ANAO website.

Google Analytics uses ‘cookies’ to help analyse how users use this site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States of America.

Google will use this information for the purpose of evaluating your use of the ANAO website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.

By using the ANAO website, you consent to Google processing data about you in the manner and for the purposes set out above. Please refer to Google’s Privacy Policy.

Third Party Providers

Some functionality of the ANAO website is not run by the ANAO and third parties may capture and store your personal information outside Australia. These third parties include (but are not limited to) Facebook, MailChimp, SurveyMonkey, Twitter and Google, which may not be subject to the Privacy Act. The ANAO is not responsible for the privacy practices of these third parties and encourages website users to examine each website’s privacy policies and make their own decisions regarding the reliability of these third party providers.

MailChimp

The ANAO uses MailChimp to provide e-mail notifications to subscribers.

To provide our news and status updates we use MailChimp, which provides online tools that can be used to create, send, and manage emails. MailChimp may collect personal information, such as distribution lists which contain email addresses, and other information relating to those email addresses. For further information about the type of personal information MailChimp collects, please refer to MailChimp’s Privacy Policy and the MailChimp Terms of Use.

MailChimp will use the information collected from you for the purpose of hosting the online platform to enable the ANAO to create, send and manage e-mail notifications. MailChimp will also use this information to measure the performance of the ANAO’s email campaigns.

MailChimp may transfer this information to its contractors or other third parties who process the information on MailChimp’s behalf, or where otherwise required to do so by law.

MailChimp is based in the United States of America (USA) and is subject to the laws of the USA. Your information (including your IP address) will be transmitted to and stored by MailChimp on servers located outside Australia.

By signing up to ANAO e-mail notifications, you:

  • consent to your personal information being collected, used and disclosed as set out in these terms and conditions, and in MailChimp’s Privacy Policy and Terms of Use;
  • consent to your personal information being sent and stored overseas, and acknowledge that Australian Privacy Principle 8.1 contained in Schedule 1 to the Privacy Act 1988 (Cth) will not apply to the use of the information;
  • acknowledge that MailChimp is not subject to the Privacy Act 1988 (Cth) and you will not be able to seek redress under the Privacy Act 1988 (Cth) for any privacy breaches by MailChimp but will need to seek redress under the laws of the USA.

You can unsubscribe at any time by selecting the “unsubscribe” option in every email sent to you by MailChimp.

If you have any questions or concerns relating to the use of your personal data please contact ag1@anao.gov.au.

Use of personal information collected

Any personal information you choose to provide will only be used for the purpose for which it was provided. We do not give personal information collected online to other agencies or organisations otherwise than in accordance with the circumstances described under the ‘Use and Disclosure’ heading in Part A of this policy.

The Internet is an insecure medium and users should be aware that there are inherent risks in transmitting information across the Internet.

Information submitted unencrypted via electronic mail or web forms may be at risk of being intercepted, read or modified. If you do not wish to email or send an online form to the ANAO, you can send mail by post.

Data quality

We will delete or correct any personal information that we hold about you on request.

If you are on one of our automated email lists, you may opt out of further contact from us by clicking the ‘unsubscribe’ link at the bottom of the email.

Data security

There are inherent risks in transmitting information across the internet and we do not have the ability to control the security of information collected and stored on third party platforms. In relation to our own servers, we take all reasonable steps to manage data stored on our servers to ensure data security.

Access and correction

For information about how to access or correct personal information collected on our website see ‘Access and correction’ in Part A of this document.