The ANAO may collect personal information in the course of undertaking its audit program and for operational purposes not related to its audit work. This policy outlines our personal information handling practices, how we handle specific types of personal information and the information collected online by the ANAO.

Introduction

On 12 March 2014, new Australian Privacy Principles (APPs) came into effect to support the Privacy Act 1988, replacing the previous Information Privacy Principles (IPPs). The APPs set out enhanced standards, rights and obligations in relation to handling, holding, accessing and correcting personal information.

The ANAO may collect personal information in the course of undertaking its audit program and for operational purposes not related to its audit work. This policy explains how, as an organisation, the ANAO manages the handling of personal information it collects.

Given specific provisions relating to confidentiality included in the Auditor-General Act 1997 (the Act), the policy has particular application to information collection not related to audit work. The APPs do provide relevant context for the handling of information collected as part of our audit work.

The ANAO Privacy Policy outlines our personal information handling practices, how we handle specific types of personal information and the information collected online by the ANAO.

Part A – Our personal information handling practices

Personal information collected as part of our audit work

Our obligations under the Auditor-General Act 1997

The APPs do not affect the information gathering activities we undertake relating to our audit work, provided these activities are conducted in accordance with the Act. The Act imposes strict confidentiality requirements on the Auditor-General and on ANAO personnel to protect any personal information collected as part of our audit work. This includes information provided through our ‘contribute to an audit in progress’ function, or enquiries on current audits made through our ‘contact us’ function.

Personal information not related to audit work

This privacy policy sets out how we comply with our privacy obligations under the APPs for the personal information we gather as part of the ANAO’s general administration. In this context ‘personal information’ is defined in section 6 of the Privacy Act:

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable:

(a) Whether the information or opinion is true or not; and

(b) Whether the information or opinion is recorded in a material form or not.

Collection

The ANAO collects personal information as part of general administration either directly from the individual or their authorised representative. Sometimes we collect personal information from a third party or a publicly available source, but only if the individual has consented to such collection or would reasonably expect us to collect their personal information in this way. This information is mainly related to employment services, human resource management and other corporate service functions.

Other examples of where we may collect personal information are listed below:

Enquiries

  • When an individual contacts us asking for information or advice about the ANAO’s functions and its legislation.

Administrative activities

  • When we manage the personal and corporate service functions of the ANAO.

Public awareness and education

  • When people ask us to be on an email or mailing list so that the ANAO can send them information about its activities and publications;
  • When we record who we have had contact with in relation to media or other public relations events; or
  • When we conduct events or deliver training.

Use and disclosure

The ANAO only uses personal information for the purposes for which it was given to us, or for purposes which are directly related to one of our functions or activities, and we do not give it to other government agencies, organisations or anyone else unless one of the following applies:

  • The individual has consented;
  • The individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies;
  • It is otherwise required or authorised by law;
  • It will prevent or lessen a serious and imminent threat to somebody’s life or health; or
  • It is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

We do, in some instances, provide de-identified metrics to external agencies including Comcare, the Australian Bureau of Statistics (ABS) and the Australian Public Service Commission (APSC) relating to employee characteristics for statistical purposes only.

The ANAO provides employment data of all current and former APS employees to the APS Employment Database (APSED). This database is administered by the APSC. The APSC website explains what data is collected for APSED and how the data is stored. This information is accessible from the following link: http://www.apsc.gov.au/about-the-apsc/commission-services/apsed. ANAO staff are also advised of this collection process on the welcome screen to the ANAO’s Human Resource Management System.

Data quality and security

The ANAO takes appropriate steps to ensure that the personal information we collect is accurate, up-to-date and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times, as necessary.

We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure, and against other misuse. This includes password protection for accessing our electronic IT system, securing paper files in locked cabinets and physical access restrictions.

When no longer required, personal information is destroyed in a secure manner, or deleted according to the ANAO Recordkeeping Policy requirements, which are informed by the National Archives of Australia legislation and the ANAO Records Authority. For further information please refer to www.naa.gov.au.

Access and correction

If an individual requests access to the personal information held about them, or requests a change to that personal information, the ANAO will allow access or make the changes unless we consider that there is a sound reason under the Act to withhold the information or not make the change. If we do not agree to modify the information, we will allow an individual to present a statement for attachment to the record that they sought to be modified.

How to contact us

Individuals can obtain further information in relation to this privacy policy, or provide any comments, by:

Telephone

(02) 6203 7300 (or from outside Australia +612 6203 7300)

Post

Australian National Audit Office
GPO Box 707
Canberra ACT 2601
AUSTRALIA

Email

webmaster@anao.gov.au

Part B: How we handle specific types of personal information

Personal Information and Contact Lists

Purpose

We maintain contact lists that include information about individuals who may have an interest in our audit products and other services. We use these contact lists to distribute information about our activities and publications.

Collection

It is our usual practice to collect personal information in contact lists directly from individuals, for example, where they have asked to be added to a contact list.

Sometimes we collect personal information from a third party or publicly available source such as a website or telephone directory. We usually only collect information in this way if the individual would reasonably expect us to, or has given their consent. This is done generally when we are of the view that the individual concerned would have an interest in, or be affected by, the release of one of our products.

Use and disclosure

We use the personal information within our contact lists only for the purposes for which it was collected, to distribute information to interested parties who have expressed an interest in such information.

We do not give personal information about an individual to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

We use a number of online channels, including social networking services, to communicate with individuals and organisations with an interest in our audit products and related materials. The use of these services is governed by the online channel’s terms and conditions and privacy policies. Users may be required to supply some personal information such as their name and email address to use these channels to communicate with us. Using these services to communicate with us may make some personal information visible to us and third parties.

Data quality

We maintain and update personal information in our contact lists when we are advised by individuals that their personal information has changed. We also regularly audit contact lists to check the currency of the contact information. We will remove contact information of individuals who advise us that they no longer wish to be contacted.

Data security

The personal information in the contact lists is stored in either the ANAO secure Electronic Document Records Management System or in locked cabinets in paper form.

Routine access to contact lists is limited to the database operators who have responsibility for maintaining the contact lists. Other staff members have access to the personal information in contact lists on a need-to-know basis.

Access and correction

For information about how to access or correct personal information in our contact lists see ‘Access and correction’ in Part A of this document.

Administrative Files

Purpose

We maintain administrative files for employment related purposes or as otherwise required by law. The personal information in these files may include, but is not limited to:

  • Application(s) for employment including the employee’s resume(s), statement(s) addressing the criteria, practical exercises, referee reports and selection reports;
  • The employee’s employment contract, and other records relating to their terms and conditions of employment;
  • Details of financial and other personal interests supplied by some employees and their immediate family members for the purpose of managing perceived or potential conflicts of interest;
  • Proof of Australian citizenship;
  • Certified copies of academic qualifications;
  • Records relating to the employee’s salary, benefits and leave;
  • Medical certificates or health related information supplied by an employee, a medical practitioner or their rehabilitation consultant;
  • Individual and emergency contact details;
  • Taxation and superannuation details;
  • Information relating to the employee’s training and development;
  • Information relating to security clearances; or
  • Call logs to the IT help desk.

The purpose of keeping records on candidates for employment (applicant files) is to allow us to assess the suitability of candidates for employment at the ANAO.

Collection

We generally collect personal information directly from employees and applicants but may also collect personal information from intermediaries such as recruitment agencies and personnel providers.

We may also collect personal information about employees and applicants from third parties when it is relevant to the selection process, for example referee checks.

Use and disclosure

Information in personal and administrative files is only used for the purpose of maintaining current employee data and information for business and employment related purposes.

The ANAO does not give personal information held in these files to other agencies, organisations or anyone else without consent unless the individual would reasonably expect, or has been told, that information of that kind is usually passed to those agencies, organisations or individuals, or the disclosure is otherwise required or authorised by law.

We do, however, provide anonymised metrics to some Australian Public Service Agencies such as the ABS, the APSC or Comcare regarding employee characteristics for statistical purposes only. In these occurrences all identifying personal information is removed.

Data quality

We update and maintain personal information in our personnel and administrative files as necessary, or when we are advised by individuals that their personal information has changed.

Data security

We take all reasonable steps to ensure the integrity and security of the administrative files in our possession to protect against loss, unauthorised access, misuse, disclosure or modification and to ensure that only authorised employees have access to such material.

Personal files are stored in a secure file room which only human resource staff, records management staff and those with master access can access. We do import limited amounts of personal information such as birth certificates, educational qualifications and citizenship certificates into our secure, electronic database.

Applicant files are stored electronically on a secure database. Strict access controls ensure that only those staff on a ‘need-to-know’ basis (such as recruitment and HR staff) are able to view or edit the personal information held within.

Access and correction

For information about how to access or correct personal information in our contact lists, see ‘Access and correction’ in Part A of this document.

Part C: Information collected online by the ANAO

The information requested will only be used for the purpose for which you have provided it and will not be added to a mailing list for any other purpose. We will not use your email address for any other purpose, and will not disclose it, without your consent.

For your information, the ANAO collects clickstream data every time the ANAO website is accessed. When you look at this website, our server makes a record of your visit and logs the following information:

  • the user’s server address;
  • the user’s top level domain name (for example, .com, .gov, .au, .uk, etc.);
  • the date and time of visit to the site;
  • the pages accessed and documents viewed;
  • the previous site visited;
  • the type of operating system used; and
  • the type of browser used.

The data listed above is collected for the following purposes:

  • website and system administration, including monitoring to prevent security breaches;
  • enhancement of the website to the user’s needs; and
  • research and development.

No attempt will be made to identify users or their browsing activities, except in the unlikely event that a law enforcement (or other government) agency exercises a legal authority to inspect ISP logs (e.g., by warrant, subpoena, or notice to produce).

Cookies

A cookie is a small amount of information that is stored on your computer by our employment website server if you apply for a job at the ANAO. It is information that your web browser sends back to our employment website server whenever you visit it again. The cookie includes the identifier you entered when you created an employment account to apply for a job at the ANAO. It is used for the ongoing management of a resume or job application that you have lodged and it remains on your computer permanently. Except for the operation of an employment account you may create, the remainder of the ANAO website is cookie-free.

People should be aware that the internet is an unsecured environment.

Google Analytics

In addition to web server logs, the ANAO website uses Google Analytics, a web analytics service. Reports obtained from Google Analytics are used to help improve the efficiency and usability of the ANAO website.

Google Analytics uses ‘cookies’ to help analyse how users use this site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States of America.

Google will use this information for the purpose of evaluating your use of the ANAO website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.

By using the ANAO website, you consent to Google processing data about you in the manner and for the purposes set out above. Please refer to Google’s Privacy Policy.

Third Party Providers

Some functionality of the ANAO website is not run by the ANAO and third parties may capture and store your personal information outside Australia. These third parties include (but are not limited to) Facebook, MailChimp, SurveyMonkey, Twitter and Google, which may not be subject to the Privacy Act. The ANAO is not responsible for the privacy practices of these third parties and encourages website users to examine each website’s privacy policies and make their own decisions regarding the reliability of these third party providers.
