APP1 Open & transparent management of personal information
CHL is committed to managing personal information in an open and transparent way. CHL will provide this policy free of charge and in an appropriate format.
APP2 Anonymity and pseudonymity
Whenever it is lawful and practicable, individuals will have the option of not identifying themselves by dealing with us anonymously or by using a pseudonym.
APP 3 – Collection of solicited personal information
Personal information will only be collected when it’s reasonably necessary for one or more of CHL’s functions or activities. Personal information will be collected using lawful and fair means and not in an unreasonably intrusive way. CHL will only collect personal information from the individual, unless it is unreasonable or impracticable to do so.
What personal information we collect
We may collect the following types of personal information from you:
• Phone number
• Fax number
• Household makeup
• Financial situation
• Rental history
• Information from enquiries you have made
• Communications between us
Sensitive information may also be collected about an individual:
• if required or authorised by or under an Australian law or a court/tribunal order
• when a permitted general situation or permitted health situation applies
Permitted general situations include the collection of sensitive information where:
• CHL reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the collection
• CHL has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to CHL’s functions or activities has been, is being or may be engaged in, and CHL reasonably believes that the collection is necessary for CHL to take appropriate action in relation to the matter
• CHL reasonably believes that the collection is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing
APP 4 – Dealing with unsolicited personal information
Unsolicited personal information will be afforded the same privacy protection as solicited personal information. Where CHL receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under APP 3. If so, APPs 5 to 13 will apply to that information.
If the information could not have been collected under APP 3, and the information is not contained in a Commonwealth record, CHL will destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so.
APP 5 – Notification of the collection of personal information
1. At the time of collection (or as soon as practicable afterwards) CHL will take reasonable steps to ensure that the individual is told:
• how he or she may contact CHL
• that they can access the information;
• why the information is collected;
• the disclosure practices of CHL;
• any law that requires the particular information to be collected and the main consequences (if any) for the individual if all or part of the information is not provided;
2. If CHL collects the personal information from someone other than the individual, or the individual may not be aware that CHL has collected the personal information we will also take reasonable steps to notify an individual, or otherwise ensure that the individual is aware that CHL collects or has collected the information, and of the circumstances of that collection.
3. CHL does not disclose information to overseas recipients.
4. CHL will take reasonable steps to notify an individual, or otherwise ensure that the individual is aware that its APP policy contains information about how to access and seek correction of personal information, and information about CHL’s complaints process.
APP 6 – Use and disclosure of personal information
CHL will use or disclose personal information for the primary purpose for which it was collected.
CHL will use personal information for another purpose (secondary purpose) if:
1. the individual has consented; or
2. the secondary purpose is related to the primary purpose and the individual would reasonably expect CHL to use or disclose the information for the secondary purpose. If the personal information is sensitive information, the secondary purpose must be directly related to the primary purpose of collection; or
3. CHL reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety or a serious threat to public health or public safety; or
4. CHL has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant authorities or persons; or
5. The use or disclosure is required or authorised by or under law; or
6. CHL reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
• the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
• the enforcement of laws relating to the confiscation of the proceeds of crime; or
• the protection of the public revenue; or
• the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
• the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
• As with the IPPs and NPPs, when enacted, the APPs will regulate the collection, holding, use and disclosure of personal information that is included in records. The APPs will apply to government agencies to which the IPPs currently apply and to private sector organisations to which the NPPs currently apply (collectively referred to as APP entities in the Bill).To assist any APP entity, body or person to locate a person who has been reported as missing (where CHL reasonably believes that this use or disclosure is reasonably necessary, and where that use or disclosure complies with rules made by the Commissioner under s 16A(2)) (APP 6.2(c), permitted general situation 3 (s 16 A (1), item 3))
• for the establishment, exercise or defence of a legal or equitable claim (APP 6.2(c), permitted general situation 4 (s 16A(1), item 4))
• for the purposes of a confidential alternative dispute resolution process (APP 6.2(c), permitted general situation 5 (s 16A(1), item 5)).
Any personal information used or disclosed for any of the reasons in this paragraph, must be recorded in writing
APP 7 – Direct marketing
CHL will obtain the consent of the individual before using or disclosing sensitive information for the purpose of direct marketing.
CHL will only use or disclose personal information for direct marketing purposes if an exception, listed in APPs 7.2 to 7.5, applies.
Under APP 7.2, CHL may use or disclose personal information (other than sensitive information) about an individual if:
• it collected the information from the individual
• the individual would reasonably expect that their personal information would be used or disclosed for direct marketing
CHL has provided a simple means by which the individual can request not to receive direct marketing, and the individual has not made such a request.
Where an individual would not reasonably expect his or her personal information to be used for direct marketing, or the information has been collected from a third party, CHL may only use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
• the individual has consented to the use or disclosure for this purpose, or it is impracticable to seek this consent
• CHL has provided a simple means by which the individual can opt out of direct marketing and the individual has not opted out, and
• in each direct marketing communication the organisation must include a prominent statement telling the individual that he or she may request to no longer receive direct marketing, and no request is made.
• If CHL is a contracted service provider for a Commonwealth contract, it may use or disclose personal information for the purpose of direct marketing if doing so meets an obligation under the contract.
• Individuals have the right to contact CHL to:
o request not to receive direct marketing communications from CHL
o request CHL not to disclose their personal information to other organisations for the purposes of direct marketing or
o request CHL to provide its source of the individual’s personal information
CHL will comply with these requests within a reasonable period and free of charge.
CHL does not need to comply with requests to disclose the source of information if it is impracticable or unreasonable to do so.
APP 7 is subject to the operation of other direct marketing legislation, including the Do Not Call Register Act 2006 and the Spam Act 2003 (APP 7.8).
APP 8 – Cross border disclosure of personal information
Before CHL discloses personal information to an overseas recipient, we will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.
The above does not apply where:
• CHL reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is, overall, substantially similar to the APPs; and there are mechanisms available to the individual to enforce that protection or scheme
• an individual consents to the cross-border disclosure, after CHL informs them that APP 8.1 will no longer apply if they give their consent
• where the cross border disclosure is required or authorised by or under an Australian law, or a court/tribunal order
• where CHL reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety where CHL reasonably believes that the disclosure is necessary to take action in relation to the suspicion of unlawful activity or misconduct of a serious nature that relates to CHL’s functions or activities where CHL reasonably believes that the disclosure is necessary to assist any APP entity, body or person to locate a person who has been reported as missing
APP 9 – Adoption, use or disclosure of government related identifiers
CHL will not adopt, use or disclose a government related identifier of an individual as its own identifier of the individual unless one of the following exceptions applies.
• where the adoption of the identifier is authorised by or under an Australian law or a court/tribunal order.
• where the use or disclosure of the identifier is reasonably necessary for CHL to verify the identity of the individual for the purposes of CHL’s activities or functions
• where the use or disclosure is required or authorised by a court/tribunal order
• where the use or disclosure is reasonably necessary for an enforcement related activity being conducted by, or on behalf of, an enforcement body
APP 10 – quality of personal information
CHL will take reasonable steps to ensure that the personal information that it collects is accurate, up-to-date and complete. For uses and disclosures, CHL will take reasonable steps to ensure that the personal information is accurate, up-to-date, and complete as well as relevant, having regard to the purpose of that use or disclosure.
APP 11 – security of personal information
CHL will take reasonable steps to protect personal information it holds from misuse and loss and from unauthorised access, modification, interference or disclosure. CHL will also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed in accordance with the APPs as long as:
• it is not contained in a Commonwealth record, and
• CHL is not required by or under an Australian law, or a court/tribunal order, to retain the information
APP 12 – access to personal information
1. CHL will give an individual access to their personal information, at the request of that individual unless:
• giving access would pose a serious threat to the life or health of any individual
• access should be withheld based on a serious threat to public health or safety
• denying access is required or authorised by or under Australian law or a court/tribunal order
• providing access would be likely to prejudice an investigation of possible unlawful activity
• providing access would be likely to prejudice actions by or on behalf of an enforcement body in relation to unlawful activity or seriously improper conduct
2. CHL is not required to give an individual access to their personal information if:
• CHL has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and
• giving access would be likely to prejudice the taking of appropriate action in relation to the matter.
• CHL will not give an individual access to their personal information if giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body
3. Where CHL refuses access on one of the specified grounds of refusal, CHL will take reasonable steps to give access in a way that meets the needs of the entity and the individual. This could include giving access through the use of a mutually agreed intermediary.
4. If CHL refuses to give access we will provide a written notice that outlines:
• the reasons for the refusal, unless, having regards to the grounds for the refusal, it would be unreasonable to do so
• the complaint mechanisms available to the individual, and
• any other matters prescribed by the regulations .
5. If CHL levies charges for providing access to personal information, those charges:
• will not be excessive; and
• will not apply to lodging a request for access.
APP 13 – correction of personal information
1. If CHL is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete or irrelevant or misleading, or the individual to whom the personal information relates requests CHL to correct the information CHL must take reasonable steps to correct the personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading.
2. If CHL corrects personal information about an individual that it has previously disclosed to another APP entity, CHL must take reasonable steps to notify the other APP entity of the correction, where that notification is requested by the individual.
3. If CHL refuses to correct the personal information as requested by the individual CHL must provide written notice. The written notice must set out:
• the reason for refusal (unless this would be unreasonable)
• the mechanisms available to complain about the refusal, and
• any other matter prescribed by regulation.
4. If CHL refuses to make a correction, and an individual requests that a statement be attached to the record stating that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, CHL generally needs to attach this statement in a way that will make the statement apparent to users of the information.
5. CHL will respond to a correction request within a reasonable period. CHL will not charge the individual for making the request, for correcting the information or for associating the statement with the personal information.
Procedure for making a complaint
A person may make a complaint if they feel their personal information has been handled inappropriately. See the CHL Complaints Policy for external Complaints.
If any internal or external complainant is not satisfied with CHL’s response or the manner in which CHL has dealt with the complaint, the individual may make a formal complaint to the Office of the Australian Information Commissioner (OAIC)). The OAIC will provide CHL with the opportunity to respond to the complaint. Following its enquiries, if the OAIC decides that there is insufficient evidence to support the complaint, the OAIC may dismiss the complaint.
Alternatively, if the OAIC believes there is enough evidence to support the complaint, it will try to conciliate the matter.
If conciliation does not resolve the complaint, depending on the circumstances, the OAIC may either close the file or make a determination. A determination could include a requirement that CHL issue an apology, improve practices to reduce likelihood of a breach of the Privacy Act, or compensation to be paid to the complainant.
If the OAIC closes the file, the complainant may apply to the Federal Court or the Federal Magistrates Court by way of appeal. Either party may also appeal to the Administrative Appeal Tribunal for a review of any compensation amount ordered by the OAIC.