This policy outlines the collection, use, disclosure and protection of personal information collected by the Department of Trade, Business and Innovation through the delivery of services and programs of the department. This policy should be read in addition to the Northern Territory Government’s copyright, disclaimer and privacy statements.
1. Policy objectives
This policy provides guidance to the Department of Trade, Business and Innovation (DTBI) staff for the protection of personal information in compliance with the Information Privacy Principles in the Northern Territory Information Act 2002 and with the Australian Privacy Principles (APP) in the Commonwealth Privacy Act 1988.
2. Policy scope
This policy describes the personal information that may be collected by the department and how that information is protected. It applies to DTBI staff, and includes its contracted service providers and their employees, subcontractors or agents, or any other persons providing services to the DTBI, to the extent of their involvement in handling the department’s personal information.
3. Policy statement
DTBI is committed to protecting the privacy of the personal information it collects relating to the officers and entities with whom it engages. Some of these entities include but are not limited to; businesses and associations across industry sectors and their employees, apprentices and trainees, skilled migrant applicants, students, and any other individuals that the department collects personal information from.
The department collects, manages, uses and discloses information in accordance with:
- Information Act 2002 (Information Act) (NT)
- Information Regulations 2010 (NT)
- Privacy Act 1988 (Commonwealth)
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Commonwealth), and
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Commonwealth).
Australian Privacy Principles (APP) means the rules covering the handling, use and management of personal information including the right to access and correct personal information, in Schedule 1 of the Privacy Act.
Eligible data breach means a breach of data that is likely to result in serious harm to any of the individuals to whom the information relates as defined by the Office of the Australian Information Commissioner.
Information Privacy Principles (IPP) means general rules that govern the collection, management, access and correction of personal information contained in Schedule 2 of the Information Act.
Person means an individual and includes a deceased individual within the first five years after death as defined in Section 4 of the Information Act.
Personal information means government information containing personal details of an individual and any other information that directly or indirectly identifies a person, except where:
- the disclosure identifies a person who is acting in an official capacity for DTBI, and
- no other personal information about the person is disclosed, as defined in Section 4A of the Information Act.
Privacy means privacy with respect to personal information Section 4A of the Information Act.
Notifiable Data Breach Scheme means established requirements for data breach notifications under the Privacy Act where entities must notify the Australian Information Commissioner and individuals of eligible data breaches.
Sensitive information is a subset of personal information and means personal information as set out in Section 4 of the Information Act relating to racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional / trade association or trade union, sexual preferences or practices, criminal record or health information.
3.2.1 Collection of personal and sensitive information
The department will only collect information that is necessary for its functions by reasonable and lawful means and in most instances, directly from the individual. At the time personal information is collected, the department will ensure that individuals are aware of the purpose for which the information is collected and disclosed, any relevant laws, how to contact DTBI, and the consequences if any, of not providing the information.
DTBI will only collect sensitive information with an individual’s consent, unless it is otherwise required by law, or the individual is incapable of communicating consent and the information would prevent or lessen a serious threat to life and health, or it is required in relation to a legal claim.
Reasonable steps will be taken to ensure the quality of the personal information collected, and that the information is accurate, complete and up to date.
3.2.2 Use and disclosure
DTBI uses personal information only for purposes consistent with the reasons it was collected, or for a related purpose where the individual would reasonably expect the department to do so. Other than for its primary purpose, DTBI will not use or disclose personal information except where:
- consent has been provided
- the information is to be used for research in the public interest and does not identify individuals, it is impractical to seek consent and it is reasonably believed the recipient will not disclose the personal information
- it is necessary to prevent a serious threat to public health and safety or to someone’s life, health and safety, or a serious or imminent threat of harm to, or exploitation of, a child, or
- it is necessary to help prevent or investigate unlawful conduct, or it is authorised or required by law.
In the case of sensitive information, any secondary use of the information would be directly related to the primary purpose for which it was collected and an individual would reasonably expect that use.
3.2.3 Accessing and updating personal information
Except in certain circumstances, DTBI will take reasonable steps to allow individuals to access their personal information, and to correct the information where necessary or associate a statement outlining their concerns with the information. The department will always provide reasons for refusing to provide access to or correct personal information, and give its reasons for delays in responding to requests within a reasonable time.
3.2.4 Keeping personal information secure
DTBI will take reasonable steps to ensure that the personal information it collects is protected from misuse and loss and from unauthorised access, modification or disclosure. Reasonable steps to destroy or de-identify personal information that is no longer needed will be done in accordance with the department’s retention and disposal schedules and / or in accordance with any formal agreements governing the information.
In the event of an eligible data breach, DTBI will act in accordance with the Notifiable Data Breach Scheme under the Privacy Act. The department will seek to promptly determine the nature of the breach and secure against further breaches, alert authorities where criminal activity is suspected, assess the risk of harm to affected individuals, and notify individuals and the Information Commissioner if the breach is significant.
DTBI will not assign unique identifiers to individuals unless it is necessary to enable functions to be performed efficiently. Identifiers from other public sector organisations will not be adopted unless it is necessary to conduct business, or consent has been obtained, or it is necessary for the provision of an outsourced service. Unique identifiers assigned by other public sector organisations will not be used or disclosed except where the person has provided consent, or it is necessary to:
- fulfil obligations to the organisation
- prevent a serious threat to public health and safety or to someone’s life, health and safety, or a serious or imminent threat of harm to, or exploitation of, a child, or
- help prevent or investigate unlawful conduct, or it is authorised or required by law.
DTBI will not ask individuals to provide a unique identifier unless authorised by law or it is connected to the purpose for which the unique identifier was assigned or for a directly related purpose.
Individuals may have the option of dealing anonymously or by pseudonym with DTBI except in circumstances where it is required by law, and where it is impracticable for DTBI to deal with individuals who have not identified themselves. For example, it may be impracticable to resolve an individual’s complaint about how they have been treated by DTBI, if the individual does not provide their name or other information that allows DTBI to identify the circumstances of the complaint.
3.2.8 Trans border data flows
In most cases, DTBI will not transfer personal information outside of the Territory unless the transfer is required or authorised by law, or the person has consented to the transfer, or it is reasonably believed the transfer is necessary and would benefit the individual, or it is impractical to obtain consent and the individual would likely agree to the transfer. The department will only transfer information where it is believed it will be handled in a manner consistent with these principles.
Where contracts and agreements with third parties require the transfer of personal information, privacy and confidentiality clauses within the contracts and agreements will require compliance with the Information Act and the IPPs, or the Privacy Act and the APPs as appropriate.
3.2.9 Confidentiality obligations
Staff members, contractors and third parties of DTBI have a responsibility to collect, use and disclose personal information in the course of official employment or engagement consistent with the IPPs and APPs. Information shall only be released in accordance with the Information Act and the Privacy Act, and with advice of the privacy officer. Unauthorised access to personal information must be reported to DTBI’s privacy officer and to the responsible owner of the information. The handling of confidential information is outlined in the department’s confidentiality policy.
3.2.10 Making a privacy complaint
Complaints about privacy should be directed to DTBI’s privacy officer to request a resolution. If unsatisfied with the response by this department, a complaint may be lodged with the Northern Territory Information Commissioner, within 12 months of becoming aware of the privacy matter.
To contact us with a complaint or privacy question, you can write to us at
GPO Box 3200
Darwin NT 0801
Phone: 08 8999 1792
Opening hours: Monday to Friday, 8am to 4.21pm CST
Last updated: 09 April 2019