DITT privacy policy

This policy provides guidance to the Department of Industry, Tourism and Trade (DITT or the department) staff for the protection of personal information in compliance with the Information Privacy Principles (IPP) in the Northern Territory Information Act 2002 and, where applicable, with the Australian Privacy Principles (APP) in the Commonwealth Privacy Act 1988.

In the case of vocational education and training related matters, DITT also complies with the Commonwealth Student Identifiers Act 2014 and the Student Identifiers Regulation 2014.

This policy describes the personal information that may be collected by the department and how that information is protected. It applies to DITT staff, and includes its contracted service providers and their employees, subcontractors or agents, or any other persons providing services to the DITT, to the extent of their involvement in handling the department’s personal information.

DITT is committed to protecting the privacy of the personal information it collects relating to the officers and entities with whom it engages. Some of these entities include but are not limited to: businesses and associations across industry sectors and their employees, apprentices and trainees, skilled migrant applicants, students, and any other individuals that the department collects personal information from.

The department collects, manages, uses and discloses information in accordance with:

• Information Act 2002 (Information Act) (NT)
• Information Regulations 2010 (NT)
• Privacy Act 1988 (Privacy Act) (Commonwealth) (to the extent applicable)
• Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Commonwealth)
• Privacy Amendment (Notifiable Data Breaches) Act 2017 (Commonwealth)
• Student Identifiers Act 2014 (Commonwealth), and
• Student Identifiers Regulation 2014 (Commonwealth).

3.1. Definitions

Australian Privacy Principles (APP) means therules covering the handling, use and management of personal information including the right to access and correct personal information, in schedule 1 of the Privacy Act.

Eligible data breach means a breach of data that is likely to result in serious harm to any of the individuals to whom the information relates as defined by the Office of the Australian Information Commissioner.

Information Privacy Principles (IPP) means general rules that govern the collection, management, access and correction of personal information contained in schedule 2 of the Information Act.

Person means an individual and includes a deceased individual within the first five years after death as defined in section 4 of the Information Act.

Personal information means government information containing personal details of an individual and any other information that directly or indirectly identifies a person, except where:

1. she disclosure identifies a person who is acting in an official capacity for DITT, and
2. no other personal information about the person is disclosed, as defined in section 4A of the Information Act.

Privacy means privacy with respect to personal information section 4A of the Information Act.

Notifiable Data Breach Scheme means established requirements for data breach notifications under the Privacy Act where entities must notify the Australian Information Commissioner and individuals of eligible data breaches.

Sensitive information is a subset of personal information and means personal information as set out in section 4 of the Information Act relating to racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional / trade association or trade union, sexual preferences or practices, criminal record or health information.

3.2. Principles

3.2.1. Collection of personal and sensitive information

The department will only collect information that is necessary for any of its functions or activities by reasonable and lawful means and in most instances, directly from the individual.

In vocational education and training related matters, information may be provided by third parties such as the National Centre for Vocational Education Research Limited.

At the time personal information is collected, the department will ensure that individuals are aware of:

• the identity of the department and how to contact it
• the purpose for which the information is collected
• the fact that the individual is able to have access to the information
• the persons or bodies, or classes of persons or bodies, to which the department usually discloses information of the same kind
• any relevant laws that require the particular information to be collected, and
• the consequences if any, of not providing the information.

If the department collects personal information about an individual from another person, DITT will take reasonable steps to ensure that the individual is aware of these matters, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of the individual or another individual.

DITT will only collect personal information about an individual directly with an individual’s consent, unless it is otherwise required by law, or the individual is incapable of communicating consent and the information would prevent or lessen a serious threat to life and health, or it is required in relation to a legal claim.

Reasonable steps will be taken to ensure the quality of the personal information collected, and that the information is accurate, complete and up to date.

3.2.2. Use and disclosure

DITT will not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose for which it was collected unless one or more of the following apply:

• consent has been provided
• if the information is sensitive information, the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the department to use or disclose the information for the secondary purpose
• if the information is not sensitive information, the secondary purpose is related to the primary purpose and the individual would reasonably expect the department to use or disclose the information for the secondary purpose
• the use and disclosure is necessary for research or the compilation or analysis of statistics in the public interest and will not be published in a form that identifies an individual, it is impracticable to seek consent and it is reasonably satisfied the recipient of the information will not disclose the personal information
• DITT has reason to suspect that unlawful activity has been, is being or may be engaged in and uses or discloses the information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities
• DITT reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency:
  • preventing, detecting, investigating, prosecuting or punishing an offence or a breach of a prescribed law
  • enforcing a law relating to the confiscation of proceeds of crime
  • protecting public revenue
  • preventing, detecting, investigating or remedying seriously improper conduct or prescribed conduct
  • preparing for or conducting proceedings before a court or tribunal or implementing the orders of a court or tribunal
• other circumstances set out in IPP 2.

3.2.3. Accessing and updating personal information

Except in certain circumstances, DITT will take reasonable steps to allow individuals to access their personal information, and to correct the information where necessary or associate a statement outlining their concerns with the information. The department will always provide reasons for refusing to provide access to or correct personal information, and give its reasons for delays in responding to requests within a reasonable time.

3.2.4. Keeping personal information secure

DITT will take reasonable steps to ensure that the personal information it collects is protected from misuse and loss and from unauthorised access, modification or disclosure. Reasonable steps to destroy or de-identify personal information that is no longer needed will be done in accordance with the department’s retention and disposal schedules and / or in accordance with any formal agreements governing the information.

In the event of an eligible data breach, DITT will act in accordance with the Notifiable Data Breach Scheme under the Privacy Act. The department will seek to promptly determine the nature of the breach and secure against further breaches, alert authorities where criminal activity is suspected, assess the risk of harm to affected individuals, and notify individuals and the Information Commissioner if the breach is significant.

3.2.5. Openness

This privacy policy can be accessed from DITT's website and intranet. Any questions not addressed in this policy can be directed to the privacy officer under making a privacy complaint below.

3.2.6. Identifiers

DITT will not assign unique identifiers to individuals unless it is necessary to enable it to perform its functions efficiently.

Unique identifiers of an individual that have been assigned by another public sector organisations will not be adopted unless:

• it is necessary to enable DITT to perform its functions efficiently
• DITT has obtained consent from the individual to do so, or
• it is an outsourcing organisation adopting the unique identifier, created by a contract service provider in the performance of its obligations to the outsourcing organisation under a service contract.

Unique identifiers assigned by another public sector organisation will not be used or disclosed by DITT except where:

• the person has provided consent, or
• it is necessary to fulfil obligations to that other organisation
• the use or disclosure is required or authorised by law
• DITT reasonably believes that the use and disclosure is necessary to lessen or prevent:
  • a serious threat to public health or safety
  • a serious or imminent threat to someone’s life, health and safety, or
  • a serious or imminent threat of harm to, or exploitation of, a child
• DITT has reason to suspect that unlawful activity has been, is being or may be engaged in and uses or discloses the information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities
• DITT reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency:
  • preventing, detecting, investigating, prosecuting or punishing an offence or a breach of a prescribed law
  • enforcing a law relating to the confiscation of proceeds of crime
  • protecting public revenue
  • preventing, detecting, investigating or remedying seriously improper conduct or prescribed conduct
  • preparing for or conducting proceedings before a court or tribunal or implementing the orders of a court or tribunal.

DITT will not ask individuals to provide a unique identifier unless the provision of a unique identifier is required or authorised by law or is in connection with the purpose for which the unique identifier was assigned or for a directly related purpose.

3.2.7. Anonymity

Individuals may have the option of dealing anonymously or by pseudonym with DITT except in circumstances where it is required by law, and where it is impracticable for DITT to deal with individuals who have not identified themselves. For example, it may be impracticable to resolve an individual’s complaint about how they have been treated by DITT, if the individual does not provide their name or other information that allows DITT to identify the circumstances of the complaint.

3.2.8. Trans border data flows

In most cases, DITT will not transfer personal information outside of the Territory unless the transfer is required or authorised by a law of the Territory or the Commonwealth, or the person has consented to the transfer, or DITT reasonably believes the transfer is necessary for performance or completion of a contract between DITT and a third party that would benefit the individual, or it is impracticable to obtain consent and the individual would likely agree to the transfer. The department will only transfer information where it is reasonably satisfied it will be handled in a manner consistent with these principles and others set out in IPP 9.

Where contracts and agreements with third parties require the transfer of personal information, privacy and confidentiality clauses within the contracts and agreements will require compliance with the Information Act and the IPPs, or the Privacy Act and the APPs as appropriate.

3.2.9. Confidentiality obligations

Staff members, contractors and third parties of DITT have a responsibility to collect, use and disclose personal information in the course of official employment or engagement consistent with the IPPs and APPs (where the latter are applicable). Information shall only be released in accordance with the Information Act and the Privacy Act (where the latter applies), and with advice of the privacy officer. Unauthorised access to personal information must be reported to DITT's privacy officer and to the responsible owner of the information. The handling of confidential information is outlined in the department’s confidentiality policy.

3.2.10. Making a privacy complaint

Complaints about privacy should be directed to DITT's privacy officer to request a resolution. If unsatisfied with the response by this department, a complaint may be lodged with the Northern Territory Office of the Information Commissioner, within 12 months of becoming aware of the privacy matter.

To contact us with a complaint or privacy question, you can contact us at:

Privacy Officer
Department of Industry, Tourism and Trade
GPO Box 3200
Darwin NT 0801
Phone: 08 8999 1792
Opening hours: Monday to Friday, 8am to 4:21pm CST

4.1. Legislation

Information Act 2002

Information Regulations 2003

Privacy Act 1988

Privacy Amendment (Enhancing Privacy Protection) Act 2012

Privacy Amendment (Notifiable Data Breaches) Act 2017

Student Identifiers Act 2014

Student Identifiers Regulations 2014

4.2 Other relevant policies / key documents

Confidentiality policy on the DITT intranet.