Privacy and Legals

Privacy

The Commonwealth Grants Commission (CGC) collects a range of personal information from a wide range of people in carrying out its functions. Our Privacy Policy sets out how the CGC collects, uses, discloses and stores personal information.

The CGC also maintains a Register of Privacy Impact Assessments.

About this policy

This privacy policy seeks to enhance transparency by setting out how the CGC collects, uses, discloses and stores personal information.

Our privacy policy also explains:

  • how you can access the information we hold about you and ask for that information to be corrected
  • how you can make a complaint about the way we have handled your personal information

The Privacy Act

The Privacy Act 1988 (Privacy Act) protects personal information of individuals and requires the CGC to comply with the Australian Privacy Principles (APPs) in Schedule 1 to that Act.

The APPs set out standards, rights and obligations around personal information. ‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.

Personal information includes ‘sensitive information’, which is a particular category of personal information. While we recognise that protecting all personal information is important in gaining and maintaining your trust, sensitive information is often afforded a higher level of protection.

How we collect personal information

We collect and hold a broad range of personal information in records relating to:

  • correspondence from members of the public or organisations addressed to us or our portfolio Ministers;
  • correspondence from other Australian Government ministers and agencies;
  • employment and personnel matters relating to staff and contractors;
  • facilitating appointments;
  • facilitating meetings (for example, meetings with the CGC);
  • research we have commissioned;
  • contract management ;
  • Royal Commissions;
  • complaints (including privacy complaints) and feedback provided to us;
  • requests under the Freedom of Information Act 1982 (FOI Act);
  • legal advice provided by internal and external lawyers; and
  • the performance of legislative and administrative functions.

We collect this personal information in a variety of ways. These include:

  • correspondence and submissions;
  • paper-based forms;
  • online (web-based forms and email); and
  • phone calls, faxes and face-to-face meetings.

The CGC often collects personal information directly from you or your representative (for example, your lawyer). However, in some circumstances we may also collect information about you from another Australian, State or Territory government body, or from another organisation.

We only collect personal information where that information is reasonably necessary for, or directly related to, one or more of our functions or activities.

Types of information we hold

The personal information we collect and hold varies depending on what we need to perform our functions and responsibilities. It may include:

  • your name, address and contact details (for example your phone number or email address);
  • information about your identity (such as date of birth, country of birth, passport details, visa details and driver's licence);
  • information about your personal circumstances (for example age, gender, marital status and occupation);
  • information about your financial affairs (for example payment details, bank account details, and business and financial interests);
  • information about your employment (for example applications for employment, work history, referee comments and remuneration); and
  • government identifiers.

Sensitive information

We may also collect or hold ‘sensitive information’ which is a subset of personal information under the Privacy Act.

Generally, we will only collect sensitive information if you have consented and its collection is reasonably necessary for, or directly related to, one or more of our functions or activities or the collection is required or authorised by law.

The definition of sensitive information includes information about the following:

  • your health;
  • your next of kin or designated emergency contacts;
  • your membership of a professional or trade association, or a trade union;
  • your racial or ethnic origin;
  • criminal activities you may have been involved in; and
  • your biometrics (including photographs and voice or video recordings of you).

Protected information

Some personal information collected by the CGC may be protected information under its portfolio legislation. Information that is protected information generally contains rules for the collection, use and disclosure of information under the relevant legislation.

Privacy notices

In addition to our privacy policy, we may need to explain specific privacy practices in more detail. In such circumstances, we develop and provide separate privacy notices to describe how we will handle the personal information that we collect.

Our website

The CGC website is internally managed. Generally, the CGC only collects personal information from its website where a person chooses to provide that information (for example, in submitting a web form).

If you visit our website to read or download information, the CGC records a range of technical information which does not reveal your identity. This information includes your IP or server address, your general locality and the date and time of your visit to the website. This information is used for statistical and development purposes.

No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.

The CGC makes use of third-party sites, to deliver some functionality of the CGC website. These third parties may capture and store your personal information outside Australia and may not be subject to the Privacy Act in the same way as the CGC or at all. The CGC is not responsible for the privacy practices of these third parties and encourages you to examine each party's privacy policies and make your own decisions regarding their reliability.

The CGC website also contains links to other websites. The CGC is not responsible for the content and privacy practices of other websites and encourages you to examine each website's privacy policies and make your own decisions regarding their reliability.

Cookies

Cookies are used to maintain contact with a user throughout a website session. A cookie is a small file supplied by the Treasury web server and stored by your web browser software on your computer’s hard drive when you access the CGC website. Cookies allow the CGC to recognise an individual web user as they browse the agency’s website. When you close your browser the session cookie set by the CGC's website is destroyed and no personal information is maintained which might identify you should you visit the CGC's website at a later date.

Electronic communication

There are inherent risks associated with the transmission of information over the internet, including via email. You should be aware of this when sending personal information to us via email or via the CGC website. If this is of concern to you then you may use other methods of communication with the CGC, such as post or phone (although these also have risks associated with them).

The CGC only records email addresses when a person sends a message or subscribes to a mailing list. Any personal information provided, including email addresses, will only be used or disclosed for the purpose for which it was provided.

Use and disclosure of personal information

We will not provide your personal information to other government agencies, private sector organisations, or anyone else unless you consent or one of the following exceptions applies:

  • you would reasonably expect us to use the information for that purpose
  • it is legally required or authorised, such as by an Australian law, or a court or tribunal order
  • it is reasonably necessary for an enforcement-related activity
  • we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
  • we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
  • we reasonably believe that it is necessary to help locate a person who has been reported as missing
  • it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
  • it is reasonably necessary for the purposes of a confidential alternative dispute resolution process, or
  • we reasonably believe that it is necessary for our diplomatic or consular functions or activities.

The third parties that we may disclose your personal information to or who may collect personal information on our behalf, include but are not limited to:

  • suppliers and other third parties with whom we have commercial relationships (for example, for research and programs directly related to one of our functions), and
  • any organisations for any authorised purpose that directly related to one of our functions, with your express consent.

We will ensure that appropriate protections of your personal information are in place with these third parties, in accordance with our obligations under the Privacy Act. This includes ensuring that research we commission involves the collection of de-identified (anonymised) data.

Disclosure to overseas recipients

We may need to provide your personal information to an overseas recipient as part of our work.

In some cases, we may have to disclose limited personal information to recipients overseas under legislation or international information sharing agreements. This may occur, for example, in relation to a law enforcement matter such as a criminal investigation.

However, where there is no requirement for us to disclose personal information to an overseas recipient, we will either seek your consent or amend the information to ensure your personal information is not identifiable. The most common example of disclosure of personal information overseas will be to arrange overseas travel for CGC staff.

Storage and data security

We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse. The CGC will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.

Storage of personal information (and the disposal of information when no longer required) is managed in accordance with the Australian Government's records management regime. When the personal information we collect is no longer required, we delete or destroy it in a secure manner, unless we are required to maintain it because of a law, or court or tribunal order.

For example, under the Archives Act 1983, we must maintain personal information that is, or forms part of, a Commonwealth record. We must also maintain records for certain other purposes, including where the National Archives of Australia issues a disposal freeze in response to prominent or controversial issues or events. Find out more about current disposal freezes on the National Archives of Australia.

The CGC and its contractors are subject to the Notifiable Data Breaches Scheme under the Privacy Act, and we will act in accordance with the requirements of the Scheme and Office of the Australian Information Commissioner's (OAIC) Data breach preparation and response in assessing and responding to suspected notifiable data breaches.

Where a breach of personal information occurs that is likely to cause serious harm to individuals, we will notify OAIC and affected individuals as required. We will aim to provide you with timely advice to ensure you are able to manage any loss—financial or otherwise—that could result from the breach.

Access and correction

You have a right to request access to the personal information the CGC holds about you and to request its correction in accordance with APPs 12 and 13 in the Privacy Act.

The Privacy Act permits access to be refused in certain cases, including where an exemption under the FOI Act would apply. There is no charge for making an access or correction request.

For a correction request, where we are satisfied that your personal information is incomplete, incorrect, out-of-date, irrelevant or misleading, we may amend the record. Where we agree to amend a record, we must, as far as possible, retain the text of the record as it was prior to the amendment. Where an amendment request is refused, we must provide reasons for the refusal and the mechanisms available to you to dispute that decision.

To request access or correction to your personal information held by the CGC, you can contact the agency’s Privacy Officer using the details outlined in the ‘How to contact us’ section below. We will discuss the nature of your request with you and can provide guidance on whether your request is better dealt with under the Privacy Act, the FOI Act or another arrangement. This will likely depend on your circumstances.

For example, for complex access requests, we may suggest that you use the FOI Act instead of the Privacy Act for the following reasons:

  • an FOI access request can relate to any document held by an agency and is not limited to personal information
  • the FOI Act has a consultation process for dealing with documents that contain the personal or business information of third parties
  • the FOI Act includes a right to apply for internal review or Information Commissioner review of an access refusal decision

Evidence of identity

In all cases where a request relates to documents that contain your personal information, we will ask you to provide evidence of your identity before we deal with your request. Your request should include a physical address, as we prefer to forward documents containing personal information to you by registered post rather than email.

If another person has authorised you to make a request on their behalf, we will ask you for the letter authorising you to make the request. If you are seeking documents containing personal information on behalf of another person, we will ask for evidence of both identities, showing clearly that you are the person who is authorised to apply on behalf of the other person.

Acceptable identity documents include: a passport, an Australian driver’s licence or any other official identification in the English language which contains your photo, signature and address. Copies of identification documents should be certified as true copies of the originals by a person with the power to witness a Commonwealth statutory declaration.

Privacy complaints

If you have a complaint about the way the CGC has handled your personal information, you may contact our Privacy Officer using our contact details set out at ‘How to contact us’ below.

A complaint may be made on behalf of a complainant by a guardian, friend, advocate or family member, but the person acting on behalf of the complainant must have written authorisation and verify their identity.

There are no fees or charges for making a privacy complaint to the CGC. Your complaint should include:

  • a brief description of your privacy problem, including:
    • what happened
    • when it happened
  • what personal information of yours was affected
  • the name of the relevant agency area or contact person
  • your contact details

We will use your contact details to contact you about your complaint. Sometimes we may ask you for additional information in order to investigate your complaint. If you do not provide this, it may affect how we handle your complaint.

If we receive a complaint from you we will decide what action, if any, we should take to resolve the complaint.

You may also complain to OAIC about how the department handled your personal information. However, before you can lodge a complaint with OAIC, you will need to first complain directly to the Treasury and allow 30 days for us to investigate, unless OAIC decides that a complaint to the department is not appropriate in the circumstances. If you do not receive a response after 30 days, or you are dissatisfied with the CGC’s response to your complaint, you may complain to OAIC and the Commissioner will attempt to resolve the complaint.

How to contact us

You can contact the Privacy Officer if you want to:

  • ask a question about our privacy policy, or how we manage personal information
  • obtain access to or seek correction of your personal information held by the CGC
  • make a privacy complaint about the CGC
  • obtain a copy of this policy in another format

You can contact the Privacy Officer by any of the following ways:

Email: services@cgc.gov.au

Post:

Privacy Officer
Commonwealth Grants Commission
PO Box 1899
CANBERRA CITY ACT 2601

Phone:

From inside Australia: (02) 6218 5700
From overseas: +61 2 6218 5700

You can obtain further information about the Privacy Act from the Office of the Australian Information Commissioner website or on 1300 363 992 (10 am to 4 pm, Monday to Friday AEST/AEDT).

We review this policy regularly and may update it from time to time.

Privacy Impact Assessment Register

The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (the Privacy Code) requires that all agencies, including the CGC, must conduct a Privacy Impact Assessment (PIA) for all high privacy risk projects.

A project may be a high privacy risk project if the CGC considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. The CGC is also required to conduct a PIA if directed to do so by the Office of the Australian Information Commissioner (OAIC).

The CGC is required to maintain a register of all PIAs it conducts and must publish that register, or a version of that register, on its website.

The PIA register below sets out the PIAs the CGC has completed since 1 July 2018. This register will be updated as PIAs are completed*.

PIA ReferenceTitle of PIACompleted
---

* No PIAs have been conducted.

Copyright

The CGC encourages the dissemination and exchange of information provided on this website.

The Commonwealth owns the copyright in all material produced by this department.

All material presented on this website is provided under a Creative Commons Attribution 4.0 International licence, with the exception of:

  • the Commonwealth Coat of Arms
  • this Commission's logo
  • content supplied by third parties.

The details of the relevant licence conditions are available on the Creative Commons website.

Content from the CGC website should be attributed as: Commonwealth Grants Commission, [name of document or web page].

Last updated