An ACT Government Website

Information privacy

The Information Privacy Act 2014 (the Information Privacy Act) is the law that we (the Chief Minister, Treasury and Economic Development Directorate, or CMTEDD) and all ACT public sector agencies must follow when handling your personal information.
The Information Privacy Act has a set of 13 principles called the Territory Privacy Principles (TPPs). We must apply the TPPs when we collect, store, use, disclose, provide access to or correct your personal information.
The Information Privacy Act also requires that we:

  • have a current and up to date Privacy Policy that tells you how we will handle personal information when carrying out our functions and activities; and
  • provide you with a Privacy Notice that tells you why we are collecting your personal information and how we might use or disclose it.
Under section 9 of the Information Privacy Act 2014, a public sector agency includes…'a Minister, an administrative unit (directorate), statutory office holders and their staff assisting them, territory authorities and instrumentalities, ACTTAB Ltd, an ACT Court or an entity prescribed by regulations'.

Read about our Information Privacy Policy:

Find out about our CMTEDD Privacy Notice:

What is personal information?

The Information Privacy Act defines personal information as follows.

Information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

Under the Information Privacy Act, personal information does not include personal health information. Personal health information or health records we handle are protected and governed by the Health Records (Privacy and Access) Act 1997.

Access and correction

You have the right to ask for access to the personal information that we hold about you. You can ask:

  • in person
  • over the phone
  • in writing.

If you ask for access, we will take steps to verify your identity before we will disclose your personal information.

If you have asked another person to access your personal information on your behalf, we will take steps to verify their identity and confirm they have your consent and authority to receive that information before disclosing your personal information.

If your personal information is held by a business unit that provides public access or over-the-counter services, you may be able to ask for access in person. However, we have the right to refuse your request where:

  • your personal information is not readily accessible, or is contained in a physical file that is stored somewhere else;
  • the personal information in your record also contains the personal information of other people or third parties; or
  • another law protects the information or tells us how it must be disclosed, i.e. secrecy laws or laws which require a fee or form that must be used for disclosure.

If we cannot give you access in person, you may be asked to:

  • make a written request;
  • use or complete an approved form (if one applies including any lawful fee); or
  • make an FOI request where:
    • there is third party personal information present, or
    • the amount of information is too big for counter staff to process.

If you request access to your personal information, we must provide you with access (in the way you requested if reasonable) within 30 days. If we refuse to provide access, we must advise you in writing (within 30 days of your request) of the reasons for refusal. Reasons for refusal may include where the information is subject to an exemption under the FOI Act, or where disclosure is not permitted under another law.

There are no review rights if we refuse a request for access. You may instead wish to make a request for access under the FOI Act (which does have review rights) or make a complaint to the Office of the Australian Information Commissioner (OAIC).

Further information about our FOI arrangements, including how you can apply for access, can be found on our Freedom of Information website.

How to request access

When requesting access, you should ask the relevant CMTEDD business unit or officer who you believe holds your personal information in the first instance.

You can also make a request for access or correction by contacting the CMTEDD Privacy Contact Officer by:

Email
CMTEDDPrivacy@act.gov.au

Post
CMTEDD Privacy Officer
Chief Minister, Treasury and Economic Development Directorate
GPO Box 158
Canberra
ACT 2601

Are there any charges for access?

No, you will not be charged for making the request or accessing your personal information, unless a fee is required by law for the information. For example, requests for births, deaths and marriages certificates may require you to pay a fee.

Correction

You can ask us to correct your personal information we hold if you believe it is:

  • incorrect
  • out-of-date
  • incomplete
  • irrelevant
  • misleading.

If you ask us to correct your personal information, we are required to take reasonable steps to do so if, having regard to the purpose for which it was collected, we agree the information is incorrect, out-of-date, incomplete, irrelevant, or misleading.

We may refuse a request to correct your personal information where we believe another applicable law prevents the correction, or if we do not agree that the information is incorrect, out-of-date, incomplete, irrelevant, or misleading.

If we refuse to correct your record, and you ask us to make an associated statement (the statement can say why you believe the personal information is incorrect, out-of-date, incomplete, irrelevant, or misleading), we will do so. We are not required to make an associated statement unless you specifically ask us to make one.

There are no review rights under the Information Privacy Act if we refuse to correct your personal information. You can, however, seek amendment of your personal information under the FOI Act, which does have review rights, or make a complaint to the OAIC.

How to make a privacy complaint or report a privacy breach

Making a privacy complaint

If you want to complain about how we have handled your personal information, you can phone us. However, if you phone us, we will still ask you, where not unreasonable, to put your complaint in writing and to provide us with your name, address and phone number for contact, and enough information about the business unit or person you are making the complaint about. We can assist you to lodge your complaint if you need help.

We will acknowledge receipt of your complaint within five working days and we will undertake an investigation into your complaint. In general, we aim to have completed our investigation within 21 working days and will endeavour to keep you updated regularly throughout the investigation.

Information about our information privacy complaints process can be found in our information privacy complaints handling policy:

Reporting a privacy data breach

We take your privacy seriously and will deal promptly with any unauthorised access, use or disclosure of your personal information.

The Office of the Australian Information Commissioner's (OAIC's) Notifiable Data Breaches Scheme (NDBS) does not apply to CMTEDD or other ACT public sector agencies unless:

  • the information subject of the breach includes Tax File Numbers (TFNs); or
  • the information subject of the breach includes personal health information or is part of a health record.

Generally, the NDBS requires agencies to notify individuals whose personal information is involved in a data breach and to notify the OAIC where the breach is likely to result in serious harm to those individuals.

Although we are not required to notify under the NDBS, it is our policy to voluntarily report any significant privacy data breaches to the OAIC. We will seek the OAIC's advice and assistance where we consider a breach may result in serious harm to affected individuals. This aligns with the NDBS and is in keeping with best privacy practice.

Complaining to the Information Privacy Commissioner

You can make a formal privacy complaint to the ACT Information Privacy Commissioner if you do not agree or are not happy with our response to your complaint, or you believe we have breached your privacy.

The ACT Human Rights Commission (HRC) carries out the functions of the Information Privacy Commissioner and manages complaints against ACT public sector agencies. The HRC will assess your complaint and can decide if our actions are an interference with your privacy.

Complaints must be in writing and include your name, address and telephone number, and provide details of the subject of your complaint. If you cannot write the complaint down, you can call and the HRC can assist you to write the complaint down.

The HRC can be contacted via:

Email
human.rights@act.gov.au

Post
ACT Information Privacy Commissioner
ACT Human Rights Commission
GPO Box 158
Canberra
ACT 2601

Call
(02) 6205 2222

If your complaint or alleged breach is upheld by the HRC and a decision is made, we will comply with any determination made by the HRC. The HRC's decision may include remedies such as an apology, compensation, and undertaking actions such as amending policies, operations or processes to prevent further or similar interferences with privacy.

Contact us

CMTEDD Privacy

Email
CMTEDDPrivacy@act.gov.au

Post
CMTEDD Privacy
Chief Minister, Treasury and Economic Development Directorate
GPO Box 158
Canberra ACT 2601