We are bound by the Privacy Act 1988 (Privacy Act) when collecting, holding, using and disclosing your personal information. The Privacy Act contains 13 Australian Privacy Principles which outline government agencies’ responsibilities and individuals’ rights in relation to personal information (including sensitive information) designed to protect privacy.
This policy applies to our dealings with personal information, whether it relates to a review applicant, a person subject of an investigation, an employee, or another person. This policy describes how we comply with the Privacy Act and explains:
- the types of personal information we collect
- how this information is used
- when it can be disclosed, and
- who it can be disclosed to.
We regularly review this policy to ensure it contains up-to-date information about how we manage your personal information. A .pdf version of this policy is also available.
We collect, hold, use and disclose personal information to carry out our functions and activities, including when we:
- conduct merits review of employment-related actions
- conduct merits review of promotion decisions
- handle complaints about final entitlements on leaving the APS or Parliamentary Service
- conduct investigations, inquiries, and undertake other statutory functions
- advise, assist and provide services to employers via our Employer Advisory Services
- respond to enquiries from employees, agencies, employers and members of the public
- respond to access to information requests
- facilitate events such as our Community of Practice, information sessions or webinars
- communicate with the public, stakeholders and the media
- publish information on our website
- conduct or facilitate surveys (either directly or through a third party provider)
- recruit and hire staff.
Collecting your personal information
We collect personal information when it is reasonably necessary for, or directly related to, the exercise of our functions and related powers under the Public Service Act 1999 and the Parliamentary Service Act 1999 (The Acts) and the Australian Federal Police Act 1979 and the Auditor General Act 1997.
The types of personal information we collect include:
- names, addresses, telephone numbers and email addresses
- letters of offer, employment conditions and entitlements, rosters, pay slips and other personnel information
- performance management records, work samples, emails and other records related to reviewable actions
- misconduct investigation records including witness statements, investigation reports, email and other documentary evidence
- statements taken by us which identify individuals
- health information (for example, medical certificates).
We only collect personal information using lawful and fair means.
Collecting personal information directly from you
The main way we collect personal information about you is when you give it to us, in connection with the exercise of our functions and related powers, including when:
- you contact us by phone, email or through our website
- you request assistance from us
- you lodge an application for review directly with us, or via your agency, or request us to undertake another statutory function
- you participate in a survey conducted or facilitated by us or through a third party provider
- you join our Community of Practice, webinar, or information session
- we conduct an investigation or inquiry.
Collecting your personal information from others
We may collect personal information about you from other people or publicly available records in connection with the exercise of our functions and related powers. We do this when:
- it is unreasonable or impractical to collect the information from you
- you consent to it, or
- we are required or authorised to do so by law.
For example, we may use internet search engines, white pages, internet articles and social media in the performance of our statutory functions, such as merits reviews or investigations.
We may also collect your personal information when you lodge a request with your agency for the MPC to undertake a statutory function, and your agency then sends that information to us.
There are some circumstances where it may not be reasonable or possible to tell you that we are collecting your personal information from a third party. This includes when we collect information in a review or investigation, such as if you are not a party to the review or investigation, and your information is provided to us by a review applicant, subject officer or agency. In these circumstances, it will not usually be practicable to advise you that we have collected your information.
Sometimes we may need to collect sensitive information about you with your consent, including information about your health, your membership of a professional or trade association or trade union, or your criminal record. We will only do this with your consent, when authorised by law or in accordance with the Privacy Act.
Dealing with us anonymously
In certain circumstances, you can remain anonymous or use a pseudonym when communicating with us, for example, if you are making a complaint or requesting us to conduct an inquiry.
If you choose to remain anonymous, this may limit our ability to help you because we often need your name and information about your matter to handle your enquiry, request or feedback effectively and thoroughly.
If you are seeking to lodge a review of action application under the Acts, we will need to know your identity as we cannot generally undertake this statutory function without knowing who you are. This is because we can only review an action that relates to a particular person. We also need to know details about you, your work environment, and the action you are seeking review of so we can make appropriate recommendations to your agency.
We will tell you if we need to collect your name or any other personal information to help you further.
Refer to Australian Privacy Principle 2.2(b) for further information.
Visiting our website
When you visit our website, anonymous information about your visit is recorded. The information recorded only tells us how you used the site (which may include your server address, the date and time of your visit, the pages you accessed, the information you downloaded and the type of internet browser you used). Our website does not record any personal information about you.
We use this information to improve our online products and services.
Email lists and registration forms
If you subscribe to our email list or register your interest in one of our services, your email address and any other contact details you provide will be collected. We only use this information to send you regular updates on our activities and to administer these lists. For example, if you ask to join our Community of Practice, or you register your interest in an upcoming information session.
Social networking services
The social networking services will also handle your personal information for their own purposes. These services have their own privacy policies.
Using and disclosing personal information
We only use personal information for the purpose for which it is collected in connection with the exercise of our functions and related powers unless an exception applies in accordance with the Privacy Act, or in accordance with other legislation. Some of the situations where we use or disclose personal information are listed below.
Our statutory functions
We usually need to use and disclose your personal information when we exercise our functions and related powers, including the conduct of reviews and investigations.
For example, if you request assistance from us, the personal information you provide (such as your personnel records) may be used to determine whether the action you seek review of may be eligible for review, or was a fair and reasonable decision in the circumstances. Other personal information that you provide (such as your contact details) may be used to contact you and keep you up-to-date with your enquiry or application.
During a review or investigation process, we may give personal information relating to one party to the review (for example, the employee) to the other party (for example, the employer) for the purpose of resolving the matter and contributing to procedural fairness.
We may share your personal information with other agencies where another agency has regulatory responsibility under their legislation and in connection with the exercise of our functions and related powers. For example, we may use or disclose your personal information in the public interest of the effective and ethical management of the APS or Parliamentary Service if we become aware of information that suggests that an APS or Parliamentary Service employee may have breached the Code of Conduct. We may refer that information to the relevant agency head, in connection with the exercise of our functions and related powers.
We may use and disclose your personal information as part of large scale activities to monitor and review employment-related matters in the public interest across the APS and Parliamentary Service in connection with the exercise of our functions and related powers. This may involve the exchange of information with other government agencies.
Personal information is collected from staff to ensure our employee information is up-to-date for employment-related purposes. We may also collect information from staff where we are authorised or required to by the Public Service Act 1999, the Acts or other legislation.
This information can include job applications, notes made by selection committees during selection processes, employment contracts, copies of academic qualifications, bank account details, medical certificates, or health related information.
We may also use and disclose information where the Merit Protection Commissioner considers it to be in the public interest, or that of the individual or agency, including in accordance with s 72B(5) of the Public Service Act and s 65AB of the Parliamentary Service Act. Such circumstances may include a risk to health and safety or security, or unlawful or improper practices.
Public health and safety concerns
We may need to urgently disclose personal information to a State or Commonwealth authority for the purpose of virus contact tracing or management (e.g. COVID-19), in order to prevent the spread of a communicable disease and fulfil our work health and safety obligations. We might also share limited personal information with an infected individual’s work colleagues or other contacts, if the disclosure is necessary to lessen or prevent a serious threat to the health or safety of others. Where reasonable, we will obtain the consent of the relevant individual before any such disclosure is made. Such disclosures are authorised under public health laws and under the Privacy Act.
Advisers, contractors and outsourcing
Sometimes we engage recognised expert advisers from outside the MPC office for assistance and advice. We may use external lawyers to provide advice about matters and to represent us in court. The information we provide to our external lawyers, which is protected by legal professional privilege, often necessarily includes personal information.
We also engage specialised advisers or consultants to assist us with particular projects or the performance of particular statutory functions.
If a third party is contracted to carry out some of our functions, such as providing legal, project or other services, the contractor and its employees are bound by the Privacy Act when dealing with personal information. This would apply where they provided services through their own websites.
We also ensure that the privacy and confidentiality of your personal information is addressed in these contracts.
We disclose personal information to a number of service providers including IT service providers that host our website servers, manage our IT and store our information (including human resources information).
Enquiries, education and business improvement
We may also use your personal information to:
- contact you about an enquiry you have made or information you have provided
- tell you about the assistance or information we can give you, or
- seek feedback about your dealings with us for business improvement, training and reporting purposes.
Freedom of information requests
We may be required to disclose information in response to an application made under the Freedom of Information Act 1982. This legislation provides any person with the right to apply to obtain documents held by us, other than exempt documents, and the right to ask for information held by us about them to be corrected or annotated if it is incomplete, incorrect, out of date, or misleading.
The information we disclose under this legislation may include your personal information, but we will consult with you where appropriate before such a disclosure is made.
Overseas disclosure of personal information
It is unlikely that we will disclose your personal information to people or organisations located overseas.
If we need to do this (for example, if a review applicant or agency representative is located overseas), we will make the overseas disclosure in accordance with the Privacy Act.
Web traffic information is disclosed to Google Analytics when you visit our website. Google stores information across multiple countries. For further information see Google Data Centres and Google Locations.
Accessing and correcting your personal information
You can ask to access the personal information we have about you, or ask that we change this information if it is inaccurate, out-of-date, incomplete, irrelevant or misleading.
We may ask you to put your request in writing and give us proof of identification before we release or change your personal information. We will respond to your request within 30 days and there are no fees for requesting access to your personal information.
If we refuse to give you access to or correct your personal information, we will give you written reasons why. If you want to access or correct your personal information, please contact our Privacy Officer. The Privacy Officer’s contact details are given below.
Storage and security of personal information
We use a range of physical and electronic security measures to protect your personal information from loss, misuse, interference, unauthorised access, modification or disclosure. We have policies and systems in place aimed at ensuring your personal information will only be accessed by employees or contractors on a need to know basis.
Disposal of personal information
When we receive personal information about you (whether solicited or unsolicited) the information will, in almost all cases, be treated as a Commonwealth record. We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them, generally either in accordance with:
- A ‘records authority’ issued or agreed to by the National Archives – a records authority determines how long we hold information and when we dispose of it.
- ‘Normal administrative practice’ – which permits the destruction of information that is duplicated, unimportant or of short-term facilitative value.
You can complain to us about the handling of your personal information by emailing us at email@example.com.
We will make all attempts to respond to and deal with your complaint quickly and within a reasonable time. If we decide that a complaint should be investigated further, it will usually be handled by a more senior officer than the officer whose actions you are complaining about.
If you are not satisfied with our response, you can complain to the Privacy Commissioner. For more information, visit the Office of the Australian Information Commissioner's website or phone 1300 363 992.
If you are not satisfied with our complaint handling process in response to your privacy complaint, you have the option of contacting the Commonwealth Ombudsman.
For questions about your privacy, you can contact our Privacy Officer by emailing firstname.lastname@example.org or writing to:
Merit Protection Commissioner
PO Box 20636
World Square NSW 2002
Privacy Impact Assessment Register
Under the Privacy (Australian Government Agencies – Governance) APP Code 2017, we must conduct Privacy Impact Assessments for all high privacy risk projects. A project may be a high privacy risk project if we reasonably consider that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.
We have not conducted any Privacy Impact Assessments since the Code came into force on 1 July 2018; however, if we do any assessments in the future, we will publish them on this register:
| Date finalised | Subject of PIA |
|---|---|