Privacy

Purpose

The Privacy Policy and associated guidelines set out the basis by which the Department collects, stores, uses, corrects and discloses personal information, in keeping with the Department of the Premier and Cabinet Circular: PC012 – Information Privacy Principles Instruction (IPPS).

Public sector employees are also bound by the Code of Ethics for the South Australian Public Sector issued under the Public Sector Act 2009, which requires public sector employees to “…ensure that the privacy of individuals is maintained and will only release information in accordance with relevant legislation, industrial instruments, policy or lawful and reasonable direction.”

The Department collects a range of personal information in its dealings with members of the public and clients in the normal course of business. Personal information collected during business will generally only be used in relation to the purpose for which it was collected. 

Generally, clients can gain access to their personal information that they have provided, however, in some cases, this may require an application under the Freedom of Information Act 1991.

Scope

This Policy applies to the Department and its employees. This Policy also extends to agency staff, contractors, volunteers and other persons undertaking work at any Department work location. 

Policy Detail

The collection, management and use of personal information by South Australian Government agencies, is governed by PC012 Information Privacy Principles Instruction. 
The Public Sector Data Sharing Act 2016 (SA) provides boundaries around specific uses of the personal information collected and held by agencies. Confidentiality must be maintained of all clients’ personal information. Release of information to unauthorized parties may result in breaches of confidentiality resulting in disadvantage to the client. Personal information that may be incomplete, incorrect, out-of-date or misleading, may also affect the provision of products or services to that client. 

Amendment of the erroneous details must be undertaken to ensure no disadvantage to the Department’s clients. Personal information data breaches may occur in several ways, including accidental loss, internal errors or deliberate actions of trusted employees, theft of physical assets or the theft or misuse of electronic information (e.g. a cyber-attack). 

Where it has been identified that there has been a personal information data breach, the Department will take action to deal with the breach and inform appropriate parties, where appropriate. In accordance with the Department of the Premier and Cabinet Guideline – Personal information data breaches, each incidence needs to be assessed on a case-by-case basis, to determine whether notification is required. 

Use and Disclosure of Personal Information 

Personal information must not be used or disclosed to a third party, for any purpose other than the purpose for which the information was collected, except under the following 
circumstances: 

• The client has expressly or impliedly consented to the use or disclosure

• The use or disclosure is required or authorised by or under law

• There are reasonable grounds justifying the disclosure to prevent or lessen a serious  threat to the life, health or safety of the record subject or some other person

• There are reasonable grounds that the use or disclosure of the information is  reasonably necessary for the enforcement of the criminal law, or of a law imposing a  pecuniary penalty

• There are reasonable grounds that the use or disclosures are necessary due to the 
suspicion of unlawful activity relating to Departmental business activities and 
functions; and 

• There are reasonable grounds that the use or disclosures are necessary due to the 
suspicion of illegal conduct or serious misconduct by an individual. 

Reporting, Recording and Investigating Personal Information Data Breaches

The Department’s Agency Security Plan, developed in accordance with PC030 Protective Security Management Framework (PSMF), provide guidance and procedures for reporting, recording, and investigating security incidents, which include personal information data breaches. 

Refer to the Protective or Information Technology Security Incidents Procedure. 

Commonwealth Privacy Act and Notifiable Data Breaches Scheme 

The Commonwealth Privacy Act1988 (the Privacy Act) does not generally apply to South Australian Government agencies. However, under an amendment to the Privacy Act, 
agencies that hold tax file number (TFN) information are required to comply with the 
Commonwealth’s Notifiable Data Breaches scheme, but only in respect to TFN 
information. For additional advice, refer to Premier and Cabinet - Personal information 
data breaches guideline.

Access and Correction and Privacy Complaints

Individuals have a right to apply for access to their own personal information and can seek to have it corrected under the Freedom of Information Act 1991(SA) if they consider it to be incomplete, incorrect, out-of-date or misleading.

In relation to complaints, members of the public and clients should make privacy complaints directly to the Department in the first instance, to be resolved through the complaints handling process. If a privacy complaint is unable to be resolved directly by the Department, the individual may choose to complain to the Privacy Committee of South Australia or the Ombudsman SA. 

Terms and Definitions