Purpose and Scope
Era Advisory Pty Ltd ABN 21 681 443 103 (Era) is a Hobart-based consultancy providing engagement services.
By following this policy and related procedure, Era employees can ensure compliance with both federal and state privacy laws and regulations when collecting and managing personal information obtained during Engagement Work. It applies when undertaking Engagement Work.
Era is at all times bound by the Privacy Act 1988 (Cth) (the PA Act) for the collection, maintenance, use, correction and disclosure of personal information. Era may also be obligated to comply with the Personal Information Protection Act 2004 (TAS) (the PIP Act) where it supplies services to Tasmanian government authorities or councils. For simplicity, this policy has combined the requirements under both pieces of legislation.
Era’s Privacy Policy is a separate policy and is available to the public on the Era Website. The Privacy Policy is Era’s external policy statement as required by privacy laws.
Definitions
The below definitions are summarised from the PIP Act and PA Act.
Australian Privacy Principles means the laws which apply in Australia and are located in Schedule 1 of the PA Act. Complaints can be made about an alleged breach of one or more of these principles.
Engagement Work means any work undertaken by Era on behalf of a client, whether paid or not, that includes the collection of Personal Information from individuals (including, but not limited to, members of the public) for the purpose of informing the progression of a project and any decisions associated with that project.
Personal Information is defined similarly in the PIP Act and PA Act as any information or opinion (regardless of whether it is true or not) about an individual whose identity is apparent or is reasonably ascertainable from the information or opinion whether the information or opinion is recorded in a material form or not. This includes, for example, an individual’s name, gender, age, address, email address, phone number, education details, marital status or employment status.
Era should not collect financial information.
The information can be in writing, images, video or an audio recording.
Generally, feedback or comments provided during the engagement period, such as meeting notes or correspondence, are not personal information unless they are ‘about an individual’.
The law only applies to protect individuals, not organisations. Other laws apply to protect companies, for example, intellectual property laws and confidentiality principles.
Personal information custodian is from the PIP Act and means a public authority, any organisation or person who has entered into a personal information contract relating to personal information or a prescribed body (for example, state government departments, local councils, statutory bodies, the University of Tasmania, Tasmania Police, state owned companies). The definition also extends to organisations providing services for the State in some circumstances.
Era becomes a personal information custodian and therefore liable under the PIP Act where it collects, uses or stores personal information on behalf of a public information custodian as described above. For example, by running an online survey for a council and then downloading that data to our Z Drive, the PIP Act applies.
Personal Information Protection Principles means the laws which apply in Tasmania and are located in Schedule 1 of the PIP Act. Complaints can be made about an alleged breach of one or more of these principles.
Sensitive Information means personal information or an opinion relating to an individual’s personal information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, and health information.
The PIP Act and PA Act place special restrictions on the collection of sensitive information.
An example of this type of information is an individual’s Aboriginal or Torres Strait Islander status.
A photo may include sensitive information where the individual is reasonably identifiable and a category of Sensitive Information is also identifiable, such as when their religious beliefs are apparent from the image.
Health information can include disabilities, illnesses or injuries disclosed by an individual.
Policy Statement
The following policy rules must be followed by Era staff undertaking Engagement Work.
Era must comply with the PA Act, and if applicable, the PIP Act, at all times.
Only Era employees that understand this policy shall undertake Engagement Work.
Era may collect Personal Information and Sensitive Information when undertaking Engagement Work if:
in the case of Personal Information, the Personal Information is reasonably necessary for the Engagement Work; and
in the case of Sensitive Information, the relevant individual consents to the collection of the information and the Sensitive Information is reasonably necessary for the Engagement Work.
Era may use Personal Information and Sensitive Information when undertaking Engagement Work if the Personal Information and Sensitive Information was collected for use in the Engagement Work or if:
the relevant individual has consented to the use of Personal Information and Sensitive Information in the Engagement Work;
in the case of Personal Information, the Engagement Work is related to the primary purpose for which the Personal Information was collected; or
in the case of Sensitive Information, the Engagement Work is directly related to the primary purpose for which the Sensitive Information was collected.
When collecting Personal Information and Sensitive Information, Era must state why the information is being collected and how it will be used.
Era must consider whether Personal Information is required to be collected or not and enable the option for individuals to remain anonymous.
When collecting Personal Information, Era must provide individuals with the following information:
Era’s contact information and how to access their Personal Information.
If lawful and practicable, how individuals can remain anonymous.
Information about any disadvantages associated with not supplying the requested personal information (e.g. if an individual would like to remain anonymous then they cannot be contacted).
When recording and storing Personal Information, Era must ensure the following:
Personal information is accurate, complete, up to date and relevant to its functions.
Personal information is protected from misuse, loss, unauthorised access, modification or disclosure.
Personal information is destroyed or permanently de-identified when it is no longer needed, provided that Era is not required by an Australian law or a court/tribunal order to retain the information.
This policy is regularly updated and includes processes for the management of personal information.
Personal information is not provided to any other individual or organisation unless required by law.
If requested by an individual, Era must at a minimum be able to:
Easily disclose what information it holds, how it collects the information or how it was collected and why it was collected.
Easily work with the individual to update any information or make corrections.
Era must not create and use unique identifiers to identify individuals (for example, create a code of letters or numbers and assign it to each individual and use that code as a way to identify that individual).
Policy implementation
Era staff should follow the Engagement Privacy Procedure to effectively comply with this policy.
Era staff should seek direction from the Era Advisory Engagement Team for assistance in interpreting this policy and applying the related procedure in the first instance.
Era staff should refer to the specific details of the PIP Act and/or PA Act in situations of doubt in the application of this policy.
In situations where both the PIP Act and PA Act apply, the PA Act applies to the extent of any inconsistency (PIP Act s 4; Commonwealth of Australia Constitution Act s 109).