About this policy
This policy applies to personal information collected by the National Mental Health Commission. The Commission is bound by the provisions of the Privacy Act 1988, including the Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for how we handle and maintain personal information. This includes how we collect, store, use, disclose, quality assure and secure personal information, as well as your rights to access or correct your personal information.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Information is identifiable if the relevant person can be identified. Examples might include your name, email or phone number. If we ask you to provide additional personal information (for example, on a form), we will explain:
- why we need this information
- how we will use it
If you choose not to provide the information it may affect our ability to respond and deliver services.
You will generally be able to remain anonymous or use a pseudonym when interacting with us. However, it may not always be possible for this to occur—for example, when we are required by law to deal only with individuals who have identified themselves or we need to verify your identity before you can represent an entity. We will inform you if you are unable to remain anonymous or use a pseudonym when dealing with us.
Types of personal information that we hold
The Commission only collects your personal information where the collection is necessary for, or directly related to its functions or activities. It may include:
- personal contact details
- personnel/employee records including educational qualifications
- complaint and feedback information
- financial payment records
- contract, tender and submission documents
- litigation and compensation records
- grants information
- employee conflict of interest declarations
- mailing and subscription lists (i.e. eNews)
- FOI applications
- ministerial or Commission correspondence, and
- submissions to consultations or reviews that we administer
We may also collect and hold a range of sensitive information, including:
- health information – where you provide details of your medical history to us (such as in a submission to a review we are conducting); or the health information of staff (such as rehabilitation and compensation case files, next of kin or details of disabilities or injuries);
- racial or ethnic origin – of staff members for reporting purposes, or
- criminal records – as part of pre-employment screening.
When the Commission collects sensitive personal information, it is usually collected with the consent of the individual concerned. In limited circumstances, we may collect personal information from a third party such as when a court order exists or it is authorised under an Australian law. If personal information about an individual is collected from another source, reasonable steps will be taken in the circumstances to notify the individual of the circumstances of the collection.
Our personal information handling practices
We may collect personal information directly from you, your representative or a third party. In limited circumstances, we may also collect your personal information from other Australian, state and territory government bodies or other organisations.
We collect personal information in a variety of ways, including paper-based forms, online (through our websites as well as email), via social media websites and accounts, over the telephone and by fax.
We only collect personal information where it is reasonably necessary for, or directly related to, one or more of our functions or activities. Generally, we will only collect sensitive information (such as health information) if you consent and it is reasonably necessary for, or directly related to, one or more of our functions or activities. We will not collect any personal information if we do not need it.
The purpose for which we collect your personal information is important as it restricts how we can use and disclose your personal information.
At the time of collection, you will generally be informed of the purpose for the collection and how we will handle your personal information via privacy collection notices on our forms and online portals. Some common purposes for the collection of your person information include, for example, to inform the Commission’s mental health policy advice to the Australian Government or to support the Commission’s monitoring and reporting on the mental health and suicide prevention systems.
Use and disclosure of personal information
We will only use or disclose your personal information for the purpose it was collected or as otherwise allowed under the Privacy Act. Except as provided in this policy, we will not use or disclose your personal information for a secondary purpose unless you consent or one of the following exceptions applies:
- you would reasonably expect us to use your personal information for that other purpose
- your personal information it is legally required or authorised, such as by an Australian law, or court or tribunal order
- it is reasonably necessary to use or disclose your personal information for an enforcement-related activity
- a permitted general situation under s 16A of the Privacy Act applies to the use or disclosure of your personal information.
As general guide, the Commission routinely shares personal information to contracted service providers that assist in the Commission’s human resources, communications, information technology or other corporate or administrative functions. The Commission routinely discloses personal information to other government agencies and private sector organisations.
Disclosure to overseas recipients
We do not routinely disclose personal information to overseas recipients, except for Campaign Monitor as described below.
If, at some point, disclosure of information to an overseas recipient becomes necessary, we will only provide your personal information to an overseas recipient if we are allowed to do so under the Privacy Act. We will also take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to your personal information.
Privacy data breaches
The Commission takes all privacy data breaches seriously. In accordance with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, we will notify you (if you are an affected individual) and the Australian Information Commissioner where we determine that a privacy breach is an ‘eligible data breach’. An ‘eligible data breach’ occurs where:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information, and
- a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
The Commission follows internal data breach response procedures that are consistent with the Office of the Australian Information Commissioner’s Data Breach Preparation and Response Guide.
Quality of personal information
The Privacy Act requires us to take reasonable steps to ensure that the personal information we hold is safe and secure. We are also required to take reasonable steps to ensure that the personal information that we collect is accurate, up-to-date, and complete. This may include correcting your personal information where it is appropriate to do so.
How we store personal information
The Commission stores all personal information securely and restricts access to those employees who need access in order to perform their duties or to assist individuals. In general, personal information is stored electronically in record keeping systems, on hard drives, secure online business systems or in emails.
We take all necessary steps to ensure that personal information is protected from misuse, loss and interference. When personal information is no longer required, we delete or destroy it in a secure manner, unless we are required to maintain it because of a law, or court or tribunal order. This situation might arise where the Archives Act 1983 requires that we maintain your personal information because it forms part of a Commonwealth record.
Personal information held by third parties
Under the Privacy Act, we are required to take measures to ensure that when your personal information is to be held by a third party, that the third party complies with the same privacy requirements applicable to the Commission.
Except as specified in this policy, the Commission includes privacy clauses in its contractual agreements with third parties, including funding agreements, consultancy and services contracts. This is to ensure that the third parties handle personal information in accordance with the APPs.
Accessing and correcting your personal information
You have a right to access personal information we hold about you. You also have a right under the Privacy Act to request corrections to any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
There is no charge associated with making a request and notification of the outcome will be provided, in most cases, within 30 days. For security reasons, and to protect the privacy of other individuals, applicants may be asked to provide proof of their identity.
To access personal information, a written request should be sent to the Commission’s Privacy Officer by email at [email protected] or in writing to:
The Privacy Officer
PO Box R1463 Royal Exchange
We can decline access to, or correction of, personal information under circumstances set out in the Privacy Act. Generally, where we refuse to give you access or correct information, we will give you written notice of the reasons for refusal and the mechanisms available to you to dispute that decision.
The Privacy Officer can be contacted on (02) 8229 7550 to discuss any privacy issues.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.
From 1 July 2018, the Australian Government Agencies Privacy Code require agencies to conduct a PIA for all high privacy risk projects. A high privacy risk project is one that involves a new or changed way of handling personal information that is likely to have a significant impact on the privacy of individuals. A register of PIAs completed by the Commission are available on our Privacy Impact Assessment Register.
Making a privacy complaint
You may complain about the way the Commission has handled your personal information. Complaints should be in writing and sent to the Privacy Officer using the contact details provided.
The complaint should provide sufficient detail so that your issues and concerns can be investigated.
If you are not satisfied with the outcome of an investigation, a complaint can be submitted to the Office of the Australian Information Commissioner (OAIC). Further details about making a privacy complaint to the OAIC can be found at the OAIC website.
What happens when you visit our website or engage with us online
Protecting your privacy online
The Commission is committed to protecting privacy online in accordance with the Guide to securing personal information issued by the OAIC.
While every effort is made to secure information transmitted to this site over the internet, there is a possibility that this information could be accessed by a third party while in transit.
When visiting the Commission’s websites, a record of your visit is logged and information may be collected by the internet browser, cookies and/or Google Analytics. This information, including personal information, is recorded for statistical purposes only and is used to help improve this website. This may include:
- Your server address
- Your operating system (for example Windows, Mac OS X etc)
- Your top level domain name (for example .com, .gov, .au, .uk etc)
- the date and time of your visit to the site
- the pages accessed and the documents downloaded, and
- your type of browser used.
No attempt will be made to identify you or your browsing activities except in the unlikely event of an investigation, where a law enforcement agency (or other government agency) exercises a legal authority to inspect Internet Service Provider (ISP) logs (eg. by warrant, subpoena or notice to produce).
Cookies are pieces of information that a website can transfer to your computer when you access information on that site. Cookies can make websites easier to use by storing information about your preferences on a particular website. This information remains on your computer after you close your browser.
Collection of personal information
When you e-mail us:
- we will record your e-mail address
- we will only use your e-mail address for the purpose for which you provided it
- it will not be added to a mailing list, unless provided by you specifically for that purpose
- we will not use your e-mail address for any other purpose
- we will not disclose it without your consent.
Other personal information is collected by us when you subscribe to a Commission subscription service. To manage our stakeholder and subscription services and provide subscribers with information about the Commission, we disclose limited information to our 3rd party service providers, Campaign Monitor and Darzin (Simply Stakeholder).
We will only use the information you provide to create, send and manage emails relating to the Commission’s work and measure email campaign performance.
Campaign Monitor may transfer this information to third parties where required to do so by law, or where such third parties process the information on Campaign Monitor’s behalf. Campaign Monitor collects information about when you use the services such as your browser type and version, your operating system and other similar information.
Campaign Monitor is based in the United States of America (USA) and the information collected about your use of the website (including your IP address) will be transmitted to and stored by Campaign Monitor on servers located outside Australia.
By subscribing to our eNewsletter:
- You consent to your personal information being collected, used and disclosed by Campaign Monitor to deliver the subscription service.
- You understand and acknowledge that this service utilises a Campaign Monitor platform, which is located in the USA and relevant legislation of the USA will apply.
- You acknowledge that the Commission will not be responsible under the Privacy Act for how Campaign Monitor or any of their subcontractors handles your personal information.
Darzin is an Australian company that provides us with a stakeholder management service via Simply Stakeholder. Darzin stores the information you provide us when you subscribe on Australian servers and is subject to the Privacy Act. Please see the Simply Stakeholder privacy statement for further information.
Unsubscribe to subscriptions
You can opt out of our mailing list by clicking the ‘unsubscribe’ link provided by Campaign Monitor in every email, or contact the Commission.
Online engagement - Have your Say
As part of its functions the Commission actively seeks to engage with a broad cross section of the community, particularly people with a lived experience of mental illness, their families and carers. One mechanism we use to do that is surveys and other forms of online consultation.
Surveys are usually conducted electronically via the Commission’s Have Your Say page, an online consultation site operated and hosted by Bang the Table for the National Mental Health Commission.
The Commission will collect, via Have Your Say, the personal information of respondents at the time that they register to use Have Your Say and when they contribute to a consultation.
For further detail on how the Commission handles personal information collected via Have Your Say, please see the Commission’s Privacy Notice for the site.
Our websites generally do not provide facilities for the secure transmission of information across the Internet. Users should be aware that there are inherent risks in transmitting information across the Internet. As an alternative, users are able to make comments and suggestions by writing to:
National Mental Health Commission
Post Box R1463
Royal Exchange NSW 2000
Links to other sites
This policy was last updated in June 2023