About this policy
This policy applies to personal information collected by the National Mental Health Commission. The Commission is bound by the provisions of the Privacy Act 1988, including the Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for how we handle and maintain personal information. This includes how we collect, store, use, disclose, quality assure and secure personal information, as well as your rights to access or correct your personal information.
Personal information is information or an opinion about an identified individual, or an
individual who is reasonably identifiable. Information is identifiable if the relevant person can be identified. Examples might include your name, email or phone number. If we ask you to provide additional personal information (for example, on a form), we will explain:
- why we need this information
- how we will use it
If you choose not to provide the information it may affect our ability to respond and deliver services.
You will generally be able to remain anonymous or use a pseudonym when interacting with us. However, it may not always be possible for this to occur—for example, when we are authorised or required under the law to deal with individuals who have identified themselves. We will inform you if you are unable to remain anonymous or use a pseudonym when dealing with us.
Types of personal information that we hold
The Commission only collects personal information that is necessary for, or directly related to its functions or activities. It may include:
- personal contact details
- personnel/employee records including educational qualifications
- complaint and feedback information
- financial payment records
- contract, tender and submission documents
- litigation and compensation records
- grants information
- employee conflict of interest declarations
- mailing and subscription lists (i.e. eNews)
- FOI applications
- ministerial or Commission correspondence, and
- submissions to consultations or reviews that we administer.
We may also collect and hold a range of sensitive information, including:
- health information – where you provide details of your medical history to us (such as in a submission to a review we are conducting); or the health information of staff (such as rehabilitation and compensation case files, next of kin or details of disabilities or injuries);
- racial or ethnic origin – of staff members for reporting purposes, or
- criminal records – as part of pre-employment screening.
When the Commission collects sensitive personal information, it is usually collected with the consent of the individual concerned. In limited circumstances we may collect personal information from a third party such as when a court order exists or it is authorised under an Australian law. If personal information about an individual is collected from another source, reasonable steps will be taken in the circumstances to notify the individual of the circumstances of the collection.
Our personal information handling practices
We may collect personal information directly from you, your representative or a third party. We primarily collect information directly from you or another individual, but in certain circumstances we may also obtain personal information collected by other Australian, state and territory government bodies or other organisations.
We collect personal information in a variety of ways, including paper-based forms, online (through our website as well as email), via social media websites and accounts, over the telephone and by fax.
We only collect personal information where it is reasonably necessary for, or directly related to, one or more of our functions or activities. Generally, we will only collect sensitive information (such as health information) if you consent and it is reasonably necessary for, or directly related to, one or more of our functions or activities. We will not collect any personal information if we do not need it.
The purpose for which we collect your personal information is important as it restricts how we can use and disclose your personal information.
At the time of collection, you will generally be informed of the purpose for the collection and how we will handle your personal information via privacy collection notices on our forms and online portals.
Use and disclosure of personal information
The Commission will only use or disclose your personal information for the purpose it was collected or as otherwise allowed under the Privacy Act. Except as provided in this policy we will not disclose your personal information to other government agencies, private sector organisations, or anyone else unless you consent or one of the following exceptions applies:
- you would reasonably expect us to use the information for that other purpose
- it is legally required or authorised, such as by an Australian law, or court or tribunal order
- it is reasonably necessary for an enforcement-related activity
- we reasonably believe that it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and we reasonably believe that it is necessary in order for us to take appropriate action in relation to the matter
- we believe that it is reasonably necessary to help locate a person who has been reported as missing
- it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim
- it is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
As a general guide, the Commission routinely discloses personal information to contracted service providers that assist in the Commission’s human resources, communications, information technology or other corporate or administrative functions.
Disclosure to overseas recipients
We do not routinely disclose personal information to overseas recipients. If, at some point, disclosure of information to an overseas recipient becomes necessary, we will only provide personal information to an overseas recipient if we are allowed to do so under the Privacy Act. We will also take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to the information.
Privacy data breaches
The Commission takes all privacy data breaches seriously. A privacy data breach occurs where there is unauthorised access, use, modification, disclosure or loss of personal information. The Notifiable Data Breaches scheme in Part IIIC of the Privacy Act commenced on 22 February 2018 and requires agencies to undertake an assessment of all privacy data breaches within 30 days and notify affected individuals and the Australian Information Commissioner where the agency determines that the breach is an ‘eligible data breach’. An ‘eligible data breach’ occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information, and a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
The Commission follows internal data breach response procedures that are consistent with the Office of the Australian Information Commissioner’s Data Breach Preparation and Response Guide.
Quality of personal information
The Privacy Act requires us to take reasonable steps to ensure that the personal information we hold is safe and secure. We are also required to take reasonable steps to ensure that the personal information that we collect is accurate, up-to-date, and complete. This may include correcting your personal information where it is appropriate to do so.
How we store personal information
The Commission stores all personal information securely and restricts access to those employees who need access in order to perform their duties or to assist individuals. In general, personal information is stored electronically in record keeping systems, on hard drives or in emails.
We take all necessary steps to ensure that personal information is protected from misuse, loss and interference. When personal information is no longer required, we delete or destroy it in a secure manner, unless we are required to maintain it because of a law, or court or tribunal order. This situation might arise where the Archives Act 1983 requires that we maintain your personal information because it forms part of a Commonwealth record.
Personal information held by third parties
Under the Privacy Act, we are required to take measures to ensure that when your personal information is to be held by a third party, that the third party complies with the same privacy requirements applicable to the Commission.
Except as specified in this policy, the Commission includes privacy clauses in its contractual agreements with third parties, including funding agreements, consultancy and services contracts. This is to ensure that the third parties handle personal information in accordance with the APPs.
Accessing and correcting your personal information
You have a right to access personal information we hold about you. You also have a right under the Privacy Act to request corrections to any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
There is no charge associated with making a request and notification of the outcome will be provided, in most cases, within 30 days. For security reasons, and to protect other person’s privacy, applicants may be asked to provide proof of their identity.
To access personal information, a written request should be sent to the Commission’s Privacy Officer by email at [email protected] or in writing to:
The Privacy Officer
PO Box R1463 Royal Exchange
We can decline access to, or correction of, personal information under circumstances set out in the Privacy Act. Generally, where we refuse to give you access, we will give you written notice of the reasons for refusal and the mechanisms available to you to dispute that decision.
The Privacy Officer can be contacted on (02) 8229 7550 to discuss any privacy issues.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.
From 1 July 2018, the Australian Government Agencies Privacy Code require agencies to conduct a PIA for all high privacy risk projects. A high privacy risk project is one that involves a new or changed way of handling personal information that is likely to have a significant impact on the privacy of individuals.
A register of PIAs completed by the Commission is available on our Privacy Impact Assessment Register.
Making a privacy complaint
You may complain about the way the Commission has handled your personal information. Complaints should be in writing and sent to the Privacy Officer using the contact details provided.
The complaint should provide sufficient detail so the issues and concerns can be investigated.
If you are not satisfied with the outcome of an investigation, a complaint can be submitted to the Office of the Australian Information Commissioner (OAIC). Further details about making a privacy complaint to the OAIC can be found at the OAIC website.
What happens when you visit our website or engage with us online
Protecting your privacy online
The Commission is committed to protecting privacy online in accordance with the Guide to securing personal information issued by the OAIC.
While every effort is made to secure information transmitted to this site over the internet, there is a possibility that this information could be accessed by a third party while in transit.
When visiting this website, a record of your visit is logged and information may be collected by the internet browser, cookies and/or Google Analytics. This information, including personal information, is recorded for statistical purposes only and is used to help improve this website. This may include:
- Your server address
- Your operating system (for example Windows, Mac OS X etc)
- Your top level domain name (for example .com, .gov, .au, .uk etc)
- the date and time of your visit to the site
- the pages accessed and the documents downloaded, and
- your type of browser used.
This information is used for statistical purposes only. No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation, where a law enforcement agency (or other government agency) exercises a legal authority to inspect Internet Service Provider (ISP) logs (eg. by warrant, subpoena or notice to produce).
Cookies are pieces of information that a website can transfer to your computer when you access information on that site. Cookies can make websites easier to use by storing information about your preferences on a particular website. This information remains on your computer after you close your browser.
Collection of personal information
When you e-mail us:
- we will record your e-mail address
- we will only use your e-mail address for the purpose for which you provided it
- it will not be added to a mailing list, unless provided by you specifically for that purpose
- we will not use your e-mail address for any other purpose
- we will not disclose it without your consent.
Other personal information is collected by us when you subscribe to a National Mental Health Commission subscription service. To manage our stakeholder and subscription services and provide subscribers with information about the Commission, we disclose limited information to our 3rd party service providers, Campaign Monitor and Darzin (Simply Stakeholder).
Campaign Monitor may collect personal information, such as distribution lists that contain email addresses, and other information relating to those email addresses. For further information about the type of personal information Campaign Monitor collects, refer to the Campaign Monitor privacy notice.
We will only use the information you provide to create, send and manage emails relating to the Commission’s work and measure email campaign performance.
Campaign Monitor may transfer this information to third parties where required to do so by law, or where such third parties process the information on Campaign Monitor’s behalf. Campaign Monitor collects information about when you use the services such as your browser type and version, your operating system and other similar information.
Campaign Monitor is based in the United States of America (USA) and the information collected about your use of the website (including your IP address) will be transmitted to and stored by Campaign Monitor on servers located outside Australia.
By subscribing to our eNewsletter:
- You understand and acknowledge that this service utilises a Campaign Monitor platform, which is located in the USA and relevant legislation of the USA will apply.
- You acknowledge that Australian Privacy Principle 8.1 contained in Schedule 1 of the Privacy Act will not apply and that the Commission will therefore not have an obligation to take reasonable steps to ensure that Campaign Monitor does not breach the Australian Privacy Principles in relation to personal information that is given to it.
Darzin is an Australian company that provides us with a stakeholder management service via Simply Stakeholder. Darzin stores the information you provide us when you subscribe on Australian servers and is subject to the Privacy Act. Please see the Simply Stakeholder privacy statement for further information.
You can opt out of our mailing list by clicking the ‘unsubscribe’ link provided by Campaign Monitor in every email, or contact the Commission.
Online engagement - Have your Say
As part of its functions the Commission actively seeks to engage with a broad cross section of the community, particularly people with a lived experience of mental illness, their families and carers. One mechanism we use to do that is surveys and other forms of online consultation.
Surveys are usually conducted electronically via the Commission’s Have Your Say page, an online consultation site operated and hosted by Bang the Table for the National Mental Health Commission.
The Commission will collect, via Have Your Say, the personal information of respondents at the time that they register to use Have Your Say and when they contribute to a consultation.
For further detail on how the Commission handles personal information collected via Have Your Say, please see the Commission’s Privacy Notice for the site.
This site does not provide facilities for the secure transmission of information across the Internet. Users should be aware that there are inherent risks in transmitting information across the Internet. As an alternative, users are able to make comments and suggestions by writing to:
National Mental Health Commission
Post Box R1463
Royal Exchange NSW 2000
Links to other sites
This policy was last updated in April 2022