A close-up image of audio equipment that has been tinted orange
https://www.nfsa.gov.au/sites/default/files/2024-01/Privacy-policy-Hero-image-1600-X-775-144-dpi.jpg

Privacy Policy

NFSA Privacy Policy

NFSA PRIVACY POLICY

1. Introduction
2. Personal information handling practices
3. Use and disclosure of personal information
4. Data quality
5. Storage and data security
6. Records management
7. Email communication
8. NFSA websites – NFSA Website Privacy Statement
9. Complaints
10. NFSA Privacy Policy updates
11. How to contact the NFSA Privacy Contact Officer
Appendix 1 – Australian Privacy Principles — a summary for APP entities

 

1. Introduction

1.1 Purpose

The National Film and Sound Archive of Australia (the NFSA) has this NFSA Privacy Policy for the management of 'personal information' and 'sensitive information' in accordance with the NFSA's obligations as an APP entity under the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act).

The 13 APPs are summarised in Appendix A of this policy and are available in full in Schedule 1 of the Privacy Act.

Some terms defined in legislation are identified using inverted commas (' ').

 

1.2 Scope

This NFSA Privacy Policy applies to 'personal information' and 'sensitive information' in records created, collected or held by the NFSA in the performance of its functions and powers under the National Film and Sound Archive of Australia Act 2008 (NFSA Act).

The NFSA collects personal information to perform its functions in the NFSA Act to:

  • develop, preserve, maintain, promote and provide access to a national collection of programs and related material;
  • support and promote the collection by others of programs and related material in Australia;
  •  support, promote or engage in:

- the preservation and maintenance of programs and related material that are not in the national collection; and

- the provision of access to programs and related material that are not in the national collection;

  • support and promote greater understanding and awareness in Australia of programs; and
  • undertake any other function conferred on it by any other law of the Commonwealth.

These functions are performed within the NFSA's powers to do all things necessary or convenient to be done for or in connection with the performance of the NFSA's functions, including but not limited to the powers to:

  • accept gifts, devises, bequests and assignments;
  • act as trustee of money, programs or other property vested in the NFSA on trust;
  • act on behalf of the Commonwealth or an authority of the Commonwealth of the Commonwealth in the administration of a trust relating to programs or to matters connected with programs; and
  • do anything incidental to its functions.

This NFSA Privacy Policy has limited application to the 'national collection of programs and relation material' defined the NFSA Act - also known as the National Audiovisual Collection - for example, where the 'personal information':

  • Is not collected by the NFSA for inclusion in a 'record' or a 'generally available publication';
  • Is in an item kept by the NFSA for the purposes of reference, study or exhibition and therefore is not a 'record' under the Privacy Act; or
  • Is in a 'Commonwealth record' administered in accordance with provisions contained in the Archives Act 1983 (Cth) therefore is not a 'record' under the Privacy Act.

 

1.3 Personal information and sensitive information

The Privacy Act defines terms including 'personal information' and 'sensitive information'.
'Personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

'Sensitive information' includes:

  • 'personal information' that is information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record;
  • health or genetic information about an individual;
  •  genetic information about an individual that is not otherwise health information;
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; and
  • biometric templates

 

1.4 Overview of this NFSA Privacy Policy

In compliance with APP 1, the NFSA takes steps as are reasonable in the circumstances to implement practices, procedures and systems that ensure compliance with the APPs and any relevant APP code, including for dealing with any related enquiries or complaints.

This NFSA Privacy Policy explains how the NFSA manages personal information, including:

  • the kinds of personal information that the NFSA collects and holds;
  • how the NFSA collects and holds personal information;
  • the purposes for which the NFSA collects, holds, uses and discloses personal information;
  • how an individual may access personal information about the individual that is held by the NFSA and seek the correction of such information;
  • how an individual may complain about an alleged breach of the APPs, or any relevant APP code, and how the NFSA will deal with any complaints;
  • whether the NFSA is likely to disclose personal information to overseas recipients and, if so, the countries where recipients are likely to be located.

 

2. Personal information handling practices

2.1 The kinds of personal information the NFSA collects and holds

The NFSA may collect personal information from an individual, or from a third party. The NFSA uses forms, online systems and other electronic or paper correspondence, as well as telephone and face-to-face interactions, to collect personal information.

The NFSA collects and holds over 19 classes of personal information which may include;

  • contact details – staff and clients
  • employment history and educational qualifications of staff
  • complaint details
  • reference and user enquiries
  • corporate mailing list
  • financial information and accounting system
  • mailing and membership list of Friends of the NFSA
  • sponsorship and fundraising information
  • volunteers of the NFSA
  • user feedback database
  • registration to websites (nfsa.gov.au, player.nfsa.gov.au and aso.gov.au)
  • subscriptions to newsletters (online and print)
  • entries to social media competitions
  • online event ticketing
  • details of donors, lenders and rights owners of items in the National Audiovisual Collection
  • biographical information, including career history information
  • published and broadcast commentary and opinion
  • unpublished recordings and manuscripts
  • oral histories

 

2.2 About personal information the NFSA collects

The personal information collected in connection with the operations of the NFSA may be in relation to:

  • Requests for access to the National Audiovisual Collection
  • Details of volunteers
  • Processing of financial transactions
  • Establishing ownership of intellectual property rights
  • Archival research and interpretation
  • Applications for grants, fellowships and scholarships (including internships and 'in-residence' programs)
  • Compliance with Government regulations and legislation
  • Donor liaison, sponsorship and fundraising activities
  • Recording user feedback on services and activities including surveys and evaluations
  • Electronic mailing lists relating to the activities of the NFSA
  • Corporate mailing lists
  • Registration details for the organisation's websites, including nfsa.gov.au, player.nfsa.gov.au and aso.gov.au
  • Access to digital content (paid and unpaid)
  • Subscription information
  • Online event ticketing
  • Oral histories
  • Employee records
  • Membership records of Friends of the National Film and Sound Archive
  • Footage from closed circuit cameras.

 

2.3 How the NFSA collects personal information

In collecting information within its functions and powers, the NFSA will not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related, to one or more of the NFSA's functions or powers.  Any personal information that the NFSA collects will be relevant for the purpose to which it is collected.  The NFSA will only collect personal information by lawful and fair means and will generally collect the information about an individual from the individual personally, unless the individual consents otherwise, or it is unreasonable or impractical to do so.

Unsolicited personal information will be collected if the NFSA determines that it could have otherwise collected the information, or de-identify or destroy the information if the NFSA could not have collected the information and it is not contained in a Commonwealth record.

Where it is reasonable in the circumstances, the NFSA will notify individuals about the collection of their information by reference to this NFSA Privacy Policy or will otherwise ensure that the individual is aware of relevant matters as required by the APPs.

 

2.4 How the NFSA holds personal information

  • The NFSA holds personal information in the following ways:
  • The records for the corporate mailing list are held in electronic and paper files
  • The records for donors are held on MediaFlex, the collection management database and in electronic and paper files
  • The records for requests for access to the collection are held in electronic and paper files
  • The records for financial transactions are held on the Finance One database.
  • The records for membership of the Friends of the NFSA are held in electronic and paper files
  • The records of relating to sponsorship and fund raising are held in electronic and paper files
  • The records for volunteers are held in electronic and paper files
  • The records for user feedback is held in electronic and paper files
  • The records of online event ticketing are held in both electronic and paper files
  • Oral histories are held in electronic and paper files
  • Employee records are held in electronic and paper files

 

2.5 Access to and correction of personal information

An individual may apply to access or correct their personal information by application to the Privacy Contact Officer.

  • Access to personal information (APP 12)

Individuals have a right to access the personal information that the NFSA holds about that individual. The right of access is subject to the relevant exemptions in the FOI Act and any Act of the Commonwealth.  The NFSA will respond to the individual's request within 30 days after the receipt of a request from the individual, to grant access or to give written reasons for any refusal to grant access to the information.

  • Amendment of personal information (APP 13)

The NFSA will take reasonable steps to correct personal information that it holds to ensure that it is accurate, up-to-date, complete, relevant and not misleading.

Individuals can request information that the NFSA holds about them to be corrected.  The NFSA will notify the individual of a decision within 30 days after the receipt of a request from the individual and will provide written reasons if the request to amend personal information is refused.

 

3. Use and disclosure of personal information (APP 6)

3.1 General use and disclosure

The NFSA holds personal information that is collected for a primary purpose and will not use or disclose it for another purpose, except where an individual provides consent or in compliance with APP6, including where:

  • the individual would reasonably expect the sensitive information to be used for a purpose directly related to the primary purpose records;
  • the individual would reasonably expect the personal information (not sensitive information) to be used for a purpose related to the primary purpose;
  • it is required or authorised by law or a court/tribunal order;
  • a 'permitted general situation' exists; or
  • the NFSA believes it is reasonably necessary for the activities conducted by or on behalf of an enforcement body.

 

3.2 Disclosure of personal information to overseas recipients (APP 8)

The NFSA is not likely to disclose information to overseas recipients.  

APP 8 places obligations on the NFSA for disclosure of personal information to overseas entities, when the recipient is not in Australia or an external entity Territory, and is not the entity or the individual.  Before any personal information is disclosed overseas, the NFSA will take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information.

 

3.3 Accidental or unauthorised disclosure of personal information

The NFSA protects personal information the NFSA holds and will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.

External service providers who handle personal information about the NFSA’s staff, users or other individuals are ordinarily bound contractually to comply with the Privacy Act and may themselves have statutory obligations as APP entities.

It is also ordinarily a requirement for staff, contractors and service providers to comply with the Privacy Act in fulfilment of their obligations under:

  • Public Service Act 1999
  • Public Service Regulations 1999
  • Australian Public Service (APS) Values
  • APS Code of Conduct.

If employees disclose official information without authority they may face disciplinary sanctions including, in the most serious cases, termination of employment.

 

4. Data quality

Collection systems aid in the automated correction of identified errors within Mediaflex dataset when required - identification and resolution method are determined by Collection Information Section. Additionally, Collection Information Section upgrades data as part of their regular work.

In terms of securing personal data collected via acquisition work processes, this is achieved by limiting access to the Mediaflex system to staff and endorsed researchers. This information is also withheld from the Mediaflex public interface (Search the Collection).

 

5. Storage and data security (APP 11)

The NFSA takes reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.

The NFSA manages its online services and IT systems in accordance with the Australian Government Protective Security Policy Framework and the Australian Government Information Security Manual.

 

6. Records management

Storage of information (and the disposal of information when no longer required) is managed in accordance with Australian Government records management regulations, guidelines and authorities, including the Archives Act, Records Authorities and General Disposal Authorities.

 

7. Email communication

There are inherent risks associated with the transmission of information over the internet, including via email. Individuals should be aware of this when sending personal information to the NFSA via email. If this is of concern to any individual, they should use other methods of communication with the NFSA, such as post, fax, or phone. The NFSA does not endorse the sending of credit card details to the NFSA.

 

8. NFSA websites - NFSA Website Privacy Statement

The NFSA publishes a privacy statement on its website explaining the privacy aspects of visiting the website, web analytics, cookies and email. 

View the NFSA Website Privacy Statement.

 

9. Complaints

9.1 How to make a complaint

In accordance with APP 1, an individual may complain about an alleged breach of the APPs by contacting the Privacy Contact Officer using the details at the end of this NFSA Privacy Policy.

 

9.2 NFSA complaint-handling commitment

In accordance with APP 1, the NFSA will take reasonable steps in the circumstances to deal with enquiries or complaints about compliance with the APPs. The NFSA will send a considered response to a complaint or suggestion within 30 days if contact details are provided. The NFSA is committed to quick and fair resolution of any complaints and will ensure the complaint is taken seriously.

 

9.3 How to make a complaint to the Federal Privacy Commissioner

Any complaints about the NFSA's personal information handling practices can be made to the Privacy Contact Officer (above) or to the Office of the Australian Information Commissioner.

 

10. NFSA Privacy Policy updates

In accordance with APP 1 this NFSA Privacy Policy will be reviewed every 12 months to ensure that it is up-to-date.

 

11. How to contact the NFSA Privacy Contact Officer

In accordance with APP1, an individual may contact the Privacy Contact Officer to:

  • obtain access to their personal information
  • make a complaint about a breach of their privacy
  • query how their personal information is collected, used or disclosed
  • request a free copy of this NFSA Privacy Policy, or
  • ask questions about this NFSA Privacy Policy.

The NFSA’s Privacy Contact Officer may be contacted by any of these contact points:

Privacy Contact Officer
(Senior Manager, Procurement and Legal)
National Film and Sound Archive of Australia
Post: GPO Box 2002, Canberra ACT 2601

Email: privacy@nfsa.gov.au
Telephone: 02 6248 2000 (Toll free within Australia: 1800 067 274)

 

Appendix 1 - Australian Privacy Principles — a summary for APP entities

Dated 12 March 2014, from the Office of the Australian Information Commissioner.

APP 1 - Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date NFSA privacy policy.

 

APP 2 - Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

 

APP 3 - Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

 

APP 4 - Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

 

APP 5 - Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

 

APP 6 - Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

 

APP 7 - Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

 

APP 8 - Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

 

APP 9 - Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

 

APP 10 - Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

 

APP 11 - Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

 

APP 12 - Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

 

APP 13 - Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.