2. Personal information handling practices
3. Use and disclosure of personal information
4. Data quality
5. Storage and data security
6. Records management
7. Email communication
8. NFSA websites – NFSA Website Privacy Statement
11. How to contact the NFSA Privacy Contact Officer
Appendix 1 – Australian Privacy Principles — a summary for APP entities
The 13 APPs are summarised in Appendix A of this policy and are available in full in Schedule 1 of the Privacy Act.
Some terms defined in legislation are identified using inverted commas (' ').
The NFSA collects personal information to perform its functions in the NFSA Act to:
- the preservation and maintenance of programs and related material that are not in the national collection; and
- the provision of access to programs and related material that are not in the national collection;
These functions are performed within the NFSA's powers to do all things necessary or convenient to be done for or in connection with the performance of the NFSA's functions, including but not limited to the powers to:
1.3 Personal information and sensitive information
The Privacy Act defines terms including 'personal information' and 'sensitive information'.
'Personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
'Sensitive information' includes:
In compliance with APP 1, the NFSA takes steps as are reasonable in the circumstances to implement practices, procedures and systems that ensure compliance with the APPs and any relevant APP code, including for dealing with any related enquiries or complaints.
2.1 The kinds of personal information the NFSA collects and holds
The NFSA may collect personal information from an individual, or from a third party. The NFSA uses forms, online systems and other electronic or paper correspondence, as well as telephone and face-to-face interactions, to collect personal information.
The NFSA collects and holds over 19 classes of personal information which may include;
2.2 About personal information the NFSA collects
The personal information collected in connection with the operations of the NFSA may be in relation to:
2.3 How the NFSA collects personal information
In collecting information within its functions and powers, the NFSA will not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related, to one or more of the NFSA's functions or powers. Any personal information that the NFSA collects will be relevant for the purpose to which it is collected. The NFSA will only collect personal information by lawful and fair means and will generally collect the information about an individual from the individual personally, unless the individual consents otherwise, or it is unreasonable or impractical to do so.
Unsolicited personal information will be collected if the NFSA determines that it could have otherwise collected the information, or de-identify or destroy the information if the NFSA could not have collected the information and it is not contained in a Commonwealth record.
2.4 How the NFSA holds personal information
2.5 Access to and correction of personal information
An individual may apply to access or correct their personal information by application to the Privacy Contact Officer.
Individuals have a right to access the personal information that the NFSA holds about that individual. The right of access is subject to the relevant exemptions in the FOI Act and any Act of the Commonwealth. The NFSA will respond to the individual's request within 30 days after the receipt of a request from the individual, to grant access or to give written reasons for any refusal to grant access to the information.
The NFSA will take reasonable steps to correct personal information that it holds to ensure that it is accurate, up-to-date, complete, relevant and not misleading.
Individuals can request information that the NFSA holds about them to be corrected. The NFSA will notify the individual of a decision within 30 days after the receipt of a request from the individual and will provide written reasons if the request to amend personal information is refused.
3.1 General use and disclosure
The NFSA holds personal information that is collected for a primary purpose and will not use or disclose it for another purpose, except where an individual provides consent or in compliance with APP6, including where:
3.2 Disclosure of personal information to overseas recipients (APP 8)
The NFSA is not likely to disclose information to overseas recipients.
APP 8 places obligations on the NFSA for disclosure of personal information to overseas entities, when the recipient is not in Australia or an external entity Territory, and is not the entity or the individual. Before any personal information is disclosed overseas, the NFSA will take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information.
3.3 Accidental or unauthorised disclosure of personal information
The NFSA protects personal information the NFSA holds and will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.
External service providers who handle personal information about the NFSA’s staff, users or other individuals are ordinarily bound contractually to comply with the Privacy Act and may themselves have statutory obligations as APP entities.
It is also ordinarily a requirement for staff, contractors and service providers to comply with the Privacy Act in fulfilment of their obligations under:
If employees disclose official information without authority they may face disciplinary sanctions including, in the most serious cases, termination of employment.
Collection systems aid in the automated correction of identified errors within Mediaflex dataset when required - identification and resolution method are determined by Collection Information Section. Additionally, Collection Information Section upgrades data as part of their regular work.
In terms of securing personal data collected via acquisition work processes, this is achieved by limiting access to the Mediaflex system to staff and endorsed researchers. This information is also withheld from the Mediaflex public interface (Search the Collection).
The NFSA takes reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
The NFSA manages its online services and IT systems in accordance with the Australian Government Protective Security Policy Framework and the Australian Government Information Security Manual.
Storage of information (and the disposal of information when no longer required) is managed in accordance with Australian Government records management regulations, guidelines and authorities, including the Archives Act, Records Authorities and General Disposal Authorities.
There are inherent risks associated with the transmission of information over the internet, including via email. Individuals should be aware of this when sending personal information to the NFSA via email. If this is of concern to any individual, they should use other methods of communication with the NFSA, such as post, fax, or phone. The NFSA does not endorse the sending of credit card details to the NFSA.
The NFSA publishes a privacy statement on its website explaining the privacy aspects of visiting the website, web analytics, cookies and email.
View the NFSA Website Privacy Statement.
9.1 How to make a complaint
9.2 NFSA complaint-handling commitment
In accordance with APP 1, the NFSA will take reasonable steps in the circumstances to deal with enquiries or complaints about compliance with the APPs. The NFSA will send a considered response to a complaint or suggestion within 30 days if contact details are provided. The NFSA is committed to quick and fair resolution of any complaints and will ensure the complaint is taken seriously.
9.3 How to make a complaint to the Federal Privacy Commissioner
Any complaints about the NFSA's personal information handling practices can be made to the Privacy Contact Officer (above) or to the Office of the Australian Information Commissioner.
In accordance with APP1, an individual may contact the Privacy Contact Officer to:
The NFSA’s Privacy Contact Officer may be contacted by any of these contact points:
Privacy Contact Officer
(Senior Manager, Procurement and Legal)
National Film and Sound Archive of Australia
Post: GPO Box 2002, Canberra ACT 2601
Fax: 02 6248 2165 (+61 2 6248 2165 for callers outside Australia)
Telephone: 02 6248 2056 (+61 2 6248 2056 for callers outside Australia)
Dated 12 March 2014, from the Office of the Australian Information Commissioner.
APP 1 - Open and transparent management of personal information
APP 2 - Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3 - Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4 - Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5 - Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6 - Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7 - Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 - Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9 - Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10 - Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 - Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 - Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 - Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.