Privacy Management Plan
The Australian Museum takes the protection of individual privacy seriously and supports the standards provided in the Privacy and Personal Information Protection Act 1998 for public sector agencies in relation to the collection and use of personal information.
Foreword By the Director
The Australian Museum deals with personal information in relation to its main functions - collections, research, exhibitions and public programs - and the activities that support these functions eg publishing, publicity and sponsorship. Much of this information involves names and basic contact information, supplied by individuals who wish to be involved in, or know about, Museum activities.
The Australian Museum has a major commitment to providing public access to its collections and the provision of information services relating to its research and collections: this commitment has always been balanced by the following of any restrictions or sensitivities that may apply to that access. A sensitivity and concern for privacy sits easily with our long tradition of professional management of culturally sensitive and/or restricted material.
This Privacy Management Plan outlines how the Museum complies with the Privacy and Personal Information Protection Act 1998 and the standards outlined in the Information Protection Principles. The Plan outlines the personal information held by the Museum and strategies to ensure the Museum effectively meets its responsibilities under the Act.
The Australian Museum Director
1. Introduction
The objectives of the Privacy and Personal Information Protection Act 1998 are to protect the privacy of individuals, to give individuals a degree of control over information about them held by public sector agencies, and to provide a mechanism for complaints.
Personal information is defined in the Act as
information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Personal information does not include
- information about an individual who has been dead for more than 30 years
- information about an individual that is contained in a publicly available publication
- information or an opinion about an individual's suitability for appointment or employment as a public sector official
The Act allows other exceptions which relate to law enforcement agencies.
Personal information can be found in paper files, electronic records, videos and photographs, genetic material and fingerprints.
2. Requirements of the Act
The Act requires each public sector agency to prepare and implement a Privacy Management Plan which outlines what personal information an agency collects and uses, and assess the collection, storage, use and disclosure of this personal information against the 12 Information Protection Principles outlined in the Act. These principles establish standards for using personal information in the public sector.
This Plan therefore outlines how the Museum complies with the Information Protection Principles, identifies personal information held, outlines strategies to address specific issues, and details the review process available to an individual (the right to make a complaint about possible misuse of personal information).
2.1 The Information Protection Principles
Public sector agencies must assess their holding and use of personal information against the standard outlined in the twelve Information Protection Principles (IPPs) of the Act [sections 8-19]. The Information Protection Principles cover the collection, storage, use and disclosure of personal information, and are summarised briefly as follows:
- Personal information must be collected for a lawful purpose ie related to a function or activity of an agency, and where the collection is necessary for the purpose [section 8]
- Collection must be direct from the individual to whom the information relates, unless otherwise authorised [section 9]
- An individual must be aware that the information is being collected, the purpose for collecting it, intended recipients of the information, whether the supply is mandatory or voluntary, and the rights to access and correct the information [section 10]
- Reasonable steps must be taken to ensure the personal information collected is relevant to the purpose, accurate, up to date, complete and not excessive [section 11]
- Personal information must be protected by reasonable security safeguards, kept no longer than necessary, protected from unauthorised use or disclosure when made available to a third party for the provision of a service to the agency, and disposed of securely and appropriately, in accordance with requirements of the State Records Act [section 12]
- A person should be able to ascertain if an agency holds personal information about them and the nature of that information and entitlement of access to it [section 13]
- An individual has a right to access to personal information held by an agency on themselves and this access should be provided without excessive delay or expense [section 14]
- An individual can request to have personal information held by an agency amended (by correction, deletion or addition) to ensure the information is accurate, up to date, complete and not misleading. [section 15]
- An agency must take reasonable steps to check the accuracy of personal information before its use. [section 16]
- Personal information should only be used for the purpose for which it was collected, for a directly related purpose, or for a purpose to which the individual has consented. [section 17]
- Disclosure of personal information should only be for a purpose directly related to a purpose of collection and where the individual is unlikely to object [section 18]
- Special restrictions apply on disclosure: a person's ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership should not be disclosed unless subject to an applicable exception. [section 19]
Exceptions can affect the operation of these Principles, and are outlined in the Act, and in associated Codes of Practice.
See the Privacy and Personal Information Protection Act 1998 sections 8-19 for full details on the Information Protection Principles or A Guide to the Information Protection Principles published by Privacy NSW (1999).
2.2 Privacy Codes Of Practice
Privacy Codes of Practice are statements of how agencies depart from the Information Protection Principles or public register provisions of the Act. Standardised Codes are being developed by Privacy NSW to deal with generic issues, for example Codes to cover information exchange with organisations outside NSW and between organisations within the NSW public sector.
The Australian Museum will adopt these Codes if applicable to issues that may be encountered.
The draft Code of Practice re Access to records of public sector agencies for research purposes has been issued, and comments have been provided by the Museum to the Privacy Commissioner. It is an important Code as it addresses the issue of 'deposited records' [ie collections of private papers] held by state collecting institutions, including the Museum. The Museum will decide on acceptance of the Code after the final version has been released.
2.3 Public Registers
A public register is a register of personal information that is required by law to be publicly available or open to public inspection eg Registers of Births, Deaths and Marriages.
The Australian Museum has not identified any public registers.
2.4 Other Legal Requirements Affecting Privacy
The duty of confidentiality applies to some records (eg commercial in confidence). Confidentiality is an obligation restricting use or disclosure of information in a way contrary to the interests of the person/organisation who provided it.
The Australian Museum is subject to other legislation and government policies that involve privacy protection, primarily the State Records Act 1998, Freedom of Information Act 1989, ICAC Act 1988 and Protected Disclosures Act 1994.
Internal policies also help the Museum comply with the Privacy Act:
- Records Management Policy and Procedures
- Code of Conduct
- LAN Information Security Management policy
- Internet Access and Usage
- Email policy
- Grievance and Dispute Handling Procedures
- Guidelines on Research Practice
- Collection Development and Maintenance policy
Museum staff are also bound by codes of practice relating to specific professional practices eg the Australian Society of Archivists Position Paper on Privacy and the ALIA Statement on professional ethics (which includes the commitment to the protection of users' rights to privacy with respect to information sought or received and materials consulted or borrowed).
3. Personal information held by the Australian Museum
The Australian Museum is part of the NSW Department of Enterprise Investment and Trade and is governed by the Australian Museum Trust Act 1975 No. 95, which outlines the constitution, powers, duties and functions of the Australian Museum Trust. The Australian Museum is one of Australia's major natural history museums, with collections covering anthropology, invertebrate and vertebrate zoology, and the earth sciences.
The Museum's mission is to increase understanding of, and influence public debate on, the natural environment, human societies and human interaction with the environment. Its legislative foundation, the Australian Museum Trust Act, requires the Museum to collect and preserve collections, provide exhibits, publications and other educational instruction, provide scientific information and undertake scientific research. Information on the Museum and its activities can be found on the Australian Museum's website.
The Museum collects some personal information in carrying out its functions: personal information relating to the collections (e.g. acquisition information); mailing and contact lists for educational activities, exhibition and public program promotions, market and audience research, and commercial activities; membership and subscription databases used for the museum's publications and fundraising foundations; scientific research (e.g. grant applications or where projects involve the community); information services (details of public enquiries); information relating to people who are the subject of or involved in exhibitions and public programs; community contact information for public programs and programs relating to the Museum's work with Indigenous communities; personnel records of Museum staff, volunteers, work experience or other people who work at the Museum; and personal information held in the Museum Archives (institutional and private records).
3.1 Collection records
One of the major functions of the Australian Museum is collection management: the acquisition, storage, preservation, and research use of the natural history collections, collected and held by the Museum since its inception in 1827.
The Australian Museum houses extensive anthropological and natural history collections. The collections document, preserve, represent and assist in the description of cultural, biological, mineralogical and palaeontological diversity. Although the majority of the collections are from eastern Australia and adjacent waters, other parts of Australia, the south-west Pacific and other parts of the world are well represented.
The Museum is committed to providing information about, and access to, its collections to the general public, students, researchers, other museum workers, Indigenous peoples and relevant communities within the broader Australian society. Collections and collection data are also used for scientific illustrations, artistic reference and environmental impact statement assessments. Items from the collections are used in the exhibitions in the Museum and elsewhere.
Acquisition can be by donation, bequest, purchase or exchange and information on whom the object was acquired from is essential information on the provenance of the object. Donor/vendor and collector names are recorded in deeds of gift, accession schedules, collection registers and/or databases. Information on acquisitions under the Cultural Gifts program is provided to the federal agency administering the scheme, the Committee on Taxation Incentives for the Arts. Loans to and from the Museum record use of the collections for exhibitions and scientific research.
As well as information on individuals kept as part of the collection record, information is also recorded on artefact makers/artists where applicable. Information on research requests is kept, where these document or augment knowledge about the collection. For the Indigenous collections, communities provide information about the objects and the people involved in that object: this information is critical for any interpretation of the objects and their use/access.
Each collection is managed by a Collection Manager, responsible for the care, maintenance and use of the collections. Collection data is stored securely and accessed only by designated staff. Collection Managers are sensitive to any issues affecting their collections, including disclosure of acquisition and other sensitive information.
3.2 Mailing and contact lists
The Museum works with many mailing and contact lists in carrying out its programs and activities. Staff involved in educational programs maintain school and outreach program contact lists. Market and audience research holds details of people willing to participate in survey work, with participants asked at times if they wish to continue to be listed. Exhibition and public programs involve many contact lists: people involved in exhibition content (eg copyright or other permissions). Promotional activity lists are maintained by the Public Relations section (e.g. media contacts). Details of potential and actual sponsors are kept as part of general marketing. General mailing lists for information on What's On at the Museum are kept by community relations staff.
The Museum's commercial activities involve contact lists: the Business Services unit with lists of clients; the Nature Focus photograph library unit with lists of photographers and user details for invoicing; the shop with details of people for orders and invoicing.
All these contact lists involve names, addresses and basic contact details of individuals and are only used for the Museum program or function involved. The information is collected from the individual concerned. Keeping contact information up to date and accurate is desired and individuals are encouraged to notify the Museum of any changes to their details, or to have their details removed.
The information is only accessed by the staff involved in the activity for which it is collected, and the information discarded when no longer relevant or up to date. The lists are maintained usually as small databases on the network, with access protected by the network security policy. Mailing lists are not provided to any external person/organisation.
3.3 Subscription and membership databases
The Marketing Unit maintains subscriptions databases, relating to the Museum's magazine and other publications, for distribution and billing. The Museum has a long history of publishing, as an important way to communicate science to the public. The magazine, Explore, and a series of scientific publications, which publish original research in anthropology, geology and zoology, are the major publications.
The Australian Museum’s Members’ team maintains its membership database. A separate fundraising body, the Australian Museum Foundation also involves a membership database. The Lizard Island Reef Research Foundation, which raises funds for the Museum's research station on Lizard Island, has a membership database. Fundraising programs aim to raise funds for the Museum.
These databases are maintained by Museum staff involved in the activity, and only used for the purpose for which they are set up. Information is collected direct from the person concerned; records may be appended with information available in the public domain. Data is stored in databases, with restricted access to designated staff. Details of the databases are not provided to any external party.
3.4 Commercial activities
The Museum undertakes commercial activities, the purpose of which is to raise funds for the Museum. Personal information is collected in carrying out these activities eg details relating to purchase orders and invoicing. The commercial photograph library, Nature Focus, maintains details regarding photographers who supply images, and has personal information relating to orders, copyright, information requests and invoicing. Venue bookings collect personal details required to organise and carry out functions.
The information is only accessed by the staff involved, and only used for the purpose for which the information is collected. The data is stored in databases, stored on the network, with access protected by the network security policy.
3.5 Scientific research
Scientific research is a core activity of the Museum, and is carried out in the main disciplines of zoology, earth sciences, environmental science, anthropology and material conservation. Personal information is to be found in grant applications, made by Museum research scientists to external funding bodies, and on applications made from external people for Museum-funded grants and fellowships. Referee reports on grant applications are involved. Resumes, referee reports and other assessments are used in the selection process. Students sometimes are placed in the science sections, with supervision and assessments part of their academic process.
Research practice is carried out under the Museum's Guidelines on Research Practice. Scientific collection and research work must comply with legislative requirements eg licences and permits and animal ethics. Work with Indigenous communities complies with legislative requirements eg NPWS permits and also with the approval of the Indigenous communities involved. Some environmental research projects undertaken by museum scientists involve private citizens: eg permissions to work on private property or the involvement of communities in survey projects. This personal information is managed by the scientist involved, used for no other purpose, and not provided to any other party.
The Museum also administers the Eureka science prizes. Applications, judging and assessor reports involve personal information. Retention and disposal are carried out in accordance with the Museum's Disposal Schedule.
Records relating to the scientific records are part of the Museum records, which are managed in accordance with the State Records Act.
3.6 Information enquiries
The provision of information to the public is a core activity of the Museum, and an expected role of the Museum. The Museum handles large numbers of information enquiries from the general public: enquiries relating to exhibitions and public programs, the museum's collections and enquiries asking for information on Australia's natural and cultural history. Most enquiries on scientific matters from the public are handled by the search & discover section. The Research Library and the Archives also deal with public information requests, as do scientific staff. Details of the person enquiring are kept for internal use and for statistical purposes. Information is collected on the type of research enquiry, which allows the planning of improved information services. Information on routine requests is destroyed under the approved disposal authority.
3.7 Public Programs and Exhibitions
Public programs and exhibitions are major activities of the Museum. Some personal information is held in public program and exhibition files. This relates to the content of the program or exhibition (eg details of people who appear in the program or exhibition), permissions relating to personal information used, contact information for promotional functions and events. The files are part of the Museum's records and managed as state records, in accordance with the State Records Act.
Visitor evaluation of museum programs is important to the Museum's analysis of the public impact of its programs. Focus groups are undertaken for front-end evaluation. Participants consent in writing to participate in the sessions; the videotapes of the sessions are held securely by the Evaluation Unit and only accessed by relevant staff. Survey forms are kept until analysis of the data is summarised into a survey report: individuals are not identified by name in any reports. The survey questionnaires are disposed of when their use is complete, and in accordance with the Museum's Disposal Schedule, as are the focus group evaluation tapes.
3.8 Information relating to Indigenous Peoples
The Museum works actively with Indigenous Australian communities through its education and public programs, Anthropological collections, scientific research, and the outreach programs managed by the Aboriginal Heritage Unit. Much liaison is handled by the Museum's Aboriginal Heritage Unit, who advise Museum staff on protocols and procedures to be observed. The Museum's Indigenous staff assist on matters relating to activities involving Indigenous communities. Personal information is not always handled on an individual basis, but on a community basis: those who have a right to know and access certain information.
Issues of secret/sacred and restricted material are managed by the Anthropology department. Issues of protocols and cultural sensitivities are advised on by the Museum's Indigenous staff, especially through the Anthropology department, and the Museum's Cultural Protocols Advisory Group.
3.9 Personnel records
Personnel records are kept on Museum staff by the Organisational Development section, in accordance with public sector policies and procedures, the NSW Personnel Handbook, and Public Sector Management Act. Staff are aware of the purposes of personnel files. Personnel information is also kept on volunteers, work experience and training placement people, consultants and contractors, and people working in the Museum on grant or other external funding. People seeking employment also send in resumes, which are kept on file for a short period of time. Personal details are held on Trustees and on potential Trustees, when recommendations are made when vacancies occur.
Records include personnel files, payroll and recruitment records; sick leave and other leave forms, performance management, grievance, workers compensation, OH&S and EEO related matters: all are kept securely with very restricted and controlled access. Disposal is in accordance with General Disposal Schedule for Personnel Records.
3.10 Archives
The Australian Museum Archives manages the Museum's institutional records. These records are public records, which come under the State Records Act and are managed in accordance with that Act, including the provisions for access. As well as these records, the Archives hold some collections of private deposited records: papers relating to the collections, research or work of the Museum from people who have been associated with the Museum. These private papers are managed in accordance with donor conditions and general archival practice. The recent draft Code of Practice relating to Access to records of public sector agencies for research is currently under discussion.
3.11 Website
The Australian Museum website provides significant information on the work and activities of the Museum and online delivery of some Museum services. Enquiries are managed as per 3.6 above. Information on website visitors is collected for statistical purposes, but at the summary information level: users are not identified individually. Online forms only collect personal details for the purpose specified, and these details are not used as the basis for any other mailings. Interactive forums only disclose personal details with the permission of the individual concerned. A website privacy policy will be developed which will be published and which will outline how privacy is managed.
4. Compliance with Information Protection Principles
4.1 Collection of information
Personal information collected for mailing and contact lists is collected from the individual direct, as is that for subscription and membership databases, and commercial activities. The purpose is clear and evident, and the information is only used for the purpose of collection. Forms will be reviewed to ensure there is no uncertainty in meeting the Privacy requirements.
The personal information collected in regard to the museum specimen and object collections is vital to documentation of the collections, their provenance and interpretation. Collecting and collection management, use and access is a legislative requirement of the Museum. Collection procedures will be reviewed and amended to ensure privacy obligations are met.
Personal information used in public programs and exhibitions is always collected with the proper permissions and clearances. Details of people's cultural backgrounds are collected - with the permission of the individual concerned (to participate or provide information/content) and/or the involvement of the cultural community concerned.
4.2 Storage
Personal information is recorded on both paper and electronic files. The Museum's records are public records, and are managed in accordance with the provisions of the State Records Act. The Australian Museum Archives holds the Museum's records that are appraised as archival records, and provides access and storage in accordance with the State Records Act. State Records Authority guidelines include AS4390 the Australian Standard on Records Management, part 6 of which relates to storage, and the recently issued Standard on the Physical Storage of State Records.
The Museum's current records are managed under the Museum's Records Management Policy and Procedures, which complies with the State Records Act. Locked cabinets are used for restricted and other sensitive records storage. Disposal of records is undertaken in accordance with the Australian Museum Disposal Schedule and the NSW General Disposal Schedules. Destruction of confidential or sensitive records is done by the secure destruction process of the Government Records Repository. All disposal is managed and authorised by the Manager, Archives and Records.
Collection management is the responsibility of Collection Managers, who manage the use of and access to collection registration records, and are sensitive to any issues or legislative requirements affecting use and access.
Electronic records stored on the Museum's network are stored and managed in accordance with the Museum's LAN Information Security Management policy, which outlines procedures and policies for network and data security.
Personnel files are managed by the Organisational Development section, with secure and restricted access.
4.3 Access
An individual can make enquiries to determine if personal information about them is held by the Australian Museum, or about how to access that information, to the Privacy Contact Officer, Australian Museum, 6 College Street, SYDNEY NSW 2010; telephone: 9320 6148; fax: 9320 6050. Correction/amendment of contact details will be made on request. An application fee of $30.00 will generally apply to formal applications. FOI procedures (with the associated fees and charges) will apply when dealing with complex applications e.g. when mixed personal and non-personal information is involved. Please contact the Privacy Contact Officer for further details.
This Plan will be available to the public by being published on the Museum's website.
4.4 Use and Disclosure
The Australian Museum is sensitive to privacy issues in dealing with personal information. The use and access of information relating to Indigenous peoples is handled in accordance with advice by the Museum's Aboriginal Heritage Unit, who also manage secret/sacred and restricted material. Issues of protocols and cultural sensitivities are advised on by the Unit and the Museum's Cultural Protocols Advisory Group.
The principles outlined in Museum Australia's policy, 'Previous Possessions New Obligations' and the Aboriginal and Torres Strait Islander Protocols for Libraries, Archives and Information Services (1995) provide guidelines for the Museum's use of and access to Indigenous collections.
Access to the Museum's records is managed in accordance with the State Records Act. For information on the Museum's archives, contact the Manager, Archives & Records. There is a general entitlement of access to state records in the open access period ie those at least 30 years old.
Right of review
If a person has a complaint about the Australian Museum's conduct in relation to the collection, storage, use or disclosure of personal information, a written request should be forwarded to the Museum so that an internal review may be undertaken.
The procedures for an internal review are outlined in Part 5 of the Act and are briefly detailed below.
An application:
- must be in writing;
- be addressed to the Australian Museum;
- specify an address in Australia to which a notice under subsection (8) may be sent;
- be lodged with the Australian Museum within 6 months (or such later date as the Museum may allow) from the time the applicant first became aware of the conduct that is the subject of the application; and
- comply with such other requirements as may be prescribed by the regulations.
The application will be dealt with by an individual within the Museum who is directed by the Director to deal with the application. This individual will not substantially be involved in any matter relating to the conduct which is the subject of the application.
The review must be completed as soon as is reasonably practicable in the circumstances. If not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application to the NSW Administrative Decisions Tribunal.
After the completion of the review, the Australian Museum may:
- take no further action on the matter
- make a formal apology to the applicant
- take such remedial action as it thinks appropriate
- provide undertakings that the conduct will not occur again
- implement administrative measures to ensure that the conduct will not occur again.
The Australian Museum will write to the applicant as soon as practicable (within 14 days) of the findings of the review (and the reasons for the findings), the action proposed to be taken by the Museum and the right of the person to have those findings, and the proposed action, reviewed by the Tribunal.
When the Museum receives an application, it must notify the Privacy Commissioner, keep the Commissioner informed of the progress of the review and of the findings and proposed action. The Privacy Commissioner is entitled to make submissions on the subject matter of the application and may undertake the review itself if the Museum so requests.
Staff awareness
Information sessions on the Privacy and Personal Information Protection Act have been given to staff and will continue as required. Material will be prepared as part of the induction of new staff. The Privacy Management Plan will be published on the Museum's intranet.
The Museum's Annual Report will include a statement of the action taken to comply with the Act and publish statistical details of any review carried out under Part 5. Any legislative changes, especially the development and application of Codes of Practice that may apply to the Museum will be incorporated in updates of the Plan, and staff advised of these changes.
Issue | Strategy | Responsibility |
---|---|---|
Information collected on application or registration forms | Review, and amend where necessary, forms where people leave their personal details to ensure the purpose and use for collection is clearly stated and an opt-out option is available where appropriate | Division Heads |
Mailing and contact lists | Review procedures, and amend where necessary, to ensure compliance with IPPs | Division Heads |
Staff awareness | Publish Privacy Management Plan on the intranet, Prepare induction material for new staff, Provide information briefings on the Privacy Act as required | Privacy Contact Officer |
Public awareness | Publish Privacy Management Plan on Museum website; publish privacy statement on website | Privacy Contact Officer |
Personnel records | Review forms and procedures to ensure collection, storage, use and disclosure is within the IPPs | Manager, Organisational Development |
Collection records | Review the collection, use and disclosure of personal information collected in association with the collections to develop Access Directions for these records in accordance with State Records Act and Privacy Act | Collection Managers |
Timely and appropriate disposal | Continue to implement the Disposal Schedules; issue guidelines to staff on Normal Administrative Practice procedures for handling temporary records | |
Internal policies and guidelines | Review internal policies and guidelines and amend to include Privacy provisions where appropriate | Management Team |
Holdings of personal information | Continue to identify personal information held by the Museum and ensure its management complies with the IPPs | Privacy Contact Officer |
8. Useful References
The following are useful for further reading and useful links:
Privacy NSW, The Privacy and Personal Information Protection Act 1998: A Plain English Guide (1999)