CSIRO and the Australian Privacy Principles - Privacy Policy

This document describes the policies and procedures that we have in place for the management and protection of personal information that CSIRO collects and holds.

The Privacy Act regulates the collection, use, disclosure, storage and security of personal information of government agencies and private organisations. The Privacy Act includes 13 binding Australian Privacy Principles (“APPs”) with which CSIRO must comply in relation to its management of personal information.

CSIRO is a body corporate established by section 8 of the Science and Industry Research Act 1949 (Cth) (“SIR Act’) and is bound by the Privacy Act 1988 (Cth) , as an agency.

The Privacy Act 1988 (Cth) (“Privacy Act”) regulates the collection, use, disclosure, storage and security of personal information of government agencies and private organisations. CSIRO is a body corporate established by section 8 of the Science and Industry Research Act 1949 (Cth) (“SIR Act’) and is bound by the Privacy Act 1988 (Cth), as an agency. The Privacy Act includes 13 binding Australian Privacy Principles (“APPs”) with which we must comply in relation to our management of personal information.

What sorts of personal information does CSIRO collect and hold?

Personal information is:

information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

We collect personal information from staff, contractors, partners and from the public from a wide range of areas across CSIRO. For example, we may hold personal information in the following types of records:

• Research data for projects involving human participants
• Client records
• Project files with research partners
• Personnel records
• Recruitment records
• Contractor information
• Statutory appointment information (e.g. Board members)
• Occupational Health and Safety records
• Rehabilitation case management files
• Security Files
• Freedom of Information Requests
• Subscription details (e.g. for CSIRO publications)
• Legal files
• Education files
• Ministerial correspondence
• Complaint details

These types of files held by us from time to time may include personal information such as:

• name, residential address, occupation and residential email and telephone contact details;
• opinions and reactions to testing and research;
• health information; and
• credit card or other personal financial details.

The personal information on some of these files may also include sensitive information, including information about a person’s race or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information or genetic information.

How does CSIRO collect and hold personal information?

Where it is reasonably practicable to do so, we collect personal information directly from you. However, on occasions, we may need to collect personal information from other sources such as public records, parents or guardians of children under the age of 18 years and third parties. When dealing with children, we seek parental consent prior to the collection of personal information, including photographs.

We may collect personal information in various ways, including via:

• Online forms (such as subscription forms or registration forms for an event);
• Surveys (hard copy or online);
• Information associated with accessing and using CSIRO websites;
• Over the telephone ;
• The use of biometric technology;
• In person in a meeting or interview scenario;
• Via emails or other correspondence sent to CSIRO;
• By taking photographs or videos at CSIRO events;
• Third parties, for example reports from referees of prospective employees; or
• From publicly available information, such as interactions with CSIRO via social media sites.

For what purposes does CSIRO collect, hold and use personal information?

With CSIRO’s extensive and diverse activities, we collect, hold and use personal information throughout CSIRO for many different purposes and via different methods. We only collect personal information for purposes directly related to our functions or activities under the SIR Act and only where it is necessary for or directly related to such purposes.

When we collect personal information from you for certain specific activities, where required, we will use a collection notice that deals specifically with that collection, including a description of the purposes for which we will use the personal information collected in that instance. Where relevant, our internal procedures and systems embed privacy protections to ensure we comply with our obligations under the Privacy Act.

We may use or hold personal information for the following general purposes:

• to provide scientific and research services to both public and private sector clients;
• to manage our employees and contractors, including to consider prospective employees;
• to undertake research and testing as part of our functions under the SIR Act (such as information about individuals participating in focus group testing, including health information for food testing and information about physical reactions to food additives);
• to maintain membership or subscriber records for our publications or club members (such as the Double Helix Club); and
• to promote and market our activities.

From time to time, we may need to disclose personal information to our joint venture partners or share information with contractors or agents who provide services to us, such as off-site file storage facilities and financial institutions which transmit payments on our behalf.

We will collect personal information from you for the purposes described in a collection notice and will only use or disclose your personal information for other purposes if:

• you have consented to the other use;
• you would reasonably expect, or have been told, that your personal information is usually passed on to other entities;
• it is required or authorised by law;
• it will prevent or lessen a serious threat to someone’s life, health or safety (including public health and safety);
• required to take appropriate action in relation to suspected unlawful activity or serious misconduct;
• required to locate a missing person; or
• required to assert a legal or equitable claim or to conduct an alternative dispute resolution process.

Set out below is some further detail of how we may use personal information collected for certain of our main activities.

Visiting the CSIRO website

When visiting www.csiro.au, a record of your visit is logged. The following information, supplied by your browser, is recorded for statistical purposes to help improve the CSIRO website:

• user's server address (IP address)
• user’s internet service provider (ISP)
• user's operating system (for example Windows, Mac etc)
• user's top level domain name (for example .com, .gov, .au, .uk etc)
• date and time of the visit to the site
• pages accessed and the documents downloaded
• previous site visited if you visited from a hyperlink to our website via another web page
• exit link
• screen resolution
• type of browser used.

No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation required by law where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider's logs.

We will not release your personal information collected via the CSIRO website to any person unless the law requires or permits it or your permission is given. We provide a secure environment and a reliable system but you should be aware that there are inherent risks associated with the transmission of information via the Internet. For those who do not wish to use the Internet, we provide alternative ways of obtaining and providing information; e.g. by contacting CSIRO Enquiries by phone or e-mail.

Emailing CSIRO

When you send an e-mail to a CSIRO address (name@csiro.au), the content and your details, including your e-mail address, become part of our records. Your e-mail address, acquired in this way, will not be added to any mailing list unless specified in a collection statement or unless we obtain your consent.

Completing an online form

Should you decide to complete and submit an online form on any part of the CSIRO website, we:

• may record personal details provided by you such as; e-mail address, street address, telephone number, occupation, company, areas of interest etc to the extent they are relevant to the purpose for which we are collecting them.
• will only used this information for the purpose for which it was collected.
• will not disclose this information without your consent except where CSIRO may be required by law to disclose the information.

Research activities

We may conduct research involving human participants and this research may involve the collection of personal information, including health information, genetic information, or information about a person as part of social research. The collection of such information may also have ethical approval requirements.

When dealing with personal information in a research context, we will usually de-identify that information. If personal information is not de-identified, we will deal with personal information collected in the course of research in accordance with the Privacy Act.

We may also deal with personal information of research partners or clients when providing scientific research services and testing services to both public and private sector clients. This may include the following sorts of personal information:

• Name, address, occupation and residential email and telephone contact details;
• Opinions and reactions to testing and research; or
• Health information.
• Client information;
• credit card or other personal financial details.

If we collect your personal information as part of our research activities, we will use that information for the purposes of the specific research activity and we may also add it to a database for the purpose of contacting you about future CSIRO activities, but only where you would reasonably expect this or have consented.

CSIRO Enquiries service

When you contact us for general information about our activities or about science and technology generally, we will:

• Log the contact (online or otherwise) in a secure database;
• Record your name and other contact details, and information about the nature of the enquiry and response provided;
• Record phone calls for the purpose of quality assurance and coaching;
• Not add you to a mailing list, but may seek consent to contact you to provide feedback on the service provided.
• Not disclose the information collected without your consent except where CSIRO may be required by law to disclose the information.

Direct communication from CSIRO

We store the contact details of a wide range of clients and stakeholders, ranging from direct subscribers to periodical publications, to business, research and community contacts. This information may be used to disseminate information and to facilitate participation in events and CSIRO activities. In managing this information, we will:

• hold all personal information in secure databases, both at onsite and offsite locations.
• ensure that at any time, a recipient of e-mailed mass communication may ask to “unsubscribe” from our central marketing/communication database.
• ensure that a direct link to “unsubscribe” is generally made available in mass communications from us. Alternatively, unsubscribe requests can be made directly to CSIRO Enquiries.

Managing our personnel and other support services functions

CSIRO will collect personal information from prospective employees for the purposes of administering a recruitment process. Unlike the private sector, CSIRO’s employee records are subject to the Privacy Act and we use the personal information of CSIRO staff for the purposes of administering their employment with CSIRO. This may include using and disclosing personal information for:

• general management of employment;
• performance management (misconduct, grievance, probation);
• financial, legal, security, information technology and communications matters related to a staff member’s employment.

Engaging with the public about science

We collect personal information in the course of promoting and marketing our activities to the public, including via the following:

• Promotions / competitions;
• Photographs of individuals taken at CSIRO events;
• Collecting data about the public’s opinions on science (e.g. feedback via social media);
• Sending marketing material to clients;
• maintaining membership or subscriber records for our publications or club members (such as the Double Helix Club);
• CSIRO Education programs and publications.

Freedom of Information requests

We collect personal information when administering an individual’s request for access to documents under the Freedom of Information Act 1984 (Cth).

CSIRO as a contracted service provider to other Commonwealth agencies

We may, from time to time, engage service providers to provide services to us. Where those services involve a service provider dealing with personal information on our behalf, we will ensure that our contract with the service provider obliges the service provider to comply with the same level privacy obligations as CSIRO.

How does CSIRO store personal information?

Each area of CSIRO that collects personal information stores that information securely on CSIRO’s IT systems. These systems are password protected and where required, only certain people are authorised to access the information. We also have recordkeeping obligations under the Archives Act 1983 (Cth), and have record keeping codes specific to particular areas of CSIRO activity. We are also required to comply with other government policies in relation to storage and security of information, including the Australian Government Policy and Risk Management Guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements and theProtective Security Policy Framework, complemented by the Australian Government Information Security Manual.

We may use third parties to store some personal information on servers in Australia or overseas, but only where steps have been taken to ensure that the third parties comply with our privacy obligations.

Disclosures of personal information overseas

We may disclose personal information overseas from time to time, for example in the course of a research project with an overseas entity, through publishing information or by storing information on a server located overseas. Where we may be transferring personal information overseas, we will either inform you and seek your consent to the arrangement or ensure that appropriate contractual measures are in place to ensure that the overseas entity protects the personal information to the same level as required of CSIRO under the Privacy Act.

Access to and amendment of personal information held by CSIRO

We will provide you with access to your personal information that we hold, subject to any applicable exceptions under the Privacy Act. We will require you to verify your identity and specify, as clearly as possible, the information that you wish to access. We will not charge you for lodging a request for access to your own personal information but may charge for reasonable administrative costs. The fee will be determined on a case by case basis and you will be informed beforehand of the likely cost.

CSIRO employees seeking their employment details should initially do so in accordance with CSIRO’s human resources processes. CSIRO is also subject to the Freedom of Information Act 1984 (Cth) and this operates alongside your right to access your personal information under the Privacy ACT.

If you can establish that information held by us about you is inaccurate, irrelevant, out of date, incomplete or misleading, we will take reasonable steps to amend it. If we disagree with your view about the status of this information, we will provide reasons for the refusal and record a statement in our records of your view.

Complaints

If you have a privacy related complaint about us, please contact CSIRO’s Privacy Officer on (02) 6276 6123 or FOI@csiro.au.