CSIRO is committed to protecting your personal information and complying with the Privacy Act 1988 (Cth) (“Privacy Act”) and Australian Privacy Principles (APPs).
This document describes the policies and procedures that we have in place for the management and protection of personal information that CSIRO collects and holds.
The Privacy Act regulates the collection, use, disclosure, storage and security of personal information of government agencies and private organisations. The Privacy Act includes 13 binding Australian Privacy Principles (“APPs”) with which CSIRO must comply in relation to its management of personal information.
CSIRO is a body corporate established by section 8 of the Science and Industry Research Act 1949 (Cth) (“SIR Act”) and is bound by the Privacy Act 1988 (Cth), as an agency.
Personal information is:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
We collect personal information from staff, contractors, partners and from the public from a wide range of areas across CSIRO. For example, we may hold personal information in the following types of records:
These types of files held by us from time to time may include personal information such as:
The personal information on some of these files may also include sensitive information, including information about a person’s race or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information or genetic information.
Where it is reasonably practicable to do so, we collect personal information directly from you. However, on occasions, we may need to collect personal information from other sources such as public records, parents or guardians of children under the age of 18 years and third parties. When dealing with children, we seek parental consent prior to the collection of personal information, including photographs.
We may collect personal information in various ways, including via:
With CSIRO’s extensive and diverse activities, we collect, hold and use personal information throughout CSIRO for many different purposes and via different methods. We only collect personal information for purposes directly related to our functions or activities under the SIR Act and only where it is necessary for or directly related to such purposes.
When we collect personal information from you for certain specific activities, where required, we will use a collection notice that deals specifically with that collection, including a description of the purposes for which we will use the personal information collected in that instance. Where relevant, our internal procedures and systems embed privacy protections to ensure we comply with our obligations under the Privacy Act.
We may use or hold personal information for the following general purposes:
From time to time, we may need to disclose personal information to our joint venture partners or share information with contractors or agents who provide services to us, such as off-site file storage facilities and financial institutions which transmit payments on our behalf.
We will collect personal information from you for the purposes described in a collection notice and will only use or disclose your personal information for other purposes if:
Set out below is some further detail of how we may use personal information collected for certain of our main activities.
When visiting www.csiro.au, a record of your visit is logged. The following information, supplied by your browser, is recorded for statistical purposes to help improve the CSIRO website:
No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation required by law where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider's logs.
We will not release your personal information collected via the CSIRO website to any person unless the law requires or permits it or your permission is given. We provide a secure environment and a reliable system but you should be aware that there are inherent risks associated with the transmission of information via the Internet. For those who do not wish to use the Internet, we provide alternative ways of obtaining and providing information; e.g. by contacting CSIRO Enquiries by phone or e-mail.
When you send an e-mail to a CSIRO address (name@csiro.au), the content and your details, including your e-mail address, become part of our records. Your e-mail address, acquired in this way, will not be added to any mailing list unless specified in a collection statement or unless we obtain your consent.
Should you decide to complete and submit an online form on any part of the CSIRO website, we:
We may conduct research involving human participants and this research may involve the collection of personal information, including health information, genetic information, or information about a person as part of social research. The collection of such information may also have ethical approval requirements.
When dealing with personal information in a research context, we will usually de-identify that information. If personal information is not de-identified, we will deal with personal information collected in the course of research in accordance with the Privacy Act.
We may also deal with personal information of research partners or clients when providing scientific research services and testing services to both public and private sector clients. This may include the following sorts of personal information:
If we collect your personal information as part of our research activities, we will use that information for the purposes of the specific research activity and we may also add it to a database for the purpose of contacting you about future CSIRO activities, but only where you would reasonably expect this or have consented.
When you contact us for general information about our activities or about science and technology generally, we will:
We store the contact details of a wide range of clients and stakeholders, ranging from direct subscribers to periodical publications, to business, research and community contacts. This information may be used to disseminate information and to facilitate participation in events and CSIRO activities. In managing this information, we will:
CSIRO will collect personal information from prospective employees for the purposes of administering a recruitment process. Unlike the private sector, CSIRO’s employee records are subject to the Privacy Act and we use the personal information of CSIRO staff for the purposes of administering their employment with CSIRO. This may include using and disclosing personal information for:
We collect personal information in the course of promoting and marketing our activities to the public, including via the following:
We collect personal information when administering an individual’s request for access to documents under the Freedom of Information Act 1984 (Cth).
We may, from time to time, engage service providers to provide services to us. Where those services involve a service provider dealing with personal information on our behalf, we will ensure that our contract with the service provider obliges the service provider to comply with the same level of privacy obligations as CSIRO.
Each area of CSIRO that collects personal information stores that information securely on CSIRO’s IT systems. These systems are password protected and, where required, only certain people are authorised to access the information. We also have recordkeeping obligations under the Archives Act 1983 (Cth), and have recordkeeping codes specific to particular areas of CSIRO activity. We are also required to comply with other government policies in relation to storage and security of information, including the Australian Government Policy and Risk Management Guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements and the Protective Security Policy Framework, complemented by the Australian Government Information Security Manual.
We may use third parties to store some personal information on servers in Australia or overseas.
We may disclose personal information overseas from time to time, for example in the course of a research project with an overseas entity, through publishing information or by storing information on a server located overseas. CSIRO will only disclose your information overseas in accordance with APP 8 and where certain conditions are met, for example, where the recipient is subject to a law or binding scheme substantially similar to the APPs, including mechanisms for enforcement, we have sought your consent, or we have ensured appropriate contractual measurements are met.
We will provide you with access to your personal information that we hold, subject to any applicable exceptions under the Privacy Act. We will require you to verify your identity and specify, as clearly as possible, the information that you wish to access. We will not charge you for lodging a request for access to your own personal information but may charge for reasonable administrative costs. The fee will be determined on a case by case basis and you will be informed beforehand of the likely cost.
CSIRO employees seeking their employment details should initially do so in accordance with CSIRO’s human resources processes. CSIRO is also subject to the Freedom of Information Act 1984 (Cth) and this operates alongside your right to access your personal information under the Privacy Act.
If you can establish that information held by us about you is inaccurate, irrelevant, out of date, incomplete or misleading, we will take reasonable steps to amend it. If we disagree with your view about the status of this information, we will provide reasons for the refusal and record a statement in our records of your view.
If you have a privacy related complaint about us, please contact CSIRO’s Privacy Officer at privacy@csiro.au.