Ms Kate Maloney
Privacy Officer (Governance)
This document describes the policies and procedures that we have in place for the management and protection of personal information that CSIRO collects and holds.
CSIRO is a body corporate established by section 8 of the Science and Industry Research Act 1949 (Cth) (“SIR Act”) and is bound by the Privacy Act 1988 (Cth), as an agency.
The Privacy Act regulates the collection, use, disclosure, storage and security of personal information of government agencies and private organisations. The Privacy Act includes 13 binding Australian Privacy Principles ('APPs') with which CSIRO must comply in relation to its management of personal information.
What sorts of personal information does CSIRO collect and hold?
Personal information is:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
We collect personal information from staff, contractors, partners and from the public from a wide range of areas across CSIRO. For example, we may hold personal information in the following types of records:
- Research data for projects involving human participants
- Client records
- Project files with research partners
- Personnel records
- Recruitment records
- Contractor information
- Statutory appointment information (e.g. Board members)
- Occupational Health and Safety records
- Rehabilitation case management files
- Security Files
- Freedom of Information Requests
- Subscription details (e.g. for CSIRO publications)
- Legal files
- Education files
- Ministerial correspondence
- Complaint details
These types of files held by us from time to time may include personal information such as:
- name, residential address, occupation, email address and telephone contact details;
- opinions and reactions to testing and research;
- health information; and
- credit card or other personal financial details.
The personal information on some of these files may also include sensitive information, including information about a person’s race or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information or genetic information.
How does CSIRO collect and hold personal information?
Where it is reasonably practicable to do so, we collect personal information directly from you. However, on occasions, we may need to collect personal information from other sources such as public records, parents or guardians of children under the age of 18 years and third parties. When dealing with children, we seek parental consent prior to the collection of personal information, including photographs.
We may collect personal information in various ways, including via:
- Online forms (such as subscription forms or registration forms for an event e.g. hosted on Microsoft Forms);
- Surveys (hard copy or online);
- Research projects;
- Pathology providers;
- Information associated with accessing and using CSIRO websites;
- Over the telephone;
- Via video call/conferencing platforms e.g. WebEx and their features e.g. chat functions;
- The use of biometric technology;
- In person in a meeting or interview scenario;
- Innovation programs;
- Via emails or other correspondence sent to CSIRO;
- By taking photographs or videos at CSIRO events;
- Third parties, for example reports from referees of prospective employees; or
- From publicly available information, such as interactions with CSIRO via social media sites.
For what purposes does CSIRO collect, hold and use personal information?
With CSIRO’s extensive and diverse activities, we collect, hold and use personal information throughout CSIRO for many different purposes and via different methods. We only collect personal information for purposes directly related to our functions or activities under the SIR Act and only where it is necessary for or directly related to such purposes.
When we collect personal information from you for certain specific activities, where required, we will use a collection notice that deals specifically with that collection, including a description of the purposes for which we will use the personal information collected in that instance. Where relevant, our internal procedures and systems embed privacy protections to ensure we comply with our obligations under the Privacy Act.
We may use or hold personal and sensitive information for the following general purposes:
- to provide scientific and research services to both public and private sector clients;
- to deliver programs, such as Innovation Programs and Hackathons;
- to manage our employees and contractors, including to consider prospective employees;
- to undertake research and testing as part of our functions under the SIR Act (such as information about individuals participating in focus group testing, including health information for food testing and information about physical reactions to food additives);
- to maintain membership or subscriber records for our publications or club members (such as the Double Helix Club); and
- to promote and market our activities.
From time to time, we may need to disclose personal information to our joint venture partners or share information with contractors or agents who provide services to us, such as off-site file storage facilities and financial institutions which transmit payments on our behalf.
We will collect personal information from you for the purposes described in a collection notice and will only use or disclose your personal information for other purposes if:
- you have consented to the other use;
- you would reasonably expect, or have been told, that your personal information is usually passed on to other entities;
- it is required or authorised by law;
- it will prevent or lessen a serious threat to someone’s life, health or safety (including public health and safety);
- it is required to take appropriate action in relation to suspected unlawful activity or serious misconduct;
- it is required to locate a missing person; or
- it is required to assert a legal or equitable claim or to conduct an alternative dispute resolution process.
Set out below is some further detail of how we may use personal information collected for certain of our main activities.
When you visit our website
Some services that run on our sites, such as those provided by Google, Facebook and Vimeo, may also create or read their own cookies on your browser.
We use Google Analytics and Clicky to collect anonymised data about your interaction with our websites, which are hosted by a third party provider. We may also use our own analytics on our websites.
The types of data collected may include your IP address, browser and operating system, screen size, geographic location, search terms and pages visited, actions performed on pages, and date and time of webpage access. Where you provide your email address, that information may be linked to your interactions with the websites.
This data is collected for the purposes of providing you with a better experience of, and improving, our websites. Occasionally, we may also use this data for scientific research, including measuring the impact and outcomes of research.
When you send an email to a CSIRO address (email@example.com), the content and your details, including your email address, become part of our records. Your email address, acquired in this way, will not be added to any mailing list unless specified in a collection statement or unless we obtain your consent.
Completing an online form
Should you decide to complete and submit an online form on any part of the CSIRO website, we:
- may record personal details provided by you, such as e-mail address, street address, telephone number, occupation, company, areas of interest, etc., to the extent they are relevant to the purpose for which we are collecting them.
- will only use this information for the purpose for which it was collected.
- will not disclose this information without your consent except where CSIRO may be required by law to disclose the information.
Online forms and surveys hosted by third parties
CSIRO may use online forms and surveys which are hosted by third parties (e.g. Microsoft Forms or SurveyMonkey) to facilitate internal CSIRO procedures or our research activities. Where CSIRO uses a third party for these purposes, CSIRO will ensure that the platform provider is subject to a law or binding scheme substantially similar to the APPs, including mechanisms for enforcement, that we have sought your consent, or that appropriate contractual measures are met.
We may conduct research involving human participants and this research may involve the collection of personal information, including health information, genetic information, or information about a person as part of social research. The collection of such information may also have ethical approval requirements.
When dealing with personal information in a research context, we will usually de-identify that information. If personal information is not de-identified, we will deal with personal information collected during research in accordance with the Privacy Act.
We may also deal with personal information of research partners or clients when providing scientific research services and testing services to both public and private sector clients. This may include the following sorts of personal information:
- Name, address, occupation, and email and telephone contact details;
- Opinions and reactions to testing and research;
- Health information;
- Client information;
- Credit card or other personal financial details.
If we collect your personal information as part of our research activities, we will use that information for the purposes of the specific research activity and we may also add it to a database for the purpose of contacting you about future CSIRO activities, but only where you would reasonably expect this or have consented.
CSIRO Enquiries service
When you contact us for general information about our activities or about science and technology generally, we will:
- Log the contact (online or otherwise) in a secure database;
- Record your name and other contact details, and information about the nature of the enquiry and response provided;
- Record phone calls for the purpose of quality assurance and coaching;
- Not add you to a mailing list, but may seek consent to contact you to provide feedback on the service provided.
- Not disclose the information collected without your consent, except where CSIRO may be required by law to disclose the information.
Direct communication from CSIRO
We store the contact details of a wide range of clients and stakeholders, ranging from direct subscribers to periodical publications, to business, research and community contacts. This information may be used to disseminate information and to facilitate participation in events and CSIRO activities. In managing this information, we will:
- hold all personal information in secure databases, at both onsite and offsite locations.
- ensure that at any time, a recipient of e-mailed mass communication may ask to “unsubscribe” from our central marketing/communication database.
- ensure that a direct link to “unsubscribe” is generally made available in mass communications from us. Alternatively, unsubscribe requests can be made directly to CSIRO Enquiries.
Managing our personnel and other support services functions
CSIRO collects, uses, discloses and handles personal and sensitive information to enable us to properly manage our business affairs, legal obligations and the employment, engagement and management of staff and affiliates, which may include, but is not limited to:
- assessing suitability and/or eligibility for appointment/engagement;
- compliance activities;
- assessing staff capability requirements and resourcing;
- business development and improvement;
- training, development, research and evaluation;
- audit and assurance;
- financial, legal, security, information technology and communications matters related to a staff member's employment;
- the management, investigation and/or resolution of any issues that may arise during the course of an individual's employment or engagement, including workplace issues (whether conduct or non-conduct related), probation, medical-related issues, and work, health and safety matters; and
- managing natural disasters, health crises such as COVID-19, and other risks to CSIRO staff members and affiliates.
Engaging with the public about science
We collect personal information in the course of promoting and marketing our activities to the public, including via the following:
- Promotions / competitions;
- Photographs of individuals taken at CSIRO events;
- Collecting data about the public’s opinions on science (e.g. feedback via social media);
- Sending marketing material to clients;
- Maintaining membership or subscriber records for our publications or club members (such as the Double Helix Club);
- CSIRO Education programs and publications.
Freedom of Information requests
We collect personal information when administering an individual’s request for access to documents under the Freedom of Information Act 1984 (Cth).
Where CSIRO contracts service providers to provide a service to CSIRO
CSIRO frequently engages third-party service providers (including some that are located overseas) to provide software, platforms and other services, which may collect personal information on CSIRO's behalf. CSIRO takes appropriate contractual measures to ensure that any agreements with these platforms provide appropriate privacy protections. These providers also have their own privacy policies or service standards for where they hold, or are otherwise in control of, your personal information. Third-party service providers that CSIRO regularly engages with include:
- Microsoft Privacy Statement
- Webex Cisco Online Privacy Statement
- SurveyMonkey Privacy Notice
- Qualtrics Privacy Statement
How does CSIRO store personal information?
Each area of CSIRO that collects personal information stores that information securely on CSIRO’s IT systems. These systems are password protected and, where required, only certain people are authorised to access the information. We also have recordkeeping obligations under the Archives Act 1983 (Cth), and have record keeping codes specific to particular areas of CSIRO activity. We are also required to comply with other government policies in relation to storage and security of information, including the Australian Government Policy and Risk Management Guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements and the Protective Security Policy Framework, complemented by the Australian Government Information Security Manual.
We may use third parties to store some personal information on servers and cloud services in Australia or overseas.
Disclosures of personal information overseas
We may disclose personal information overseas from time to time, for example in the course of a research project with an overseas entity, through publishing information or by storing information on a server located overseas. CSIRO will only disclose your information overseas in accordance with APP 8 and where certain conditions are met, for example, where the recipient is subject to a law or binding scheme substantially similar to the APPs, including mechanisms for enforcement, where we have sought your consent, or where we have ensured appropriate contractual measures are met.
Access to and amendment of personal information held by CSIRO
We will provide you with access to your personal information that we hold, subject to any applicable exceptions under the Privacy Act. We will require you to verify your identity and specify, as clearly as possible, the information that you wish to access. We will not charge you for lodging a request for access to your own personal information but may charge for reasonable administrative costs. The fee will be determined on a case by case basis and you will be informed beforehand of the likely cost.
CSIRO employees seeking their employment details should initially do so in accordance with CSIRO’s human resources processes. CSIRO is also subject to the Freedom of Information Act 1984 (Cth) and this operates alongside your right to access your personal information under the Privacy Act.
If you can establish that information held by us about you is inaccurate, irrelevant, out of date, incomplete or misleading, we will take reasonable steps to amend the information. If we disagree with your view about the status of this information, we will provide reasons for the refusal and record a statement in our records of your view.
If you have a privacy related complaint about us, please contact CSIRO’s Privacy Officer at firstname.lastname@example.org.
Last updated 27 May 2022