You are here: Home About Us IFS Privacy Information Protection Policy
Document Actions

IFS Privacy Information Protection Policy

by Tim Farrell last modified 06:44 27-04-2009

Background

The Personal Information Protection Act 2004 (the Act) was enacted in September 2005. The Act applies to all Personal Information collected or stored by the Inland Fisheries Service and is designed to provide principles of security and integrity for the information.

 

Personal information (PI) is information, recorded in any format, where an individual’s identity is apparent or is reasonably ascertainable, whether the individual is living or has been deceased for less than 25 years.  

 

Note: The Act does not apply to either business or public information. Note that public information includes any personal information that is contained in a publicly available record or publication, or taken to be public information under any Act.

Intent of the PIP Act

The intent of the Act is that any personal information collected by the IFS staff in the course of performing duties is used appropriately for the purposes for which it is collected. This means that personal information is protected from inappropriate use or dissemination, with the nature of use being disclosed at the point of collection.

 

The Act applies to anyone working on behalf of the IFS and includes:

  • all employees;
  • contractors working for the Service; and
  • volunteers.

The Principles of the PIP Act

The basic principles for the collection and storage of personal information, as outlined in the PIP Act, are as follows:

  • Collect only what is necessary for the primary purpose, or other purposes disclosed to the individual.
  • Preferably collect information only from the person to whom it relates. Do it lawfully and fairly. Tell people it is being collected, especially if it may be used for purposes other than the primary purpose (the service being provided).
  • Endeavour to ensure that the information is accurate, complete and up to date before being used.
  • Keep information secure against unauthorised access, use or disclosure.
  • Use information only for the purpose for which it was collected, or a related purpose that the individual would reasonably expect. Some important interests, such as protecting health and safety, welfare, or the prevention and investigation of crimes can justify use and disclosure without consent. Otherwise, unless the use or disclosure is required by law, consent must be obtained.
  • Individuals have the right to see their information and correct it if necessary (the PIP Act applies the procedures of the FOI Act).
  • Minimise the creating and sharing of ID numbers that can be used to match or collate information about individuals from other sources.
  • If an individual’s information is passed to other organisations, first ensure that equivalent privacy protection will continue to apply.
  • Sensitive information about individuals, which may include, but is not limited to, health status, ethnic background, religion, sexual preference or criminal record, has special protection under law. Don’t collect, use or disclose it without first checking the rules.
  • Basic personal information (names, addresses, date-of-birth and gender) can, in certain circumstances, be disclosed by Government Agencies to other Government Agencies without consent.

 

In all instances the object of the PIP Act is to protect personal information.

What This Means

Collection:  The IFS must take all reasonable steps, before, during or as soon as possible after the collection of personal information from an individual, to ensure that the individual is aware of:

  • the data custodians identity and how to contact it;
  • their right of access to the information;
  • the purpose for which the information is collected;
  • the intended recipients of the information; and
  • the laws or legislation requiring the information to be collected.


A simple and effective means of complying with the PIP Act is to provide a Privacy Statement, covering the matters listed above whenever personal information is collected. Individuals need only be informed of the Privacy Statement once. Subsequent related transactions, such as licence renewals or changes of address, will not require the individual to be repeatedly informed of the Privacy Statement.

 

Storage and Access: the access, use and maintenance of databases must be consistent with the principles of the PIP Act, and maintain both the integrity and security of the personal information.

Collection Forms

All IFS forms that collect personal information must contain a ‘Privacy Statement’, indicating the purpose for which the information was collected, the reason for collection and any legislation which requires the information to be collected. Examples of documents include those used in the sale of recreational fishing licences, competitions, promotions, surveys, correspondence, permit applications, commercial licences and enforcement. Refer to the IFS Personal  Information Protection Manual for examples of the Privacy Statement prepared for inclusion on various collection documents.

Information Collected Verbally

If information is collected verbally, it is incumbent upon the person collecting the information to inform the individual: the purpose for which the information is being collected, the reason for collection and any legislation under which the information is being collected. In a face to face transaction, a small poster on the counter for example, will fulfil the requirements of the PIP Act. With information collected over the telephone, a short statement should be read to the client. Refer to the Refer to the IFS Personal  Information Protection Manual for an example of a verbal statement for use over the phone or in a face to face meeting.


 

Submissions Received through Public Consultation

Any submissions received as part of a public consultation process are considered to be public information and are therefore exempt from the provisions of the PIP Act.

Commercial in Confidence Information

Generally the intent of commercial in confidence and the PIP Act support each other. In most cases commercial in confidence information is submitted by organisations rather than by individuals, therefore the PIP Act does not apply.

However, where information is collected and it contains personal information, the PIP Act does apply. This means that the materials submitted as commercial in confidence can only be used for the purposes they were intended for, and only accessed by those who require the documents to undertake tasks directly associated with that purpose.

Personal Information Collected before the Act Commences

Personal information collected before the implementation of the PIP Act must be treated in accordance with the principles of the Act. The only exceptions are the initial collection principle, which did not apply at the time of collection and the principles relating to unique identifiers, anonymity and sensitive information.

This means that for most practical purposes, the Act still applies, and the information can only be used for the purposes that the person would reasonably expect it to be used for.

The PIP Act and Personal Databases

The IFS must not use or disclose personal information about an individual for a purpose other than the purpose for which it was collected.

 

The IFS must ensure that the personal information it collects, uses, or holds is accurate complete, up-to-date and relevant to its functions or activities. It must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure.

Note: the details of business contacts, such as commercial or Government organisations and their representatives, are not regarded as personal information and the Act does not apply.

De-Identification or Destruction of Records

The storage of all information is subject to the Archives Act. The IFS must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. As a general principle, information that is no longer being used should be deleted.

If the information has been de-identified (eg in the case of aggregation and statistical analysis) it ceases to be regarded as personal information, as the individual’s identity can longer be determined.

Exemptions

The PIP Act contains exemptions that may apply to information collected and stored by the Service in certain instances.

 

These include:

1. Public Information, which is information contained in a publicly available record or taken to be public information under any other Act;

2. Law Enforcement Information which relates to the prevention, detection, investigation or prosecution of criminal offences under the Inland Fisheries Act, or in connection with any other proceedings in any court or tribunal.

3. Unsolicited Information, which is information provided to the Service without the Service asking for it. However, the use and dissemination of that information must be treated under the general Principles of the Act, and the information must not be used for purposes other than for what would reasonably be expected.

4. Employee Information, which relates to collecting information about a person only from that person, the use of unique identifiers and the collection of sensitive information.

5. Basic Personal Information (eg name, address, date of birth and gender) may be used or disclosed for a purpose other than the primary purpose of collection without the individual’s consent only if the use or disclosure is reasonably necessary for efficient storage and use of that information, and if the collection, use and disclosure is by public sector bodies.

 

Where personal information is disclosed for a purpose other than the principle purpose of collection, as a result of any exemption, a file note must be made detailing the use and disclosure.

PIP Act in Relation to Other Legislation

The PIP Act is subordinate to any other legislation. This means, that where other legislation is inconsistent with the PIP Act (eg it explicitly allows the use or dissemination of personal information), then the other legislation over rides the PIP Act. However, the PIP Act requires that the person providing their personal information understands the use to which the information may be put and any relevant legislation which guides or requires its use.

PIP Act and the FOI Act

The Freedom of Information Act over-rides the PIP Act. Any request for release of personal information under the FOI Act must be made and dealt with in accordance with that Act.
Go Buy
Buy, renew or  change the details on your Angling Licence
Go Fish
Find out about fish, waters, and regulations.
CheckIt
Before you go fishing check latest weather, stocking information, and regulations.