Your Right to Privacy
Everyone has the right to Privacy and is protected by the National Privacy Principles (“NPPs”) which are set out in the Privacy Act 1988 (the Act). These principles are designed to regulate how Remote Area Dive collects, uses, discloses and otherwise handles personal information. You can obtain detailed descriptions of the NPPs by visiting the website for the Privacy Commissioner at www.privacy.gov.au.
Our Commitment to Privacy
Remote Area Dive holds a large amount of personal information concerning staff, students and other persons, as a natural consequence of our teaching, business and administrative functions. Some personal information is collected from the persons concerned, while other information is generated by Remote Area Dive in the course of our business activities. The privacy of persons about whom Remote Area Dive holds personal information must be respected and Remote Area Dive’s policy addresses the circumstances in which privacy issues may arise.
Personal information is information not in the public domain which identifies an individual and is capable of being associated with a specified individual. In Remote Area Dive context, examples of personal information include home address, home telephone number, date of birth, marital status, next of kin; salaries and wages of Remote Area Dive staff; all information concerning students, their enrolment, academic performance and their personal welfare (such as medical matters) and information concerning persons who apply to Remote Area Dive for appointment. It may also include visual information, such as photographs of people. For the purposes of this policy, personal information is given a broader meaning than in the Freedom of Information Act 1992 (the FOI Act refers to "personal affairs information", meaning matters of private concern to individuals).
Collection of personal information
Information should be collected only where it is necessary to carry out a particular function or administrative activity. For instance, it is rare that information concerning a student's marital status is required for normal administrative functions associated with enrolment or study. Where the information is not required for any specific purpose, it should not be collected.
Where information is collected for a particular purpose, it should not normally be used for any other purpose. For instance, it is not acceptable to supply the names and addresses of students to commercial providers of goods or services, even where particular benefits may be offered to those students, since such information has been collected by Remote Area Dive only for enrolment in diver training and business purposes. If personal information is likely to be used for some other purpose, this should be disclosed at least by the time that information is collected and preferably before it is requested.
Access to and use of personal information stored in records
There are several important principles which staff should consider when dealing with personal information held by Remote Area Dive.
Personal information should be accessed and used only for Remote Area Dive business purposes.
Access to either paper-based or computerized records should be sought and granted only where there is a demonstrated need for this because of a staff member's functions or responsibilities. Even where access is granted, it would be inappropriate, for instance, if an address, home telephone number or other information was accessed and used by a staff member for private reasons, e.g. to forward personal information to a supposed friend or colleague, or to ascertain the results of friends and associates. This is so even if the person to whom the information relates gives permission.
Personal information should be secured.
Paper-based records should not be left where members of the public, or others to whom the information they contain is not generally made available, may access them. Records containing personal information should be filed securely.
Appropriate arrangements should be put in place at the instructional level to ensure that access to computerized records is granted only to staff requiring such access in the course of their duties. Computer access passwords are intended as security devices and hence staff should not disclose their password to others
Sometimes personal information will be obtained orally, for instance, in an interview with a student concerning course progress. The information may or may not be recorded in documentary form. Nonetheless, privacy should be respected, and the information should not be discussed with others, except where this is necessary to undertake functions concerning the student or staff member who has provided the information.
Personal information should not be disclosed to third parties
Personal information should not be disclosed to third parties except in the circumstances outlined below.
As a general rule, information not publicly known concerning staff and students should be treated as confidential, and should not be disclosed to anyone but Remote Area Dive staff who have a demonstrated need for this information to carry out their duties. There are several exceptions to this general rule.
a. Disclosure to the staff member or student to whom the personal information relates:
Information privacy principles in general entitle those about whom information is held to access that information. This enables them to ensure that information about them is accurate, relevant, up-to-date, complete and not misleading. Thus, a staff member or a student would be entitled to request access to their personal file or to view information held in computerized formats about them. This general entitlement is given effect by the Queensland Freedom of Information Act, and is subject to its detailed provisions.
In most cases where access is requested, it will be possible for access to be obtained without the need to make a formal application under the FOI Act. For further advice on dealing with requests, refer to management.
Sometimes, persons supply original documents to Remote Area Dive, such as dive certificates, or dive medicals. Where it is practicable to do so, original documents supplied by a person may be returned to them, and should be returned upon request. If this occurs, Remote Area Dive records relevant to the transaction should include either a copy or an annotation indicating that original documents have been sighted and returned.
b. Disclosure to third parties only with the consent of the student or staff member concerned:
Personal information may be disclosed to third parties with the consent of the student or staff member concerned. Such consent cannot be assumed, and should be given expressly and in writing. It cannot be assumed, for instance, that Remote Area Dive has implied consent to routinely supply client details to professional associations, potential employers or parents.
Except in the special cases mentioned below (see items d and e below), the fact that the enquirer may hold an official position, for example, as an officer of a government department, or in some other way may claim a special or even official right to get information makes no difference to this position. Nor does it matter whether the enquiry is made informally or by means of a formal written document.
Details of a student's record should not be given to third parties. If an enquiry concerning a student's record is made by a person or body clearly having a valid reason for seeking the information, e.g. another training organisation or a prospective employer forwarding details of the record as furnished to the enquirer by the student, the enquiry should be referred to management, who will, if appropriate, verify the record so furnished.
Management staff may from time to time receive enquiries, often by telephone, from credit providers, in connection with applications by staff for credit facilities, and from real estate agents, in connection with rental of premises by staff. The enquirer usually asks for confirmation of employment and salary. Remote Area Dive is willing to assist the staff member in these cases and will provide confirmation of employment and salary level. This should only be done however where the staff member in question has advised the management in advance that an enquiry may be made by a credit provider or real estate agent and the staff member consents to the release of the information sought.
Where no prior advice has been received from the staff member concerning the possibility of an inquiry by the credit provider or other enquirer, the enquirer should be advised to make a request in writing. Such a request should include written evidence that release of this information has the staff member's consent or be checked with the staff member before any information is given.
c. Disclosure of matters of public record:
The fact that a student is enrolled at Remote Area Dive is not treated as a matter of public record. Consequently, such information should be disclosed only in the circumstances outlined in this policy.
It should not automatically be assumed that divulging apparently innocuous information, such as DMC candidates or staff, is acceptable. This is because of the opportunities which exist for using sophisticated software technologies to consolidate that information with other publicly available information and produce selected mailing list, for example, for the direct marketing industry. Such requests should be referred to management.
d. Disclosure of personal information under statutory or other legal authority:
In some cases, legislation has conferred upon certain public officers the right to demand and receive information, even though it would otherwise be regarded as confidential. A typical example is the Income Tax Assessment Act under which the Commissioner can authorise officers of that company to require any person to answer any question or to produce any document for inspection. The Commonwealth Departments of Education, Training and Youth Affairs, Social Security, or Immigration may also have powers to obtain access to personal information in specific circumstances.
Furthermore, Remote Area Dive must observe the Information Privacy Principles (IPP’s) set out in Information Standard 42 – Information Privacy, which mirror those of the Commonwealth Privacy Act. Under IPP No.11, although generally personal information should not be disclosed, it may be if disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.
In cases where enquiries are received from public officials, the relevant statutory authority to obtain access to such information should be requested. Statutory authority should be detailed in writing, as should written verification of appointment as a person entitled to require the information. When this authority is produced, the enquiry should be referred to management for confirmation.
Until such confirmation is obtained, inspection of Remote Area Dive documents is not permitted, no personal information should be released verbally and copies of documents should not be provided.
Similarly, where disclosure is sought in the course of legal proceedings, e.g. by service of a subpoena or notice of third party disclosure, this must at all times be referred promptly to the Remote Area Dive management for action.
e. Disclosure in instances of wrongdoing associated with Remote Area Dive activities:
Where staff suspect that some form of record falsification or other wrongdoing has occurred, any reporting of the issue should be to their supervisor in the first instance and then to the senior management. At no time should staff disclose such information directly to entities outside Remote Area Dive.
Occasionally, police officers involved in investigations of offences associated with Remote Area Dive or the misuse of Remote Area Dive property will make enquiries for personal information about staff or students to assist with their enquiries. In exceptional circumstances, Remote Area Dive may consider release of such information. All such enquiries must be referred to management.
f. Requests associated with bona fide research activities:
Remote Area Dive is willing to assist bona fide researchers undertaking studies, for example, by the distribution of questionnaires within the dive community. Any assistance must be approved by management.
Material to which such requests relate and which will be forwarded to staff/students must contain a clear statement of purpose, and responses must be entirely voluntary and made directly to the researcher.
Usually, Remote Area Dive will either distribute the material within Remote Area Dive E mail system or provide name/address labels under stringent conditions associated with the preservation of individual privacy. Costs will normally be recovered from the researcher. Remote Area Dive will provide no other follow-up or forwarding services.
Reporting breaches of privacy
Staff must report any breaches of this policy to the management as soon as practicable after the breach has been identified. Following notification, management will:
For minor breaches of the policy – liaise with the relevant supervisor on the necessary actions required to prevent a similar breach from occurring; or
For major breaches of the policy – instigate an investigation into the breach.
Supervisors must inform management of breaches of this policy and any actions arising out of any investigations.
Privacy issues can be discussed with management, if necessary, on a confidential basis. If an individual believes that their privacy has been breached, a complaint may be made in writing to management. In order to enable such a complaint to be properly investigated, it should identify the person whose privacy appears to have been breached. Anonymous complaints will not be dealt with.
An investigation will be conducted in consultation with the relevant supervisors. Management will have final responsibility for resolving the complaint.