Our commitment to privacy
The Centre for Invasive Species Solutions (CISS) is committed to the protection of privacy and is bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) and the EU General Data Protection Regulation 2016/679, where applicable.
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- Whether the information or opinion is true of not; and
- Whether the information or opinion is recorded in a material form or not.’.
This policy outlines the CISS practices and policies for the collection, storage, use and management of Personal Information. It covers all Personal Information (including Sensitive Information) collected by CISS and applies where Personal Information is collected directly and where it is sourced from third parties.
In this policy:
- “APPs” means the Australian Privacy Principles set out in the Privacy Act 1988 (Cth).
- “Data Protection Laws” means all applicable EU laws and regulations governing the use of processing of Personal Data, including (where applicable) the GDPR (from 25 May 2018)
- “Privacy Law” means the Privacy Act 1988 (Cth), and any applicable Commonwealth, State or Territory law about the protection of Personal Information or health information.
- “Personal Information” has the meaning as noted above and includes Sensitive Information.
- “Personal Data” means any information relating to an identified or identifiable natural person – one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person.
- “Sensitive Information” means Personal Information that is about:
- Racial, or ethnic origin
- Political opinions
- Membership of a political association
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a professional or trade association
- Membership of a trade union
- Sexual preferences or practices
- Criminal record
- Education Information
- Health information
- Genetic information that is not otherwise health information.
Our collection of Personal Information
In performing its functions, CISS may need to collect Personal Information about:
- People who are wanting to receive or are receiving services from or through CISS (CISS) (‘service clients‘)
- Employees, research students and other individuals who are affiliated with organisations that are investor partners of CISS (‘research affiliates‘)
- CISS employees, and contractors and service providers and their employees (‘workers and suppliers‘);
CISS may need to collect names and contact details from people with whom we deal. However, where practicable we will allow people to deal with us anonymously or using a pseudonym, although this is usually only practicable in the case of preliminary or general inquiries.
The types of information we collect and the purposes for which we collect it vary according to the type of individual it relates to.
While CISS does not provide services directly, we provide information and conduct a range of other activities relating to management and research services provided through CISS.
For this purpose, we may need to collect sensitive information and Personal Information about:
- subscribers to newsletters and media lists,
- registrants to competitions, workshops or public events,
- providers of management and research services.
We use this information for a range of purposes related to the research services of CISS, including to review and evaluate services and programs and to undertake service planning and analysis activities. Some of this information may be required to be provided to funding bodies.
Such information is generally collected, used and disclosed in de-identified form only. If we need to identify an individual recipient of research or other services, we will ensure that the individual’s consent has been obtained. Aggregated and de-identified data may also be used in CISS evaluation studies and reports, and in feedback material provided to funders, other research professionals or professional bodies.
CISS tries to collect Personal Information about an individual only from that individual, but in some circumstances, we may need to obtain Personal Information from a third party. For example, where it is necessary to provide an urgent referral, we may collect Personal Information from a family member, carer or treating practitioner of a service client. Unless we are otherwise required or authorised by law, we will only collect sensitive information with the individual’s consent.
If you do not provide the information we require, we may not be able to provide or refer you to appropriate information or services.
If you are a research affiliate, CISS may collect your Personal Information in order to:
- Provide services and programs for, or support services and programs offered by, your organisation and its staff;
- Receive and deal with complaints or queries about programs and services provided by your organisation; and
- Conduct planning and evaluation activities in relation to research programs and activities.
CISS may need to collect your name, age, gender, the organisation you work for or represent, its ABN or ACN, your work address, postal address, telephone and fax numbers and email address. We may also collect other Personal Information, including health information, information about your professional interests and experience, information about scholarships, education progress and post submission employment details, where it is relevant to a particular program or activity. Where necessary and with your consent, we may supplement the information we receive from you with information from third party sources, such as your employer or nominating organisation (if you are on a committee).
If you do not provide the information we require, we may not be able to provide any or all of the services CISS offers.
Workers and suppliers
If you are a worker, the information CISS collects will usually include your name, age, gender, your physical address, postal address, telephone and fax numbers and email address as well as direct credit or other banking details. We may collect information about your work history, and previous employment or engagements that are relevant to your work for CISS. We may also collect other Personal Information, including health information, information about your professional interests and experience, information about scholarships, education progress and post submission employment details, where it is relevant.
If you are one of our suppliers or provide services to us, we may also collect other information about you that is necessary to engage the provider or administer the provider contract, such as the products and services that you provide, quotes that you provide and direct credit or other banking details. We may from time to time need to check professional or trade references, which we will only do with consent.
If the information we require is not provided, we may not be able to utilise or fully utilise the services that workers and suppliers are able to provide.
Collection of information required by law
We may be required by law to collect information about providers of research services that require certain information to be collected for funding, evaluation and fraud prevention purposes.
How is Personal Information collected?
The means by which CISS collects Personal Information depends on the circumstances and the purpose for which it is collected. CISS also agrees to comply with the Data Protection Laws applicable whilst such Personal Data is in its control.
CISS usually collects Personal Information whenever a person uses or requests a product or service, completes a survey, questionnaire or enrolment form or communicates with CISS. This may happen by email, via our website, via a Customer Relationship Management (CRM) system, via third-party subscription services (i.e. MailChimp, SurveyMonkey) by telephone or fax, in writing, or in person.
CISS also collects Personal Information from individuals who apply to provide services to or employment at CISS through our staff recruitment and selection process.
CISS also collects Personal Information from the public domain sources, including public directories and membership lists published by professional registration boards.
What do we tell you about our collection of Personal Information?
When we collect Personal Information, we are required by the APPs to take reasonable steps to ensure that the individual is aware of certain details relating to the collection of Personal Information. We are required to do this whether we collect the information directly from the individual or indirectly via a third party.
Usually, CISS does this by ensuring that a privacy notice is provided at the time the Personal Information is collected. This information will also be provided when Personal Information is collected by telephone and is displayed or via our website.
The privacy notice will generally include information about:
- The purposes for which we are collecting the information in the particular circumstances;
- The types of organisations that that information may be disclosed to;
- The consequences if we are unable to collect the information;
- Whether there is any legal requirement for the information to be collected;
- Whether any of the information is likely to be disclosed outside Australia;
- Obtaining access to Personal Information we hold; and
- Making a privacy complaint.
We may also inform people about our collection of Personal Information by other means, including through the media, through mail-outs or notices on our website.
How is Personal Information protected?
CISS will take reasonable steps to protect the Personal Information we hold from misuse and loss and from unauthorised access, modification or disclosure. We maintain physical, technical and administrative safeguards including:
- Limiting physical access to our premises;
- Using contractual measures that require all contractors and service providers to comply with Privacy Laws and to take reasonable steps to protect Personal Information they collect in providing services to us or on our behalf. All contracts that flow to CISS e.g. from the funders, and contracts that CISS enters into with Partners, research professionals and other service providers, require compliance with the Privacy Act and contain confidentiality and privacy clauses.
- Maintaining the confidentiality and security of Personal Information by restricting access to only those staff and service providers with a legitimate need to access it. Security measures are in place to prevent the misuse, unauthorised access, modification or disclosure of Personal Information
- Having in place industry standard physical, electronic and procedural safety measures.
Our use and disclosure of Personal Information
CISS uses the Personal Information it collects for a range of purposes connected with CISS, including to:
- Provide information (such as publications, promotional resources, subscriptions, training materials and products) to research organisations, research professionals, research students and others;
- Coordinate / collaborate research development and extension services provided by CISS and our investor parties;
- Monitor participation in, and use of, CISS educational materials and products by research professionals, research students and educational institutions;
- Promote and organise educational and training activities, including events and conferences; and
- Perform our corporate and contractual obligations.
CISS promotional and educational activities may involve collecting individual research stories and publishing and/or broadcasting them to promote research and collaboration. We do not publish names or other identifying information (such as photographs) that may enable identification of an individual service client, a research affiliate or employee without first obtaining that person’s written consent.
Where CISS provides or administers education or participation activities for community members, research professionals or research students, we may disclose Personal Information to:
- Relevant institutions for the purposes of monitoring the participation (e.g. course or institution requirements); and
- Partner organisations for the purpose of recording professional development.
In some cases, information on the education or participation activity status of research professionals and research students is provided to an educational institution, provided the consent of the research professional or research student has been obtained.
CISS may disclose Personal Information to contractors or service providers to whom CISS out-sources certain functions or which provide services to CISS, such as:
- IT service providers;
- Bodies that undertake or assist in research or analysis; and
- Print, data capture, mailing and distribution houses.
CISS may also disclose Personal Information in circumstances where it is required or authorised to do so by law. This includes where we consider disclosure is reasonably necessary to avoid serious risks to health or safety or for the investigation of unlawful or seriously improper conduct, or where we are required to disclose by the order of a court or tribunal.
If you attend or participate in a CISS conference or event, your name, organisation and contact details may be used to compile a delegate list that is made available to other delegates, speakers, event organiser, accommodation providers, service providers, event sponsors and persons associated with related events. However, when collecting the information, we will always give you the opportunity to elect that your Personal Information not be used or disclosed for this purpose.
CISS does not supply, sell or rent the Personal Information it collects to unrelated third parties for the purpose of marketing those third parties’ products or services. CISS may send you information from time to time about its own activities, programs and services. If you do not want to receive such information you should contact the CISS Office Manager, Building 22, University of Canberra, Bruce ACT 2617. We will then remove you from our mailing lists.
CISS uses contracted IT service providers who may store Personal Information in or route Personal Information through servers and or data storage facilities located outside Australia, which may include Asia and the United States.
To improve your experience on our sites, we may use ‘cookies’. When you visit the CISS website or CISS related websites, our web server may download a cookie to your computer. A cookie is a small piece of information sent by our server to your browser. To protect your privacy, your browser only permits a web site to access the cookies it has already sent to you, not the cookies sent to you by other sites. If you do not wish to receive any cookies, you may set your browser to refuse them; go to the browser’s help menu for instructions. Cookies do not contain Personal Information about users. However, cookies can identify a user’s browser. The cookies transferred by CISS and CISS related websites are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website.
Access and correction
At any time, you can advise CISS of changes to your Personal Information.
You have the right to ask for access to any Personal Information we hold about you, and to ask us to correct any inaccuracy in and / or to withdraw that information. There are some exceptions to this set out in the Privacy Act 1988.
If you make a request for access, correction or withdrawal, CISS will ask you to verify your identify and specify what information you require. CISS may ask the reason for your request so we can assist you most effectively. However, you are under no obligation to provide a reason if you do not wish to.
Updates to this Policy
This policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices or procedures and the changing business environment.
Complaints about Privacy
CISS takes breaches seriously and has a Data Breach Response Plan and policy in place. These procedures help identify and resolve a breach, potential breach or complaint as quickly as possible. This includes appropriate escalation processes to the CISS Data Management Response Team, the Executive Management Team and CEO and notification processes in the event of a breach.
If you wish to make a privacy complaint, you should contact the CISS Office Manager Building 22, University of Canberra, Bruce ACT 02 6201 2887 or email@example.com about the way we handle your Personal Information. Complaints are forwarded to the General Manager for investigation. You will be notified of the process for dealing with the breach or potential breach. Your complaint will be investigated, and a genuine attempt made to negotiate a resolution with you.
If you are not satisfied with the resolution of your complaint by CISS, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.com.au/privacy. The OAIC may investigate your compliant and has the power to award compensation against CISS in appropriate circumstances.