Privacy and Personal Information Protection Management Plan
Last reviewed: July 2009
AGNSW Privacy and Personal Information Protection Management Plan
Policy Statement:
The following privacy management plan has been prepared in line with the key protection principles to ensure the Gallery’s compliance with the Privacy and Personal Information Protection Act, 1988 (PPIP) and the Health Records and Information Protection Act, 2002 (HRIP).
The Art Gallery has appointed a designated Privacy Officer. Contact details are: Manager, Human Resources Services, Art Gallery New South Wales, Art Gallery Road, The Domain, NSW 2000. Telephone: (02) 9225-1795 or Fax: (02) 92228-1622.
Personal information held includes data relating to employees, trustees, supporters and donors, art prize and scholarship applications, arts industry professional network contacts, business suppliers, and members of the general public who elect to register for newsletters or enter competition prizes.
As most personal information held by the Gallery is provided directly by the individual to whom it relates, it is assumed that the information is accurate. The Gallery undertakes periodic reviews in an attempt to validate the currency and accuracy of data held.
The AGNSW Employee Privacy & Personal Information Protection Policy Statement is posted on the Gallery’s intranet (Policy & Procedures section) and a hardcopy version is provided to new staff upon induction. The AGNSW Website Privacy Policy is available on-line from links in both the ‘About Us’ and ‘Shop’ (e-commerce) sections of the website (www.artgallery.nsw.gov.au).
If an individual has a complaint about the conduct of the Gallery in relation to the collection, storage, use or disclosure of personal information, an Internal Review Application Form has been developed to assist with this process. Additionally, the Gallery has developed a Privacy Complaint Internal Review Checklist to ensure that the investigation into any complaint is handled in compliance with the PPIP Act requirements.
The Gallery is required to notify the Privacy Commissioner of an application for internal review and provide a report of the findings of the review and any action taken by the Gallery relating to the matter.
In addition to the PPIP Act, the Gallery observes other legislation and associated government policies and procedures which confer or support a right to privacy in certain circumstances. For example: State Records Act 2005; Protected Disclosures Act 1994; Freedom of Information Act 1989; ICAC Act 1988.
The following Gallery policies also enable compliance with the PPIP Act: Code of Conduct for staff; Code of Conduct for Trustees; Corruption Prevention Policy and Procedures (including Protected Disclosures Policy and Procedures); Internet and Email Access Policy; Grievance and Dispute Handling Policies and Procedures.
The Gallery will undertake to monitor and review amendments to this management plan every three years (or sooner if amendments to the legislation require it). An update on the implementation of the management plan and any complaints received will be included in the Art Gallery’s Annual Report to Parliament. To date the Art Gallery has received no privacy protection complaints.
Last 3 year review completed: July 2009
Summary of Actions
Staff Records:
Principle Grouping: Collection
Strategy: Personal information about Gallery staff to be collected directly from staff members wherever possible.
Outcome: Staff members are aware of what personal information is retained for Gallery records.
Due Date: On-going – Data collected at entry on duty / induction training sessions etc.
Current Status: 100% Completed.
Responsible officer: Human Resources Officers.

Principle Grouping: Storage
Strategy: Personal information about staff stored on hard copy personal files is kept secure within the Human Resources offices.
Outcome: No unauthorised person has access to personal information contained in official personal files.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Officers.

Principle Grouping: Storage
Strategy: Personal information about staff stored electronically in computerised systems such as CHRIS, SUN, TRIM is security controlled by limited access via username / password permissions.
Outcome: No unauthorised person has access to personal information.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Computerised System Administrators and System Users.

Principle Grouping: Access and accuracy
Strategy: Staff may access their personal records under supervision of a Human Resources Officer. Staff are entitled to have their information amended to ensure that the information is accurate, relevant, up-to-date, complete and not misleading.
Outcome: All staff have open and transparent access to their personal information but cannot alter or remove records without informing / permission of Human Resources officers.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Officers.

Principle Grouping: Access and accuracy
Strategy: Human Resources undertake an annual review to ensure staff personal information is up-to-date and accurate. Note: It is the employee’s responsibility to advise the HR department of any relevant changes in their personal information.
Outcome: Information about current employees is as up-to-date as possible.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Officers.

Principle Grouping: Use and disclosure
Strategy: Personal information about staff is only used for specifically collected purpose or a directly related purpose that staff would expect.
Outcome: Personal information is only used in accordance with the intent of the PPIP and HRIP Acts.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Officers.

Principle Grouping: Use and disclosure
Strategy: The Gallery’s Privacy & Personal Information Protection Policy Statement is circulated to all staff and stored on the intranet.
Outcome: The Gallery has disclosed to staff what and how their personal information is collected, stored and used.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Administration Manager.

Principle Grouping: Identifiers and anonymity
Strategy: Minimise possibility of a staff member being identified by personal information required to be submitted to NSW government central agencies / ABS census in the form of generic workplace surveys / audits etc.
Outcome: The Gallery complies with official requests for workplace / workforce data without unnecessarily revealing personal information of staff.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Manager.

Principle Grouping: Transfer and linkage
Strategy: Health information will only be transferred outside of NSW in accordance with HRIP Act.
Outcome: Any health information transferred outside NSW is in compliance with HRIP Act.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Manager.

Principle Grouping: Transfer and linkage
Strategy: A staff member’s health information will only be included in a system to link health records across more than one organisation with the expressed consent of relevant staff member.
Outcome: Any health information included in a system to link health records across more than one organisation is in compliance with HRIP Act.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Human Resources Manager.
Donors and Supporters Records:
Principle Grouping: Collection
Strategy: Personal information about Art Gallery donors and supporters to be collected directly from the individual.
Outcome: All donors / supporters are aware of what personal information is retained for Art Gallery records.
Due Date: On-going – Data collected at initial time of support or donation recognition.
Current Status: 100% Completed.
Responsible officer: Supporter and Donor Managers.

Principle Grouping: Storage
Strategy: Personal information about supporters and donors stored on hardcopy files is kept secure within relevant managers’ offices.
Outcome: No unauthorised person has access to personal information contained in official personal files.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Supporter and Donor Managers and Administrative Officers.

Principle Grouping: Storage
Strategy: Personal information about supporters and donors stored electronically in computerised systems such as the CRM database is security controlled by limited access via username / password permissions.
Outcome: No unauthorised person has access to personal information.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Computerised System Administrators and System Users.

Principle Grouping: Access and accuracy
Strategy: Supporters and donors may access their personal records under supervision of the relevant donor / support group Manager. Supporters and donors are entitled to have their information amended to ensure that the information is accurate, relevant, up-to-date, complete and not misleading.
Outcome: All supporters and donors have open access to their personal information but cannot alter or remove records without informing / permission of relevant group administrator.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: CRM Administrator and administrative officer for specific groups.

Principle Grouping: Access and accuracy
Strategy: The donor / supporter databases are regularly maintained to ensure personal information recorded is current and accurate.
Outcome: Information about current donors / supporters is as up-to-date as possible.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Donor / Supporter Managers and administrative officers.

Principle Grouping: Use and disclosure
Strategy: Personal information about donors / supporters is only used for specifically collected purposes or a directly related purpose that they would expect.
Outcome: Personal information is only used in accordance with the intent of the PPIP Act.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Donor / Supporter Managers and administrative officers.
Artist Research and Art Prizes Records:
Principle Grouping: Collection
Strategy: By signing the Interview Permission Form the general public participating in the Gallery’s oral history program grants approval for access to personal information collected for research purposes.
Outcome: Living artists grant permission for collection of personal data and understand it will be used for research purposes.
Due Date: On-going – Permission form signed before commencement of recorded interview.
Current Status: 100% Completed.
Responsible officer: Research Library Archivist / Curatorial Staff.

Principle Grouping: Collection
Strategy: Seek s.41 permanent exemption to PPIP Act relating to personal information contained in archival materials currently contained, and obtained in the future, in the Art Gallery’s Research Library and Archive collections.
Outcome: Arts institutions with collecting mandates are exempt from the PPIP Act.
Due Date: Permanent exemption for the Gallery’s Research Library granted from 1st September, 2005 under clause 4 of the PPIP Regulations 2005.
Current Status: 100% Complete.
Responsible officer: Administration Manager.

Principle Grouping: Collection
Strategy: Personal information is only collected from the general public who wish to be included in the Art Prizes database. Hardcopy requests are securely destroyed once data has been entered into the electronic database.
Outcome: Mailing lists for art prize entry forms are opt-in only with access to unsubscribe at any time.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Administrative Services Officer.

Principle Grouping: Storage
Strategy: Personal information stored in the Gallery’s Research Library Collection is secured as archival material and not available without access granted by Archivist.
Outcome: Archival materials are stored securely.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Archivist.

Principle Grouping: Storage
Strategy: Personal information stored in the Art Prizes database is secure with limited access via system username and password permission controls.
Outcome: No unauthorised person has access to personal information.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Administrative Services Officer.

Principle Grouping: Access and accuracy
Strategy: Requests from the general public for addition to or removal from the Gallery’s art prizes database processed promptly.
Outcome: Only general public that request inclusion are added to database. Currency of listing also maintained via ‘return to sender’ entry applications.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Administrative Services Officer.

Principle Grouping: Use and disclosure
Strategy: Personal information of general public registered on the Gallery’s art prizes database is only used for specifically collected purposes or a directly related purpose that they would expect.
Outcome: Personal information is only used in accordance with the intent of the PPIP Act.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Administrative Services Officer.

Principle Grouping: Identifiers and anonymity
Strategy: Application form for Access to Archival Collections contains opt-in questions relating to the sharing of researchers’ work and inclusion on Research Register.
Outcome: Researchers given opportunity to share ‘end product’.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Research Library Archivist.

Principle Grouping: Identifiers and anonymity
Strategy: No personal information on the Gallery’s art prizes database will be shared with any third party.
Outcome: The anonymity of registered users is preserved.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Administrative Services Officer.
Market Research, Customer Surveys and Competition Entry Records:
Principle Grouping: Collection
Strategy: Personal information collected from the general public who register or permit registration on the Gallery’s electronic internet and email databases is in line with specific permissions agreement.
Outcome: Electronic database registrants are aware of what personal information is retained as Art Gallery records.
Due Date: On-going – Data collected at initial time of registration or on completion of a permissions form.
Current Status: 100% Completed.
Responsible officer: Manager, Information and Website and system administrators.

Principle Grouping: Collection
Strategy: Exhibition competitions (and/or sponsorship promotional arrangements) that include access to the general public’s personal information are conducted with a clearly marked opt-in/opt-out requirement and details of the associated third party/parties involved in the promotion.
Outcome: The general public is aware when completing exhibition competition or other promotional entry forms that their personal information may be shared with the nominated third party.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: General Manager, Marketing and Business Development.

Principle Grouping: Storage
Strategy: Hardcopy personal information permission forms for registration on the Gallery’s electronic databases (internet and/or email) are securely stored until data is entered into electronic system, at which time the hardcopy form is shredded.
Outcome: No unauthorised person has access to personal information.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: General Manager Marketing and Data Entry Operators.

Principle Grouping: Storage
Strategy: General public personal information stored in electronic database within any social network applications (internet) is securely controlled with limited access via username and password system permissions.
Outcome: No unauthorised person has access to personal information.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Manager Information & Website and system administrators for specific listings.

Principle Grouping: Access and accuracy
Strategy: Requests from the general public for addition to or removal from the Gallery’s internet electronic database / mailing lists are processed promptly.
Outcome: Only ‘opt-in’ users are registered in ArtMail email newsletters database and the listing is current at each issue. Each issue has an unsubscribe option.
Due Date: On-going.
Current Status: 100% Completed. Unsubscribe link on every email sent.
Responsible officer: Manager, Information & Website, Marketing Manager and email newsletter administrators.

Principle Grouping: Use and disclosure
Strategy: Personal information of general public registered on the Gallery’s internet and email databases is only used for specifically collected purposes or a directly related purpose that they would expect.
Outcome: Personal information is only used in accordance with the intent of the PPIP Act.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Manager, Information & Website, and database administrators.

Principle Grouping: Identifiers and anonymity
Strategy: The Gallery’s website Privacy Policy is posted on our official website www.artgallery.nsw.gov.au.
Outcome: The general public has access to the Gallery’s official Website Privacy Protection Policy and contact details for further information, if desired.
Due Date: On-going – Link for policy in the ‘About Us’ section of the website.
Current Status: 100% Completed.
Responsible officer: Manager, Information & Website and Manager, Administration.

Principle Grouping: Identifiers and anonymity
Strategy: No personal information of the registered general public on the Gallery’s internet and email databases will be shared with a third party.
Outcome: The anonymity of registered users is preserved.
Due Date: On-going.
Current Status: 100% Completed.
Responsible officer: Manager, Information & Website, and system administrators.
General Administration of Privacy Protection Act:
Strategy: The Gallery’s official records are reviewed and allocated either an OPA or CPA direction in accordance with the State Records Act 1998.
Outcome: Sensitive personal information requiring a Closed Public Access (CPA) directive is identified and processed accordingly.
Due Date: On-going – Review undertaken prior to releasing any requested documents from official files.
Current Status: 100% Completed.
Responsible officer: Research Library Archivist / Administration Records Coordinator.

Strategy: The Gallery will undertake a review every 3 years to determine what personal information records are being held, for what purpose, and where they are securely stored – central record to be updated accordingly.
Outcome: Ensure the Gallery has a consolidated overview of records being kept within operational departments.
Due Date: On-going – Every 3 years. Previously undertaken in January 2006.
Current Status: 100% Completed.
Responsible officer: Administration Manager.