Department of Treasury and Finance logo

Department of Treasury and Finance
Personal Information Protection Act
 
Options

Background

The Personal Information Protection Act 2004 (the PIP Act) commenced operation on 5 September 2005. The following policy statement addresses the principles that, I as the Commissioner of State Revenue (the Commissioner), apply in order to protect your personal information.

Information Collected
The Commissioner’s primary function is to administer the following Acts:

  • Taxation Administration Act 1997;
  • Duties Act 2001;
  • First Home Owner Grant Act 2000;
  • Pay-roll Tax Act 1971;
  • Land Tax Act 2000; and
  • Land Tax Rating Act 2000.

In the course of administering these Acts, personal information is collected as required and authorised under the various provisions of these Act/s and Regulations made by or under these Acts.

These Acts authorise me to collect and disclose personal and non personal information in the course of carrying out my administrative functions and activities. In this regard, it should be noted that Section 4 of the PIP Act provides that, where the provisions of the PIP Act are inconsistent with the provisions of other Acts, then the provisions of those other Acts prevail.

Under the PIP Act, as Commissioner, I am the custodian of personal information and the collection, use and disclosure of that information is governed by that Act. However, the statutory office of the Commissioner is also a “law enforcement agency”1 and I consider that non-compliance with some of the Personal Information Protection Principles (PIPP)2 is reasonably necessary to allow me to carry out my functions or activities. This non-compliance is restricted to where the information collected meets the definition of “law enforcement information”3 I will elaborate on this further in the sections below.

In terms of the collection of personal information, this non-compliance means that I am not required to disclose the purposes for which the information is collected nor am I restricted in collecting information about that individual solely from that individual.

In most cases, I collect information directly from the individual or agent or solicitor acting on behalf of the individual. I may also collect personal information from third parties for the purposes of revenue management or revenue protection functions under the Acts that I administer. I regularly collect or receive information from a range of third parties including the Australian Taxation Office, the Australian Securities & Investment Commission and Workplace Standards Tasmania. This information is used for my law enforcement activities in relation to compliance with the Acts that I administer and for verification purposes.

I am also responsible for the administration of a number of administrative schemes4 where, under the Business Undertakings Assistance Act 1984 and the Local Government (Rates & Charges Remissions) Act 1991, I am required to consider applications for assistance and, where satisfied that the relevant criteria have been met, approve payment of a grant, rebate or subsidy as appropriate. The personal information collected as part of the administration of these schemes is not considered to be law enforcement information. Accordingly, all ten PIPP’s apply to this information.

The type of personal information I collect includes names, addresses and telephone numbers, together with any specific information about a person that may be required to enable me to undertake my statutory responsibilities.

I will take reasonable steps to ensure that the personal information I hold is accurate, complete and up to date. Where practicable, my staff will check on the accuracy of your personal information before it is used.

Sensitive Information
Sensitive information includes things like health information, criminal record, racial origin and sexual preferences.

As a law enforcement agency, I consider that non-compliance with the provisions of PIPP 10(1)(a)(b)(c) and (e) is reasonably necessary for the purpose of carrying out my functions and activities where I am collecting personal information that is also law enforcement information. However, sensitive information will only be collected where necessary for the purpose of the Acts that I administer.

Anonymity
If you are making a general enquiry, or providing information to me regarding non-compliance with one of the Acts I administer, it may not be necessary to identify yourself. However, if you are making an enquiry about your own affairs or seeking to obtain a service, identification will be necessary.

Unique Identifiers
As a law enforcement agency I consider that non-compliance with the provisions of PIPP 7 is reasonably necessary for the purpose of carrying out my functions and activities where I am collecting personal information that is also law enforcement information. In this regard, I use unique identifiers in carrying out my statutory responsibilities.

In some cases, it is necessary to adopt unique identifiers from other organisations and I may also collect the unique identifiers assigned to you by another organisation; however, these unique identifiers will not be disclosed without lawful authority.

Disclosure of information outside Tasmania
As a law enforcement agency, I consider that non-compliance with the provisions of PIPP 9 is reasonably necessary for the purpose of carrying out my functions and activities where I am collecting personal information that is also law enforcement information.

However, in disclosing information outside Tasmania, I must comply with strict legislative provisions together with various Memoranda of Understanding and Service Level Agreements with external bodies such as the Australian Taxation Office and other State and Territory Revenue Offices.

Access to and Correction of Information Collected
The PIP Act provides that you can access your personal information that I hold. If you consider the personal information to be incorrect, incomplete, out of date or misleading, you can request that the information be amended.
Requests to access or correct your personal information held by the Department will be processed in accordance with the provisions of the Freedom of Information Act 1991.

For further information refer to the Department of Treasury & Finance web page (www.treasury.tas.gov.au) or contact the Revenue Branch’s Freedom of Information Officer:

      Assistant Director, Research Analysis & Legislative Review
      80 Elizabeth Street
      Hobart TAS 7000
      Telephone: (03 6233 2694)
      email: foi@treasury.tas.gov.au
If you are not satisfied with the handling or outcome of your request for access to or correction of your personal information, you can lodge a complaint with the Ombudsman. The Ombudsman's Office can be contacted on 03 6233 6217, or 1800001170 (cost of local call outside Hobart area) and by email at ombudsman@justice.tas.gov.au.

Use and Disclosure of Personal Information
My staff are only provided with, or have access to, the information that is necessary for them to carry out their functions. Additionally, all staff are bound by strict confidentiality requirements imposed under the Acts I administer..

As a law enforcement agency, I consider that non-compliance with the provisions of PIPP 2(1) is reasonably necessary for the purpose of carrying out my functions and activities where I am collecting personal information that is also law enforcement information.

Personal information will be used only for the purposes described in the Information Collected section above. Your personal information can only be disclosed as authorised by law. Specifically, my staff and I are bound by secrecy provisions in relation to the administrative activities undertaken and can only disclose information collected in accordance with those secrecy provisions (that is, as authorised by law) which enable disclosure:

(i)with your consent; or
(ii)in connection with the administration or execution of the Acts administered, (including for the purposes of legal proceedings); or
(iii)to specified persons, such as the Ombudsman, the Australian Securities and Investment Commission, a member of the police force, the Australian Statistician, the Auditor General, or other prescribed person; or
(iv)as required by another Act.
I also disclose personal information to service providers for the purposes of administrative functions associated with Acts that I administer. Service providers engaged by me are also required to comply with the requirements of the PIP Act and relevant secrecy provisions.

Some de-identified personal information5 I collect may be used in research, statistical analysis, state or national reporting, awareness programs, public statements or training, but not in a way to compromise the protection of personal information.

I also conduct some data matching activities for the purposes of ascertaining compliance with Acts that I administer and for the protection of public revenue.

Security of Personal Information
My staff and I use a number of procedural, physical, and technical safeguards, including access controls, secure methods of communication and back-up and recovery systems to protect information from misuse and loss, unauthorised access, modification and disclosure.

Generally, there is an intention that information is destroyed or permanently de-identified when it is no longer required, but this can only be done in accordance with processes approved by the State Archivist under the Archives Act 1983.


Peter Coe
COMMISSIONER OF STATE REVENUE

5 September 2005


1 a "law enforcement agency" includes a personal information custodian responsible for the protection of public revenue under any Act.

2 Refer to Attachment 1 for details of the Personal Information Protection Principles.

3 "law enforcement information" is information referred to in section 28(1) of the Freedom of Information Act 1991 (the FOI Act) as information which, if disclosed under the FOI Act would, or would be reasonably likely to
(a) prejudice –
(i) the investigation of a breach or possible breach of the law; or
(ii) the enforcement or proper administration of the law in a particular instance; or
(iii) the fair trial of a person; or
(iv) the impartial adjudication of a particular case; or
(b) disclose, or enable a person to ascertain, the identity of a confidential source of information in relation to the enforcement or administration of the law; or
(c) disclose methods or procedures for preventing, detecting, investigating or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures; or
(d) endanger the life or physical safety of a person.

4 Current schemes include:
  • Tasmanian Trainee & Apprentice Incentive Scheme (TTAIS)
  • Payroll Tax assistance to companies operating in the Information Technology industry
  • On-Road Diesel Fuel Subsidy by Bulk End Users
  • Off-Road Diesel Fuel Subsidy by Distributors

5 De-identified personal information has had details removed such that it is not possible to identify the person to whom the information relates.
ATTACHMENT 1
Personal Information Protection Principles (PIPP’s)

Note: As a law enforcement agency, the Commissioner of State Revenue has determined that non-compliance with the PIPP’s highlighted in italics is reasonably necessary for the purpose of carrying out his functions and activities where he is collecting personal information that is also law enforcement information.

Collection
1. (1) A personal information custodian must not collect personal information unless the information is necessary for one or more of its functions or activities.
(2) A personal information custodian must collect personal information only by lawful means.
(3) Before collection, during collection or as soon as practicable after collection of personal information about an individual from the individual, the personal information custodian must take any reasonable steps necessary to ensure that the individual is aware of the following:
      (a) its identity and how to contact it;

      (b) the individual's right of access to the information;

      (c) the purposes for which the information is collected;

      (d) the intended recipients or class of recipients of the information;

      (e) any law that requires the information to be collected;

      (f) the main consequences for the individual if all or part of the information is not provided.

(4) If it is reasonable and practicable to do so, a personal information custodian must collect personal information about an individual only from that individual.
(5) If a personal information custodian collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is made aware of the matters referred to in subclause (3) unless doing so would pose a serious threat to the life, safety, health or welfare of any individual.

Use and disclosure
2. (1) A personal information custodian must not use or disclose personal information about an individual for a purpose other than the purpose for which it was collected unless –
      (a) both of the following apply:
          (i) that purpose is related to the primary purpose and, if the personal information is sensitive information, that information is directly related to the primary purpose;

          (ii) the individual would reasonably expect the personal information custodian to use or disclose the information for that purpose; or

      (b) the individual has consented to the use or disclosure; or
      (c) if the use or disclosure is necessary for research or the compilation or analysis of statistics in the public interest, other than for publication in a form that identifies any particular individual –
          (i) it is impracticable for the personal information custodian to seek the individual's consent before the use or disclosure; or

          (ii) the personal information custodian reasonably believes that the recipient of the information is not likely to disclose the information; or

      (d) the personal information custodian reasonably believes that the use or disclosure is necessary to lessen or prevent –
          (i) a serious threat to an individual's life, health, safety or welfare; or

          (ii) a serious threat to public health or public safety; or

      (e) the personal information custodian has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
      (f) the use or disclosure is required or authorised by or under law; or
      (g) the personal information custodian reasonably believes that the use or disclosure is reasonably necessary for any of the following purposes by or on behalf of a law enforcement agency:
          (i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;

          (ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

          (iii) the protection of the public revenue;

          (iv) the prevention, detection, investigation or remedying of conduct that is in the opinion of the personal information custodian seriously improper conduct;

          (v) the preparation for, or conduct of, proceedings before any court or tribunal or implementation of any order of a court or tribunal;

          (vi) the investigation of missing persons;

          (vii) the investigation of a matter under the Coroners Act 1995; or

      (h) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the personal information custodian to disclose the personal information and –
          (i) the disclosure is made to an officer or employee of ASIO or ASIS appropriately authorised in writing to receive the disclosure; and

          (ii) an officer or employee of ASIO or ASIS so authorised certifies that the disclosure is connected with the performance by ASIO or ASIS of its functions; or

      (i) the personal information is to be used as employee information in relation to –
          (i) the suitability of the individual for appointment; or

          (ii) the suitability of the individual for employment held by the individual; or

      (j) the personal information is employee information which is being transferred from one personal information custodian to another personal information custodian for use as employee information relating to the individual; or
      (k) subclause (4) or section 12 applies.
(2) If a personal information custodian uses or discloses personal information under subclause (1)(g), it must make a written note of the use or disclosure.
(3) Subclause (1) applies to personal information collected by a personal information custodian that is a body corporate from a related body corporate as if the primary purpose of that collection were the primary purpose for which the related body corporate collected the information.
(4) A personal information custodian that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if –
      (a) the individual is –
          (i) physically or legally incapable of giving consent to the disclosure; or

          (ii) physically unable to communicate consent to the disclosure; and

      (b) the natural person providing the health service for the personal information custodian is satisfied that the disclosure –
          (i) is necessary to provide appropriate care or treatment of the individual; or

          (ii) is made for compassionate reasons; and

      (c) the disclosure is not contrary to any wish –
          (i) expressed by the individual before the individual became unable to give or communicate consent; and

          (ii) of which the natural person is aware, or of which he or she could reasonably be expected to be aware; and

      (d) the disclosure is limited to the extent reasonable and necessary for the purpose mentioned in paragraph (b).
(5) A person is responsible for an individual if the person –
      (a) is a parent of the individual; or

      (b) is a child or sibling of the individual and at least 18 years of age; or

      (c) is a spouse of the individual; or

      (d) is in a personal relationship, within the meaning of the Relationships Act 2003, with the individual; or

      (e) is a relative of the individual, at least 18 years of age and a member of the individual's household; or

      (f) is a guardian of the individual; or

      (g) is exercising enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or

      (h) is nominated by the individual to be contacted in case of emergency.


Data quality
3. A personal information custodian must take reasonable steps to ensure that, having regard to the purpose for which the personal information is to be used, the personal information it collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to its functions or activities.

Data security
4. (1) A personal information custodian must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure.
(2) A personal information custodian must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
(3) A personal information custodian, the records of which are subject to the Archives Act 1983, must take the reasonable steps referred to in subclause (2) only with the approval of the State Archivist.

Openness
5. (1) A personal information custodian must clearly set out in a document its policies on its management of personal information.
(2) A personal information custodian must make the document available to anyone who asks for it.
(3) On request by a person, a personal information custodian must take reasonable steps to advise the person, in general terms, of –
      (a) the sort of personal information it holds; and

      (b) the purposes for which it holds the information; and

      (c) how it collects, holds, uses and discloses that information.

Access and correction
6. (1) If a personal information custodian holds personal information about an individual, it must provide the individual with access to the information in accordance with Parts 2 and 3 of the Freedom of Information Act 1991, as if it were subject to that Act, and as if a reference to an agency or Minister in that Act were a reference to a personal information custodian.
(2) An individual may request amendment of his or her personal information in accordance with Part 4 of the Freedom of Information Act 1991 if that information is incorrect, incomplete, out of date or misleading, whether or not the personal information custodian is subject to that Act, as if a reference to an agency or Minister in that Act were a reference to a personal information custodian.

Unique identifiers
7. (1) A personal information custodian must not assign a unique identifier to an individual unless it is necessary for it to carry out any of its functions efficiently.
(2) A personal information custodian must not adopt as its own unique identifier of an individual a unique identifier that has been assigned to the individual by another personal information custodian unless –
      (a) that adoption is necessary for it to carry out any of its functions efficiently; or

      (b) it has obtained the consent of the individual to the use of the unique identifier; or

      (c) it is a body, an organisation or an individual adopting the unique identifier created by a personal information custodian in the performance of its obligations to the personal information custodian under a personal information contract.

(3) A personal information custodian must not use or disclose a unique identifier assigned to an individual by another personal information custodian unless –
      (a) the use or disclosure is necessary for it to fulfil its obligations to the other personal information custodian; or

      (b) clause 2(1) applies.

(4) A personal information custodian must not require an individual to provide a unique identifier in order to obtain a service unless the provision –
      (a) is required or authorised by law; or

      (b) is in connection with the purpose, or a directly related purpose, for which the unique identifier was assigned.

Anonymity
8. Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with a personal information custodian.

Disclosure of information outside Tasmania
9. A personal information custodian may disclose personal information about an individual to another person or other body who is outside Tasmania only if –
      (a) the personal information custodian reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that has principles for fair handling of the information that are substantially similar to the personal information protection principles; or

      (b) the individual consents to the disclosure; or

      (c) the disclosure is necessary for –

          (i) the performance of a contract between the individual and the personal information custodian; or

          (ii) the conclusion or performance of a contract concluded in the interest of the individual between the personal information custodian and a third party; or

      (d) the personal information custodian has taken reasonable steps to ensure that the information which it has disclosed is not to be held, used or disclosed by the recipient of the information inconsistently with the personal information protection principles; or
      (e) the disclosure is authorised or required by any other law.
Sensitive information
10. (1) A personal information custodian must not collect sensitive information about an individual unless –
      (a) the individual has consented; or

      (b) the collection is required or permitted by law; or

      (c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual and the individual to whom the information relates –

          (i) is physically or legally incapable of giving consent to the collection; or

          (ii) physically cannot communicate consent to the collection; or

          (iii) is subject to a guardianship order under the Guardianship and Administration Act 1995 or the Mental Health Act 1996; or

      (d) the information is collected in the course of the activities of a non-profit personal information custodian that has only racial, ethnic, political, religious, philosophical, professional, trade or trade union aims and –
          (i) the information relates solely to the members of that personal information custodian or to individuals who have regular contact with it in connection with its activities; and

          (ii) at or before the time of collection, the personal information custodian undertakes to the individual to whom the information relates that it will not disclose the information without the individual's consent; or

      (e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim; or
      (f) subclause (2), (3), (4) or (6) applies.
(2) A personal information custodian may collect sensitive information about an individual if –
      (a) either of the following applies:
          (i) the collection is necessary for research or the compilation or analysis of statistics in the public interest and any resulting publication does not identify the individual;

          (ii) the information relates to an individual's racial or ethnic origin and is collected for the purpose of welfare or educational services funded by government; and

      (b) there is no reasonably practicable alternative to collecting the information for a purpose referred to in paragraph (a); and
      (c) it is impracticable for the personal information custodian to seek the individual's consent to the collection.
(3) A personal information custodian may collect sensitive information that is health information about an individual if –
      (a) the information is necessary to provide a health service to the individual; and

      (b) the information is collected –

          (i) as required by law, other than this Act; or

          (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian.

(4) A personal information custodian may collect sensitive information that is health information about an individual if –
      (a) the collection is necessary for any of the following purposes:
          (i) research relevant to public health or public safety;

          (ii) the compilation or analysis of statistics relevant to public health or public safety;

          (iii) the management, funding or monitoring of a health service; and

      (b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
      (c) it is impracticable for the personal information custodian to seek the individual's consent to the collection; and
      (d) the information is collected –
          (i) as required by law, other than this Act; or

          (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian.

(5) If a personal information custodian collects sensitive information that is health information about an individual in accordance with subclause (4), it must take reasonable steps to permanently de-identify the information before disclosing it.
(6) A personal information custodian may collect sensitive information that is health information from an individual about another person without the consent of that other person if both the following apply:
      (a) the collection is necessary for the provision of any health service provided to the individual;

      (b) the information is relevant to the social or family history of the individual.

Sections