Privacy policy

About this policy

This privacy policy explains how the Independent Parliamentary Expenses Authority (IPEA) manages the personal information it collects. The purpose of this privacy policy is to:

• clearly communicate the personal information handling practices of IPEA,
• enhance the transparency of IPEA’s operations, and
• give individuals a better understanding of the nature of the personal information IPEA holds, and the way IPEA handles that information.

1. Our privacy obligations

1.1 IPEA values your privacy and takes its obligations under the Privacy Act 1988 (Privacy Act) seriously. IPEA has obligations for handling personal information as outlined in the:

• the Privacy Act;
• Australian Privacy Principles (APPs) (which are contained in Schedule 1 to the Privacy Act);
• Australian Government Agencies Privacy Code (the Privacy Code); and
• Archives Act 1983 (the Archives Act).

1.2 The Privacy Act legislates the way in which IPEA collects, stores, provides access to, amends, uses and discloses an individual's personal information.

1.3 This privacy policy helps to explain your rights and IPEA's obligations under the Privacy Act.

2. What is privacy?

2.1 IPEA requires individuals to provide certain personal and sensitive information so that we can provide them with particular services as parliamentarians, staff employed under the Members of Parliament (Staff) Act 1984 (MOPS Act staff), the nominees of members of parliament or to manage the employment of IPEA staff.

2.2 The Privacy Act does not regulate all of IPEA’s information. It only regulates information relating to individuals.

2.3 As an individual you can generally expect to know:

• when your personal information is being collected by IPEA,
• who will have access to this information,
• what the information will be used for,
• how it will be stored and for how long, and
• whether it will be disclosed to a person or entity other than IPEA.

3. What certain terms in this policy mean

3.1 Personal and sensitive information

Personal information is defined in the Privacy Act to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable:

1. whether the information or opinion is true or not, and

2. whether the information or opinion is recorded in a material form or not.

Sensitive information is a subset of personal information and includes information or an opinion about an individual's:

• racial or ethnic origin,
• political opinions,
• religious beliefs or affiliations,
• philosophical beliefs,
• sexual orientation,
• criminal record,
• health information, and
• genetic information.

Any sensitive information that IPEA holds is subject to additional protection under the Privacy Act.

4. Collection of personal information

4.1 IPEA collects personal information for purposes relating to the administration of its functions under the Independent Parliamentary Expenses Authority Act 2017 (IPEA Act), including:

• processing claims for travel expenses and travel allowances in relation to current and former Members of Parliament, their staff and eligible nominees,
• administering and monitoring payments under the parliamentary business resources framework,
• auditing a parliamentarians' use of work resources,
• giving advice to current and former Members of Parliament about travel expenditure matters; and
• providing secretariat support to the Members of IPEA.

IPEA also collects personal information for IPEA employment related purposes, including:

• recruitment,
• staff management,
• workers' compensation claims and rehabilitation,
• workplace health and safety obligations,
• public interest disclosures,
• administering relevant superannuation benefits, and
• processing entitlements and managing the conditions of employment of persons employed by IPEA.

5. Dealing with IPEA without being identified or using a pseudonym

5.1 IPEA will allow you to remain anonymous or use a pseudonym if you wish when dealing with IPEA, unless it is impractical or not possible to do so. Situations where you do not have to identify yourself or you can use a pseudonym may include when you seek general information from IPEA or where making a complaint or providing feedback. Identification will generally only be necessary where it would be appropriate or necessary to identify yourself.

6. How we safeguard personal information

6.1 IPEA takes its obligations to protect the personal information it holds seriously. We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure.

These steps include:

• classifying and storing records securely per Australian government security guidelines,
• internal access to information is only granted on a 'need to know' basis and only by authorised personnel,
• monitoring system access, and only permitting access by authenticated credentials,
• ensuring IPEA’s building is secure with 24 hour security surveillance, and
• regularly updating and auditing IPEA’s storage and data security systems.

6.2 When personal information about you is collected from a third party, IPEA takes steps to inform you of this collection. This may occur through this Privacy Policy, notices or discussions with our staff.

6.3 If personal information that IPEA holds is lost, or subject to unauthorised access or disclosure, we will respond in line with the Office of the Australian Information Commissioner's Data breach preparation and response - a guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) and our own Data Breach Response Plan. We aim to provide timely advice to affected individuals if a data breach is likely to result in serious harm.

7. The kinds of information we hold

7.1 In performing our functions, IPEA may collect and hold the following kinds of personal and sensitive information:

• information relating to current and former Members of Parliament and their nominees for the administration, monitoring and auditing of work expenses, including financial information,
• names, addresses and phone numbers of parliamentarians and their staff,
• information about parliamentarians' work, including work in their electorate.
• schedules and travel itineraries,
• sensitive information, for example, information about a person's political party membership and associated activities engaged in by that person,
• information about job applicants and employees relating to employment with IPEA (e.g. personal details, referee and emergency contact details, banking information, superannuation details, employment contracts, training and development, performance management, leave records, etc.),
• information relating to staff employed under the Members of Parliament (Staff) Act 1984 in the context of the administration, monitoring and auditing of travel expenses, including financial information,
• comments on IPEA social networking services, and
• information relating to the performance of IPEA's obligations as an employer, for example work health and safety assessments, incidents and investigations in accordance with the Work Health and Safety Act 2011.

7.2 IPEA may also collect information about how you use our online services and applications. For example, we may use social networking services such as Facebook, Twitter and LinkedIn to communicate with the public and our staff. When you talk with us using these services we may collect your personal information to communicate with you and the public. These social networking services will also handle your personal information for their own purposes. These services have their own privacy policies. You can access the privacy policies for these services on their websites.

8. Sensitive information

8.1 IPEA may collect and hold sensitive information about you in certain circumstances. This information may include:

• racial or ethnic origin,
• political opinions,
• criminal record (for example, in the context of recruitment activities or security assessments), and
• health information (for example, medical history, or information relating to a work-related injury in the context of a work health and safety assessment/incident/investigation or workers' compensation claim).

9. How we use and disclose information

9.1 IPEA may use and disclose collected personal information for the purpose it was first collected (the primary purpose). We will take reasonable steps to give you information about the reason for collection at the time of collection, or as soon as practicable after collection. IPEA will only use and disclose your personal information for a secondary purpose if Australian Privacy Principle 6 (APP 6) allows it.

Australian Privacy Principle 6 - use or disclosure of personal information

Use or disclosure

6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:

1. the individual has consented to the use or disclosure of the information; or
2. subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.

9.2 Regulation 9.2 of the Public Service Regulations 1999 also provides authority for personal information about APS employees to be disclosed by IPEA in certain circumstances.

PUBLIC SERVICE REGULATIONS 1999 - REG 9.2

Use and disclosure of personal information (Acts 72E)

For paragraph 72E(a) of the Act, an Agency Head may use personal information in the possession, or under the control, of the Agency Head, if the use is necessary for, or relevant to, the performance or exercise of the employer powers of the Agency Head.

For paragraph 72E (a) of the Act, an Agency Head may disclose personal information in the possession, or under the control, of the Agency Head if the disclosure is necessary for, or relevant to:

1. the performance or exercise of the employer powers of the Agency Head or another Agency Head; or
2. the exercise of a power or performance of a function of the Australian Public Service Commissioner; or
3. the exercise of a power or performance of a function of the Merit Protection Commissioner; or
4. the performance of a function of an Independent Selection Advisory Committee (ISAC).

Australian Privacy Principle 8 -cross-border disclosure of personal information

9.3 IPEA may disclose personal information to overseas entities (such as a foreign government or agency) where this is a necessary part of our work. We will only do this with your consent or in other circumstances allowed by APP 8.

9.4 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

1. who is not in Australia or an external Territory; and
2. who is not the entity or the individual;

The entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

9.5 IPEA may also use third party providers or website such as Facebook, Twitter, Campaign Monitor, LinkedIn, YouTube and others to deliver or otherwise communicate content. Such third-party sites have their own privacy policies and may send their own cookies to your computer. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.

10. Collection through the IPEA website

How the information is collected and held (including data quality and security)

10.1 IPEA does not automatically collect personal information about you when you visit the IPEA website. You can use this website without telling us who you are or revealing other personal information.

10.2 If you fill out the IPEA feedback or subscription form, you do not need to identify yourself or use your real name.

10.3 If you fill in a feedback, subscription or contact form, we may collect the email address you provide and any other identifying information you include, such as a name or phone number.

How we protect your personal information

10.4 The IPEA website is hosted in Australia in secure, government-accredited facilities. 

10.5 In compliance with APP 11 IPEA has a range of security measures in place to protect personal information. For example:

• access to information collected from clients is restricted to authorised persons on a need-to-know basis,
• our internal networks and databases are protected using firewall, intrusion detection and other technologies
• submissions made using forms on our website are encrypted
• our premises are under 24-hour surveillance. Access is via security passes only, with all access and attempted access logged electronically
• we regularly conduct system audits and staff training. This ensures we adhere to our established protective and computer security practices.

Purposes for which information is collected, held, used and disclosed

10.6 IPEA does not use information from its website to identify individuals. De-identified information may be disclosed to the IPEA's information and communications technology (ICT) providers.

Email lists and feedback

10.7 IPEA will collect information that you provide to us when signing up to mailing lists and when submitting feedback through our website.

Collection through our website

10.8 We use cookies and other similar tracking technologies so that we can improve our content and provide you with the best user experience. Cookies are text files which are downloaded to your device when you visit our website and allow our website to recognise your preferences and settings.

10.9 In addition, our website uses Google Analytics to help us better understand and analyse our website/application traffic and usage. Google Analytics uses cookies which generates information about your use of our website (including your IP address). This information is transmitted to and stored by Google on servers in the United States.

10.10 By using the IPEA website, you consent to the processing of data about you by Google in the manner described in 'How Google uses data when you use our partners' sites or apps' which is located at www.google.com/policies/privacy/partners/ (or any other URL Google may provide from time to time). You can configure your browser to accept or reject all cookies, including opting-out of Google Analytic cookies at: bJ:Jps://tools.google.com/dlpage/gaoptout.

11. Accessing and correcting personal information

11.1 IPEA allows individuals to have access to their personal information that we hold and we will correct an individual's personal information if it is inaccurate (subject to restrictions on such access/alteration of records under the applicable provisions of any law of the Commonwealth).

11.2 To request access to, or correction of, your personal information please contact our Privacy Officer by email privacy@ipea.gov.au . Discussing your request with our Privacy Officer will help us give you early guidance about your request. This may include guidance about whether your request is best dealt with under the Privacy Act, the FOI Act or another arrangement.

11.3 The Freedom of Information Act 1982 also provides an opportunity to request access to documents in the possession of IPEA. An individual who wishes to access the personal information the agency holds about them and to seek correction of that information can email their request to foi@ipea.gov.au .

12. Privacy Impact Assessments

The Privacy (Australian Government Agencies - Governance) Australian Privacy Principles Code 2017 (the Code) requires agencies, including IPEA, to conduct a Privacy Impact Assessment (PIA) for all high privacy risk projects. A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

12.1 PIAs completed by IPEA, since the Code commenced on 1 July 2018, are listed on IPEA’s website at Privacy Impact Assessment (PIA) Register | Independent Parliamentary Expenses Authority.

13. Roles and Responsibilities- Privacy Champion and Privacy Officer

13.1 Privacy Officer

IPEA’s Privacy Officer is the primary point of contact for advice on privacy matters and is responsible for:

• handling of internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Act,
• maintaining a record of IPEA's personal information holdings,
• assisting with the preparation of privacy impact assessments (PIAs),
• maintaining IPEA's register of PIAs, and
• measuring and documenting IPEA's performance against its privacy management plan (PMP) at least annually.

13.2 Privacy Champion

The IPEA Privacy Champion is the Chief of Transparency, Integrity and Legal (TIL) who is responsible for:

• promoting a culture of privacy within IPEA that values and protects personal information,
• providing leadership within IPEA on broader strategic privacy issues,
• reviewing and/or approving IPEA's PMP, and documented reviews of IPEA's progress against the PMP, and
• providing regular reports to IPEA's executive, including about any privacy issues arising from IPEA's handling of personal information.

13.3 How to contact our Privacy Officer

Contact IPEA's Privacy Officer if you want to:

• ask questions about our Privacy Policy, or if you need a copy of this Policy in an alternative format;
• obtain access to or seek correction of your personal information held by IPEA; or
• make a privacy complaint about IPEA. 

You can contact us by:

Post: Privacy Officer

Independent Parliamentary Expenses Authority One Canberra Avenue

FORREST ACT 2603

Email: privacy@ipea.gov.au

14. How to make a privacy complaint

14.1 IPEA has a formal complaint management process for privacy complaints. If you are not satisfied with how we have collected, held, used or disclosed your personal information, you can make a formal complaint to our Privacy Officer on the contact details listed above.

14.2 You have the option to remain anonymous, although this may inhibit IPEA's ability to appropriately investigate your concerns.

14.3 In responding to enquiries and complaints, IPEA takes all reasonable steps to ensure it does not disclose personal information inappropriately.

14.4 Your complaint should include:

A short description of your privacy concern,

• any action or dealings you have had with IPEA staff to address your concern; and
• your preferred contact details so we can contact you about your complaint.

If we do not resolve your privacy complaint to your satisfaction, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

14.5 The OAIC can receive privacy complaints through:

• the online Privacy Complaint form:
• by email (email that is not encrypted can be copied or tracked) at enquiries@oaic.gov.au
• by mail (if a person has concerns about postal security, they might want to consider sending their complaint by registered mail).

Post: Office of the Australian Information Commissioner 

GPO Box 5218

Sydney NSW 2001

14.6 IPEA will review this policy periodically to ensure that it continues to provide transparent and current information about how IPEA's policies and practices affect your personal and sensitive information

15. Privacy Management Plan

15.1 IPEA maintains a Privacy Management Plan (PMP) that identifies its specific, measurable privacy targets and goals. The PMP also explains how IPEA meets its compliance obligations under APP 1.2.

15.2 The IPEA PMP is updated as needed.

Schedule A - Australian Privacy Principles Quick Reference Guide