Privacy Policy

Introduction

The Murray-Darling Basin Authority (MDBA) is subject to the Privacy Act 1988 (Cth) (the Privacy Act), and the requirements of the Australian Privacy Principles (APPs) at Schedule 1 of the Privacy Act.

The APPs regulate how agencies collect, use, disclose and store personal information, including sensitive information, and how individuals may access and correct records containing their personal information. The MDBA has implemented a 'privacy by design' approach to ensuring that privacy compliance and governance are robust. This includes ensuring that privacy compliance is included in the design of information systems and agency practices and in the implementation of those arrangements.

The roles of the MDBA's Privacy Officers and its Privacy Champion are central to this commitment. All MDBA staff and contract service providers who undertake work on behalf of the MDBA must comply with the APPs. We also require all staff to undertake annual Privacy training.

This Privacy Policy was last updated in April 2019. This Privacy Policy will next be reviewed in February 2020 or earlier as required and any changes will be notified on our website.

The MDBA reviews privacy risks, all relevant privacy processes, policies, notices and any other relevant privacy documentation and consults with Executive to measure privacy performance annually. The results of these reviews are then used to improve our privacy processes and practices through the consideration of existing and/or emerging privacy issues. The Executive will be provided with an annual report on the agency's privacy performance.

If appropriate, the MDBA will consider external review/audit of our privacy processes and practices.

This is the complete version of our Privacy Policy.

What is personal information?

When used in this Privacy Policy, the terms 'personal information' and 'sensitive information' have the meaning given to them by the Privacy Act under section 6.

Personal information means 'any information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not'.

Examples include an individual's name, signature, address, telephone number, date of birth, medical records, bank account details, photos and videos.

Sensitive information means:

  1. information or an opinion about an individual's:
    1. racial or ethnic origin; or
    2. political opinions; or
    3. membership of a political association; or
    4. religious beliefs or affiliations; or
    5. philosophical beliefs; or
    6. membership of a professional or trade association; or
    7. membership of a trade union; or
    8. sexual orientation or practices; or
    9. criminal record;

     that is also personal information; or
  2. health information about an individual; or
  3. genetic information about an individual that is not otherwise health information; or
  4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  5. biometric templates.

Additional protections apply to the collection and handling of sensitive information.

Types of personal information we collect

The main kinds of personal information we collect and hold relate to:

  • personnel, payroll, and recruitment, Fringe Benefits Tax return, worker's compensation returns;
  • program records related to our business activities and functions;
  • our enforcement functions;
  • procurement and contracts, including tenders;
  • contact and mailing lists;
  • requests for publications;
  • Freedom of Information and Privacy requests and responses; and
  • access to ICT equipment and security passes.

Personal information we collect may include (but is not limited to):

  • name, address and contact details;
  • photos, videos and audio recordings;
  • information about personal circumstances and identity, including marriage status, age, gender, date of birth and occupation;
  • business and financial details and assets including bank, property and water license details;
  • water usage details; and
  • employment details, including employment history and payroll details.

We maintain a centralised record of the types of personal information we hold called a Personal Information Holdings Register.

How we collect your information

Collection of personal information

The MDBA collects personal information only where it is reasonably necessary for, or directly related to, the MDBA's functions or activities. When collecting personal information, the MDBA may collect it in a number of ways that include:

  • through correspondence and application forms;
  • during conversations;
  • through subscription for information and updates of programs and functions administered by us;
  • through contact and mailing lists;
  • through participation in our stakeholder engagement processes and public and statutory consultations;
  • as part of the complaints process; and
  • use of our website.

We will usually collect personal information directly from the person concerned; however, we may collect personal information from a third party with consent of the person concerned, where it is unreasonable or impracticable to collect the information from the person concerned or where we are authorised or required by law to collect the information from someone else. We may obtain personal information collected by other Australian Government agencies, state or territory governments, our service providers and contractors, other third parties, including the Murray-Darling Basin Commission, or from publicly available sources, in the circumstances set out above.

When we receive personal information that we did not ask for, we deal with it as if we had requested it.

When we collect personal information, we are required under the APPs to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information, including if those persons or bodies are located overseas. We usually provide this notification by including privacy notices on our forms and online portals.

Collection of sensitive information

In carrying out our functions or activities we may collect personal information that is sensitive information. The APPs impose additional obligations on us when collecting, using or disclosing sensitive information. We may only collect sensitive information from you:

  • if you consent and the information is reasonably necessary for, or directly related to, one or more of our functions or activities;
  • if required or authorised by law; or
  • where a permitted general situation exists (e.g. to lessen or prevent a serious threat to life, health or safety [1]).

We may also collect sensitive information, where authorised to do so, for the purposes of human resource management, detection and investigation of fraud and misconduct, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.

Remaining anonymous or using a pseudonym

  • You have the option of dealing with us without revealing your identity. You may remain anonymous or use a pseudonym, unless we are required or authorised by law to deal only with an identified person, or it is impracticable for us to respond to you if you have not identified yourself, e.g. to deliver a publication to you, or provide you with feedback.
  • If you use a pseudonym, MDBA will not link other personal information to the pseudonym unless required or authorised by law, it is impracticable for us to act differently, or you have consented to a link.
  • The MDBA may seek submissions and comments from the Murray–Darling Basin community and stakeholder groups on the implementation of the Basin Plan and may also publish them. You will need to provide your name with the submission but you may use a pseudonym for publication purposes.

Information storage and security

Information storage

  • Personal information is stored in paper and electronic form, including cloud storage.
  • Storage of personal information (and the disposal of information when no longer required for business purposes) is managed in accordance with the Australian Government's records management regime, including the Archives Act 1983 (Cth), General Records Authorities and Agency-specific records authorities.

Information security

  • MDBA uses a range of physical and electronic systems to store the personal information and takes all reasonable steps to secure the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
  • These measures include, but are not limited to, restricted physical access to our offices; secure cupboards and storage containers for paper records; secure computer systems and networks for electronic records; controlled access to databases by authorisation, training and passwords; workplace policies; and regular review and testing of our physical and electronic systems.
  • Commonwealth Government policy requires the MDBA to create and maintain an effective protective security environment as outlined in the Protective Security Policy Framework (PSPF) and it is mandatory for all staff to protect our assets and information from theft, unauthorised access and disclosure. Security risks are continually reviewed and assessed and staff are instructed in proper security practices, including a clear desk policy and the use of appropriate security containers reflecting the type and security classification of the personal information.
  • All internal electronic records are processed, stored and maintained in accordance with the MDBA's information security management system which is designed to protect the confidentiality, integrity, and availability of electronic information. It is mandatory for all staff who use the MDBA computer systems, including contractors, consultants and volunteers, to comply with the Acceptable Use of Information and Communication Technology Resources. All records held externally are stored and secured in accordance with the PSPF.
  • We will consider the privacy implications of new technologies and new security risks and threats in consultation with the Chief Information Officer (CIO).

The purposes for which the MDBA collects, holds, uses and discloses personal information

The MDBA collects personal information for a variety of different purposes relating to the MDBA's functions and activities including:    

  • performing our employment and personnel functions in relation to our staff, contractors and service providers;
  • performing our legislative and administrative functions, including under the Water Act 2007 (Cth);
  • policy development, research and evaluation;
  • compliance purposes, including complaints handling;
  • to engage with and educate stakeholders and the Basin community in the planning, management and use of the Basin's resources;
  • to implement the Murray–Darling Basin Plan, including public consultation, water resource planning and water trading rules;
  • program management; and
  • contract management.

The MDBA carries out its functions directly and through Basin state government agencies in partnership with the Australian Government. More information about the MDBA's role and structure can be found in Part 9, Division 2 of the Water Act 2007 (Cth) on our website, in our Annual Report and in our Information Publication Scheme.

In most cases, we use and disclose personal information for the primary purpose for which it is collected. There are some circumstances in which the MDBA is permitted to use or disclose personal information for another purpose. Those other purposes include where:

  • we can obtain your consent to use the information for that other purpose;
  • you would reasonably expect us to use or disclose the information for a secondary purpose that is related to the primary purpose (for sensitive information, this secondary purpose must be directly related to the primary purpose);
  • the use or disclosure is required or authorised under law;
  • we reasonably believe the disclosure is necessary for an enforcement related purpose; and/or
  • a permitted general situation exists (e.g. to lessen or prevent a serious threat to life, health or safety).

For additional information regarding use or disclosure of personal information, please refer to the APP 6 Guidelines developed by the Office of the Australian Information Commissioner (OAIC).

Likely secondary purposes for which we may use or disclose your personal information include but are not limited to:

  • quality assurance;
  • auditing;
  • reporting;
  • research, evaluation and analysis;
  • investigations of fraud or misconduct; and
  • promotional/engagement purposes.

Disclosure of personal information overseas

  • The MDBA is not likely to disclose personal information to overseas recipients.

Accidental or unauthorised disclosure of personal information

We follow the OAIC's Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) when handling accidental or unauthorised disclosures of personal information, as well as Part IIIC of the Privacy Act, which deals with the notification of 'eligible data breaches' (data breaches a reasonable person would conclude would be likely to result in serious harm to an individual).

The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act came into force in February 2018.

The MDBA among other organisations is obligated under the NDB scheme to notify affected individuals and the Commissioner of data breaches that may cause serious harm. This can include data breaches that are likely to result in serious financial harm, or harm to affected individuals' mental or physical well-being. The MDBA has developed a tailored plan to follow if a data breach has occurred. If you are subject to a data breach and you experience emotional distress, there are support services that can help you. More guidance about data breaches is available on the OAIC's website.

Our website and social media accounts

Visiting our website

Our website has been developed consistently with the APPs and we also follow the Guidelines for Federal and ACT Government websites issued by the OAIC.

When you visit our website to read or download information, we may record, through our web server log files or Google Analytics, the following non-personal information for statistical purposes:

  • your server address;
  • your top level domain name (e.g. '.gov', '.com', '.edu', '.org', '.au', '.nz' etc.);
  • the pages you accessed and the documents you downloaded;
  • the search terms you used;
  • the date and time you visited the site;
  • the previous site you visited;
  • your operating system (e.g. Windows, Macintosh); and
  • the type of browser you use (e.g. Internet Explorer).

This data helps us manage our website efficiently and securely, including monitoring to prevent security breaches and to enhance the website to meet your needs. No attempt is made to identify you or your browsing activities, except in the unlikely event of a criminal investigation, e.g. where a law enforcement agency may exercise a warrant to inspect our Internet Service Provider's (ISP) logs.

Google Analytics

We use Google Analytics to collect data about your interaction with our website. The sole purpose of collecting your data in this way is to improve your experience when using our site. The types of data we collect with Google Analytics include:

  • your device's IP address (collected and stored in an anonymized format);
  • device type, operating system and browser information;
  • geographic location (country and state only);
  • referring domain and out link if applicable;
  • search terms, pages visited, files downloaded and any other click event while browsing the mdba.gov.au pages;
  • date and time when website pages were accessed; and
  • how long you spend on each 'mdba.gov.au' page.

This data helps us manage our website efficiently and securely, including monitoring to prevent security breaches and to enhance the website to meet your needs. No attempt is made to identify you or your browsing activities, except in the unlikely event of a criminal investigation, e.g. where a law enforcement agency may exercise a warrant to inspect our Internet Service Provider's (ISP) logs.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. Please refer to Google's privacy policy. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use Google's opt-out service.

Cookies

  • Cookies are pieces of information that a website can transfer to your web browser. Parts of our website may store cookies on your browser in order to service you better when you next visit the site.
  • You can change your web browser's settings to reject cookies or to prompt you each time a website wishes to add a cookie to your browser. Some functionality on the website may be affected by this.
  • For more information about cookies and instructions on how to adjust your browser settings to restrict or disable cookies, see the Office of the Australian Information Commissioner's Privacy Fact Sheet 4 or the Interactive Advertising Bureau website.

Security

  • The MDBA maintains the same level of security for personal information collected electronically as it does for personal information collected on paper. However, if you are providing personal information via an email or an online form you should be aware that there are some risks to transmitting data via the Internet.

Links to external web sites

  • The MDBA's web site contains links to other web sites. The MDBA is not responsible for the content and the privacy practices of other web sites and encourages you to examine each web site's privacy policy and make your own decisions regarding the accuracy, reliability and correctness of material and information found.

Accessing our social media accounts

  • When using Free Flow – the MDBA blog, or Facebook, Twitter or YouTube, the information posted on their pages is used only to administer the pages and to consider and respond to any comments you make. No attempt will be made to further identify you except where authorised or required by law.
  • Free Flow is managed by the MDBA and is hosted on govspace, the whole of government blog and website platform managed by the Department of Finance. We only record your personal information if you comment on the blog or send us an email. We use Google Analytics to collect statistical web traffic information.

The MDBA is not responsible for the privacy practices of Facebook, Twitter or YouTube and you should refer to their privacy policies on their websites: Facebook privacy policy; Twitter privacy policy; and YouTube privacy policy.

Accessing and correcting your personal information

How to request access to and correction of personal information

  • You have the right to apply for access to or request correction of the personal information that we hold about you under the Privacy Act if you think the information is inaccurate, out of date, incomplete, irrelevant or misleading.
  • To protect your privacy and the privacy of others, when you contact us we may need to verify your identity.
  • To access or seek correction of personal information we hold about you, please contact us using the details provided under the contact us section below. The Privacy Act does not require you to seek access to your personal information in any particular way. However, to ensure your request for access is efficiently identified and processed, the MDBA prefers that you make your request via email.
  • Former MDBA employees seeking their employment details should initially do so in accordance with our personnel procedures. Please contact the Director, People, Policy and Planning Section, Corporate and Business Services Division.

Our access and correction process

  • If you request access to or correction of your personal information, we will acknowledge within 5 working days that we have received your request and we will respond to your request within 30 days.
  • If we refuse to give you access to your personal information or to correct it we will give you written reasons for the refusal, unless it is unreasonable to do so, for example, if providing a reason could prejudice a legal action. We will also provide you with information about how you can complain about our refusal, if you wish to do so.
  • It is also possible to access and correct documents held by the MDBA under the Freedom of Information Act 1982 (Cth). For more information on Freedom of Information requests please see our website.

Complaints

If you have any concerns about the way we handle your personal information and wish to make a complaint about a breach of the APPs, please contact the Privacy Contact Officer using the details provided under the contact us section below.

The MDBA is committed to the consistent, fair and confidential handling of a complaint. We are also committed to resolving complaints as quickly as possible, generally within 20 working days. You can also expect us to acknowledge your complaint and to keep you advised of progress.

If you are not satisfied with our response, you may request us to reconsider it. You may also make your complaint directly to the OAIC. However, in most cases the OAIC will refer you to us to make the complaint in the first instance.

Privacy Management Plan

A Privacy Management Plan (PMP) identifies specific, measurable goals and targets, and sets out how an agency will meet its compliance obligations under APP 1.2. The Australian Government Agencies Privacy Code requires agencies to have a privacy management plan, and to measure and document performance against the plan at least annually.

The MDBA's PMP, which has been endorsed by the Privacy Champion, outlines the actions we will be taking within the next 12 months to ensure we are compliant under APP 1.2.

Privacy Impact and Threshold Assessments

The MDBA has mandated that a Privacy Threshold Assessment (PTA) must be conducted at the beginning of any body of work that will involve any personal information being collected, stored, used or disclosed. If the project or program is identified as high risk then we are required to conduct a Privacy Impact Assessment (PIA).

A PIA is a systematic assessment of a project that identifies the impacts that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact. More information about PIAs is available on the OAIC website.

We maintain a PIA register on our website.

Contact us

Privacy Contact Officer
Murray–Darling Basin Authority
GPO Box 1801
CANBERRA ACT 2601
Email: privacy@mdba.gov.au
Phone: (02) 6279 0100 and ask for the Privacy Contact Officer
Fax: (02) 6248 8053

You have the option to contact us without identifying yourself or of using a pseudonym. Further information on dealing with us anonymously or by using a pseudonym is set out under the collection section above.

[1] Permitted general situations are set out in Section 16A of the Privacy Act 1988.