Indigenous Business Australia Privacy Policy

1. Purpose of this policy

The purpose of this privacy policy is to clearly explain how Indigenous Business Australia (​“IBA”​) handles your personal information, and to let you know about the sorts of personal information we collect and hold.

2. What this policy deals with

IBA is legally bound by the ​Privacy Act 1988 ​(​“Privacy Act”​). There are now 13 Australian Privacy Principles (“APPs”​​) within the Privacy Act that set out your rights with respect to privacy.

The Privacy Act legislates the way in which IBA collects, stores, provides access to, amends, uses and discloses an individual’s personal and sensitive information.

This privacy policy will help explain your rights and IBA’s obligations under the Privacy Act.

Credit Information Policy

IBA is a credit provider for the purposes of the Privacy Act. The Privacy Act places strict limitations on IBA’s right to collect an individual’s credit information. IBA will only collect information about a client’s credit history with their consent and in strict accordance with its obligations under the Privacy Act. IBA has a separate policy that deals with how IBA collects, holds, uses and discloses credit information. IBA’s Credit Information Policy can be found at​.

3. What is privacy?

IBA will often require individuals to provide certain personal and sensitive information so that we can provide them with particular services as a client or manage their employment with IBA.

The Privacy Act does not regulate a corporation’s information. It only regulates information relating to individuals.

As an individual you have a right to know:

  • when your personal and sensitive information is being collected by IBA;
  • who will have access to this information;
  • what the information will be used for; and
  • whether it will be disclosed to someone other than IBA.
4. What certain terms in this policy mean
4.1 Personal and sensitive information

Personal information​ means:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Sensitive information​ is a subset of personal information, and includes information or an opinion about a person’s:

  • Racial or ethnic origin;
  • Political opinions;
  • Political associations;
  • Religious beliefs or affiliations;
  • Philosophical beliefs;
  • Memberships of professional or trade associations or trade unions;
  • Sexual preferences or practices;
  • Criminal record;
  • Health information;
  • Genetic information that is not otherwise health information;
  • Biometric information for use in automated biometric identification;
  • Biometric templates.

Sensitive information that IBA has about you is subject to extra protection under the Privacy Act.

4.2 The kinds of personal and sensitive information that IBA collects and holds

IBA is required to collect personal information and some sensitive information in order to comply with its obligations under the ​Aboriginal and Torres Strait Islander Act 2005​ (​“ATSI Act”​) and as a credit provider.

IBA is not allowed to obtain personal or sensitive information from you that is unnecessary or not required to fulfil its purposes under the ATSI Act (or any other applicable laws and regulations). IBA will only collect personal information about you if it is reasonably necessary for IBA’s functions or is directly connected to IBA’s functions or its management of you if you are an employee of IBA.

IBA will not collect sensitive information about you without your consent unless that collection is permitted under the Privacy Act.

Information about you as a member of the public

The personal information about you (as a client or a related individual) that IBA tends to collect and handle includes:

  • your name;
  • your gender;
  • your contact details, including address, email address and phone numbers; your date of birth;
  • your marital or relationship status;
  • your citizenship or residency status;
  • your driver’s licence number (or other identification number);
  • your employment details;
  • your business details;
  • your financial details, including your assets, income and expenditure, your dependents, your banking information and your tax file number;
  • information about your credit history, including credit limit amounts, repayment information, information about defaults, credit worthiness, credit standing, credit capacity and serious credit infringements;
  • information about your visits to our website (​​) or other websites maintained by us or use of our mobile apps – including your server address, your top level domain name (for example .com, .gov, .au, .edu etc), the date and time of your visit to the site, the pages accessed and documents downloaded, the previous site visited and the type of browser used; and
  • details of your interactions with us

The sensitive information that IBA tends to collect and handle includes information about your racial or ethnic origin, your criminal history, and any affiliation to a professional or trade association or union you may have.

Information about you as an employee of IBA

The personal information about you (as an IBA employee) that IBA tends to collect and handle includes:

  • your job application and supporting documents including resumes, security checks and references;
  • written tasks undertaken during the selection process;
  • notes from the selection committee during the selection process;
  • your employment contract and other records relating to your terms and conditions of employment;
  • details of financial and other personal interests supplied by you and immediate family members for the purpose of managing perceived or potential conflicts of interest;
  • proof of citizenship or residency status;
  • details of cessation of previous employment;
  • certified copies of academic qualifications;
  • records relating to your salary, benefits and leave;
  • medical certificates or health related information supplied by you or your medical practitioner;
  • contact details;
  • taxation details;
  • superannuation contributions;
  • information relating to your training and development and performance; and
  • complaint or disciplinary information.

IBA may also be required to collect sensitive information in the form of health records and criminal history records and information about membership of a professional trade or association or trade union about its employees.

5. Collection and storage of personal information
5.1 Can you deal with IBA without identifying yourself?

To perform many of its functions, IBA will need to know who you are. For example, if you wish to make an application for a loan, IBA will not be able to process a loan request without you identifying yourself.

However, where IBA can perform its functions without knowing who you are, IBA will give you the opportunity to interact with it anonymously.

5.2 How does IBA collect personal and sensitive information?

IBA may collect personal and sensitive information from you in a number of different ways, including:

  • written forms that you complete to obtain products or services from IBA;
  • telephone conversations with you;
  • face-to-face interactions with you;
  • email correspondence with you;
  • webpage data collection logs (a “cookie” is used to keep track of the pages you have accessed while using our server, and operates only for the length of your visit to our website); and
  • media or social media interactions with you.

IBA may also sometimes collect personal information about you from other sources. IBA will only collect information from other sources if you consent, if permitted to do so under an Australian law or a court order, or if it is unreasonable and impracticable to obtain that information from you. For instance, IBA might collect some information about you as part of applications to IBA made by other people, such as your family, a business partner or people you live with.

IBA might also seek information from other people to confirm information you give us when you apply for our products or services. IBA may also collect information from other organisations to confirm your Aboriginality or Torres Strait Islander descent.

To perform its functions, IBA will often have to seek financial and credit information about you from third parties. IBA will usually seek your consent to obtain that information.

5.3 How does IBA hold personal and sensitive information?

IBA stores information both manually in paper-based records, and electronically through program systems, internal directories, email systems and other technology systems.

Access to electronic records in IBA’s possession and control is protected via appropriate security systems in accordance with the Commonwealth protective security policy.

IBA’s paper based records are held in secure offices accessible only by authorised IBA staff and contractors.

IBA will take all reasonable steps to ensure that all files in its possession or control are protected against loss, unauthorised access, misuse, disclosure or modification and that only authorised employees have access to such material.

Personnel files, previous employee files and personal information relating to payroll are archived and stored in appropriate methods in accordance with the Commonwealth protective security policy.

5.4 How long does IBA store personal and sensitive information?

IBA will destroy or de-identify any personal information it receives where:

  • IBA did not ask for the personal information to be provided; and
  • the information is not contained in a Commonwealth record.

Commonwealth records that contain personal information are managed by IBA in accordance with the ​Archives Act​ 1983 (“​Archives Act​”). Further information regarding how long a Commonwealth record must be kept can be obtained from the National Archives of Australia at ​​.

6. Purpose of collection, use, disclosure and storage of personal and sensitive information

IBA has several purposes and functions under the ATSI Act.  These purposes and functions broadly involve assisting and enhancing the economic interests of Aboriginal and Torres Strait Islander people. We collect, use and exchange your information in the course of performing our functions, including for the following purposes:

  • confirming your identity;
  • confirming your eligibility for IBA’s products and services (including confirming whether you are an Aboriginal person or Torres Strait Islander);
  • assessing your application for a product or service;
  • designing, managing, pricing and providing our products and services;
  • managing our relationship with you, including contacting you and investigating complaints;
  • debt recovery;
  • minimising risks and identifying or investigating fraud and other illegal activities;
  • complying with any reporting obligations to the Commonwealth or the relevant Minister;and
  • improving our products and services, our service to you and your experience with us (including conducting or participating in internal and external audits, and collecting and analysis of research data)

Finally, IBA collects, uses and discloses personal or sensitive information for the purpose of managing its employees.

6.1 For what purpose is my personal and sensitive information stored?

Your personal and sensitive information is stored for the purposes outlined above and as a Commonwealth record under the Archives Act.

6.2 What will my personal and sensitive information be used for?

IBA may use your information for the purposes outlined above.

6.3 For what purpose will my personal and sensitive information be shared?

We may share your information with third parties for the reasons outlined above or where the law otherwise requires or allows.  These third parties can include:

  • Australian government bodies;
  • your current or previous employers;
  • our business partners and our service providers (including contractors who provide website, IT, marketing, administration and other services to support IBA);
  • our professional advisors (for example lawyers and consultants);
  • our auditors and insurers
  • any entity to who we are required or authorised by law to disclose your personal information (for example, law enforcement agencies and government and regulatory bodies including AUSTRAC);
  • credit reporting bodies and credit providers;
  • and with your consent – other entities.

The above entities may in turn disclose your personal information to other entities as described in their respective privacy policies or notices.

Under no circumstances will IBA sell or receive payment for licensing or disclosing your personal or sensitive information to third parties.

6.4 Will my personal information be used for direct marketing purposes?

IBA might use client information (such as your contact details) to provide you with information about other products or services that are related to the products or services that you have with IBA. When you apply for an IBA product or service, IBA will give you the opportunity to opt-out of receiving this marketing information.

If at any time you change your mind about receiving marketing information from us, please email ​​ or call 1800 107 107.

7. Access to personal and sensitive information held by IBA

IBA will – upon your request and subject to the Privacy Act – provide you with access to your personal and sensitive information that is held by IBA.

To request access to your personal and sensitive information please email​ or call 1800 107 107.  IBA will need to verify the identity of anyone who requests access to personal information, to make sure that personal information is not shared with people who have no right to it.

It is important that you provide IBA with clear and appropriate instructions as to the type(s) of personal and sensitive information to which you require access.

IBA will deal with your request to provide access to your personal and sensitive information within a reasonable time period – usually within 30 days of receipt of your request.  IBA will not charge you for a request for access to your personal and sensitive information.

7.1 What if IBA does not provide me with access?

There may be some instances where IBA refuses you access to your personal and sensitive information.  If this occurs, IBA will provide you with a notice that will set out the reasons for the refusal of access and the mechanism(s) available to you to complain about the refusal (see section 8 below).

For example, IBA may decide not to disclose a record that also contains another person’s personal information to you without their consent if it would be unreasonable to do so

7.2 If the information IBA has is wrong, how do I have it corrected?

It is inevitable that some personal or sensitive information which IBA holds will become out of date. IBA will take reasonable steps to ensure that the personal and sensitive information which is held remains accurate.  If you advise IBA of any change to your personal or sensitive information, IBA will amend its records accordingly.

To request a correction to your personal or sensitive information, please email​ or call 1800 107 107.

8. Disclosure of information to Overseas Recipients

From time to time, IBA may engage service providers located overseas to perform certain of our functions and activities. In the course of providing services to IBA, we may need to disclose your personal information to these service providers. If overseas service providers are engaged and personal information is sent overseas, we will take reasonable steps to ensure that our service providers are carefully chosen and have policies, procedures and systems in place to ensure your personal information is otherwise handled in accordance with the Privacy Act.

9. Notifiable Data Breaches

IBA must report Notifiable Data Breaches (“​NDBs​”) to customers and the Office of the Australian Information Commissioner (“​OAIC​”). An NDB occurs when there is a data breach that is likely to cause serious harm to the persons to whom the information relates. A data breach happens if the personal information held by IBA is lost, or subject to unauthorised access or disclosure.

If a data breach occurs, the Privacy Act requires IBA to make an assessment of whether it is likely to result in serious harm with reference to the following:

  • the kind(s) of information;
  • the sensitivity of the information;
  • whether the information is protected by security measures and the likelihood that any of those security measures could be overcome;
  • the persons who have obtained, or could obtain, the information;
  • the likelihood of a security technology which renders the information unintelligible to unauthorised persons being circumvented; the nature of the harm; and any other relevant matters.

At IBA, the response to data breaches is managed by the IBA Legal team. All data breaches must be notified to IBA Legal at ​​ so that the breach can be assessed and managed appropriately.

10. Privacy Impact Assessments

As required by the ​Privacy (Australian Government Agencies – Governance) APP Code 2017​, IBA must prepare a Privacy Impact Assessment (“PIA”) for all high risk privacy projects. A project is a high risk privacy project if IBA considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. A register of PIAs conducted from July 2018 is available on the IBA website (​

11. Making a complaint about a breach of the Privacy Act

IBA has a formal complaint management process. This process is applicable to any complaint you may have against IBA in relation to the Privacy Act.

11.1 Submitting a complaint about a breach of the Privacy Act

If you have a concern about the manner in which your personal or sensitive information has been collected, stored, used or disclosed, you may lodge a complaint directly to IBA via telephone, email or the internet:

Telephone: 1800 107 107



You have the option to remain anonymous, although this may inhibit IBA’s ability to investigate your concerns in appropriate detail.

11.2 How would IBA handle such a complaint?

There are a number of stages in the complaint management process. IBA will endeavour to deal with your complaint as quickly as possible – usually within 30 days – and to keep you informed of progress. If unresolved in the first instance, your complaint will be referred to a complaint officer who is required to be independent and impartial when dealing with the circumstances of your complaint.

11.3 What if you are not satisfied with how the complaint was handled or resolved?

You may make a complaint to the Office of the Australian Information Commissioner

(​“OAIC”​) if you are not satisfied with IBA’s response to your complaint regarding a breach of the Privacy Act.  For further information about how to make a privacy complaint to the OAIC, please visit the website ​

12. How will IBA update this policy?

IBA will review this policy periodically to ensure that it continues to provide transparent and current information about how IBA’s policies and practices affect your personal and sensitive information.

This policy was last updated on 30 June 2018.

We acknowledge the Traditional Owners of country throughout Australia and recognise their continuing connection to land, waters and culture. We pay our respects to their Elders past, present and emerging.

Made possible by
Supported by