IBA is legally bound by the Privacy Act 1988 (“Privacy Act”). There are now 13 Australian Privacy Principles (“APPs”) within the Privacy Act that set out your rights with respect to privacy.
The Privacy Act legislates the way in which IBA collects, stores, provides access to, amends, uses and discloses an individual’s personal and sensitive information.
Credit Information Policy
IBA is a credit provider for the purposes of the Privacy Act. The Privacy Act places strict limitations on IBA’s right to collect an individual’s credit information. IBA will only collect information about a client’s credit history with their consent and in strict accordance with its obligations under the Privacy Act. IBA has a separate policy that deals with how IBA collects, holds, uses and discloses credit information. IBA’s Credit Information Policy can be found at www.iba.gov.au.
IBA will often require individuals to provide certain personal and sensitive information so that we can provide them with particular services as a client or manage their employment with IBA.
The Privacy Act does not regulate a corporation’s information. It only regulates information relating to individuals.
As an individual you have a right to know:
Personal information means:
information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Sensitive information is a subset of personal information, and includes information or an opinion about a person’s:
Sensitive information that IBA has about you is subject to extra protection under the Privacy Act.
IBA is required to collect personal information and some sensitive information in order to comply with its obligations under the Aboriginal and Torres Strait Islander Act 2005 (“ATSI Act”) and as a credit provider.
IBA is not allowed to obtain personal or sensitive information from you that is unnecessary or not required to fulfil its purposes under the ATSI Act (or any other applicable laws and regulations). IBA will only collect personal information about you if it is reasonably necessary for IBA’s functions or is directly connected to IBA’s functions or its management of you if you are an employee of IBA.
IBA will not collect sensitive information about you without your consent unless that collection is permitted under the Privacy Act.
Information about you as a member of the public
The personal information about you (as a client or a related individual) that IBA tends to collect and handle includes:
The sensitive information that IBA tends to collect and handle includes information about your racial or ethnic origin, your criminal history, and any affiliation to a professional or trade association or union you may have.
Information about you as an employee of IBA
The personal information about you (as an IBA employee) that IBA tends to collect and handle includes:
IBA may also be required to collect sensitive information in the form of health records and criminal history records and information about membership of a professional trade or association or trade union about its employees.
To perform many of its functions, IBA will need to know who you are. For example, if you wish to make an application for a loan, IBA will not be able to process a loan request without you identifying yourself.
However, where IBA can perform its functions without knowing who you are, IBA will give you the opportunity to interact with it anonymously.
IBA may collect personal and sensitive information from you in a number of different ways, including:
IBA may also sometimes collect personal information about you from other sources. IBA will only collect information from other sources if you consent, if permitted to do so under an Australian law or a court order, or if it is unreasonable and impracticable to obtain that information from you. For instance, IBA might collect some information about you as part of applications to IBA made by other people, such as your family, a business partner or people you live with.
IBA might also seek information from other people to confirm information you give us when you apply for our products or services. IBA may also collect information from other organisations to confirm your Aboriginality or Torres Strait Islander descent.
To perform its functions, IBA will often have to seek financial and credit information about you from third parties. IBA will usually seek your consent to obtain that information.
IBA stores information both manually in paper-based records, and electronically through program systems, internal directories, email systems and other technology systems.
Access to electronic records in IBA’s possession and control is protected via appropriate security systems in accordance with the Commonwealth protective security policy.
IBA’s paper based records are held in secure offices accessible only by authorised IBA staff and contractors.
IBA will take all reasonable steps to ensure that all files in its possession or control are protected against loss, unauthorised access, misuse, disclosure or modification and that only authorised employees have access to such material.
Personnel files, previous employee files and personal information relating to payroll are archived and stored in appropriate methods in accordance with the Commonwealth protective security policy.
IBA will destroy or de-identify any personal information it receives where:
Commonwealth records that contain personal information are managed by IBA in accordance with the Archives Act 1983 (“Archives Act”). Further information regarding how long a Commonwealth record must be kept can be obtained from the National Archives of Australia at www.naa.gov.au.
IBA has several purposes and functions under the ATSI Act. These purposes and functions broadly involve assisting and enhancing the economic interests of Aboriginal and Torres Strait Islander people. We collect, use and exchange your information in the course of performing our functions, including for the following purposes:
Finally, IBA collects, uses and discloses personal or sensitive information for the purpose of managing its employees.
Your personal and sensitive information is stored for the purposes outlined above and as a Commonwealth record under the Archives Act.
IBA may use your information for the purposes outlined above.
We may share your information with third parties for the reasons outlined above or where the law otherwise requires or allows. These third parties can include:
The above entities may in turn disclose your personal information to other entities as described in their respective privacy policies or notices.
Under no circumstances will IBA sell or receive payment for licensing or disclosing your personal or sensitive information to third parties.
IBA might use client information (such as your contact details) to provide you with information about other products or services that are related to the products or services that you have with IBA. When you apply for an IBA product or service, IBA will give you the opportunity to opt-out of receiving this marketing information.
If at any time you change your mind about receiving marketing information from us, please email email@example.com or call 1800 107 107.
IBA will – upon your request and subject to the Privacy Act – provide you with access to your personal and sensitive information that is held by IBA.
To request access to your personal and sensitive information please email
firstname.lastname@example.org or call 1800 107 107. IBA will need to verify the identity of anyone who requests access to personal information, to make sure that personal information is not shared with people who have no right to it.
It is important that you provide IBA with clear and appropriate instructions as to the type(s) of personal and sensitive information to which you require access.
IBA will deal with your request to provide access to your personal and sensitive information within a reasonable time period – usually within 30 days of receipt of your request. IBA will not charge you for a request for access to your personal and sensitive information.
There may be some instances where IBA refuses you access to your personal and sensitive information. If this occurs, IBA will provide you with a notice that will set out the reasons for the refusal of access and the mechanism(s) available to you to complain about the refusal (see section 8 below).
For example, IBA may decide not to disclose a record that also contains another person’s personal information to you without their consent if it would be unreasonable to do so
It is inevitable that some personal or sensitive information which IBA holds will become out of date. IBA will take reasonable steps to ensure that the personal and sensitive information which is held remains accurate. If you advise IBA of any change to your personal or sensitive information, IBA will amend its records accordingly.
To request a correction to your personal or sensitive information, please email email@example.com or call 1800 107 107.
From time to time, IBA may engage service providers located overseas to perform certain of our functions and activities. In the course of providing services to IBA, we may need to disclose your personal information to these service providers. If overseas service providers are engaged and personal information is sent overseas, we will take reasonable steps to ensure that our service providers are carefully chosen and have policies, procedures and systems in place to ensure your personal information is otherwise handled in accordance with the Privacy Act.
IBA must report Notifiable Data Breaches (“NDBs”) to customers and the Office of the Australian Information Commissioner (“OAIC”). An NDB occurs when there is a data breach that is likely to cause serious harm to the persons to whom the information relates. A data breach happens if the personal information held by IBA is lost, or subject to unauthorised access or disclosure.
If a data breach occurs, the Privacy Act requires IBA to make an assessment of whether it is likely to result in serious harm with reference to the following:
At IBA, the response to data breaches is managed by the IBA Legal team. All data breaches must be notified to IBA Legal at firstname.lastname@example.org so that the breach can be assessed and managed appropriately.
As required by the Privacy (Australian Government Agencies – Governance) APP Code 2017, IBA must prepare a Privacy Impact Assessment (“PIA”) for all high risk privacy projects. A project is a high risk privacy project if IBA considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. A register of PIAs conducted from July 2018 is available on the IBA website (www.iba.gov.au)
IBA has a formal complaint management process. This process is applicable to any complaint you may have against IBA in relation to the Privacy Act.
If you have a concern about the manner in which your personal or sensitive information has been collected, stored, used or disclosed, you may lodge a complaint directly to IBA via telephone, email or the internet:
Telephone: 1800 107 107
You have the option to remain anonymous, although this may inhibit IBA’s ability to investigate your concerns in appropriate detail.
There are a number of stages in the complaint management process. IBA will endeavour to deal with your complaint as quickly as possible – usually within 30 days – and to keep you informed of progress. If unresolved in the first instance, your complaint will be referred to a complaint officer who is required to be independent and impartial when dealing with the circumstances of your complaint.
You may make a complaint to the Office of the Australian Information Commissioner
(“OAIC”) if you are not satisfied with IBA’s response to your complaint regarding a breach of the Privacy Act. For further information about how to make a privacy complaint to the OAIC, please visit the website http://www.oaic.gov.au/privacy/making-a-privacy-complaint
IBA will review this policy periodically to ensure that it continues to provide transparent and current information about how IBA’s policies and practices affect your personal and sensitive information.
This policy was last updated on 30 June 2018.
We acknowledge the Traditional Owners of country throughout Australia and recognise their continuing connection to land, waters and culture. We pay our respects to their Elders past, present and emerging.