GENERAL POLICIES
Privacy
Date approved: | 23 June 2020 |
Date commenced: | 1 July 2020 |
Purpose
To provides a framework for how SPC handles any personal information that it collects in its day-to-day operations. It aims to ensure that SPC respects personal information and that it is appropriately protected and used.
Scope
This policy applies to all SPC staff and its non-staff personnel.
Authority
This policy is issued under regulation 5, Staff Regulations and paragraph 21 of the Pacific Community Governance Arrangement.
Overview
- Key objectives
- This policy aims to ensure that SPC respects an individual’s personal information and that any personal information is appropriately protected and used.
- Definitions
- The definitions in ‘Chapter I Purpose and Definitions’ of the Manual of Staff Policies apply to this policy. In addition, the words in the following table apply. Words that have been defined in this section, or in the Manual of Staff Policies are in bold throughout this policy.
Word | Definition |
Disclosure | Information is disclosed when SPC provides the information to an individual or entity outside of SPC. Information is not disclosed if it is provided between different areas within SPC. |
Personal information | Any information about an identified individual, or an individual who is reasonably identifiable. It is personal information, whether the information is true or not, and whether the information is recorded or not. Examples of personal information are a person’s name and address, photograph, details of qualifications, an email address and their geo-location. |
Sensitive information | Personal information about a person’s physical or mental health, their sexuality, political beliefs, racial or ethnic origin, genetic or biometric data. |
- Collecting personal information
- SPC collects personal information when it is included in a record. The record could be a document (hard copy or electronic), or it could be stored electronically or on another device.
- Reasons for collecting personal information
- SPC will only collect personal information for purposes that are directly related to its official functions or activities, and only when it is necessary for or directly related to those purposes. SPC’s official purposes are set out in its founding treaty, the Canberra Agreement 1947, and in the Pacific Community Governance Arrangement.
- SPC may collect information to:
- provide development assistance to SPC member states and/or territories;
- undertake scientific research in any of SPC’s key sectoral areas;
- conduct surveys or censuses for development assistance at an SPC member’s request;
- seek feedback on SPC’s functions and activities to improve its services;
- provide information about SPC’s activities; and
- select, recruit, engage and manage staff, consultants and contractors.
- Method of collection
- SPC usually collects personal information directly from the individual, either in person, from correspondence, from an application form, over the phone or the internet, or through a mobile application.
- Sometimes SPC collects personal information from a third party, such as an implementing partners or development partner, or in an evaluation process, or through a publicly available source.
- For any personal information that SPC collects that is intended to be disclosed, SPC will inform the individual and seek their informed consent. An individual may withdraw their consent at any time.
- Electronic collection
- SPC does not collect personal information from individuals who browse any SPC website.
- SPC may collect personal information about someone when they engage with any of SPC’s social networking services (twitter, Facebook, mobile aps), or engage with SPC by email. Some examples are when an individual:
- asks to be on an email list;
- makes an enquiry;
- fills in any on-line survey run by SPC; or
- uses an SPC mobile application.
- SPC also uses a range of analytic tools to collect or view website traffic information. These sites have their own privacy policies.
- The information collected by these tools may include the IP address of the device a person is using and information about sites that the IP address has come from, the pages accessed on an SPC site and the next site visited. This information is used to maintain, secure and improve any SPC website. SPC will not sell this information to advertisers or other third parties.
Use of information
- Use of information
- SPC may use personal information it has collected for the purposes it has collected it.
- Confidentiality
- As a leading scientific and technical organisation, SPC is committed to preserving the levels of confidentiality necessary to protect its reputation as an intergovernmental organisation and a research institution.
- SPC also observes any additional confidentiality provisions in agreements where it holds or collects personal information on behalf of its members or other development partners.
- Disclosure
- SPC generally only discloses personal information when:
- the disclosure was consented to, either at the time of collection, or afterwards;
- it is necessary to fulfil the purposes of the original collection, for instance if SPC collected the information on behalf of one of its members;
- SPC is working with a development partner or other agency assisting with delivering a project;
- it is necessary for the imminent health or well-being of an individual; or
- it is necessary for SPC to refer information to law enforcement for law enforcement purposes.
- For someone to consent, the individual must be adequately informed of the purposes disclosure before giving consent and give their consent voluntarily. The consent may be express or implied.
- SPC generally only discloses personal information when:
- Risk assessment
- SPC will take reasonable steps to protect the security of the personal information it holds from internal and external threats by:
- assessing the risk of misuse, interference, loss, unauthorised access, modification or disclosure of personal information it holds;
- taking measures to address those risks; and
- conducting audits from time to time to assess compliance.
- SPC will take additional steps to protect sensitive information.
- SPC will take reasonable steps to protect the security of the personal information it holds from internal and external threats by:
- Retention
- SPC will store personal information in accordance with SPC’s retention policy and only as long as necessary to meet SPC’s legal obligations.
- Electronic storage
- Personal information that is stored electronically will be limited to staff who have a clear business purpose to access and use that information. Electronic audit trails will be used, where possible, to ensure the integrity of the information.
- Access to and accuracy of personal information
- An individual may request access to their personal information held by SPC. SPC will make the information available as soon as practicable but no longer than thirty days.
- An individual may also request any incorrect personal information be updated or corrected. If such a deletion or correction would compromise SPC’s record keeping obligations, the individual may request a note be added to reflect why they consider the personal information is inaccurate.
- Making a complaint
- A person may complain to SPC about how it has handled their personal information. In that case, the person should write to the Director-General, providing the following information:
- their contact details;
- their complaint, including how the alleged behaviour negatively affected the person;
- copies of any information supporting the allegations; and
- how they would like SPC to resolve the complaint.
- Any complaint will be directed to the Legal Unit in the first instance and will be acknowledged within five working days.
- The Legal Unit will consider the complaint and will make recommendations to the Director-General about a potential action plan or redress mechanism.
- The Director-General consider all the information and determine what, if any, action should be taken to resolve the complaint.
- A person may complain to SPC about how it has handled their personal information. In that case, the person should write to the Director-General, providing the following information:
- Staff misconduct
- Where the complaint relates to allegations of potential staff misconduct, or non-staff personnel misconduct, the grievance will be re-directed to the Director-General’s delegate and any inquiries will be carried out under ‘Chapter XII Investigations and disciplinary actions’ of the Manual of Staff Policies.