Privacy

Privacy & Security Statement

Privacy Plan

---

Privacy & Security Statement

Tourism Queensland is committed to protecting user privacy. We understand and appreciate that visitors and users of this website are concerned about their privacy and confidentiality and security of any information that may be provided to us.

The Queensland Government has established a privacy regime for the Queensland public sector, based on eleven Information Privacy Principles. These are contained in an Information Standard that Tourism Queensland is required to adhere to. A copy of this Standard can be accessed at www.qgcio.qld.gov.au/index.html

Why we collect personal information

As part of it’s function, Tourism Queensland processes numerous requests for tour brochures or information, provides avenues for the booking of travel and holidays, provides opportunities for tourism operators to market and promote their services, conducts competitions and online auctions and collects information on the types of holidays that consumers prefer. Tourism Queensland also collects personal information for specific market research and to determine if there are any demographic trends in the way consumers use travel information and book travel products. This information is aggregated as statistical information and enables us to develop and promote the Queensland tourism industry.

e-Newsletters

Tourism Queensland collects your personal information in order to send you the free e-Newsletters that contain travel and holiday information. The provision of your personal information is voluntary. Should you not wish to provide your personal information we will be unable to send you the e-Newsletters. Any personal information that you provide to us can be deleted at any time by unsubscribing.

Cookies

Some of our web pages use "cookies". Cookies are text files we place in your computer's browser to store your preferences. Cookies, by themselves do not tell us your email address or other personally identifiable information unless you choose to provide this information to us.

When you visit our sites, our internet service provider makes a record of your visit and logs the following information for statistical purposes only -

• The users server address,
• The users top level domain name (for example .com, .gov, .au, etc.)
• The date and time you visited this site,
• The pages accessed and documents downloaded,
• The previous site visited,
• The type of browser you used.

No attempt is, or will be, made to identify users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect our activity logs.

Security

When you make a payment through our web site your personal and financial details are protected at all stages of the transaction. In processing your payment we will need to know your name, residential/postal address, e-mail address, and credit card details. We do NOT store your credit card details on our servers at any stage of the transaction. Once the credit card details have been sent to our financial institution, they are no longer known to the system. All transactions are secured by encryption technology, which enables information to be sent over the Internet in an encrypted form thereby ensuring protection against unauthorised access to your personal information.

Email Correspondence

This is a Queensland Government website. Email correspondence sent to this site will be treated as a public record and will be retained as required by the Libraries and Archives Act 1988 and other relevant regulations.
Your name and address details will not be added to a mailing list, nor will we disclose these details to third parties without your consent unless required by law. E-mail messages may be monitored by website support staff for system trouble shooting and maintenance purposes.

There may be times when personal information is provided to outside contractors (such as mailing houses) to assist with the distribution of tourism information. These companies are forbidden from using this information for any other purpose.

Access to your personal information

You can ask whether we are keeping personal information about you by writing to or emailing Tourism Queensland's Privacy Officer whose contact details are below. If we do have information on file, you can ask to access a copy of it. You may also wish to apply to amend the information if you believe it to be incomplete, inaccurate, irrelevant, out of date or misleading. There is no charge for an individual to seek access to or apply to amend their personal information. However, your right of access to and amendment of personal information is subject to exceptions provided in the Freedom of Information Act 1992 or any other State Law.

If you have any queries about our privacy and security practices, please contact privacy@tq.com.au or write to:

Privacy Officer
Tourism Queensland
GPO Box 328
Brisbane Qld 4001

---

Privacy Plan

Contents

1. Introduction

2. What is Personal Information?

3. Acts Administered by Tourism Queensland

4. Personal Information held by Tourism Queensland
Employee Personnel Records
Personnel and payroll
Recruitment
Other
Financial Management And Contractual Records
Information Systems Personal Information
Travel Arrangements Information
Consumer Research Information
Correspondence

5. List of Existing Contracts, Licences and Out-sourcing Arrangements Identified

6. Tourism Queensland Implementation Table
Privacy Implementation Plan
Strategies For Compliance
Assessment of Current Practices
Collection
Storage
Use
Disclosure
Internal Review

7. Procedure to Gain Access to Personal Information
Complaints about Tourism Queensland's handling of information privacy

8. Appendices
Summary Of Information Privacy Principles
Policy Statement
Policy Principles
Collection Of Personal Information (IPPS 1-3)
Information Privacy Principle 1
Information Privacy Principle 2
Information Privacy Principle 3
Storage And Security (IPPS 4-5)
Information Privacy Principle 4
Information Privacy Principle 5

1. Introduction

This Privacy Plan is a plan for Tourism Queensland's compliance with the information privacy principles under the requirements of the Information Standard 42 and its relevant Information Standard Guidelines. The Information Standard and its Guidelines require each Queensland Government Agency to prepare and implement a Privacy Plan approved by the CEO of each agency by April 2002.

This plan is drafted in a way which takes account of the diverse functions of Tourism Queensland's various business units. It aims to give: -

• guidance to members of the public to assist them to understand how personal information is managed in Tourism Queensland and how they can exercise their privacy rights in respect of Tourism Queensland's activities;
• guide personnel in Tourism Queensland's business units who deal with personal information, on the requirements of the Information Standard and its guidelines;
• a timetable and strategic overview for achieving full compliance with those requirements.

2. What is Personal Information?

The Information Standard 42 and its relevant Guidelines are concerned with "personal information". This is defined in the Information Standard as being: -

"Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

The information does not have to clearly identify a person. It need only provide sufficient information to lead to the identification of a person. It is not limited to confidential or sensitive personal details. It covers information held in paper or electronic records.

3. Acts Administered by Tourism Queensland

3.1. Tourism Queensland Act 1979

4. Personal Information held by Tourism Queensland

EMPLOYEE PERSONNEL RECORDS

Due to the commonality of these classes of records amongst the various business areas of Tourism Queensland, they have been grouped here as one entry. This necessarily reduces the amount of detail provided. Current and former employees and other persons (for example, spouses and next of kin who believe that Tourism Queensland's personnel records may also contain personal information about them) can obtain details of specific record handling practices of particular business area by contacting supervisors in those business areas.

It should not be assumed that all records described are kept in a common storage facility. Separate security arrangements will typically apply, depending on the sensitivity of the information.

The purpose of these records is to maintain employment history and payroll and administrative information relating to all permanent, contract and temporary employees of Tourism Queensland.

Personnel and payroll
The records may include any one or more of the following:
(1) records relating to attendance;
(2) leave applications and approvals;
(3) medical records;
(4) payroll and commission related records, including banking details;
(5) tax file number declaration forms;
(6) declarations of pecuniary interests;
(7) personal history files;
(8) performance appraisals, etc;
(9) records relating to personal development and training;
(10) trade, skill and aptitude test records;
(11) completed questionnaires and personnel survey forms;
(12) travel documentation;
(13) records relating to personal welfare matters; and
(14) contracts and conditions of employment.

Recruitment
The records may include any one or more of the following:
(1) recruitment records including interview notes and employment applications;
(2) records relating to relocation of staff and removals of personal effects; and
(3) records relating to character checks and security clearances.

Other
The records may include any one or more of the following:
(1) records of accidents and injuries;
(2) compensation case files;
(3) rehabilitation case files;
(4) records relating to counselling and discipline matters, including disciplinary, investigation and action files, legal action files, records of criminal convictions, and any other staff and establishment records as appropriate;
(5) complaints and grievances; and
(6) recommendations for honours and awards.

Contents of personnel records may include: name, address, date of birth, occupation, employee identification number, gender, qualifications, equal employment opportunity group designation, next of kin, emergency contacts, details of pay and allowances, leave details, superannuation fund details and contributions, work reports, security clearance details and employment history. It may also include physical and mental health, disabilities, racial or ethnic origin, disciplinary investigation and action, criminal convictions, adverse performance and security assessments, tax file numbers, relationship details and personal financial information.

Personal information on personnel records relates to current and former staff members and employees including contract and temporary staff.

The following staff have access to personnel records: executive and personnel management staff, supervisors and members of selection committees (if appropriate), and the individual to whom the record relates.

Personnel records are kept for variable periods according to the applicable provisions of the Standard Retention and Disposal schedule for staff and establishment records issued by Queensland State Archives.

Information held in personnel records may be disclosed outside Tourism Queensland, as appropriate, to:

• Australian Taxation Office;
• Qsuper; and
• Third Party organisations such as Banks and Insurance Companies (Name and account numbers only).

Records relate to all current and former employees of Tourism Queensland and are stored on paper and electronic media.

Location: Human Resources and individual business units

FINANCIAL MANAGEMENT AND CONTRACTUAL RECORDS

There is commonality amongst these records across various business areas of Tourism Queensland, so they are grouped here as one entry.

The purpose of the financial records is to process and account for expenditure and revenue. General content may include name, address and service or goods category. Sensitive content may include financial information including debts. The personal information relates to creditors and debtors, including outsourced service providers if they are identified personally.

Contractual Records include personal information relating to Consultants and other Contractors who provide goods and services to Tourism Queensland.

Location: Financial and Business Services and relevant business areas of Tourism Queensland.

INFORMATION SYSTEMS PERSONAL INFORMATION

Tourism Queensland's information technology information management systems network routinely carries, enables processing of, and stores, for varying periods, much of the core business information of Tourism Queensland on behalf of its many business areas. It encompasses both internal electronic transactions and external transactions, including telephone, e-mail, Internet and Intranet activity. The great bulk of those personal information records within that network environment are described above, or are described in the other parts of this plan that deal with the content of core business operations of business areas of Tourism Queensland.

In addition to that material, there are some personal information records specifically tailored to IT system administration, namely IT system security identifiers and usage tracking records about staff users of the IT system that are held by IT administrators and staff supervisors.

That information is not usually disclosed to persons other than staff supervisors, system administrators and the individuals concerned. Staff are routinely made aware of system usage rules and monitoring procedures concerning collection and use of the information.

Location: Technology Department and relevant business areas of Tourism Queensland.

TRAVEL ARRANGEMENTS INFORMATION

The Commercial Division of Tourism Queensland, comprising Sunlover Holidays and the Queensland Travel Centres, has responsibility for organising travel arrangements on behalf of clients.

In finalising these arrangements, Tourism Queensland generally collects the following personal information:

• name and address of clients;
• flight and other travel details;
• credit/debit card number and expiry date;
• billing address;
• email address;
• telephone numbers;
• dietary requirements, health issues (if any) and other special requirements;

This information is processed by the Tourism Queensland Reservations Management System for the purpose of arranging travel, accommodation and tour bookings.

Records relating to travel arrangements are stored on paper and electronic media.

Location: Commercial Division and relevant business areas of Tourism Queensland.

CONSUMER RESEARCH INFORMATION

At various times, Tourism Queensland collects personal information from consumer surveys and interviews. The information relates to holiday preferences, tourism product information sources and buying influences. The information collected includes, but is not limited to the following:

• name and address of individual concerned
• age
• previous holiday locations
• preferred holiday locations
• holiday spending patterns

Location: Marketing, Planning and Destination Development and relevant business areas of Tourism Queensland.

CORRESPONDENCE

Correspondence that has been addressed to the Chief Executive Officer or Tourism Queensland Staff from the public or other Government agencies is referred to the relevant areas within Tourism Queensland for consideration and preparation of advice and responses.

Tourism Queensland keeps copies of the correspondence in electronic and paper form.

The correspondence includes personal information which might arise in any subject matter related to Tourism Queensland's functions. Examples are: names, addresses, personal opinions about tourism related matters, complaints and grievances and any other matter that the correspondent wishes to convey to Tourism Queensland.

Location: Chief Executive's Office and relevant areas of Tourism Queensland.

5. List of Existing Contracts, Licences and Out-sourcing Arrangements Identified

The following organisations have contracts with Tourism Queensland which allow them access to personal information:

• Pacific Micromarketing
• Security Mailing Services
• Link Communications
• QM Industries Pty Ltd
• Roy Morgan
• Mangum Management GmbH
• Ernst & Young
• TMP Worldwide

These contracts will be reviewed and where necessary amended to ensure that they comply with Information Standard 42.

6. Tourism Queensland Implementation Table

PRIVACY IMPLEMENTATION PLAN

Informing staff of their privacy responsibilities will play a critical role in Tourism Queensland successfully complying with the requirements of Information Standard No. 42 and related guidelines and is a significant component of the Privacy Plan. To ensure a general awareness of the issues and the principles involved, mechanisms have been identified below which provide for ready access by staff to information regarding the Plan and the promulgation of the Information Privacy Principles which form the core of Information Standard 42. Tourism Queensland's Privacy Officer will coordinate the Plan and report progress of the Privacy Plan to Executive Management.

STRATEGIES FOR COMPLIANCE

Assessment of Current Practices

• The first step in compliance with Information Standard 42 and its principles is to assess current practice and procedure. Individual business units can do this by:
• determining which types of information are held, and identifying the personal information contained in those holdings;
  determining the functions and purposes of the business unit by reference to relevant Tourism Queensland functions and the Business Plan of the business unit;
• ascertaining the coverage of the Information Protection Principles and relevant exceptions to the personal information held, initially by reference to Information Standard 42;
• referring to the current law and policies which already govern the way in which information is processed and ascertaining the policies and procedures adopted in compliance with those laws and policies; and
• identifying any remaining areas of risk exposure under applicable Information Protection Principles.
• If such areas of risk exposure are identified then procedures will be adopted in line with the strategies for compliance.
• A number of general strategies for compliance with the Information Protection Principles have been identified for adoption by Tourism Queensland as a whole and where necessary by individual business units. These strategies have been grouped together below under the Information Protection Principles' main areas of coverage.

Collection

• Business units will review all forms used to collect personal information from clients or employees to ensure that notification requirements are met and consent to further disclosures is covered where necessary to the operation of the business unit.
• Staff in business units which collect personal information by telephone will be equipped with a form of words to notify clients of matters required by IPP 2 and to obtain consent to further disclosure where necessary. Alternatively, pro forma letters, confirming notification and consent will be forwarded to clients following telephone contact.

Storage

Tourism Queensland will further develop and review separate policies for storage of electronic and paper information.

Use

• Where information is stored in a computerised database, business units will ensure that appropriate descriptions are used to avoid errors or misinterpretation of data.
• Standards will be adopted, with reference to the functions and purposes of the particular business unit, to ensure personal information is used only for the purposes for which it was collected.

Disclosure

• Business units will develop procedures to cover the main kinds of personal information staff can be expected to disclose and the authority for such disclosures.
• Staff with frequent contact with clients will be given additional training in the application of the Information Protection Principles to disclosure in the context of their business unit's functions.

Internal Review

• The Privacy Contact Officer will be designated to be notified of each application for internal review and will be responsible for coordinating the internal review process.
• Individuals will be told about their rights to internal review through the inclusion of statements about these rights on forms and notices completed by people providing personal information. The format of such statements will differ between business units and between the information provided and the purpose for which it is provided. However the statement will contain advice that:
• people have the right of access to, and correction of personal information about them;
• if they consider that personal information about them is being handled incorrectly, then they may request Tourism Queensland to undertake an internal review;
• time limits apply to the making of applications, complaints and to the handling of internal reviews.

7. Procedure to Gain Access to Personal Information

Access and amendment rights are limited to existing rights under the Freedom of Information Act 1992.

If you want to request access to, or amendment of, your personal information records in Tourism Queensland, you need to be aware that:

• the IPPs limit the access and amendment rights and processes to those provided in the FOI Act; and.
• any application for documents or application for correction or amendment will therefore be processed under the FOI Act provisions.

Assistance is also available from Tourism Queensland's Freedom of Information Co-ordinator. The Co-ordinator's telephone contact number is: 3535 5598.

COMPLAINTS ABOUT TOURISM QUEENSLAND'S HANDLING OF INFORMATION PRIVACY

If an individual believes that their personal information has not been dealt with in accordance with an IPP, they may make a complaint to Tourism Queensland seeking an internal review of the handling of their personal information. A request for an internal review must be made in writing and must be made within six months from the date when the breach of any IPP was suspected to have occurred.

Written applications requesting internal review should be sent to the Privacy Contact Officer. The postal address is :

Privacy Contact Officer
Tourism Queensland
GPO Box 328
BRISBANE Q 4001

The Privacy Contact Officer of Tourism Queensland can provide more information about this process. The telephone contact number for the Privacy Contact Officer is 3535 5598.

Applications for review will be acknowledged in writing within 14 days from the date on which the application was received. Tourism Queensland will process each application within 60 days from the date on which the application is received. Applicants will be advised in writing of Tourism Queensland's review decision.

If an applicant does not agree with Tourism Queensland's decision, they can make a further application in writing to the Chief Executive Officer, Tourism Queensland for another internal review. The postal address for applications is:

Chief Executive Officer
Tourism Queensland
GPO Box 328
BRISBANE Q 4001

The Chief Executive Officer will arrange for the internal review to be carried out by a more senior officer than the initial review decision-maker and who has not previously been involved in the matter. This review will be completed within 45 days of receipt of the application for further review. The Chief Executive Officer will provide a response decision in writing to the individual who requested the further review.

8. Appendices

SUMMARY OF INFORMATION PRIVACY PRINCIPLES

Policy Statement
Personal information held by Queensland agencies must be responsibly and transparently collected and managed (including any transfer or sale of personal information held by agencies to other agencies, other levels of Government or the private sector) in accordance with the requirements of the Information Privacy Principles.

Policy Principles
Agencies must comply with eleven IPPs, which govern how personal information is collected, stored, used and disclosed.

The IPPs deal with the following:
Principle 1: Manner and purpose of collection of personal information;
Principle 2: Solicitation of personal information from individual concerned;
Principle 3: Solicitation of personal information generally;
Principle 4: Storage and security of personal information;
Principle 5: Information relating to records kept by record-keeper;
Principle 6: Access to records containing personal information;
Principle 7: Alteration of records containing personal information;
Principle 8: Record-keeper to check accuracy, etc., of personal information before use;
Principle 9: Personal information to be used only for relevant purposes;
Principle 10: Limits on use of personal information;
Principle 11: Limits on disclosure of personal information.

COLLECTION OF PERSONAL INFORMATION (IPPS 1-3)

Information Privacy Principle 1

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
a. the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
b. the collection of the information is necessary for or directly related to that purpose.
2. Personal information shall not be collected by a collector by unlawful or unfair means.

Information Privacy Principle 2

Where:
a. a collector collects personal information for inclusion in a record or in a generally available publication; and
b. the information is solicited by the collector from the individual concerned;
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

• the purpose for which the information is being collected;
• if the collection of the information is authorised or required by or under law, the fact that the collection of the information is so authorised or required; and
• any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first-mentioned person, body or agency to pass on that information.

Information Privacy Principle 3

Where:
a. a collector collects personal information for inclusion in a record or in a generally available publication; and
b. the information is solicited by the collector;
the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

• the information collected is relevant to that purpose and is up to date and complete; and
• the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

STORAGE AND SECURITY (IPPS 4-5)

Information Privacy Principle 4

A record-keeper who has possession or control of a record that contains personal information shall ensure:
a. that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
b. that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Information Privacy Principle 5

1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
a. whether the record-keeper has possession or control of any records that contain personal information; and
b. if the record-keeper has possession or control of a record that contains such information:

• the nature of that information;
• the main purposes for which that information is used; and
• the steps that the person should take if the person wishes to obtain access to the record.

2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the State that provides for access by persons to documents.
3. A record-keeper shall maintain a record in the form of a privacy plan setting out:

• the nature of the records of personal information kept by or on behalf of the record-keeper;
• the purpose for which each type of record is kept;
• the classes or types of individuals about whom records are kept;
• the period for which each type of record is kept;
• the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
• the steps that should be taken by persons wishing to obtain access to that information.

4. A record-keeper shall make the record maintained under clause 3 of this Principle available for inspection by members