Privacy Policy

Policy statement

The Council of Trustees of the National Gallery of Victoria (NGV) is committed to managing the Personal Information it collects, stores, manages and disposes of in compliance with relevant legislation.

Application

This Policy applies to all Personal Information, including Sensitive Information and Health Information, generated or held by the NGV, which directly or indirectly identifies an individual.

All NGV employees, volunteers, work experience students and interns must comply with this Policy in relation to the use of all Personal Information and Health Information including collection, storage, management and disposal.

Context

This Policy is informed by the legislative requirements of the:

  • Public Records Act 1973 (Vic)
  • Health Records Act 2001 (Vic)
  • Freedom of Information Act 1982 (Vic)
  • Privacy and Data Protection Act 2014 (Vic)

Where a requirement of the Privacy and Data Protection Act 2014 with respect to the handling of Personal Information is inconsistent with a provision in another Act, that other provision prevails.

Key Principles

  1. The NGV will only collect Personal Information that is necessary for the achievement of its organisational and strategic objectives and for the purpose of exercising its functions and lawful powers.
  2. The NGV will appoint an NGV Privacy Officer. The NGV Privacy Officer is responsible for coordinating responses to any privacy issues raised by members of the public or employees and advising employees about their privacy responsibilities.
  3. The NGV will take reasonable steps to ensure that individuals are aware that Personal Information may be collected, the reasons for the collection, and provide information on how people can contact the NGV Privacy Officer.
  4. The NGV may collect Personal Information related to the following functions and services:

    • the employment and engagement of staff, volunteers and contractors;
    • dealings with visitors or potential visitors, including ticket sales, comments, participation in market research, evaluation, competitions and promotions, education, public programs;
    • fundraising and membership;
    • NGV governance;
    • stakeholder management;
    • Collections, research and exhibitions;
    • commercial management;
    • general operations.

    Personal Information relating to some of these functions and services may be collected in electronic form, for example through the NGV's website when creating an online account with the NGV for purchasing tickets, memberships or subscribing to e-News.

  5. The NGV will collect Personal Information in a lawful and fair manner. Where practical and reasonable to do so, the NGV will obtain personal information direct from the individual to whom it pertains, although at times we may collect information about a person from someone else, for example where a membership is being purchased as a gift.
  6. The NGV will not use Personal Information for purposes other than those for which it was collected unless prior consent has been obtained. Personal Information will not be disclosed to third parties without consent from the individual to whom it pertains. In certain circumstances, the NGV may need to disclose Personal Information. This will only occur as provided for by the Privacy and Data Protection Act 2014, for example if the NGV is required to disclose Personal Information by law.
  7. The NGV will take reasonable steps to ensure the Personal Information is accurate and complete.
  8. Individuals have a right to seek access to their Personal Information or make corrections. Contact should be made to the NGV FOI Officer (foi@ngv.vic.gov.au).
  9. The NGV will not assign individuals with another organisation’s Unique Identifier unless it is necessary to carry out an organisational requirement or is required by law.
  10. Where lawful and appropriate, the NGV will provide individuals with the option of remaining anonymous when entering into transactions with the NGV.
  11. The NGV will provide secure information storage systems and procedures for the management of both physical and electronic information to minimise the risk of misuse, loss, unauthorised access, modification or disclosure, in accordance with data security standards issued from time to time by the Victorian Commissioner for Privacy and Data Protection.
  12. Records containing Personal Information will be disposed of in accordance with approved disposal schedules under the Public Records Act 1973.
  13. Unless compelled otherwise by law the NGV will not transfer Personal Information outside Victoria unless it reasonably believes the recipient is subject to a law or binding obligation which imposes restrictions on the use of that information that are substantially similar to the Information Privacy Principles.
  14. The NGV will endeavour to ensure that Contracted Service Providers or Third Parties with whom it engages are bound to comply with the requirements of the Privacy and Data Protection Act 2014.
  15. Any Health Information held by the NGV will be treated in accordance with the Health Records Act 2001.
  16. If an individual has a complaint about the conduct of the NGV in relation to the collection, storage, use or disclosure of Personal Information or Health Information, they may send details of the complaint in writing to the NGV Privacy Officer (privacy@ngv.vic.gov.au). The NGV Privacy Officer will investigate alleged breaches of the Privacy and Data Protection Act 2014.

Definitions

Information Privacy Principles

Information Privacy Principles means any of the Information Privacy Principles set out in Schedule 1 of the Privacy and Data Protection Act 2014.

Personal Information

Under the Privacy and Data Protection Act 2014 “Personal Information” means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion.

Examples of information that may be personally identifying either alone or in combination are:

  • Name
  • Photograph
  • Title
  • Email Address
  • Telephone or fax numbers
  • Driver's license number
  • Video
  • Gender
  • Ethnicity
  • Banking details, such as branch location, account number and funds available
  • Date of birth
  • Interview notes
  • Employee security pass number
  • Employee logon ID
  • A performance appraisal report on a staff member

Health Information

Under the Health Records Act 2001 “Health Information” includes information or an opinion about (i) the physical, mental, or psychological health (at any time) of an individual; or (ii) a disability (at any time) of an individual, where the Health Information is also personal information.

Examples of information that may be personally identifying either alone or in combination are:

  • Health diagnosis
  • Information on special needs to access collections
  • A performance appraisal report on a staff member

Contracted Service Provider

Under the Privacy and Data Protection Act 2014 a Contracted Service Provider means a person or body who provides services under a State contract.

Third Party

Under the Privacy and Data Protection Act 2014 a Third Party means a person or body other than the organization holding the information and the individual to whom the information relates.

Unique Identifier

Under the Privacy and Data Protection Act 2014 a Unique Identifier means an identifier (usually a number) assigned to an individual uniquely to identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual's name.

Breach of Policy

Where this Policy or a related policy is breached, the matter will be resolved in accordance with the NGV Performance and Discipline Policy.

Further Information

  • NGV IT Acceptable Use Policy
  • NGV Performance and Discipline Policy
  • NGV Protected Disclosure Procedures
  • NGV Records Management Policy
  • NGV Electronic Information Security Policy
  • NGV Enterprise Agreement
  • Code of Conduct for Victorian Public Sector Employees
  • NGV Privacy Statement

Further information about the Privacy and Data Protection Act 2014 (Vic) is available on the website of The Office of the Victorian Information Commissioner at www.ovic.vic.gov.au.

Approval

Approved by the Council of Trustees 15 December 2015

Next Review

3 years