Austroads Australian Privacy Principles Policy
1. Open and transparent management of personal information
1.2 Austroads is bound by the Australian Privacy Principles (APPs) in the Privacy Act. The APPs regulate how Austroads may collect, use, disclose and store personal information. The APPs also provide guidance on how individuals may access and correct personal information held about them.
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
2.1 Austroads Ltd ACN 136 812 390 (Austroads) is the peak association of Australian road transport and traffic agencies.
2.2 Austroads’ purpose is to improve Australian transport outcomes by:
(a) providing expert technical input to national road and transport policy development;
(b) improving the practices and capability of road agencies;
(c) promoting operational consistency by road agencies; and
(d) managing the National Exchange of Vehicle and Driver Information System (NEVDIS).
3. Austroads Safety Barrier Assessment Panel
3.1 All information provided by Proponents is considered ‘commercial in confidence’ and will not be discussed with any party other than the Proponent, Road Agency Panel representatives and the Austroads Board, unless otherwise authorised under relevant jurisdictional freedom of information legislation or legal subpoena.
3.2 To preserve the independence of the Panel and to ensure that all determinations are based only on submission content, Proponents are not permitted to address Panel meetings.
3.3 Notes and minutes of the Austroads Safety Barrier Assessment Panel are confidential and shall not be distributed to any party other than the Road Agency Panel representatives and the Austroads Board, unless otherwise authorised under relevant jurisdictional freedom of information legislation or legal subpoena.
4.1 NEVDIS is the database of Australian driver and road vehicle information. It includes the national Vehicle Identification Number (VIN) subdatabase and the national Written Off Vehicle Register (WOVR) subdatabase.
4.2 NEVDIS allows for the seamless transition of vehicle registration and driver licence information between State and Territory boundaries, providing a national and real time view of the information.
4.3 Personal information on NEVDIS is on the following subdatabases:
(a) licensed drivers in Australia;
(b) registered road vehicles in Australia where the registered owner is an individual; and
(c) WOVR where the registered owner was an individual.
4.4 A feature of Austroads’ strategic direction for NEVDIS is compliance with the APPs. The APPs require at least the same standard of privacy law compliance by Austroads compared to privacy legislation applying to the State and Territory road transport and traffic agencies (Jurisdictions), and mostly a higher standard of compliance.
4.5 The Jurisdictions, such as Roads and Maritime Services in New South Wales, are the primary source of NEVDIS data and the primary point of contact for enquiries, errors and corrections.
4.6 The eight Jurisdictions and the Commonwealth of Australia (Commonwealth) are the principal owners of Austroads. The Jurisdictions and Austroads are parties to a contract for the administration of NEVDIS (Participation Agreement).
4.7 In 2013/2014, NEVDIS processed around 98.6 million transactions including:
(a) around 7.2 million Jurisdictional transactions are made every month (approximately 250,000 per average working day) providing access to and exchange of driver and vehicle information between the Jurisdictions.
(b) providing select personal information to:
(i) the Commonwealth’s CrimTrac Agency;
(ii) the Australian Electoral Commission;
(iii) Australian motor vehicle manufacturers and authorised entities for Product Safety Recalls; and
(iv) the National Heavy Vehicle Regulator.
4.8 NEVDIS is managed by the Austroads’ NEVDIS Administration Unit.
5.1 Austroads collects personal information for the purpose of managing NEVDIS. The critical success factors for personal information data on NEVDIS are:
(a) data which is consolidated, consistent and standardised;
(b) data which can be provided to Government agencies for purposes which are lawful and in the national interest;
(c) access to the data is seamless and uses common technologies;
(d) accurate, Australia-wide road vehicle registration and driver licensing that allows for:
(i) one vehicle for one VIN; and
(ii) one licence for one person.
5.2 The personal information collected for NEVDIS is limited to personal information that is reasonably necessary for Austroads’ function of managing NEVDIS. Austroads collects the personal information by lawful and fair means.
5.3 We do not collect personal information directly from individuals for NEVDIS. The Jurisdictions routinely collect personal information when performing their functions with respect to driver licensing, the registration of motor vehicles and their other regulatory functions. The Jurisdictions and the Commonwealth agreed:
(a)to establish NEVDIS as a single consistent national repository of registration and licensing information; and
(b)for Austroads to own and manage NEVDIS.
5.4 The Jurisdictions either input information about individuals who are licensed drivers or registered owners directly into Austroads systems or via automated system uploads. Austroads collects, retains, collates, and organises the information to support and facilitate the exchange of information between Jurisdictions, the Commonwealth and stakeholders.
5.5 We may rearrange, reformat or reorganise personal information received from a Jurisdiction but must not alter, modify or remove the personal information we receive without the express consent of the originating Jurisdiction.
5.6 At or before the time when a Jurisdiction collects personal information for inclusion on NEVDIS (or as soon as practicable after that time), the Jurisdiction takes reasonable steps in the circumstances to ensure that the individual concerned is aware of:
(a) the identity and contact details of Austroads;
(b) the fact that the Jurisdiction will supply the personal information to Austroads for inclusion on NEVDIS;
(c) the fact that the Jurisdiction is required or authorised by or under an Australian law to supply the personal information to Austroads for inclusion on NEVDIS, and particulars of the law;
(d) the purposes for which Austroads collects the personal information from the Jurisdictions for inclusion on NEVDIS;
(e) the main consequences, if any, for the individual if all or some of the personal information is not supplied to Austroads (for example, in the face of an objection or protest by the individual);
(f) the Jurisdictions and other users of NEVDIS to which the information on NEVDIS is usually disclosed by Austroads;
(i) the individual may access his or her personal information on NEVDIS and how to seek the correction of the personal information by the relevant Jurisdiction;
(ii) the individual may complain about a breach of the APPs that bind Austroads, and how Austroads will deal with such a complaint;
(iii) the individual may complain about a breach of a registered “APP code” (as defined in the Privacy Act) in force that binds Austroads, and how Austroads will deal with such a complaint;
(h) the fact that Austroads is not likely to disclose the personal information to overseas recipients, and would only do so with the individual’s consent.
5.7 In relation to our administrative functions, Austroads collects personal information relating to our employees to manage Human Resources and employment related responsibilities. We also collect information as part of our normal communication processes directly related to our role as a wholly-owned government corporation, including when we:
(a) process requests for information from the public;
(b) respond to direct enquiries when an individual emails or telephones staff members;
(c) welcome individuals to our offices; and
(d) receive business cards and other personalised business paraphernalia.
6. Types of Personal Information
Personal information held
6.1 The types of personal information held by Austroads on NEVDIS include:
(a )personally identifying information (surname, first name and other names, gender, date of birth, height in centimetres, eye colour, and address history);
(b) change of name, address or personal details of a registered vehicle owner/operator (and the reason for a change in registration status) or driver’s licence holder;
(c) the registration plate for a vehicle registered to an individual, the garaging address and whether the vehicle has a VIN;
(d) driver’s licence details, such as the class of licence, probationary licences, the date granted and currency details;
(e) driver’s licence conditions or restrictions, such as:
(i) a requirement to use an interlock alcohol device on a motor vehicle;
(ii) a disqualified licence, or that the person is ineligible for a licence (the reasons for the disqualification ineligibility are not held on NEVDIS – the originating Jurisdiction has the reasons);
(iii) a refusal to issue a licence, or a licence upgrade (the reason for the refusal is not held – the originating Jurisdiction has the reason);
(iv) a good behaviour condition (the reason for the condition is not held – the originating Jurisdiction has the reason); or
(v) a requirement for “zero blood alcohol”.
(f) a reference to a suspension or cancellation of vehicle registration status by a court or administrative process for vehicles registered to individuals;
(g) a reference to a suspension or an imposed cancellation of a driver’s licence, or disqualification of a person as a licensed driver by a court process or by an administrative process, including:
(i) a demerit points cancellation;
(ii) a mandatory cancellation due to the nature of the offence (for example, high range PCA);
(iii) a fine default (that is, not paying a monetary penalty);
(iv) failing a driving test or a knowledge test; or
(v) a police confiscation.
(h) a voluntary cancellation or surrender of:
(i) vehicle registration status (for vehicles registered to individuals); or
(ii) a driver’s licence, for example, cancellation on the ground that the licence is no longer needed;
(i) stolen vehicle information, written off vehicles or import restrictions, for vehicles registered to individuals;
(j) for vehicles registered to individuals, an organisation including a business name appearing on the registration particulars; and
(k) a “suppression code” in the individual’s data field, whereby the whole or a specified part the person’s details (such as name and/or address) is not to be disclosed Austroads, although the reason for the suppression code is not held.
6.2 We collect and hold some “sensitive information” as defined in the Privacy Act, mainly:
(a) a person’s criminal record only insofar as it is relevant to the Jurisdictions carrying out their road transport and traffic functions; and
(b) a person’s health information, but again only insofar as it is relevant to the Jurisdictions carrying out their road transport and traffic functions.
6.3 We do not routinely collect “health information” as defined in the Privacy Act. However, in some circumstances a condition on a driver’s licence may contain health information, such as a requirement to wear spectacles or contact lenses while driving.
6.4 Also, when a person’s licence status is changed from ‘active’ (able to drive) to non-active, the status reason code that is recorded in NEVDIS for the change might contain health information to an extent, such as:
(a) “medical grounds”;
(b) “non-compliance medical grounds”; or
(c) “alcohol habit-related”.
6.5 No specific health information is recorded in this regard. For example, if the status reason code for an active licence being changed to non-active is “medical grounds”, the specific health information in relation to the “medical grounds” is not collected or held.
6.6 If there is a condition on a person’s driver’s licence that the person must drive a modified motor vehicle because of the person’s disability, the condition will be on NEVDIS, but not the nature or scope of the disability.
6.7 If a driver’s licence has a notation on it that the licence holder intends to be a donor of body organs, parts or substances, the notation will be recorded on NEVDIS.
Personal information we don’t hold
6.8 We do not hold personal information:
(a) on the VIN subdatabase of NEVDIS;
(b) on the Personal Property Securities Register (PPSR) subdatabase of NEVDIS;
(c) with respect to the Vehicle Information Request System (VIRS) on NEVDIS;
(d) with respect to the Commonwealth’s Document Verification Service (DVS) component on NEVDIS;
(e) in the form of photographs of individuals, including photographs on drivers licences;
(f) in the form of digital signatures;
(g) with respect to accreditation schemes administered by the Jurisdictions, such as:
(i) accredited operators of public transport and taxi networks, and
(ii) accredited driving instructors;
7. Quality and Security
7.1 We ensure the integrity (quality and security) of personal information supplied by Jurisdictions for NEVDIS in accordance with integrity procedures and standards that are at least as rigorous, and normally more rigorous, than each Jurisdiction’s integrity procedures and standards for collecting and holding the personal information by the Jurisdiction for its own regulatory role.
7.2 We have well established data integrity measures which are documented in the Participation Agreement. These measures are designed to ensure that:
(a) personal information collected from the Jurisdictions for NEVDIS is accurate, up-to-date and complete;
(b) personal information on NEVDIS used or disclosed by us is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant;
(c) personal information held by us on NEVDIS is protected from misuse, interference, loss unauthorised access, use modification or disclosure.
7.3 Our data integrity measures include physical access restrictions, password protections, data encryption, audit trails of user access to databases, and accreditation of users.
(a) we hold personal information on NEVDIS about an individual; and
(b) we no longer need the information for any purpose for which the information may be used or disclosed by Austroads in accordance with the APPs; and
(c) the information is not contained in a “Commonwealth record” as defined in the Privacy Act; and
(d) we are not required by or under an Australian law, or a court/tribunal order, to retain the information;
we will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
7.5 We also store administrative information and employment related information on electronic and hard files.
7.6 Generally, Austroads’ files are protected in accordance with measures which parallel the Australian Government’s protective securities and classification system to ensure that they are only accessed by authorised persons for authorised purposes.
8. Use and Disclosure
8.1 Austroads uses the information it collects and holds for the purpose for which it was given to us, or for purposes that are directly related to the purpose of collection.
8.2 We routinely use personal information held on NEVDIS for audit and quality assurance purposes to ensure that access to the information is monitored, recorded and auditable.
8.3 We also use personal information held on NEVDIS:
(a) to develop and train staff on system improvements and enhancements; and
(b) to update and manage records about individuals to improve the quality and accuracy of the information we hold.
8.4 Access to and use of our information holdings is consistent with the Australian Government’s Protective Security Policy Framework.
8.5 We will use and disclose personal information on NEVDIS for the purpose for which it was collected from the Jurisdictions (primary purpose). The primary purpose is:
(a) to provide driver licence information to the Jurisdictions to prevent the issue of multiple driver licences by different Jurisdictions;
(b) to aggregate demerit points gained in any Jurisdiction to enable appropriate sanctions to be initiated by the licence issuing Jurisdiction;
(c) to enable license suspension, cancellation or driver disqualification in any Jurisdiction to be available to all Jurisdictions;
(d) to ensure that driver licence history in any Jurisdiction is available to all Jurisdictions;
(e) to provide for safe, efficient and equitable road use;
(f) to improve and simplify procedures for the registration of road vehicles;
(g) to prevent the “re-birthing” of stolen vehicles;
(h) to enable the use of road vehicles to be regulated for reasons of safety, protection of the environment and law enforcement; and
(i) to provide a method of establishing the identity of each road vehicle and of the person who is responsible for it.
8.6 We will not use or disclose personal information on NEVDIS for another purpose (secondary purpose) unless:
(a) the individual concerned has consented to the use or disclosure for the secondary purpose; or
(b) the individual would reasonably expect Austroads to use or disclose the information for the secondary purpose and the secondary purpose is:
(i) if the information is sensitive information—directly related to the primary purpose; or
(ii) if the information is not sensitive information—related to the primary purpose; or
(c) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(d) a “permitted general situation” as defined in the Privacy Act exists in relation to the use or disclosure of the information by Austroads; or
(e) a “permitted health situation” as defined in the Privacy Act exists in relation to the use or disclosure of the information by Austroads; or
(f) Austroads reasonably believes that the use or disclosure of the information is reasonably necessary for one or more “enforcement related activities” as defined in the Privacy Act conducted by, or on behalf of, an “enforcement body” as defined in the Privacy Act
8.7 The CrimTrac Agency and the National Heavy Vehicle Regulator (NHVR) are prescribed enforcement bodies under the Privacy Act. If Austroads uses or discloses personal information to the CrimTrac Agency or NHVR, Austroads will make a note of the use or disclosure, as required by the APPs.
8.8 We will not use or disclose personal information on NEVDIS for direct marketing.
8.9 The APPs with respect to use and disclosure will apply to any wholly owned subsidiary of Austroads to which Austroads might subcontract the management of NEVDIS.
8.10 In the unlikely event that Austroads discloses personal information on NEVDIS to an overseas recipient (other than the individual concerned), Austroads will comply with the APPs for cross-border disclosure of personal information.
8.11 We will not adopt a “government related identifier” as defined in the Privacy Act (such as a licence number or registration plate number) as its own identifier for an individual whose personal information is on NEVDIS unless required or authorised by or under an Australian law. Austroads’ use of a government related identifier in order to search for personal information or other information on NEVDIS will not be to adopt the government related identifier as its own identifier.
8.12 Austroads has entered into, or may enter into agreements with government agencies or organisations (Users) for the purposes of:
(a) sharing particular classes of information on NEVDIS, including personal information, with the Users; and
(b) allowing access and use of particular classes of information on NEVDIS, including personal information, by the Users.
8.14 Further, the Jurisdictions have entered into, or may enter into agreements with Users for the purposes of:
(a) sharing particular classes of information on NEVDIS, including personal information, with those Users; and
(b) allowing access and use of particular classes of information on NEVDIS, including personal information, by those Users.
8.16 As an employer, Austroads uses information about our people to meet employment obligations, including:
(b) support and recognition;
(c) promotions and transfers;
(d) rehabilitation, medical assessments and employee assistance programs; and
(e) performance management matters.
8.17 In performing this function, personal information may be disclosed outside Austroads to bodies including:
(a) superannuation funds;
(b) work health and safety regulators, our workers compensation insurer and the workers’ compensation regulator; and
(c) financial institutions.
8.18 Disclosure of employee personal information is done with informed consent of the staff member involved.
8.19 We also collect information about potential employees. All recruitment activities are conducted in accordance with best practice employment standards.
9. Access and Correction
9.1 Subject to the exceptions below, we will, on request by an individual, give access to his or her personal information on NEVDIS.
9.2 There may be a fee for this access. You should check Austroads’ website (http://www.austroads.com.au/) for the applicable fee. A fee will not be excessive and will not apply to the making of the request. It will apply to the actioning of the request.
9.3 We will respond to an access request within a reasonable period after the request is made, and we will give access in the manner requested by an individual if it is reasonable and practicable to do so.
9.4 We will not give access to personal information held by us on NEVDIS or otherwise in the following circumstances:
(a) Austroads reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
(d) the information relates to existing or anticipated legal proceedings between Austroads and the individual, and would not be accessible by the process of discovery in those proceedings; or
(e) giving access would reveal the intentions of Austroads in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(f) giving access would be unlawful; or
(g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(h )both of the following apply:
(i) Austroads has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Austroads functions or activities has been, is being or may be engaged in;
(ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
(i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body, including but not limited to the CrimTrac Agency; or
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
9.5 If we refuse to give access because of one or more of the exceptions above, or we refuse to give access in the manner requested by an individual:
(a) we will take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of Austroads and the individual; or
(b )we will give the individual a written notice that sets out:
(i) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
(ii) the mechanisms available to complain about the refusal; and
(iii) any other matter prescribed by or under the Privacy Act.
9.6 If an individual requests correction or changes to the personal information we hold about them on NEVDIS, we will refer the request to the relevant Jurisdiction. This is because we cannot alter the information held on NEVDIS without the express consideration and agreement of the relevant Jurisdiction. Normally, the relevant Jurisdiction will correct or change the personal information in their own system and upload the new data to NEVDIS.
10.1 If you have concerns about how we handle your personal information other than personal information on NEVDIS, please contact us to discuss them. Our Privacy Officer can be contacted on email@example.com or at via the contact details below.
10.2 If you have concerns relating to your personal information as recorded on NEVDIS, your first point of contact to complain or to make suggestions should be to the Jurisdiction who supplied the information to NEVDIS. Otherwise, our Privacy Officer can be contacted on firstname.lastname@example.org or at via the contact details below.
11. Contact Us
You can contact Austroads via the following ways:
Phone: +61 2 8265 3300
Fax: +61 2 8265 3399
Mail / Street Address:Level 9, 287 Elizabeth Street
SYDNEY NSW 2000