Privacy Impact Assessment register
The National Blood Authority (NBA) maintains a register of Privacy Impact Assessments completed by the NBA since 1 July 2018. The register was last updated on 18 November 2022.
The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) requires that all agencies, including the NBA, must conduct a Privacy Impact Assessment for all high privacy risk projects.
The National Blood Authority (NBA) will always take reasonable steps to ensure your personal information is handled in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). The purpose of this policy is to summarise what our personal information handling practices are, how you can seek access to or seek correction of that information and how you can complain to the NBA about our practices.
- Who are we?
- What kinds of personal information are collected and held?
- How do we collect your personal information?
- How do we collect information through our website?
- How do we hold your personal information?
- Why do we collect personal information and how is it used?
- When and to whom will the NBA disclose my personal information?
- Accessing and seeking correction of personal information
- How can I complain about a breach of privacy?
The NBA operates as an Australian Government agency within the Commonwealth legislative framework. The NBA is accountable to the Minister for Health for the performance of the agency and in particular compliance with the Australian Government’s policies and regulations. In addition to the National Blood Authority Act 2003 (Cth) (NBA Act), the operations of the NBA are governed by the Public Governance, Performance and Accountability Act 2013 and the Public Service Act 1999 (Cth). For more information about the NBA you can visit: www.blood.gov.au.
- an employee or ex-employee or independent contractor working for the NBA
- a person seeking employment with the NBA
- an individual whose personal information is held or provided to the NBA
- a contractor, consultant or supplier of goods or services provided to the NBA, and
- a member of a committee, board or working group administered by the NBA.
What kinds of personal information are collected and held?
The NBA collects and holds personal information and sensitive personal information. Sensitive personal information includes health information; racial or ethnic origin; political opinions; membership of a political association; religious beliefs or associations; philosophical beliefs; sexual orientation; genetic information; biometric information; biometric templates. We will limit the collection of sensitive information to the minimum amount required to perform our functions or activities. A more detailed list of the categories of information that the NBA maintains which contain personal information is included below:
- Personnel records
- Work health and safety database
- Contractor and consultancy details
- Committee and Board details
- Grants information
- Mailing lists
- Public consultation
- Freedom of Information requests
- Legal Branch files and advising
- Representations to the agency and minister
- Security clearance records
- Stakeholder, supplier and approved healthcare provider information
- Approved recipients of blood products travelling overseas
- Blood and blood products order and receipt data (BloodNET)
- Clotting factor use data (Australian Bleeding Disorder Registry (ABDR), MyABDR), and
- Immunoglobulin usage data (BloodSTAR).
How do we collect your personal information?
Where possible, the NBA will collect your personal information directly from you. This may be via a form completed by you or with your clinician for input into an NBA Blood Sector Information System (such as ABDR), on the telephone (for example, if you contact the NBA Information and Communications Technology (ICT) Support Line for advice about a user account), or online (for example, if you choose to sign up to a mailing list operated by the NBA via our website).
We also obtain personal information from third parties such as referees if you are seeking employment with us and health professionals who place orders for a blood product directly for you. If we collect personal information about you we will take reasonable steps to inform you of that collection including whether it will involve a third party, the reasons for collection and what usual uses and disclosures may occur. Where sensitive personal information is concerned we will also seek your express consent for that collection unless a legal exception under the Privacy Act applies.
How do we collect information through our website?
The NBA uses a 'cookie' for maintaining contact with a user through a web site session. A cookie is a small file supplied by the NBA and stored by the web browser software on your computer when you access the NBA site. The cookie allows the NBA to recognise you as an individual as you move from one page to another.
The cookie used by the NBA will be immediately lost when you end your internet session and shut down your computer. Our copy of your information will be automatically deleted twenty minutes after you last used the system. This information is only used to help you use our web site systems more efficiently, not to track your movements through the internet, or to record private information about you.
Any system on this web site that records information about you will specifically ask your permission first.
The NBA makes a record of your visit and logs the following information for statistical purposes:
- the user's server address
- the user's top level domain name
- the date and time of access to the site
- pages accessed and documents downloaded, and
- the previous site visited.
This information is analysed to show broken links in our web site, bottlenecks, and other site problems. We use this information to redesign for efficiency of use.
No attempt will be made to identify anonymous users or their browsing activities unless legally compelled to do so, such as in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect the internet service provider's log files.
How do we hold your personal information?
The NBA is concerned with protecting personal information it collects. We will take all reasonable steps to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Your personal information will only be stored on a password protected ICT system which complies with the Australian Government Protective Security Policy Framework and the Australian Signals Directorate’s Information Security Manual. This includes ensuring that information we store is only accessed by authorised officers that require access to undertake their official functions and roles and safeguarding the accuracy and completeness of information provided to us.
The NBA holds the information it collects on digital systems and where appropriate, in paper format. The NBA has an electronic document and record management system that complies with government and legislation and standards.
The NBA holds its personal information on a cloud based system and on premises. Where cloud services are used, the service will have been subject to an NBA risk assessment and be compliant with the privacy and security standards required by the NBA in protecting personal information.
Sensitive personal information will have very restricted access placed on it and will be managed under strict governance requirements which will vary depending on the nature of the information.
Why do we collect personal information and how is it used?
The key role of the NBA is to:
- provide an adequate, safe, secure and affordable supply of blood products, blood related products and blood related services, and
- promote safe, high quality management and use of blood products, blood related products and blood related services in Australia.
Section 8 of the NBA Act sets out the various functions of the NBA. Several of the agreed roles of the NBA require the NBA to liaise with and continuously gather blood sector data in order to:
- monitor the demand for blood and blood products
- undertake annual supply and production planning and budgeting, and
- undertake or facilitate national information management, benchmarking and cost and performance evaluation for the national blood supply.
At times the NBA needs to collect and use personal information to undertake our functions and activities. For example, we may need to use information so we can create demand models in order to estimate demand for particular products over time. Such estimates are critical for contract negotiations with product suppliers and for Government budget planning purposes. We will only collect your personal information where it is reasonably necessary for, or directly related to, one or more of our functions or activities (‘purpose test’). Where sensitive personal information is concerned we will only collect that information where you consent to that collection and the purpose test is satisfied or where a legal exception under the Privacy Act arises.
If we collect personal information for a specific purpose then we will only use it for that purpose. The exception to this is where you consent or you would reasonably expect us to use the information for that purpose and it relates to the primary purpose of collection. For example, if you order a publication from us then we may contact you if our contact details change so you can re-order that publication in the future.
When and to whom will the NBA disclose my personal information?
The NBA will notify you at the point of collection or as soon as practicable afterwards about disclosures that apply to particular collections of personal information so you have a reasonable expectation of what disclosures may occur for that collection.
Since the NBA is a national body that represents the interests of all Governments in Australia there may be a need at times to communicate personal information to State or Territory representatives on a limited basis in order to make decisions and get input directly related to our functions and activities. However, in general, the NBA will not share personal information about you with any other party without your permission.
Exceptions to this general rule arise where we are required or authorised by law to make a disclosure, where it will lessen or prevent a serious and imminent threat to someone’s life or health or where another limited exception may apply under the Privacy Act. The NBA will not usually disclose personal information overseas.
Accessing and seeking correction of personal information
You have a right to request access to personal information that the NBA holds about you and to request its correction under the Privacy Act. Access and correction requirements in the Privacy Act operate alongside and do not replace other informal or legal procedures by which you can be provided with access to, or correction of, your personal information, including the Freedom of Information Act 1982 (Cth).
Your rights to access your personal information are not absolute. Please note that we are not required to grant access in certain circumstances such as where access would have an unreasonable impact on the privacy of other individuals. If we refuse to grant you access to your personal information, we will provide you with reasons for that decision and the avenues available for you to complain about the refusal.
How can I complain about a breach of privacy?
If you wish to make a complaint about an apparent breach of your privacy by the NBA, you should, in the first instance set out your complaint in writing to the NBA Privacy Officer on the details indicated below. The NBA will respond in writing within 30 days of receiving your complaint. If you are dissatisfied with the response you receive you can contact the Office of the Australian Information Commissioner (OAIC). Further information about making privacy complaints through the OAIC can be found by visiting https://www.oaic.gov.au/privacy/privacy-complaints.
You can contact the NBA using the details indicated below to request access or correction of your personal information, to make a complaint or for any other privacy queries:
National Blood Authority
Locked Bag 8430
CANBERRA ACT 2601
Phone: (02) 6151 5000 (general enquiries number)