The Great Barrier Reef Marine Park Authority (GBRMPA) recognises the importance of your privacy rights and, in turn, the importance of being transparent about how we collect, use, and share information about you. We demonstrate this by complying with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), the Spam Act 2003 (Cth), and other applicable privacy and data protection laws such as the European Union General Data Protection Regulation (GDPR).
We routinely undertake Privacy Impact Assessments and follow a Privacy by Design approach so that privacy protection is built into our systems.
The GDPR applies to the data control activities of GBRMPA and the data processing activities of any vendor partners in the European Union. GBRMPA at times offers goods and services, by issuing permissions under the permit systems and through ticket sales and membership to Reef HQ.
These are available to individuals in the European Union. GBRMPA also monitors the behaviour of individuals, including in the European Union, via our websites using tools such as cookies.
As such, we have provided more detail around what we do with your data, and how you can have access to your privacy rights, and about the purposes for which we use your personal information.
This Policy is intended to help you understand:
- A. WHAT INFORMATION GBRMPA COLLECTS ABOUT YOU
- B. HOW GBRMPA COLLECTS INFORMATION ABOUT YOU
- C. HOW GBRMPA USES AND DISCLOSES INFORMATION ABOUT YOU INCLUDING WHEN INFORMATION IS SHARED WITH THIRD PARTIES FOR PROCESSING
- D. GBRMPA’S POLICY IN RELATION TO PRIVACY AND MINORS
- E. HOW GBRMPA TRANSFERS INFORMATION WE COLLECT INTERNATIONALLY
- F. HOW GBRMPA STORES AND SECURES INFORMATION WE COLLECT
- G. HOW TO ACCESS AND CONTROL YOUR INFORMATION INCLUDING EXERCISING YOUR RIGHTS AND MAKING COMPLAINTS
- H. CONTACT US
This Policy applies to all staff of GBRMPA and all individuals engaging with GBRMPA whose personal information may be collected, stored and used by GBRMPA or its partners.
This Policy applies to GBRMPA's management of personal information across all of its offices (in Australia and from time to time internationally).
This policy also explains your choices about how we use information about you. Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you.
When we refer to "GBRMPA," "we," or "us" in this policy, we mean the Australian Government’s Great Barrier Reef Marine Park Authority established under an Act of Parliament, whose registered office is at 280 Flinders Street, Townsville, Queensland 4810, which controls the information GBRMPA collects when you use the services including, among other things, our websites.
A. WHAT INFORMATION GBRMPA COLLECTS ABOUT YOU
The types of information that GBRMPA collects will depend on the nature of your dealings with GBRMPA and its services and may include your name, contact details, payment details, photographic information, and your views and opinions about GBRMPA services.
We collect, hold, use and disclose personal information to carry out our functions or activities under the Great Barrier Reef Marine Park Act 1975 (GBRMP Act), Great Barrier Reef Marine Park Regulations 2019 and associated environmental legislation.
Other legislation may also confer powers or functions on GBRMPA including the Environment Protection and Biodiversity Conservation Act 1999, Freedom of Information Act 1982 and the Public Governance and Performance Accountability Act 2013.
B. HOW GBRMPA COLLECTS INFORMATION ABOUT YOU
GBRMPA collects your information only for a lawful purpose, which is reasonably necessary for or directly related to GBRMP Act functions, or other legislation which confers functions on GBRMPA.
At all times we try only to collect the information we need for the particular function or activity we are carrying out. The main way we collect personal information about you is when you give it to us.
GBRMPA will ensure that any Personal Information collected is relevant to its purpose, is accurate, complete and up-to-date. GBRMPA will collect information directly from you, unless it is reasonably impracticable to do so.
When we collect personal information from you we will issue you with a collection notice and seek your express consent to collect the information where consent is the lawful basis for collection. We will not treat silence as consent, use pre-ticked boxes or allow for bundled consent.
At times you may be required by law to provide the information.
Personal information may be collected when you:
- contact us to ask us for information (but only if we need it)
- notify us about a possible offence against our legislation committed by another person (but only if we need it to investigate the allegation further)
- make a complaint about services you have received from GBRMPA
- make a complaint about a possible privacy breach
- make an application for a Marine Park permission
- make a submission in response to a public consultation (although you are not required to provide your name and contact details)
- apply for Reef HQ Aquarium membership or purchase a ticket to an event
- apply for membership of a Reef Advisory Committee
- apply for a job vacancy at GBRMPA.
We may also collect personal information from you for the purposes of compliance with your obligations under the GBRMP Act and associated environmental legislation.
For example, you may be required to provide your name and address if a Marine Park inspector reasonably suspects that you have committed an offence against the GBRMP Act or associated environmental legislation.
Collecting sensitive information
We may also need to collect sensitive information about you, for example to investigate a complaint or to further engage with you for the purposes of ascertaining your views about a particular project. This might include information about your racial or ethnic origin, association memberships or criminal history.
In the course of handling or resolving a complaint, investigating a possible offence against the GBRMP Act or associated environmental legislation, or assessing a Marine Parks application, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties such as:
- your authorised representative, if you have one
- applicants, complainants, respondents to a complaint, investigation, application or the third parties’ employees and witnesses
- the State of Queensland, in particular from the Queensland Parks and Wildlife Service who jointly manage the Marine Park with us, or from the Australian Government Department of Agriculture, Water and the Environment.
We may also access personal information (including sensitive information) about you through surveillance and enforcement related activities.
The information collected may include your IP address, the referring site and the pages visited on GBRMPA’s sites. IP addresses are logged to track a user's session while the user remains anonymous. GBRMPA analyses this data for certain trends and statistics, such as which parts of the GBRMPA websites users are visiting and how long they spend there.
In general, you can browse the GBRMPA websites without telling GBRMPA who you are or revealing any personal information about yourself.
However, there are times when GBRMPA may need to collect your personal information. For instance, if you register to receive GBRMPA Reef HQ publications or to attend an event, GBRMPA’s Reef HQ will need to collect some personal information from you for this purpose.
In this case, GBRMPA’s Reef HQ will provide notice and seek your permission to send you further electronic communications, and for your personal information to be stored in its databases.
If at any time after submitting your personal information to GBRMPA’s Reef HQ you would no longer like to receive information, simply follow the "unsubscribe" directions at the end of any email communications you receive, or contact GBRMPA’s Reef HQ using the contact details listed at the end of this Policy.
Great Barrier Reef Marine Park Authority web platforms
GBRMPA has its own public website – http://www.gbrmpa.gov.au/ – and we manage a number of associated websites including:
- Reef HQ Aquarium http://www.reefhq.com.au/
- Eye on the Reef http://www.gbrmpa.gov.au/sightings-network/
- Reef Explorer http://www.gbrmpa.gov.au/ReefExplorer/
- GeoPortal http://www.gbrmpa.gov.au/geoportal.
Statistical and security purposes
When you browse our website, our Internet Service Provider makes a record of your visits and logs (in server logs) the following information for statistical and security purposes:
- your server and assigned IP address
- your top level domain name (for example .com, .gov, .au)
- your operating system (for example Windows, Mac)
- the date and time for your visit to the site
- the pages accessed and documents downloaded
- the previous site you visited
- the type of browser used.
No attempt will be made by GBRMPA to identify website users or their browsing activities except in the unlikely event of an investigation where a law enforcement agency may exercise a warrant to inspect server logs.
The statistics and log files may be preserved indefinitely and used at any time and in any way necessary to prevent security breaches and to ensure the integrity of the information supplied by GBRMPA.
Where you use GBRMPA’s social media pages (such as Facebook or Instagram) GBRMPA will not collect any personal information about you without your consent.
Cookies and Other Tracking Technologies
For more information, please see our Cookies and Analytics Policy which includes information on how to control or opt-out of these cookies and tracking technologies.
GBRMPA manages a number of online platforms to provide the public and stakeholders with a user-friendly system to engage with us.
These online platforms include:
- Bookings online https://secure.gbrmpa.gov.au/bookingsonline/
- EMC online https://secure.gbrmpa.gov.au/EMC/
- Permits online https://secure.gbrmpa.gov.au/permitsonline
These platforms are secure and can only be accessed by stakeholders with a login and password. Access to these platforms within GBRMPA is on a need-to-know basis and is restricted to those staff who manage these processes and systems. GBRMPA does not use or disclose your personal information provided via these online platforms for any other purpose without your consent.
Where it is practicable, you may choose to remain anonymous or adopt a pseudonym when dealing with GBRMPA.
The provision of your personal information on GBRMPA’s websites is voluntary and you can opt out at any time. However, if you choose not to provide your personal information we may not be able to forward the material that you are requesting or provide you with one of the numerous services available through the websites.
C. HOW GBRMPA USES AND DISCLOSES INFORMATION ABOUT YOU, INCLUDING WHEN INFORMATION IS SHARED WITH THIRD PARTIES FOR PROCESSING
GBRMPA will only use and disclose personal information for the purpose for which it was collected, or otherwise in accordance with the applicable privacy and data protection laws and regulations.
For example, if you register on a GBRMPA website to receive information about the Reef HQ Aquarium, GBRMPA will use your name and email address to send you this information.
Other examples include use or disclosure for the purpose of:
- Providing you with the publications or services you have requested;
- Marketing communications;
- Complaint handling;
- Employment purposes; and,
- Performing specific statutory or administrative functions, for example responding to a request under the Freedom of Information Act 1982 (Cth) or under the Privacy Act 1988 (Cth).
You can opt out of receiving marketing or publications at any time.
GBRMPA will not use or disclose personal information for a purpose other than that for which it was collected unless:
- Your consent is obtained;
- GBRMPA is required to, or authorised by the law or a court or tribunal order; or,
- Otherwise in accordance with the applicable privacy and data protection laws.
To the extent permitted under the law (for example as an ‘enforcement body’ under the Privacy Act), GBRMPA may also use or disclose your personal information for a secondary purpose related to, or directly related to, the purpose of collection where you would reasonably expect that your information would be used for this other purpose.
These secondary purposes may include activities such as public education or quality assurance.
At or before the time GBRMPA collects your personal information (or as soon as practical afterwards), GBRMPA will take such steps as are reasonable in the circumstances to provide you with a collection notice setting out, among other things, the purpose and legal basis of the collection.
Common situations in which we disclose information are detailed below:
- Assessment and ongoing management of Marine Park permissions. Some commercial activities and operations occurring in the Marine Park and the Great Barrier Reef (Coast) Marine Park require a permission.
- Permissions are issued by GBRMPA and the Queensland Parks and Wildlife Service through a joint permission system.
- GBRMPA will disclose information about your application and any ongoing management of your permission to the Queensland Parks and Wildlife Service to give effect to the joint permission system arrangement.
- GBRMPA also makes publicly available pursuant to section 174 of the Great Barrier Reef Marine Park Regulations 2019 copies of all Permits, applications and decisions made on applications for permission via the Permits Register found at https://secure.gbrmpa.gov.au/ENQEXT 29.
- If your application is deemed to be of public interest, there may also be a requirement under the Great Barrier Reef Marine Park Regulations to advertise your application for permission and allow public comment.
- Through the Great Barrier Reef Intergovernmental Agreement, the Australian and Queensland governments have been working together for the long-term management of the Great Barrier Reef Marine Park. On the water, GBRMPA and the Queensland Parks and Wildlife Service operate a joint field management program encompassing the Marine Park and the Great Barrier Reef (Coast) Marine Park.
- GBRMPA routinely discloses personal information obtained on water about potential offences against Marine Parks legislation as well as vessel monitoring, incident response and other matters necessary for the proper management of the Marine Parks to the Queensland Parks and Wildlife Service.
- GBRMPA may also be required to disclose personal information to various third parties, including other Australian and State Government agencies as well as other law enforcement bodies for the purposes of investigating complaints, responding to incidents and managing compliance with the Great Barrier Reef Marine Park Act 1975 and associated environmental legislation.
- GBRMPA will only disclose personal information about program/event participants with the express consent of participants in that program or as required by law.
Disclosure to service providers
Examples of third parties GBRMPA may disclose your personal information to include external service providers such as IT consultants, professional advisers and government or business partners with whom GBRMPA has a formal contractual relationship. GBRMPA will only share this information for a lawful purpose (including a contractual purpose) and will only do so with your express consent.
GBRMPA uses a number of service providers to whom we disclose personal information.
These include providers that host our website servers, manage our human resources, undertake research and peer reviews on our behalf, as well as solicitors and external investigators and third party vendors such as ticket sales providers.
These third-party service providers have access to personal information needed to perform their functions, but may not use it for other purposes.
We make available to you services, products, applications, or skills provided by third parties for use on or through GBRMPA. For example, you can buy tickets from third parties through our website.
You can tell when a third party is involved in your transactions, and we share customers' personal information related to those transactions with that third party.
Other than as set out above, you will receive notice when personal information about you might be shared with third parties, and you will have an opportunity to choose not to share the information.
To protect the personal information that we disclose to these service providers we:
- enter into a contract or Memorandum of Understanding (MOU) which requires the service provider to only use or disclose the information for the purposes of the contract or MOU
- include special privacy requirements in the contract or MOU where necessary.
GBRMPA will only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures that ensure compliance with the APPs, Privacy Act and GDPR and accordingly protect the rights of the data subject.
Disclosure of personal information overseas
Noting that third party vendors may be located overseas, GBRMPA does not generally otherwise disclose personal information to overseas entities. If GBRMPA were required to disclose your personal information overseas we would take reasonable steps to ensure that the overseas recipients of your personal information had sufficient processes in place to ensure that there was no breach of the obligations under the Privacy Act or GDPR. We would also inform you of the overseas disclosure and the countries to which your personal information was disclosed.
Publication of personal information on the internet
Similarly, in some instances we may be required to publish your personal information on the internet, for example through a public consultation process. We are unable to control how a third party will use your personal information if it is published on the internet and, as such, we will advise you if your personal information is to be published on the internet and ensure that it is only published with your consent.
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
Disclosure to the responsible Minister, Parliament and other Government Departments by law
We may also be required by law to provide your personal information upon request to the responsible Minister, a House or Committee of the Parliament and the Auditor-General.
There may also be occasion where other Australian Government agencies require us by law to provide them with your personal information, such as the Australian Taxation Office and the Australian Competition and Consumer Commission.
D. GBRMPA’s POLICY IN RELATION TO PRIVACY AND MINORS
GBRMPA is committed to ensuring the protection of privacy of minors and recognises that those under the age of 18 cannot be taken to have consented to the use of their personal information.
GBRMPA does not market products or services to children; rather, they are marketed to adults to purchase for children. GBRMPA’s Reef HQ website, which sells goods and services, does not sell products for purchase by children; rather, it sells children's products for purchase by adults.
If you are under 18, you may use GBRMPA’s Reef HQ Services only with the involvement of a parent or guardian.
E. HOW GBRMPA TRANSFERS INFORMATION WE COLLECT INTERNATIONALLY
GBRMPA does not disclose your personal information to any overseas recipient unless one of the following applies:
- The recipient is subject to a law or binding scheme substantially similar to the Australian Privacy Principles, including mechanisms for enforcement.
- You have consented to the disclosure after being expressly informed that GBRMPA will be taking reasonable steps to ensure that the overseas recipient does not breach the applicable privacy and data protection laws.
- It is required or authorised by law.
- It is required or authorised by an international agreement relating to information sharing to which Australia is a party.
- It is reasonably necessary for an enforcement related activity conducted by, or on behalf of, an enforcement body and the recipient performs similar functions.
- An exception applies under the law.
F. HOW GBRMPA STORES AND SECURES INFORMATION WE COLLECT
GBRMPA aims to store all records digitally. GBRMPA also requires its staff to ensure that any digital or paper records containing personal information are stored securely.
GBRMPA’s employees are bound by confidentiality obligations as a condition of their employment, and this extends to ensuring that personal information collected by GBRMPA is kept confidential.
We take reasonable steps to protect the security of the personal information we hold from both internal and external threats. We:
- regularly assess the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
- take measures to address those risks, for example, we keep a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly check that staff only access those records when they need to
- keep records of processing activities under their responsibility
- conduct regular internal and external audits to assess whether we have adequately complied with or implemented these measures.
Personal information is securely destroyed or de-identified in accordance with our records disposal authority when no longer needed.
GBRMPA takes security of personal information seriously and has implemented a range of physical and electronic security measures to protect your personal information from unauthorised access, use, modification, disclosure or misuse including the implementation of firewalls.
Electronic records of personal information collected by GBRMPA are stored in databases that are hosted on servers in Australia.
Records relating to consumers are stored in databases by third party vendors. These vendors' servers are located in Australia.
In each case, GBRMPA’s IT systems are protected by appropriate IT security measures.
GBRMPA strives to ensure the security, integrity and privacy of personal information submitted to its websites, and periodically updates its security measures in light of current technologies. You need to be aware of inherent risks associated with the transmission of information via the Internet.
While the systems GBRMPA uses are very secure, GBRMPA cannot guarantee or warrant the security of any personal information you submit to its websites.
No information will be stored on websites. If you have concerns in this regard, GBRMPA has other ways of obtaining and providing information. Postal services, phone and fax facilities are available.
GBRMPA websites may also be linked to websites operated by third parties. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship, endorsement or approval of these websites.
Visitors to those websites should refer to their separate privacy policies and practices, e.g. Google Analytics and Adobe packages.
QUALITY OF PERSONAL INFORMATION
To ensure that the personal information we collect is accurate, up-to-date and complete we:
- where necessary, confirm the accuracy of information we collect from a third party or a public source
- promptly add updated or new personal information to existing records
- audit our contact lists to check their accuracy.
We also review the quality of personal information before we disclose it.
MANAGING YOUR ACCOUNT AND SUBSCRIPTION
If you wish to delete your registered account or unsubscribe to GBRMPA communications such as newsletters, publications, and event invitations, you may do so by contacting us using the contact details set out in this Policy.
To ensure we have the correct information, please include your registered email address, first name and last name, and requested change.
G. HOW TO ACCESS AND CONTROL YOUR INFORMATION INCLUDING EXERCISING YOUR RIGHTS AND MAKING COMPLAINTS
AUSTRALIAN PRIVACY ACT
Under the Privacy Act, you have the right to seek access to the records of personal information that GBRMPA holds about you.
You also have the right to ask GBRMPA to alter your personal information if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If you wish to access or correct your personal information that Reef HQ holds, please submit a written request setting out what information you wish to access or correct, your name and a mailing/email address to the address below, using the contact details set out at the end of this Policy.
Reef HQ may require you to verify your identity. GBRMPA will respond to your request within 30 days.
If GBRMPA refuses to provide you with access to your personal information or to correct that information as you request, you will be provided with reasons for that refusal, and information about how to make a complaint (refer to the Complaint Handling Policy).
If GBRMPA refuses to correct your personal information, GBRMPA will take reasonable steps to associate a statement with your personal information that you consider the information to be inaccurate.
You may also request access to and seek correction of personal information under the Freedom of Information Act 1982 (Cth).
How to make a complaint
If you wish to complain to us about how we have handled your personal information you should complain in writing. Your complaint must describe how you think your privacy has been interfered with, so we can investigate it. It will assist if you can explain:
- what happened
- when it happened (including dates)
- what personal information of yours was affected
- who did it (include names of individuals involved if known)
- how and when you found out about it.
Our procedure for investigating and dealing with privacy complaints is:
- the Privacy Officer receives a written complaint about the alleged breach of privacy
- the Privacy Officer will acknowledge receipt of your complaint within a reasonable time
- if further information is required to investigate your complaint, the Privacy Officer will contact you to obtain further details about the alleged interference with your privacy
- the Privacy Officer will identify the relevant line area where the alleged breach has occurred and will provide details to the Director of that line area to enable that Director to undertake a proper investigation of the alleged privacy breach
- the relevant Director will provide details of the alleged privacy breach to the Privacy Officer
- the Privacy Officer will consider the details provided by the line area and determine whether there was an interference with your privacy under the Privacy Act
- the Privacy Officer will respond to you within 30 days of receiving your complaint.
If you have complained to us about the way in which your personal information has been managed, and you do not believe that the matter has been resolved satisfactorily, you should write to the Office of the Australian Information Commissioner (OAIC), preferably using the online complaint form.
Further information about making a privacy complaint to the OAIC can be found at http://www.oaic.gov.au/privacy/making-a-privacy-complaint.
Under the EU GDPR, EU residents may exercise their data subject rights – for example:
- Right of Access
- Right of Erasure
- Right to Rectification
- Right to Object
If you wish to exercise these rights, you may submit a written request using the contact details set out in this Policy.
You have a right to lodge a complaint with the relevant supervisory authority in your member state. We encourage you to contact us first so that we can respond to your concerns. We will do our best to resolve them promptly in accordance with relevant laws and policies.