SCOPE
The Great Barrier Reef Marine Park Authority (Reef Authority) recognises the importance of your privacy rights and, in turn, the importance of being transparent about how we collect, use, and share information about you. We demonstrate this by complying with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), the Spam Act 2003 (Cth), and other applicable privacy and data protection laws such as the European Union General and Data Protection Regulations (GDPR).
We routinely undertake Privacy Impact Assessments and follow a Privacy by Design approach so that privacy protection is built into our systems.
The GDPR applies to the data control activities of the Reef Authority and the data processing activities of any vendor partners in the European Union. The Reef Authority at times offers goods and services by way of issuing permissions under the permit systems.
Our goods and services are available to individuals in the European Union. The Reef Authority also monitors the behaviour of individuals including in the European Union – via our websites using tools such as cookies.
The purpose of this Policy is to provide you with detail about what we do with your data, how you can exercise your privacy rights, and the purposes for which we use your personal information.
This Policy is intended to help you understand:
- A. WHAT INFORMATION THE REEF AUTHORITY COLLECTS ABOUT YOU
- B. HOW THE REEF AUTHORITY COLLECTS INFORMATION ABOUT YOU
- C. HOW THE REEF AUTHORITY USES AND DISCLOSES INFORMATION ABOUT YOU INCLUDING WHEN INFORMATION IS SHARED WITH THIRD PARTIES FOR PROCESSING
- D. THE REEF AUTHORITY’S POLICY IN RELATION TO PRIVACY AND MINORS
- E. HOW THE REEF AUTHORITY TRANSFERS INFORMATION WE COLLECT INTERNATIONALLY
- F. HOW THE REEF AUTHORITY STORES AND SECURES INFORMATION WE COLLECT
- G. HOW TO ACCESS AND CONTROL YOUR INFORMATION INCLUDING EXERCISING YOUR RIGHTS AND MAKING COMPLAINTS
- H. CONTACT US
This Policy applies to all staff of the Reef Authority and all individuals engaging with the Reef Authority whose personal information may be collected, stored and used by the Reef Authority or its partners.
This Policy applies to the Reef Authority’s management of personal information across all of its offices (in Australia and, if the need arises from time to time, internationally).
This Policy also covers the information we collect about you when you use our services, or otherwise interact with the Reef Authority, unless a different privacy policy is provided.
This Policy also explains your choices about how we use information about you. Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you.
When we refer to "the Reef Authority," "we," or "us" in this Policy, we mean the Great Barrier Reef Marine Park Authority established under the Great Barrier Reef Marine Park Act 1975 (GBRMP Act), whose registered office is at 235 Stanley Street, Townsville, Queensland 4810, which controls the information the Reef Authority collects when you use the services including, among other things, our websites.
A. WHAT INFORMATION THE REEF AUTHORITY COLLECTS ABOUT YOU
The types of information that the Reef Authority collects will depend on the nature of your dealings with the Reef Authority and its services and may include your name, contact details, payment details, photographic information, and your views and opinions about the Reef Authority’s services.
We collect, hold, use and disclose personal information to carry out our functions or activities under the GBRMP Act, Great Barrier Reef Marine Park Regulations 2019 and associated environmental legislation.
Other legislation may also confer powers or functions on the Reef Authority including the Environment Protection and Biodiversity Conservation Act 1999, Freedom of Information Act 1982 and the Public Governance and Performance Accountability Act 2013.
B. HOW THE REEF AUTHORITY COLLECTS INFORMATION ABOUT YOU
The Reef Authority collects your information only for a lawful purpose, which is reasonably necessary for or directly related to GBRMP Act functions, or other legislation which confers functions on the Reef Authority.
At all times we try only to collect the information we need for the particular function or activity we are carrying out. The main way we collect personal information about you is when you give it to us.
The Reef Authority will ensure that any Personal Information collected is relevant to its purpose, is accurate, complete and up-to-date. The Reef Authority will collect information directly from you, unless it is reasonably impracticable to do so.
When we collect personal information from you, we will in most cases issue you with a collection notice and seek your express consent to collect the information where consent is the lawful basis for collection. We will not treat silence as consent, use pre-ticked boxes or allow for bundled consent.
At times you may be required by law to provide the information.
Personal information may be collected when we:
- are contacted by you and asked by you for information (but only if we need it)
- are notified about a possible offence against our legislation committed by another person (but only if we need it to investigate the allegation further)
- are notified of a complaint about services you have received from the Reef Authority
- are notified of a Work Health and Safety (WHS) incident report made in relation to you (or involving you), in compliance with the Reef Authority’s obligations under the Work Health and Safety Act 2011
- receive a complaint about a possible privacy breach
- receive an application for a Marine Park permission
- receive a submission in response to a public consultation (although you are not required to provide your name and contact details)
- receive an application for membership of a Reef Advisory Committee
- receive an application for a job vacancy at the Reef Authority
- are required to do so for other purposes, where necessary, to enable the Reef Authority to perform its functions or powers under the GBRMP Act or other legislation.
We may also collect personal information from you for the purposes of compliance with your obligations under the GBRMP Act and associated environmental legislation.
For example, you may be required to provide your name and address if a Marine Park inspector reasonably suspects that you have committed an offence against the GBRMP Act or associated environmental legislation.
Collecting sensitive information
We may also need to collect sensitive information about you, for example to investigate a complaint, investigate a WHS incident report or to further engage with you for the purposes of ascertaining your views about a particular project. Depending on the purpose for collecting your sensitive information, this might include information about your racial or ethnic origin, health, association memberships or criminal history.
Indirect collection
In the course of performing the Reef Authority functions listed above, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties such as:
- your authorised representative, if you have one
- applicants, complainants, respondents to a complaint, investigation, application or the third parties’ employees and witnesses
- the State of Queensland, in particular from the Queensland Parks and Wildlife Service who jointly manage the Marine Park with us, or from the Australian Government Department of Agriculture, Water and the Environment.
We may also access personal information (including sensitive information) about you through surveillance and enforcement related activities.
Website use
If you use the Reef Authority’s website, information is recorded about your visit for web personalisation; research, statistical and reporting purposes; and to allow the Reef Authority to improve its websites and services. The Reef Authority also uses cookies and session tools to improve your experience when visiting its site as discussed below (refer to the Cookies and Analytics Policy).
The information collected may include your IP address, the referring site and the pages visited on the Reef Authority’s sites. IP addresses are logged to track a user's session while the user remains anonymous. The Reef Authority analyses this data for certain trends and statistics, such as which parts of the Reef Authority websites users are visiting and how long they spend there.
In general, you can browse the Reef Authority websites without telling the Reef Authority who you are or revealing any personal information about yourself.
Great Barrier Reef Marine Park Authority web platforms:
The Reef Authority has its own public website – http://www.gbrmpa.gov.au/ – and we manage a number of associated websites including:
- Great Barrier Reef Aquarium http://www.reefhq.com.au/
- Eye on the Reef http://www.gbrmpa.gov.au/sightings-network/
- Geohub https://geohub-gbrmpa.hub.arcgis.com/
- Outlook Report https://outlookreport.gbrmpa.gov.au
Statistical and security purposes:
When you browse our website, our Internet Service Provider makes a record of your visits and logs (in server logs) the following information for statistical and security purposes:
- your server and assigned IP address
- your top level domain name (for example .com, .gov, .au)
- your operating system (for example Windows, MAC)
- the date and time for your visit to the site
- the pages accessed and documents downloaded
- the previous site you visited
- the type of browser used.
No attempt will be made by the Reef Authority to identify website users or their browsing activities except in the unlikely event of an investigation where a law enforcement agency may exercise a warrant to inspect server logs.
The statistics and log files may be preserved indefinitely and used at any time and in any way necessary to prevent security breaches and to ensure the integrity of the information supplied by the Reef Authority.
Where you use the Reef Authority’s social media pages (such as Facebook or Instagram) the Reef Authority will not collect any personal information about you without your consent.
Cookies and Other Tracking Technologies
The Reef Authority’s Sites and Apps and our third-party partners, such as our advertising and analytics partners, use cookies and other tracking technologies (e.g. pixels) to provide functionality and to recognize you across different Services and devices.
For more information, please see our Cookies and Analytics Policy which includes information on how to control or opt-out of these cookies and tracking technologies.
Subscription services
When you subscribe to one of our newsletters, we collect your personal information for the purpose of providing you with the subscription service.
We may use Campaign Monitor to provide services related to your subscription; and we share your personal information with Campaign Monitor for this purpose. We may also use Campaign Monitor’s analytics tools for the purpose of improving our communications with you. Personal information held by Campaign Monitor is handled in accordance with Campaign Monitor's Privacy Policy. Please note, Campaign Monitor’s website and subscription services are provided, supported, and hosted on servers in the United States of America. This means that your personal information may be sent overseas, stored, and shared by Campaign Monitor in the United States (including with other countries). In that case, the privacy protection laws of the United Kingdom, EU and the USA may also apply to your personal information.
If you choose not to provide us with the personal information we request, we may not be able to provide the subscription service to you. However, if you contact us we will assist you to access our newsletter services in another way, wherever possible.
Online Platforms
The Reef Authority manages a number of online platforms to provide the public and stakeholders with a user-friendly system to engage with us, for the purpose of the performance of the Reef Authority’s functions and powers.
These online platforms include:
- Bookings online https://secure.gbrmpa.gov.au/bookingsonline/
- EMC online https://secure.gbrmpa.gov.au/EMC/
- Permits online https://secure.gbrmpa.gov.au/permitsonline
These platforms are secure and can only be accessed by stakeholders with a login and password. Access to these platforms within the Reef Authority is on a need-to-know basis and is restricted to those staff who manage these processes and systems.
Where it is practicable, you may choose to remain anonymous or adopt a pseudonym when dealing with the Reef Authority.
The provision of your personal information on the Reef Authority’s websites is voluntary and you can opt out at any time. However, if you choose not to provide your personal information, we may not be able to forward the material that you are requesting or provide you with one of the numerous services available through the websites.
C. HOW THE REEF AUTHORITY USES AND DISCLOSES INFORMATION ABOUT YOU, INCLUDING WHEN INFORMATION IS SHARED WITH THIRD PARTIES FOR PROCESSING
The Reef Authority will only use and disclose personal information for the purpose for which it was collected, or otherwise in accordance with the applicable privacy and data protection laws and regulations.
For example, if you register on a Reef Authority website to receive information about the Great Barrier Reef Aquarium, the Reef Authority will use your name and email address to send you this information.
Other examples include use or disclosure for the purpose of:
- Providing you with the publications or services you have requested;
- Marketing communications;
- Complaint handling;
- Employment purposes; and,
- Performing specific statutory or administrative functions, for example responding to a request under the Freedom of Information Act 1982 (Cth) or under the Privacy Act 1988 (Cth); or managing WHS incidents in compliance with the Work Health and Safety Act 2011.
You can opt out of receiving marketing or publications at any time.
The Reef Authority will not use or disclose personal information for a purpose other than that for which it was collected unless:
- Your consent is obtained;
- the Reef Authority is required to, or authorised by the law or a court or tribunal order; or,
- Otherwise in accordance with the applicable privacy and data protection laws.
To the extent permitted under the law (for example as an ‘enforcement body’ under the Privacy Act), the Reef Authority may also use or disclose your personal information for a secondary purpose related to, or directly related to, the purpose of collection where you would reasonably expect that your information would be used for this other purpose.
These secondary purposes may include activities such as public education or quality assurance.
Common situations in which we disclose information are detailed below:
- Assessment and ongoing management of Marine Park permissions
- Some commercial activities and operations occurring in the Marine Park and the Great Barrier Reef (Coast) Marine Park require a permission.
- Permissions are issued by the Reef Authority and the Queensland Parks and Wildlife Service through a joint permission system.
- The Reef Authority will disclose information about your application and any ongoing management of your permission to the Queensland Parks and Wildlife Service to give effect to the joint permission system arrangement.
- Pursuant to section 174 of the Great Barrier Reef Marine Park Regulations 2019, the Reef Authority also makes publicly available copies of all Permits, applications and decisions made on applications for permission via the Permits Register found at https://secure.gbrmpa.gov.au/ENQEXT.
- If a permit application is deemed to be of public interest, there may also be a requirement under the Great Barrier Reef Marine Park Regulations to advertise the application for permission and allow public comment.
- Through the Great Barrier Reef Intergovernmental Agreement, the Australian and Queensland governments have been working together for the long-term management of the Great Barrier Reef Marine Park. On the water, the Reef Authority and the Queensland Parks and Wildlife Service operate a joint field management program encompassing the Marine Park and the Great Barrier Reef (Coast) Marine Park.
- The Reef Authority routinely discloses personal information obtained on water about potential offences against Marine Parks legislation as well as vessel monitoring, incident response and other matters necessary for the proper management of the Marine Parks to the Queensland Parks and Wildlife Service.
- The Reef Authority may also be required to disclose personal information to various third parties, including other Australian and State Government agencies as well as other law enforcement bodies for the purposes of investigating complaints, responding to maritime incidents, managing WHS incidents and managing compliance with the GBRMP Act and associated environmental legislation.
Disclosure to service providers
The Reef Authority uses a number of service providers to whom we disclose personal information. The Reef Authority may disclose your personal information to external service providers such as:
- IT consultants;
- professional advisers;
- government or business partners;
- website server hosts;
- providers that manage our human resources;
- researchers and peer reviewers;
- solicitors;
- external investigators; and
- third party vendors (such as ticket sales providers),
with whom the Reef Authority has a formal contractual relationship.
The Reef Authority will only share this information for a lawful purpose (including a contractual purpose) and will only do so with your express consent.
These third-party service providers have access to personal information needed to perform their functions, but may not use it for other purposes.
We make available to you services, products, applications, or skills provided by third parties for use on or through the Reef Authority.
To protect the personal information that we disclose to these service providers we:
- enter into a contract or Memorandum of Understanding (MOU) which requires the service provider to only use or disclose the information for the purposes of the contract or MOU;
- include special privacy requirements in the contract or MOU where necessary.
The Reef Authority will only use service providers that provide sufficient guarantees that they will implement appropriate technical and organisational measures that ensure compliance with the APPs, Privacy Act and GDPR and accordingly protect the rights of the data subject.
Publication of personal information on the internet
Similarly, in some instances we may be required to publish your personal information on the internet, for example through a public consultation process. We are unable to control how a third party will use your personal information if it is published on the internet and, as such, we will advise you if your personal information is to be published on the internet and ensure that it is only published with your consent.
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
Disclosure to the responsible Minister, Parliament and other Government Departments by law
We may also be required by law to provide your personal information upon request to the responsible Minister, a House or Committee of the Parliament and the Auditor-General.
There may also be occasions where other Australian Government agencies, such as the Australian Taxation Office and the Australian Competition and Consumer Commission, require us by law to provide them with your personal information.
D. THE REEF AUTHORITY’S POLICY IN RELATION TO PRIVACY AND MINORS
The Reef Authority is committed to ensuring the protection of privacy of minors. The Reef Authority does not generally market products or services to children. In circumstances where a product or service is marketed or designed for use by children (e.g. educational programs) and requires the collection of personal information, the Reef Authority takes steps to ensure that a parent or guardian is appropriately involved.
E. HOW THE REEF AUTHORITY TRANSFERS INFORMATION WE COLLECT INTERNATIONALLY
The Reef Authority does not disclose your personal information to any overseas recipient unless one of the following applies:
- The recipient is subject to a law or binding scheme substantially similar to the Australian Privacy Principles, including mechanisms for enforcement.
- You have consented to the disclosure, and the Reef Authority will be taking reasonable steps to ensure that the overseas recipient does not breach the applicable privacy and data protection laws.
- It is required or authorised by law.
- It is required or authorised by an international agreement relating to information sharing to which Australia is a party.
- It is reasonably necessary for an enforcement related activity conducted by, or on behalf of, an enforcement body and the recipient performs similar functions.
- An exception applies under the law.
F. HOW THE REEF AUTHORITY STORES AND SECURES INFORMATION WE COLLECT
We take reasonable steps to protect the security of the personal information we hold from both internal and external threats as follows:
- The Reef Authority aims to store all records digitally. The Reef Authority also requires its staff to ensure that any digital or paper records containing personal information are stored securely.
- The Reef Authority’s employees are bound by confidentiality obligations as a condition of their employment, and this extends to ensuring that personal information collected by the Reef Authority is kept confidential.
Reef Authority staff:
- regularly assess the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
- take measures to address those risks, for example, we keep a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly check that staff only access those records when they need to
- keep records of processing activities under their responsibility
- conduct regular internal and external audits to assess whether we have adequately complied with and implemented appropriate privacy protection measures.
- securely destroy or de-identify personal information in accordance with our records disposal authority when the information is no longer needed.
REEF AUTHORITY SYSTEMS
The Reef Authority takes security of personal information seriously and has implemented a range of physical and electronic security measures to protect your personal information from unauthorised access, use, modification, disclosure or misuse including the implementation of firewalls.
Electronic records of personal information collected by the Reef Authority are stored in databases that are hosted on servers in Australia.
Personal information may sometimes be stored in databases by third party service providers. These service providers’ servers are located in Australia.
In each case, the Reef Authority’s IT systems are protected by appropriate IT security measures.
REEF AUTHORITY WEBSITES
The Reef Authority strives to ensure the security, integrity and privacy of personal information submitted to its websites, and periodically updates its security measures in light of current technologies. There are, however, inherent risks associated with the transmission of information via the Internet.
While the systems the Reef Authority uses are very secure, the Reef Authority cannot guarantee or warrant the security of any personal information you submit to its websites.
No personal information will be stored on Reef Authority websites. If you have concerns in this regard, the Reef Authority has other ways of obtaining and providing information. Postal services, phone and fax facilities are available.
Reef Authority websites may also be linked to websites operated by third parties. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship, endorsement or approval of these websites.
Visitors to linked third party websites should refer to the separate privacy policies and practices of the hosts, e.g. Google Analytics and Adobe packages.
QUALITY OF PERSONAL INFORMATION
To ensure that the personal information we collect is accurate, up-to-date and complete we:
- where necessary, confirm the accuracy of information we collect from the source
- promptly add updated or new personal information to existing records
- audit our contact lists to check their accuracy
- review the quality of personal information before we use or disclose it.
G. HOW TO ACCESS AND CONTROL YOUR INFORMATION INCLUDING EXERCISING YOUR RIGHTS AND MAKING COMPLAINTS
AUSTRALIAN PRIVACY ACT
Under the Privacy Act, you have the right to seek access to the records of personal information that the Reef Authority holds about you.
You also have the right to ask the Reef Authority to alter your personal information if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If you wish to:
- access or correct your personal information that the Reef Authority holds; or
- delete your registered account or unsubscribe to Reef Authority communications such as newsletters, publications, and event invitations
Using the contact details set out at the end of this Policy, please submit:
- a written request setting out what information you wish to access or correct;
- the account or subscription you wish to unsubscribe from;
- your name; and
- a mailing address or email address.
To ensure we have the correct information, please include your registered email address, first name and last name, and requested change. The Reef Authority may require you to verify your identity. The Reef Authority will respond to your request within 30 days.
If the Reef Authority refuses to provide you with access to your personal information or to correct that information as you request, you will be provided with reasons for that refusal. If you wish to make a complaint about an access refusal, refer to the ‘How to make a complaint’ section, below.
If the Reef Authority refuses to correct your personal information, the Reef Authority will take reasonable steps to associate a statement with your personal information that you consider the information to be inaccurate.
How to make a complaint
If you wish to complain to us about how we have handled your personal information you should complain in writing. Your complaint must describe how you think your privacy has been interfered with, so we can investigate it. It will assist if you can explain:
- what happened
- when it happened (including dates)
- what personal information of yours was affected
- who did it (include names of individuals involved if known)
- how and when you found out about it.
Our procedure for investigating and dealing with privacy complaints is:
- the Privacy Officer receives a written complaint about the alleged breach of privacy
- the Privacy Officer will acknowledge receipt of your complaint within a reasonable time
- if further information is required to investigate your complaint, the Privacy Officer will contact you to obtain further details about the alleged interference with your privacy
- the Privacy Officer will identify the relevant line area where the alleged breach has occurred and will provide details to the Director of that line area to enable that Director to undertake a proper investigation of the alleged privacy breach
- the relevant Director will provide details of the alleged privacy breach to the Privacy Officer
- the Privacy Officer will consider the details provided by the line area and determine whether there was an interference with your privacy under the Privacy Act
- the Privacy Officer will respond to you within 30 days of receiving your complaint.
If you have complained to us about the way in which your personal information has been managed, and you do not believe that the matter has been resolved satisfactorily, you should write to the Office of the Australian Information Commissioner (OAIC), preferably using the online complaint form.
Further information about making a privacy complaint to the OAIC can be found at Privacy complaints | OAIC.
EU GDPR
Under the EU GDPR, EU residents may exercise their data subject rights – for example:
- Right of Access
- Right of Erasure
- Right to Rectification
- Right to Object
If you wish to exercise these rights, you may submit a written request using the contact details set out in this Policy.
You have a right to lodge a complaint with the relevant supervisory authority in your member state. We encourage you to contact us first so that we can respond to your concerns. We will do our best to resolve them promptly in accordance with relevant laws and policies.
H. CONTACT DETAILS
Great Barrier Reef Marine Park Authority
PO Box 1379
235 Stanley Street, Townsville, Queensland 4810
Phone: +61 74750070
Email: privacy@gbrmpa.gov.au (which is the same mailbox as foi@gbrmpa.gov.au)
Web: www.gbrmpa.gov.au