Information privacy plan

What is personal information?

'Personal information' is defined in the IP Act as:

Information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

For clarity, personal information is not necessarily sensitive or confidential, and it doesn’t need to directly identify the individual. If their identity could be discovered by taking a series of steps (for example, by combining several pieces of information to work out which individual is being referred to) then this may be personal information.

As personal information relates to information about individuals, corporations do not have privacy rights under the IP Act.

What is not personal information?

The IP Act sets out some kinds of documents which, even if they include what would otherwise be considered personal information, do not have the same protections. These include documents concerning:

• covert operations of law enforcement agencies
• witness protection
• certain complaints and investigations of misconduct under the Police Service Administration Act 1990 and the Crime and Corruption Act 2001
• public interest disclosures made under the Public Interest Disclosure Act 2010
• Cabinet and Executive Council
• commissions of inquiry.

The IPPs also do not apply to a document that is a generally available publication (that is, a document which is normally available to the public). Information about a deceased person is also not considered personal information for the purposes of the IP Act.

Our overall responsibility for the proper use of personal information rests with our Ombudsman. However, all of our team members are responsible for ensuring that they comply with the IP Act and this plan in relation to the collection, management, use and disclosure of personal information that we hold. Employees are given access only to information which is relevant to their duties.

The day-to-day organising of information privacy has been delegated to the Information Privacy Officer who is the first point of contact for members of the public and employees when they have a question or concern about privacy and personal information. The Information Privacy Officer is responsible for:

• monitoring compliance with the IP Act, reporting on IP Act matters and providing general information on privacy-related issues
• dealing with requests to amend records containing personal information
• dealing with suspected breaches of privacy and privacy complaints
• conducting privacy audits.

The Information Privacy Officer can be contacted at rti&ip@ewoq.com.au or by phone on 1800 662 837.

The Privacy Principles

There are 11 IPPs that set out how personal information must be collected, stored, secured, accessed, amended, used and disclosed.

While we abide by the 11 IPPs, we are also governed by a section in our legislation (the Energy and Water Ombudsman Act 2006) which clarifies that when a customer contacts us to make a dispute (or to discuss a dispute), we can assume that the customer has agreed for us to use and disclose the information provided for the purpose of the dispute. The section states:

Use and disclosure of personal information

(1)  For any IPP under the Information Privacy Act 2009, the making of a dispute referral is, of itself, taken to be agreement by each party to their personal information relevant to the dispute—

(a)   being used by the energy and water ombudsman or either party for a preliminary inquiry or investigation concerning the dispute; or

(b)   being disclosed by the ombudsman to a party or from a party to the ombudsman for a purpose mentioned in paragraph (a); or

(c)   if a party is required to disclose the information under section 24(2) or 29, being disclosed to the ombudsman.

In practice, this means that we will disclose personal information provided to us by customers to the scheme participant (the customer’s energy or water supplier/distributor) complained about so that we can obtain their response to the complaint or seek clarification of issues or further information. See below (under “What information we collect and how we use it”) for further information on the types of personal information disclosed and for what purposes.

IPPs 1-3: Collection of personal information

Principle 1:  Collection of personal information (lawful and fair)

Principle 2: Collection of personal information (requested from individual)

Principle 3: Collection of personal information (relevance etc)

We can only collect personal information for a lawful purpose directly related to the work that we are authorised to do under our Act. The purpose of collecting personal information should be specific and current and the information must be complete and up to date. We must not collect information in a way that is unfair or unlawful, we must not intrude unreasonably into the personal affairs of the person when collecting this information.

When personal information is being collected, we must take reasonable steps to tell the person:

• why we are collecting the information
• whether we are authorised by or required under law to collect the information
• who will or normally would receive the information. We do this in the form of disclosure notifications on our website, telephone recorded messages and online complaint page.

IPP 4: Storage and security of personal information

We must make sure that the information we hold is protected against loss, misuse, or unauthorised use, access, modification or disclosure.

If we give personal information to another entity or agency in the course of our activities and functions, we must take reasonable steps to prevent unauthorised use or disclosure of the information by that other entity or agency. Contracts between us and our external service providers must include provisions to protect personal information holdings.

IPPs 5-7: Access to and amendment of personal information

Principle 5: Providing information about documents containing personal information

Principle 6: Access to documents containing personal information

Principle 7: Amendment of documents containing personal information

IPPs 5-7 require us to give individuals access to their own personal information that we hold, except if this is not allowed because of another law. We must also allow an individual to ask for amendments to any inaccurate, irrelevant, out of date, incomplete or misleading personal information.

The kinds of information that can be changed and our ways of handling an application to access or change personal information held by EWOQ are detailed below.

IPPs 8-10: Use of personal information

Principle 8: Checking the accuracy of personal information before use by agency

Principle 9: Use of Personal information only for relevant purposes

Principle 10: Limits on use of personal information

If we use personal information, we must take reasonable steps to make sure that personal information is correct, up to date, relevant and complete before using it. When we collect personal information, we must not use it for any reason other than the reason for which we collected it, unless:

• the individual has agreed (expressly or impliedly) for us to use it in this other way
• there are reasonable grounds to believe that a disclosure of it is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety and welfare
• the other way we intend to use it is:
  • required or authorised by law
  • reasonably necessary for certain law enforcement activities
  • directly related to the purpose for which the information was obtained
  • necessary for research or statistical analysis in the public interest (and certain requirements are met).

IPP 11: Disclosure of personal information

We must not give a person’s personal information to a third party (i.e. disclose the information) unless:

• that person is reasonably likely to be aware that the information is usually given to the third party
• that person has agreed (expressly or impliedly) to the disclosure
• there are reasonable grounds to believe that the disclosure is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety and welfare
• the disclosure is authorised or required under a law
• the disclosure is reasonably necessary for certain law enforcement activities
• the disclosure is necessary for research or statistical analysis in the public interest (and certain preconditions are met)
• the information is used for us marketing something to the individual, but only if we are satisfied on reasonable grounds that we are complying with IPP11(4)
• the information is routine personal information about one or more of our employees that relates solely to the routine day-to-day work duties of that employee (such as a work classification, or the listing of a name as author of a paper where that employee is the author).

We collect certain kinds of personal information regularly as part of the work we do in resolving disputes and running our office. We usually collect information from our customers (people who contact us with a complaint to resolve) when they first get in touch with us or throughout the course of resolving a complaint (and sometimes at other times when we are contacted by customers generally). We also collect relevant personal information of our team members and potential recruits.

Customers

When a customer calls us, we may ask for personal information on the phone, in person, or by letter or email. We may monitor or record calls for case management, training and coaching purposes. Customers can tell the operator if they don’t want us to do this.

We collect personal information from our customers when they make a complaint to us so that we can properly assist them in resolving it. We need this information to provide our services. The types of information we collect include (but may go beyond if needed):

• their name^[1]
• their contact details (e.g. current and previous addresses, telephone numbers, email address)
• how many people live at the home the complaint relates to
• account information (current and past) relevant to the dispute
• information the energy or water supplier or distributor gives to us about the customer
• other information provided to us by the customer, supplier or distributor (which might include photos of the property or meter and the like)
• information from collection agencies
• other demographic information (which is provided at the customer’s choice and not a prerequisite to service)
• information about any special needs of the customer (for example, if they need an interpreter).

Use by our team members

On a day-to-day basis any of our team members with responsibility for receiving and responding to enquiries (including responding to comments or messages on social media), conducting investigations or undertaking administrative activities (and any team member responsible for supervising activities) may have access to personal information.

Similarly, other team members who work on planning, managing systemic issues, creating policy or reporting may have access to personal information for the purposes of collating statistics, reporting (including case studies with identifying information removed, presentations, training and quality checking), or developing or researching policies and procedures. The information used may include demographic information to better target our community engagement work, to report to other regulators and Government bodies, and otherwise to assist in developing our processes and services. Any of the work produced by these team members will only be published if the information is de-personalised.

Other team members responsible for the managing of information technology systems may have access to personal information for the purposes of maintaining and creating the platforms on which the data is stored.

Customers can tell us if they do not want us to use their personal information in these ways, or if they want more information on how we manage their personal information.

Information provided to other entities

As indicated above, we will also disclose personal information given to us by customers to the customer’s energy or water supplier/distributor (the entity complained about) so that they can respond to the complaint or seek clarification of an issue or further information. This is required by the Act. We may give access to this information through an online portal or via email or post.

A customer’s personal information may also be provided to government entities with a legitimate interest in the information, provided EWOQ has the customer’s consent or is required by law to do so, for example, by force of a subpoena.

If a complaint is not within EWOQ’s jurisdiction we may, with the customer’s consent, refer the complaint to government entities or other ombudsman schemes which have a legitimate interest in the information, for example:

• Queensland Office of Fair Trading
• Queensland Competition Authority
• Department of Energy and Public Works
• Department of Regional Development, Manufacturing and Water
• Australian Competition and Consumer Commission
• Australian Energy Regulator
• Queensland Ombudsman
• Australian Energy Market Commission
• Office of the Australian Information Commissioner.^[2]

Customer feedback and surveys

A customer’s personal information may also be used for undertaking internal or external surveys. Customers are given an opportunity in speaking with our team members to consent to be involved in the surveys or advise EWOQ that they do not wish to be surveyed.

Information which identifies customers who have consented to the survey (name and contact details only) may be provided to an external company solely for the purpose of that company conducting surveys on behalf of EWOQ.

Where stated on a survey, a customer’s responses may be provided to members of our scheme (i.e. retailers and network service providers) for use in quality control and in improving services. This includes entities which do not have a direct relationship with the customer (e.g. retailers other than their own). We will only provide the substantive responses and not the names or contact details of the customer, but if the customer’s responses have identified themselves then this information will not be removed before the information is given to the members of our scheme.

We use the information our customers provide in surveys to improve our processes and review our performance.

Our team members and recruits

On a day-to-day basis some of our team members (those who have appropriate authorisation and operational need) have access to personal information of other team members.

Employee information

We collect and store certain employee-related information because we are required to by law.^[3]Employee records include details about personnel, payroll, recruitment, performance and other records. The information collected may include names, dates of birth, occupation, employee identification number, general medical information, qualifications, next of kin, relationship details, details of pay and allowances, travel records, personal financial information, leave details, timesheet information and overtime records, work reports, employment history, staff awards, disciplinary investigations and actions, performance assessments and criminal convictions.

The above information is used for our internal human resource management, including assessing whether employees are complying with policies and procedures. This information may be accessible by certain team members, including the employee’s manager and line managers and others as required and appropriate. This information is stored and kept confidential otherwise.

Certain employee information relating to payroll, leave, employee requests and contact information is stored in online portals operated by third party providers. These third-party providers are subject to confidentiality obligations and the IP Act under the terms of their engagement.

Recruitment information

Similarly, we keep personal information provided by potential recruits, including applications to work with us, records relating to referee checks, interview notes and selection panel assessments. This information is collected and used so that we can select employees fairly and is provided to members (and relevant administrative assistants) of selection panels (including possible third-party panel members) for use in deciding the successful candidate. The relevant details about a person’s application may be disclosed to a person’s nominated referees in the event their application warrants a referee check.

Recruitment information may be processed and handled through third party platforms, such as other government services and Springboard (as part of SmartJobs). Our human resources contractors may have access to information provided as part of recruitment processes for use in assisting us with evaluating applicants.

As part of our screening process, criminal history checks may be undertaken in accordance with a consent form from applicants. This information is used in hiring decisions and then deleted. A record is retained that a search was undertaken without the search results.

Copies of identification documents may be obtained as part of the hiring process to verify identity and other information. This information is deleted once a hiring decision is made.

Limited and specific personal information is disclosed to third parties as appropriate, including superannuation companies as nominated by the team member, the Australian Taxation Office, organisations in receipt of payroll deductions and external medical/emergency personnel. Otherwise information is only disclosed to third parties with the permission of the team member or as required by law (for example, to the Crime and Corruption Commission in connection with allegations of official misconduct).

Other information

We also store other kinds of information (some of which may be personal information) to assist us in running our workplace. This includes content like financial management information, complaints, mailing lists, details of stakeholder groups, communications and publications, audit outcomes, security and general management issues. We collect and store this kind of information in accordance with the IP Act.

^{[1] While a customer can choose to stay anonymous, it is more difficult for us to investigate an anonymous complaint (depending on the details provided) and we will not be able to advise them of the outcome.}

^{[2] The EWOQ is a recognised external dispute resolution scheme (EDR) under section 35 of the Privacy Act 1988 (Cth). Subject to the Energy and Water Ombudsman Act 2006, EWOQ will receive, investigate, facilitate the resolution of, make decisions and recommendations for, and report on, complaints within its scope about acts or practices of EWOQ scheme participants that may be an interference with the privacy of an individual under subsections 13(1) and/or 13(2) of the Privacy Act 1988 (Cth). EDR privacy complaints may be referred to the Office of the Australian Information Commissioner.}

^{[3] Under the Public Service Act 2008 and the Public Service Regulation 2008.}

From time to time we enter into contracts with other entities and people for work associated with the performance of our duties. Some of these contracts require the disclosure of personal information to third parties, or the collection of personal information by third parties on our behalf (including in the ways listed above).

We will take all reasonable steps to ensure that the entity or person we have an agreement with complies with the relevant obligations in the IPPs and their contract with us, and that any entity or person that has made an agreement with us after 1 July 2009 complies with these principles as if it were us.

We will also take steps to ensure that the third party contract or arrangement contains appropriate privacy clauses, or show the steps taken to require the contractor to comply with the IP Act.

We store records (including personal information) on paper and electronically. We will deal with personal information provided to us (whether in person, in paper, over the phone or online) in accordance with legislative obligations and the IP Act. Electronic information is stored securely and protected by two-factor authentication. Hard copy information is stored securely in accordance with its sensitivity, including in locked cabinets and filing systems.

Our information management network regularly holds, stores and allows us to access our complaints management database. Our IT officers, consultants and the IT companies we contract with may have access to personal information (concerning internet and email usage and security) in accordance with the terms of their service agreements with us, which are subject to confidentiality and the IP Act.

Customers may wish someone to contact us on their behalf or have us talk to a representative about their dispute, e.g. a paid representative, a financial counsellor, or a relative or friend. Information about how to complete a form to appoint a representative is here.

Where a representative is appointed by a customer, we use the form to show that the customer agrees for us to ask their representative for information, to give information to that person and to speak to that person as if we were speaking to the customer. We treat information provided by or to an authorised representative in the same way we would treat with the information if it was the customer we were dealing with.

Under the IP Act, we can only transfer personal information outside Australia if:

• the person whose information it is agrees to the transfer; or
• the transfer is allowed because of another law; or
• there are reasonable grounds to believe that the transfer must be made to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety and welfare; or
• two or more of the following apply:
  • the person receiving the personal information outside of Australia is also bound to comply with privacy obligations that are substantially the same as the IPPs
  • the transfer is necessary to the work that we do for the person whose information it is
  • the transfer is for the benefit of the person whose information it is and it is not possible to seek their consent, but if sought it would likely be given
  • reasonable steps have been taken to ensure the information is protected.

Except where we are not allowed because of another law, we are required (under IPP 6 and IPP 7) to allow a person to apply to us to access or amend their own personal information. A person is allowed to do this if the information we hold is wrong or inaccurate, incomplete, out-of-date or misleading.

Any request for access or amendment must be sent to the Information Privacy Coordinator, who can be contacted by emailing rti&ip@ewoq.com.au or calling 1800 662 837, or writing to:

IP Coordinator, Energy and Water Ombudsman Queensland

PO Box 3640

SOUTH BRISBANE BC QLD 4101

If you believe that your personal information has not been handled in accordance with the IP Act, you may make a complaint to us and we will respond to that complaint in accordance with our complaint processes. Further information on EWOQ’s Complaint Management Process.

The complaint should be made within six months from the date when the breach was suspected to have occurred.

Privacy complaints made to EWOQ must:

• give your address where we can forward notices under the IP Act
• include certified identification
• provide particulars of the complaint
• be forwarded to the contact detailed above.

Complaints will be acknowledged in writing within 14 days from the date on which the complaint is received and processed within 45 business days.

Where a longer period of time is required to finalise a complaint, we will contact the complainant to attempt to negotiate an extension of time. On completion, we will inform the complainant of our decision, including any remedies appropriate to resolve the complaint.

If a complainant does not agree with our decision or has not received a decision from us after 45 days from the date the complaint was made, they may take the complaint to the Office of the Information Commissioner (OIC). Complaints to the OIC must be in writing.