Skip to main content
Go to search page

Complete privacy policy

What is this privacy policy?

This policy applies to personal information collected by the Murray–Darling Basin Authority (the MDBA).

The MDBA is bound by the Australian Privacy Principles (APPs) (APPs) (www.oaic.gov.au/privacy) in the Privacy Act 1988 (Cth) which set out how we should collect, use, secure, or disclose personal information and how you can access records containing your personal information. We also follow the Australian Privacy Principles Australian Privacy Principles guidelines issued by the Office of the Australian Information Commissioner (OAIC).

The MDBA uses a multi-layered privacy notice format in line with the OAIC's guidelines. This is the complete version of our Privacy Policy. For an overview of how we handle your personal information, see our Condensed Privacy Policy.

This Privacy Policy was last updated in December 2015. This policy will next be reviewed in March 2017 or earlier as required and any changes will be notified on our website.

Visiting our website and social media accounts

Visiting our website

Our website is bound by the Australian Privacy Principles (the APPs) and we also follow the Guidelines for Federal and ACT Government websites issued by the Office of the Australian Information Commissioner (OAIC).

We do not collect identifiable personal information about you if you only browse our website to read or download information.

When you visit our website to read or download information, we may record, through our web server log files or Google Analytics, the following non-personal information for statistical purposes:

  • your server address
  • your top level domain name (eg. .gov, .com, .edu, .org, .au, .nz etc)
  • the pages you accessed and the documents you downloaded
  • the search terms you used
  • the date and time you visited the site
  • the previous site you visited
  • your operating system (eg. Windows, Macintosh)
  • the type of browser you use (eg. Internet Explorer).

This data helps us manage our website efficiently and securely, including monitoring to prevent security breaches and to enhance the website to meet your needs. No attempt is made to identify you or your browsing activities, except in the unlikely event of a criminal investigation, eg. where a law enforcement agency may exercise a warrant to inspect our Internet Service Provider's (ISP) logs.

If you send a message to us through our contact us page, or subscribe to one of our publications or request one of our services, we only record or use the personal information you provide to us to respond to you or provide you with the requested service. Your email address will not be added to a mailing list or used for any other purpose. If we wish to use your email address for another purpose we will seek your prior consent by way of a specific request in writing to you.

Google Analytics

In addition to web server logs, this website uses Google Analytics, a web analytics service provided by Google Inc. ('Google'). Reports obtained from Google Analytics are used to help improve the efficiency and usability of this web site.

Google Analytics uses 'cookies' to help analyse how users use this site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.

Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. Please refer to Google's privacy policy. You can opt out of Google Analytics if you disable or refuse the cookie, disable javascript, or use Google's opt-out service.

Cookies

Cookies are pieces of information that a website can transfer to your web browser. Parts of our website may store cookies on your browser in order to service you better when you next visit the site.

You can change your web browser's settings to reject cookies or to prompt you each time a website wishes to add a cookie to your browser. Some functionality on the website may be affected by this.

For more information about cookies and instructions on how to adjust your browser settings to restrict or disable cookies, see the Office of the Australian Information Commissioner's Privacy Fact Sheet 4 or the Interactive Advertising Bureau website.

Security

The MDBA maintains the same level of security for personal information collected electronically as it does for personal information collected on paper. However, if you are providing personal information via an email or an online form you should be aware that there are some risks to transmitting data via the Internet.

Links to external web sites

The MDBA's web site contains links to other web sites. The MDBA is not responsible for the content and the privacy practices of other web sites and encourages you to examine each web site's privacy policy and make your own decisions regarding the accuracy, reliability and correctness of material and information found.

Accessing our social media accounts

When using MDBA news, or Facebook, Twitter or YouTube, the information posted on their pages is used only to administer the pages and to consider and respond to any comments you make. No attempt will be made to further identify you except where authorised or required by law.

MDBA news is managed by the MDBA. We only record your personal information if you comment on a news article or send us an email. We use Google Analytics to collect statistical web traffic information.

The MDBA is not responsible for the privacy practices of Facebook, Twitter or YouTube and you should refer to their privacy policies on their websites: Facebook privacy policy; Twitter privacy policy; and YouTube privacy policy.

Kinds of personal information collected and held by the MDBA

The main kinds of personal information we collect and hold relate to:

  • personnel, payroll, and recruitment, Fringe Benefits Tax return, worker's compensation returns
  • program records
  • procurement and contracts, including tenders
  • contact and mailing lists
  • requests for publications
  • Freedom of Information requests and responses
  • access to ICT equipment and security passes.

Personal information collected and held relates to government and non-government organisations and individuals and may include contact and mailing list details, such as names, business and private addresses, email addresses and phone numbers; personnel records, employment history and payroll details of employees and contractors; business and financial information for the management of our programs and for contract and procurement purposes.

Sensitive information collected or held in the personnel records of MDBA staff may include information about a person's racial or ethnic origin; memberships of professional or trade associations or trade unions; criminal records; or health information.

How personal information is collected and held by the MDBA

Collection

The MDBA collects personal information only where it is reasonably necessary for, or directly related to, the MDBA's functions or activities, or if collecting sensitive information, if the person concerned expressly consents to the collection.

We only collect personal information directly from the person concerned, unless this is unreasonable or impracticable, and we only collect it by lawful and fair means.

When we receive personal information that we did not ask for we deal with it as if we had requested it.

Dealing with us anonymously or using a pseudonym

You have the option of dealing with us without revealing your identify. You may remain anonymous or use a pseudonym, unless we are required or authorised by law to deal only with an identified person, or it is impracticable for us to respond to you if you have not identified yourself, e.g. to deliver a publication to you, or provide you with feedback.

If you use a pseudonym, MDBA will not link other personal information to the pseudonym unless required or authorised by law, it is impracticable for us to act differently, or you have consented to a link. Access to any personal information that may be linked to a pseudonym is restricted to authorised staff.

The MDBA may seek submissions and comments from the Murray–Darling Basin community on the implementation of the Basin Plan and may also publish them and you will need to provide your name with the submission but you may use a pseudonym for publication purposes.

Contact and mailing lists

Personal information for contact and mailing lists is generally collected directly from the individuals concerned. This information is collected by personal contact, emails, or telephone calls, or website subscription forms. Some personal contact information was also obtained through the transfer of data from the former Murray–Darling Basin Commission.

Personal information contained on contact and mailing lists is only held by the MDBA for the business purposes for which it was collected or for which the individuals have given permission. The records are held on an ongoing basis and are updated regularly.

Storage and security

The MDBA uses a range of physical and electronic systems to store the personal information and takes all reasonable steps to secure the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

These measures include, but are not limited to, restricted physical access to our offices; secure cupboards and storage containers for paper records; secure computer systems and networks for electronic records; controlled access to databases by authorisation, training and passwords; workplace policies; and regular review and testing of our physical and electronic systems.

Personal information is stored in paper and electronic form. Paper records containing personal information are held in secure cabinets with restricted access.

Paper records are held in secure cabinets with restricted access in our Canberra office. Commonwealth Government policy requires the MDBA to create and maintain an effective protective security environment as outlined in the Protective Security Policy Framework (PSPF) 2010 and it is mandatory for all staff to protect our assets and information from theft, unauthorised access and disclosure. Security risks are continually reviewed and assessed and staff are instructed in proper security practices, including a clear desk policy applying to all work areas and the use of appropriate security containers for the type and security classification of the personal information.

All internal electronic records are processed, stored and maintained in accordance with the MDBA's information security management system which is designed to protect the confidentiality, integrity, and availability of electronic information. It is mandatory for all staff who use the MDBA computer systems, including contractors, consultants and volunteers, to comply with the security rules. All records held externally are stored and secured in accordance with "Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements".

Electronic records containing personnel information are held in the following secured systems. Human resources and payroll records are held in a secured server in the Canberra office. Records relating to staff recruitment are hosted by NGA.NET Pty Ltd at a secure off-site facility. Personal information collected in the course of our engagement with Basin stakeholders is held on a secured network service accessible by the internet and hosted by Polymorphic Solutions Pty Ltd in Queensland. Emails are held in a secure exchange server in the Canberra office. Our electronic records management system (TRIM) is held in a secured server in the Canberra office.

Contact and mailing lists are generally stored electronically, either in individual staff members' Outlook email folders or on the Authority's Customer Relationship Management System (SugarCRM). In relation to Outlook folders, only the individual staff member and Information & Technology staff have access.

SugarCRM is a secure customer relationship management system, hosted offsite by Squiz. It contains information and details relating to internal and external stakeholders, Authority and committee members, working groups and task forces. This database is password-protected and is only available to MDBA staff and contracted service providers who are undertaking work on behalf of the MDBA. These records relate to approximately 4,500 individuals. This information is only used by the MDBA for the business purposes for which it was collected or for which the individuals have given permission, and is not disclosed to other parties without prior consent.

Records relating to finance and procurement are in a secure database hosted on a protected internal server.

No personal information is stored overseas.

The purposes for which the MDBA collects, holds, uses and discloses personal information

The MDBA only collects, holds, uses or discloses personal information for purposes which are reasonably necessary for, or directly related to, our functions and related activities. The MDBA is not likely to disclose personal information to overseas recipients.

The purposes for which the MDBA might handle personal information relate to a number of functions under the Water Act 2007 (Cth) and include:

  • for the management of our employees, contractors and service providers
  • to engage with and educate stakeholders and the Basin community in the planning, management and use of the Basin's resources
  • to implement the Murray–Darling Basin Plan, including public consultation, water resource planning and water trading rules
  • to construct and operate River Murray assets such as dams and weirs
  • for environmental water planning and delivery
  • and for river and ecosystem health.

The MDBA carries out these functions directly and through Basin state government agencies in partnership with the Australian Government. More information about the MDBA's role and structure can be found in Part 9, Division 2 of the Water Act 2007 (Cth), on our website, in our Annual Report and in our Information Publication Scheme.

Authority to keep, destroy or transfer records

Records containing personal information are kept, destroyed or transferred in accordance with section 24 of the Archives Act 1983 (Cth). See the National Archives website for further information on records management under section 24 of the Archives Act.

The MDBA follows the Administrative Functions Disposal Authority (AFDA) to keep, destroy or transfer records of an administrative nature common to most Australian Government agencies. This includes functions such as finance, human resources, procurement and publications management.

Records relating to our core business functions and activities are being retained pending the issuing a Records Authority (RA) covering the MDBA.

Core function and activity purposes

Personnel and related records

The purpose of personnel records is to maintain employment history, payroll and administrative information relating to all current and former MDBA employees, including contract and temporary staff. These records may also relate to MDBA Authority and committee members.

The following MDBA staff have access to certain personnel records as appropriate: executive and senior personnel and payroll management staff (including performance management development scheme and learning and development administrators), supervisors and members of selection committees (if appropriate), the individual to whom the record relates and, as is appropriate, security officers, Occupational Health and Safety staff and case managers.

Information held in personnel records may be disclosed, as appropriate, to Comcare, Commonwealth Medical Officers, Attorney General's Department, Department of Defence, Australian Public Service Commission, ComSuper and other superannuation administrators, Australian Taxation Office (ATO), the Australian Federal Police and the receiving agency following movement or re-engagement of an employee.

Personnel records are stored on paper and electronically. These records relate to approximately 700 individuals.

Workers' Compensation Returns

Personal information of MDBA staff is collected for lodging MDBA's annual Workers' Compensation Premium return with Comcare. Comcare also supplies claims information to the MDBA in relation to expenses covered by Workers' Compensation.

The annual return to Comcare contains only aggregated payroll system information and no personal information is disclosed to Comcare. Auditing for workers' compensation premium purposes also does not disclose the names of MDBA staff.

Records relating to Worker's Compensation Premium returns are stored on paper or electronically. The records relate to approximately 6 individuals. Access to workers' compensation records is restricted to Executive and senior Finance and Human Resources staff.

Fringe Benefits Tax (FBT) Return

Personal information is collected to calculate the MDBA's FBT liability to lodge the FBT return with the Australian Taxation Office. The return only contains aggregated financial information and no personal information is disclosed. Records relating to FBT returns are stored on paper or electronically. These records relate to approximately 40 individuals. Access to FBT records is restricted to Executive and senior Finance staff.

Business-related program records

The MDBA holds a range of personal information which is related to our business programs, projects and functions and collected for the management of those programs, including programs managed by the former Murray–Darling Basin Commission (MDBC).
Records with personal information records are held for the following former programs:

  • Water Purchase Program which enabled holders of water entitlements to sell their entitlements to the Commonwealth Government.
  • Rice Growers Association Program which provided funding to irrigators to initiate water savings on-farm in return for permanent water entitlements.

These records are stored on paper and electronically. Access to this personal information is restricted to the Executive and staff in the teams who processed the applications.

Development and implementation of the Basin Plan 2012 (Cth)

Records with personal information are held relating to the development and implementation of the Basin Plan 2012 (Cth) (the Basin Plan). The information relates to submissions, correspondence, and consultations with government and community stakeholders for the purpose of developing the Basin Plan under the Water Act 2007 (Cth). After the adoption of the Basin Plan in November 2012, the information relates to consultations and correspondence with government and community stakeholders for the purposes of implementing the Basin Plan.

This information is held by the Policy and Planning Division and the Corporate and Business Services Division. This information is available to Executive and program staff on a need to know basis within these Divisions. These records are stored on paper and electronically. This information is only disclosed to Basin state governments and related agencies with the permission of the persons concerned.

Submissions

The MDBA may from time to time seek submissions and comments from the Murray–Darling Basin community during the implementation phase of the Basin Plan and may publish them. Only names, or pseudonyms, are published. Any other personal information such as addresses or contact details are not published.

During 2011-12, the MDBA invited submissions from the public on the proposed Basin Plan to help us further shape our policies and design of the Basin Plan. The submissions were published unless the author requested confidentiality in accordance with s43 of the Water Act 2007 (Cth).

Submissions are held in a database that was specifically developed to manage submissions received from the public. Access to the database is restricted to staff who have a business reason to view the information contained in it.

Water markets

The Water Markets Section collects personal information for the purposes of consulting and informing market participants on the rules and obligations imposed by the Basin Plan on the trade or transfer of tradeable water rights. These records are stored on paper and electronically and are only accessible by Water Markets Section staff.

Procurement and Contract records

Personal information such as names, addresses and other contact details are collected for the purposes of conducting tender processes and entering into contracts. This information may also be used in the context of managing contracts.

The MDBA also maintains a Register of Contracts which contains the names of suppliers and contact persons.

Personal information relating to tenders and contracts may be disclosed to the MDBA's legal advisors and auditors, and in accordance with government financial reporting requirements.

Contracts and procurement documentation containing personal information relating to contracts and communications with contractors, are retained in both electronic and hard copy form. All MDBA staff have access to these records on a need to know basis.

Contact & Mailing Lists

Contact lists held by staff are for the purposes of keeping details of our internal and external stakeholders with whom we deal to carry out our business activities and functions, eg. the distribution of information and correspondence, arranging travel for MDBA staff and committee members. These records also relate to secretariat functions, such as the management of the meetings of the Authority and our statutory advisory committees, working groups and task forces.

Subscription mailing lists are held for the purposes of providing request for media releases, newsletters, and education updates. Staff in the Communications Section, or the Education Section for subscriptions to education updates, and web services only have access to these mailing lists.

Publications

Personal information such as names and addresses is collected and used by the Publications Section to provide requests for MDBA publications. Requests are held electronically and are only accessible by the Publications Section staff.

A non-government company is contracted to deliver large or hard-copy publications from an offsite storage facility in Mitchell, ACT, and they subcontract delivery of these publications to individual couriers. The MDBA provides the company with names and addresses for delivery purposes only, and the contracted company is required to keep the information private and confidential in accordance with the Privacy Act 1988 (Cth).

Personal information collected for requests for high resolution images from our Image Library is held and used to provide the requested image. Requests for images are held electronically and are only accessible by the Image Librarian.

Education activities and students

The MDBA's Education Section collects personal information for the purposes of providing requests from students for educational material for study and homework though our 'contact us' link on our website's education page. Personal information collected through our website education updates subscription page is used to provide information on new education activities and programs.

Requests for education material and updates are held electronically and are only accessible by Education Section staff. All other Education Section interactions with students, for example the Basin Champions program, are managed through a class teacher.

Freedom of Information (FOI) files

Personal information contained in FOI records may be disclosed to other agencies with responsibility for the subject matter of particular FOI requests (in accordance with the Freedom of Information Act 1982 (Cth)), the Office of the Australian Information Commissioner, the Administrative Appeals Tribunal and the Office of the Commonwealth Ombudsman.

During the required third party consultation phase of an FOI request, the names of applicants are not disclosed to third parties without the express consent of the applicant.

FOI records are maintained electronically and on paper files. Access is limited to staff in the Legal Section, the Executive Director, Corporate and Business Services and decision making staff (as appropriate).

ICT records

The Information & Computer Technology Branch (ICT) collects the names of individuals for the purposes of processing applications for access to ICT equipment and security passes. Completed application forms are only collected from the relevant individual. Access forms and security pass forms are not disclosed to any third parties. Forms for access to ICT equipment and security passes are stored with the relevant business manager.

Names of applicants for ICT equipment access and security passes are held in an email directory, and in Active Directory which is a database that governs access to ICT equipment. Access is limited to ICT staff.

How you can access or seek correction of your personal information held by the MDBA

The MDBA will provide access or make corrections to the personal information that we hold about you unless we are required or authorised to refuse to give you access or make corrections under the Freedom of Information Act 1982 (Cth) (the FOI Act) or any other Commonwealth law.

You have the right to apply for access to or request correction of the personal information that we hold about you under either the FOI Act or the Privacy Act 1988 (Cth) (the Privacy Act). There is no charge for making an access or correction request. To protect your privacy and the privacy of others, when you contact us we may need to verify your identify.

Former MDBA employees seeking their employment details should initially do so in accordance with our personnel procedures. Please contact the Director, People, Policy and Planning Section, Corporate and Business Services Division.

There are some statutory and administrative differences between the 2 options of making a request under either the FOI Act or the Privacy Act and these are explained below.

Application for access or correction under the FOI Act

Under the FOI Act, you may request access to documents which contain personal information about you. You may also request us to amend or annotate documents that contain personal information about you if you believe that your personal information in the documents is incomplete, incorrect, out of date or misleading. You cannot ask that the information be deleted. If you would like to request that your personal information be deleted you should apply under the Privacy Act (see below).

Under the FOI Act your request must:

  • be in writing, including by email
  • state that the request is an application for the purposes of the FOI Act
  • provide information about the document(s) to assist us to process your request
  • provide an address for reply.

You can send your request to:

By email

foi@mdba.gov.au

By post

FOI Officer
Murray–Darling Basin Authority
GPO Box 1801
CANBERRA ACT 2601

In accordance with the FOI Act, we will acknowledge within 14 days that we have received your request and we will give you our decision within 30 days. This time period can be extended for various reasons including by up to a further 30 days by agreement with you because your request is complex, or by a further 30 days if we need to consult with state governments or with other people where the document relates to their business affairs or personal privacy. For more details see the Office of the Australian Information Commissioner's FOI Fact Sheet 6: Freedom of Information: How to apply.

If you disagree with our decision, you can ask for the decision to be reviewed either by requesting an internal review, which will be conducted by another officer in the MDBA, or you can ask the Office of the Australian Information Commissioner to review our decision. If you disagree with our decision not to amend your personal information, you can also ask us to attach a statement or file note to your personal information that reflects your disagreement. For more details of your review rights, see the Office of the Australian Information Commissioner's FOI Fact Sheet 12 – Freedom of information: Your review rights.

Application for access or correction under the Privacy Act

Under the Privacy Act, Australian Privacy Principle 12 (APP 12) allows you to request access to your personal information. Australian Privacy Principle 13 (APP 13) allows you to request us to correct your personal information if you believe that the information is incomplete, inaccurate, out of date, misleading, or irrelevant.

Under the Privacy Act, your request can be in writing, including by email, or by telephone. Please indicate that the request is a request for access under APP 12 or for correction under APP 13 of the Privacy Act.

You can send your request to:

By email
privacy@mdba.gov.au

By post

Privacy Contact Officer
Murray–Darling Basin Authority
GPO Box 1801
CANBERRA ACT 2601

By phone
02 6279 0100 and ask for the Privacy Contact Officer.

We will acknowledge within 5 working days that we have received your request and we will respond to your request within 30 days. If we refuse to give you access to your personal information or to correct it we will give you written reasons for the refusal, unless it is unreasonable to do so on, for example, if providing a reason could prejudice a legal action.

If you wish to make a complaint about a refusal, you should do so firstly to us by writing (including by email) to the Privacy Contact Officer. We will respond to your complaint within 30 days. If you are still not satisfied with our decision, you can complain to the Office of the Australian Information Commissioner. See the Office of the Australian Information Commissioner's website for further information.

For any further information, please contact MDBA's Privacy Contact Officer (contact details provided at the end of this privacy statement).

How you can complain if we breach the Australian Privacy Principles, and how the complaint will be handled

If you have any concerns about the way we handle your personal information and wish to make a complaint, please contact the Privacy Contact Officer by mail, phone, fax or phone (contact details provided at the end of this policy statement).

The MDBA is committed to the consistent, fair and confidential handling of a complaint. We are also committed to resolving complaints as quickly as possible, generally within 20 working days. You can also expect us to acknowledge your complaint and to keep you advised of progress.

If you are not satisfied with our response, you may request us to reconsider it. You may also make your complaint directly to the Office of the Australian Information Commissioner. However, in most cases the Office of the Australian Information Commissioner will refer you to us to make the complaint in the first place.

How to contact us

Privacy Contact Officer
Murray–Darling Basin Authority
GPO Box 1801
CANBERRA ACT 2601

Email: privacy@mdba.gov.au

Phone: (02) 6279 0100 and ask for the Privacy Contact Officer
 

You have the option to contact us without identifying yourself or of using a pseudonym. Further information on dealing with us anonymously or by using a pseudonym is in our Collection policy above.