DTH privacy policy

This policy outlines the collection, use, disclosure and protection of personal information collected by the Department of Tourism and Hospitality (DTH) through the delivery of services and programs of the department. This policy should be read in addition to the Northern Territory Government’s copyright, disclaimer and privacy statements.

This policy provides guidance to the Department of Tourism and Hospitality staff for the protection of personal information in compliance with the Information Privacy Principles (IPP) in the Northern Territory Information Act 2002 and, where applicable, with the Australian Privacy Principles (APP) in the Commonwealth Privacy Act 1988.

This policy describes the personal information that may be collected by the department and how that information is protected. It applies to DTH staff, and includes its contracted service providers and their employees, subcontractors or agents, or any other persons providing services to the DTH, to the extent of their involvement in handling the department’s personal information.

DTH is committed to protecting the privacy of the personal information it collects relating to the officers and entities with whom it engages. Some of these entities include but are not limited to: businesses and associations across industry sectors and their employees, apprentices and trainees, skilled migrant applicants, students, and any other individuals that the department collects personal information from.

The department collects, manages, uses and discloses information in accordance with:

  • Information Act 2002 (Information Act) (NT)
  • Information Regulations 2010 (NT)
  • Privacy Act 1988 (Privacy Act) (Commonwealth) (to the extent applicable)
  • Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Commonwealth)
  • Privacy Amendment (Notifiable Data Breaches) Act 2017 (Commonwealth).

3.1. Definitions

Australian Privacy Principles (APP) means the rules covering the handling, use and management of personal information including the right to access and correct personal information, in schedule 1 of the Privacy Act.

Eligible data breach means a breach of data that is likely to result in serious harm to any of the individuals to whom the information relates as defined by the Office of the Australian Information Commissioner.

Information Privacy Principles (IPP) means general rules that govern the collection, management, access and correction of personal information contained in schedule 2 of the Information Act.

Person means an individual and includes a deceased individual within the first five years after death as defined in section 4 of the Information Act.

Personal information means government information containing personal details of an individual and any other information that directly or indirectly identifies a person, except where:

  1. she disclosure identifies a person who is acting in an official capacity for DTH, and
  2. no other personal information about the person is disclosed, as defined in section 4A of the Information Act.

Privacy means privacy with respect to personal information section 4A of the Information Act.

Notifiable Data Breach Scheme means established requirements for data breach notifications under the Privacy Act where entities must notify the Australian Information Commissioner and individuals of eligible data breaches.

Sensitive information is a subset of personal information and means personal information as set out in section 4 of the Information Act relating to racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional / trade association or trade union, sexual preferences or practices, criminal record or health information.

3.2. Principles

3.2.1. Collection of personal and sensitive information

The department will only collect information that is necessary for any of its functions or activities by reasonable and lawful means and in most instances, directly from the individual.

In vocational education and training related matters, information may be provided by third parties such as the National Centre for Vocational Education Research Limited.

At the time personal information is collected, the department will ensure that individuals are aware of:

  • the identity of the department and how to contact it
  • the purpose for which the information is collected
  • the fact that the individual is able to have access to the information
  • the persons or bodies, or classes of persons or bodies, to which the department usually discloses information of the same kind
  • any relevant laws that require the particular information to be collected, and
  • the consequences if any, of not providing the information.

If the department collects personal information about an individual from another person, DTH will take reasonable steps to ensure that the individual is aware of these matters, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of the individual or another individual.

DTH will only collect personal information about an individual directly with an individual’s consent, unless it is otherwise required by law, or the individual is incapable of communicating consent and the information would prevent or lessen a serious threat to life and health, or it is required in relation to a legal claim.

Reasonable steps will be taken to ensure the quality of the personal information collected, and that the information is accurate, complete and up to date.

3.2.2. Use and disclosure

DTH will not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose for which it was collected unless one or more of the following apply:

  • consent has been provided
  • if the information is sensitive information, the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the department to use or disclose the information for the secondary purpose
  • if the information is not sensitive information, the secondary purpose is related to the primary purpose and the individual would reasonably expect the department to use or disclose the information for the secondary purpose
  • the use and disclosure is necessary for research or the compilation or analysis of statistics in the public interest and will not be published in a form that identifies an individual, it is impracticable to seek consent and it is reasonably satisfied the recipient of the information will not disclose the personal information
  • DTH has reason to suspect that unlawful activity has been, is being or may be engaged in and uses or discloses the information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities
  • DTH reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency:
    • preventing, detecting, investigating, prosecuting or punishing an offence or a breach of a prescribed law
    • enforcing a law relating to the confiscation of proceeds of crime
    • protecting public revenue
    • preventing, detecting, investigating or remedying seriously improper conduct or prescribed conduct
    • preparing for or conducting proceedings before a court or tribunal or implementing the orders of a court or tribunal
  • other circumstances set out in IPP 2.

3.2.3. Accessing and updating personal information

Except in certain circumstances, DTH will take reasonable steps to allow individuals to access their personal information, and to correct the information where necessary or associate a statement outlining their concerns with the information. The department will always provide reasons for refusing to provide access to or correct personal information, and give its reasons for delays in responding to requests within a reasonable time.

3.2.4. Keeping personal information secure

DTH will take reasonable steps to ensure that the personal information it collects is protected from misuse and loss and from unauthorised access, modification or disclosure. Reasonable steps to destroy or de-identify personal information that is no longer needed will be done in accordance with the department’s retention and disposal schedules and / or in accordance with any formal agreements governing the information.

In the event of an eligible data breach, DTH will act in accordance with the Notifiable Data Breach Scheme under the Privacy Act. The department will seek to promptly determine the nature of the breach and secure against further breaches, alert authorities where criminal activity is suspected, assess the risk of harm to affected individuals, and notify individuals and the Information Commissioner if the breach is significant.

3.2.5. Openness

This privacy policy can be accessed from DTH's website and intranet. Any questions not addressed in this policy can be directed to the privacy officer under making a privacy complaint below.

3.2.6. Anonymity

Individuals may have the option of dealing anonymously or by pseudonym with DTH except in circumstances where it is required by law, and where it is impracticable for DTH to deal with individuals who have not identified themselves. For example, it may be impracticable to resolve an individual’s complaint about how they have been treated by DTH , if the individual does not provide their name or other information that allows DTH to identify the circumstances of the complaint.

3.2.7. Trans border data flows

In most cases, DTH will not transfer personal information outside of the Territory unless the transfer is required or authorised by a law of the Territory or the Commonwealth, or the person has consented to the transfer, or DTH reasonably believes the transfer is necessary for performance or completion of a contract between DTH and a third party that would benefit the individual, or it is impracticable to obtain consent and the individual would likely agree to the transfer. The department will only transfer information where it is reasonably satisfied it will be handled in a manner consistent with these principles and others set out in IPP 9.

Where contracts and agreements with third parties require the transfer of personal information, privacy and confidentiality clauses within the contracts and agreements will require compliance with the Information Act and the IPPs, or the Privacy Act and the APPs as appropriate.

3.2.8. Confidentiality obligations

Staff members, contractors and third parties of DTH have a responsibility to collect, use and disclose personal information in the course of official employment or engagement consistent with the IPPs and APPs (where the latter are applicable). Information shall only be released in accordance with the Information Act and the Privacy Act (where the latter applies), and with advice of the privacy officer. Unauthorised access to personal information must be reported to DTH's privacy officer and to the responsible owner of the information. The handling of confidential information is outlined in the department’s confidentiality policy.

3.2.9. Making a privacy complaint

Complaints about privacy should be directed to DTH's privacy officer to request a resolution. If unsatisfied with the response by this department, a complaint may be lodged with the Northern Territory Office of the Information Commissioner, within 12 months of becoming aware of the privacy matter.

To contact us with a complaint or privacy question, you can contact us at:

Privacy Officer
Department of Tourism and Hospitality
GPO Box 3200
Darwin NT 0801
Phone: 08 8999 1792
Opening hours: Monday to Friday, 8am to 4:21pm CST

September 2020
Version 2.0


Give feedback about this page.

Share this page:

URL copied!