1. What is this policy about?
State Library Victoria values the personal information of individuals.
This policy describes how we protect the personal information of individuals in accordance with applicable privacy laws.
Depending on the context, this policy should be read in conjunction with our other policies, for example, our entry and service policies.
Certain terms used in this policy have a particular meaning which is set out in the Definitions section of this policy.
This policy applies to our Board, our committees and all staff who do work for us or on our behalf, including our employees, volunteers and contractors.
This policy covers personal information handled by us except where the personal information is:
- in a generally available publication
- kept by us for the purposes of reference, study or exhibition
- a public record that is available for public inspection in accordance with the Public Records Act 1973 (Vic)
- archived within the meaning of the Copyright Act 1968 (Cth).
From time to time, we may change this policy, for example, to reflect changes in applicable law or our practices. We reserve the right to make changes to this policy at any time.
3. How we handle personal information
3.1. Collecting personal information
We interact with individuals in multiple ways, including in connection with:
- visits to our premises (including members of the public, schools, employees, volunteers and contractors);
- prospective and actual employment and volunteering with us;
- prospective and actual memberships (including corporate and Startspace applicants and members);
- our tenants and venue hire by third parties;
- the purchase of our offerings;
- the supply of products and services to us;
- grant and lending arrangements to and from us;
- donations; and
- representatives from external organisations (business and stakeholder relationships).
We collect personal information for certain activities in order to administer our activities, perform our functions under the Libraries Act 1988 (Vic) and comply with our other obligations (for example, under the Privacy and Data Protection Act 2014 (Vic)).
You can interact with a number of our activities anonymously. For example, you can access and browse parts of our website without providing your personal information to us. It is not always practical to anonymously interact with certain activities. Examples of why we may ask for your personal information include:
- to gather data to provide relevant products and services to you;
- to communicate with you about our relevant products and services;
- to provide access to our services and premises, respond to requests and facilitate venue hire;
- to offer you the opportunity to participate in surveys and promotions;
- to administer and manage our websites;
- to record and respond to interactions with us, including via social media channels;
- to manage attendance at events, subscriptions to newsletters and to administer memberships (including applications);
- to manage business, volunteer and employment relationships;
- for operational and commercial reasons, including processing financial transactions, and entering into legal arrangements (for example, executing contracts);
- to engage in fundraising, donation, bequest and loan communications and processes;
- to support inclusivity and facilitate reporting (for example, reporting demographic information to the Victorian Government);
- to comply with legislative and regulatory obligations, including providing a safe workplace; and
- for safety and security purposes, including incident management.
The type of personal information we may ask for and collect includes:
- names (including actual and preferred names);
- phone number and email address;
- date of birth and age details;
- biographical, educational, religion, cultural, linguistic and gender identity details;
- education and work history, skills, salary, performance and professional membership information;
- job titles, roles and places of work;
- referee and emergency contact information;
- financial and banking details, and tax file numbers;
- medical information (for example, to make reasonable adjustments for workers, or cater for dietary requirements at events);
- signatures (including employees, members and donors);
- photos and recordings, including CCTV footage (for example, for incidents) and consent forms for events;
- business names and business associates;
- catalogue use history, use of resources (for example, co-working spaces and meeting rooms) and Google Analytics data;
- donation details including date, amount and description of donated item including photographs);
- date of death and the Will (in connection with bequests); and
- ideas, interests, opinions and other information you volunteer to share (for example, to learn about your family history).
When we collect personal information, we take reasonable steps to make you aware of the following:
- why we are collecting your personal information;
- who we may share your personal information with;
- whether any law requires us to collect your personal information;
- the main consequences (if any) if you do not provide your personal information;
- that you can contact us to access the personal information we hold about you;
- how you can contact us.
Where possible, we collect personal information directly from individuals.
Where we handle any personal information which relates to an individual who is under 18 years old, we will take reasonable steps to seek consent from their parent or guardian.
We collect health information and/or sensitive information only if the law allows us to do so, and if it is reasonably necessary for carrying out our activities. For example, we may collect the health information of prospective employees to enable them to participate in recruitment processes. In such circumstances, we will handle the information in accordance with applicable privacy and health laws.
3.2. Using, storing and sharing personal information
We may use, store and share your personal information:
- for the reason it was collected;
- in accordance with our legal obligations (for example, to assist law enforcement agencies); and
- as part of accessing third party products and services which helps us carry out our activities and perform our functions. Before sharing your personal information, we will require third parties to agree to comply with this policy and the Information Privacy Principles in the Privacy and Data Protection Act 2014 (Vic).
In some circumstances, your personal information may be used or shared for a purpose which is related to the main reason we collected the information, and where you would reasonably expect us to use or share the information for that other purpose, in accordance with the Information Privacy Principles in the Privacy and Data Protection Act 2014 (Vic).
3.3. Transferring personal information outside Victoria
At times, we may need to transfer your personal information outside Victoria, for example, to the server of a third party organisation located outside Victoria. If we need to transfer your personal information outside Victoria, we will require third parties to agree to protections required by the Privacy and Data Protection Act 2014 (Vic).
3.4. Retention, de-identification and destruction of personal information
We will retain your personal information for so long as is necessary for us to administer activities, perform our functions and comply with our obligations (for example, under the Public Records Act 1973 (Vic)).
We will de-identify or permanently destroy your personal information if it is no longer required for any purpose.
3.5. Accessing and updating personal information
We take reasonable steps to protect your personal information from being misused, lost, accessed by unauthorised people, or changed without your knowledge. For example, we may restrict physical and electronic access to certain personal information to authorised staff only.
We require third parties to agree to restrict access to personnel who have a need to access your personal information to deliver agreed products and services to us.
We rely upon you to provide accurate and current personal information, and to notify us when your personal information changes. We understand that you may want to change your preferences, for example, you may choose to opt out of a mailing list but continue to access other member benefits. You can ask for access to your personal information by contacting us via email [email protected] or writing to:
The Privacy Officer
Policy, Risk and Legal,
State Library Victoria,
328 Swanston Street, Melbourne VIC 3000.
We will notify you if we are unable to provide access (for example, if providing access to you would infringe upon another’s individual’s rights). In such circumstances, we will also notify you of other options you may consider to request access to your personal information, including by making a Freedom of Information request.
3.6. Assigning unique identifiers
We may assign a unique identifier to your personal information where it is required by law or necessary to efficiently carry out our activities and functions, for example, assigning a Library member number.
3.7. Your use of our websites
We collect certain information about visits to our websites to support us to manage our websites and continue to provide relevant products and services.
If you are logged in to a Library membership account, then we may collect information associated with your account and use your information in accordance with the purpose(s) for which it was collected and as permitted by law.
Web servers automatically capture and log some data associated with visits to our websites. Some data may also be captured by Google Analytics, including the date and time of your visit and pages accessed.
You may be able to opt out of some tools, for example, Google Analytics provides an opt-out service.
We do not control all personal information you choose to share with us via our websites and other channels. Some personal information you enter on the Library website may appear elsewhere, for example:
- Content publicly contributed to the Library’s websites may be stored by Google and other search engines, for example if you leave a comment on a blog post.
- Snapshots of the Library’s websites may be captured periodically for historical purposes and are stored in and available from the National Library of Australia’s Trove website.
Our website contains links to other websites that we do not operate or control. You are responsible for checking the privacy policies and practices of any entities and websites you choose to interact with.
We take reasonable steps to protect the security of personal information shared with us via the internet. Despite this, there various are risks associated with transmitting information over the internet. If you are concerned about transmitting your personal information to us over the internet, you may contact us for more information.
3.8. Social media
We use a range of social media platforms including Facebook, Instagram, Twitter, YouTube, and LinkedIn. We welcome lawful contributions by the public on our social media platforms. When you interact with us on these platforms, you are agreeing to our requirements, as well as the terms of service of these platforms. You are responsible for checking the privacy policies and practices of platform service providers.
We use archiving and other services to manage content and comments across the social media platforms. We may collect the personal information of individuals who have been restricted from accessing our social media platforms, for example, to prevent further antisocial interactions on these platforms.
3.9. Data breach
We will notify you if we become aware of unauthorised access to your personal information which creates a risk of harm to you.
We may also report data breaches to the Office of the Victorian Information Commissioner on a voluntary basis or in accordance with our obligations relating to security incidents.
3.10. Complaints and queries
If you have questions about this policy, or want to make a complaint about how we have handled your personal information, please email [email protected] or write to:
The Privacy Officer
Policy, Risk and Legal,
State Library Victoria,
328 Swanston Street, Melbourne VIC 3000.
We will investigate alleged breaches of this policy. An investigation could result in a range of outcomes, for example, a review of this policy, changes to our privacy practices, and disciplinary action where employee misconduct is involved.
You can also make a privacy complaint to the Office of the Victorian Information Commissioner. The Office of the Victorian Information Commissioner will generally expect you to complain to us before you complain to it.
If your complaint is about health information, then you can make a complaint to the Health Complaints Commissioner.
Activities includes any projects, programs, processes, practices, systems, services or other activity which the Library undertakes or otherwise engages with.
Handle or handling of personal information and similar expressions used in this policy include doing any of the following things in respect of personal information:
- destruction; and
Health information includes:
- information or an opinion about an individual’s physical, mental or psychological health (at any time), an individual’s disability (at any time), or an individual’s expressed wishes about future provision of health services to him or her; or
- other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
- other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.
Personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information to which the Health Records Act 2001 (Vic) applies.
Sensitive information means information or an opinion that relates to an individual’s:
- racial or ethnic origin; or
- political opinions; or
- membership of a political association; or
- religious beliefs or affiliations; or
- philosophical beliefs; or
- membership of a professional or trade association; or
- membership of a trade union; or
- sexual preferences or practices; or
- criminal record;
that is also personal information.
Unique identifier means an identifier (usually a number) assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual's name and does not include an identifier within the meaning of the Health Records Act 2001 (Vic).
We, our, us means the Library.
You or your means an individual whose personal information will be, or is being, handled by us.