PRIVACY

As a Commonwealth agency, CrimTrac must operate in accordance with the Commonwealth Privacy Act 1988. Section 14 of the Privacy Act specifies eleven Information Privacy Principles (IPPs) that govern how agencies may collect, store, use and disclose personal information

What is personal information?

The Privacy Act defines personal information as: "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion". CrimTrac operational systems contain personal information (e.g. fingerprints, criminal histories, firearms registrations etc).

The role of CrimTrac

The primary role of CrimTrac is to provide Australia's police services with enhanced access to high quality operational information, much of which is personal information. In performing this role, CrimTrac acts as an information clearing house for the police services. The CrimTrac Agency does not collect personal information from individuals. Rather, it undertakes what are referred to as 'third party collections' from police services, which may in turn have collected the information directly from the individuals concerned. When information is provided through the CrimTrac Agency to the police it is for the purpose of criminal investigation and law enforcement.

The privacy regime for personal information

The CrimTrac Agency is required to ensure that personal information within its possession or control is handled in accordance with the IPPs. Amongst other things, the agency is required, along with its contractors to:

• ensure the safe storage and security of information within CrimTrac (IPP 4);
• provide details of the nature of personal information held within CrimTrac in an annual report to the Commonwealth Privacy Commissioner (IPP 5);
• where relevant, provide individuals with access to their personal information held within CrimTrac (IPP 6);
• where relevant, allow for the updating of personal information held within CrimTrac (IPP 7);
• limit use and disclosure of personal information (IPPs 10 & 11); and
• generally assist in the promotion and implementation of privacy safeguards.

To meet its privacy obligations, CrimTrac:

• is actively involving the Commonwealth Privacy Commissioner in the development of its information privacy policies and procedures, including the role of the Commissioner in auditing its activities;
• has put in place stringent security measures to protect the security of the personal information in its systems and to guard against unauthorised access, use, modification or disclosure. CrimTrac's systems use sophisticated hardware, software and communications technology to combat attempted unauthorised access or interference with data. Access to operational data is on a need to know basis, and audit logs are maintained of who has accessed what information;
• includes privacy requirements in its contracts with outsourced service providers;
• provides privacy training to its staff and contractors so that they are aware of their obligations;
• is working with police services to reinforce best practice in how information on operational systems is accessed; and
• is developing policies for handling requests to access personal information and complaints.

Good privacy is good policing

There is a convergence between the interests of Australian police services and adherence to the IPPs. Police services need to be confident that:

• the information held on CrimTrac systems is secure and not open to unauthorised access, use or tampering;
• the information that they are accessing is accurate and up to date;
• their officers are using the information provided through the CrimTrac Agency for the purpose of law enforcement; and 
• the systems, policies and procedures that the CrimTrac Agency is implementing will assist in achieving the twin goals of personal information privacy and good policing.

Federal Personal Information Digest

Each year CrimTrac provides the following information to the Federal Privacy Commissioner:

• the nature of the various types of personal information kept by Crimtrac;
• the purpose for which these records are kept;
• the class of individuals to which the records apply;
• the period for which the records are kept; and
• details of how individuals can get access to records about themselves.

This information is published in the Federal Privacy Commissioner's Federal Personal Information Digest. The latest version of this digest is available at The Office of the Privacy Commissioner - Personal Information Digest.

Privacy Contact Officer

Further information on privacy and personal information as it relates to CrimTrac is available from CrimTrac's Privacy Contact Officer on 02 6268 7826 or by email.