Privacy statement

The NSW Government's privacy practices are regulated by the NSW Privacy and Personal Information Protection Act 1998 (the PPIP Act) and a number of other statutory obligations. The PPIP Act establishes certain principles which determine how we collect, manage, store, use and disclose personal information.

We take our obligations under the PPIP Act and other applicable data protection laws seriously and we respect individuals’ rights to determine how their information is used or disclosed. In addition to this Statement, we also:

• publish and review a Privacy Management Plan 
• include descriptions for our customers in our application forms and agreements that outline how we manage personal information in the delivery of our services.

Information we collect when we provide services to the public

As part of providing services, we may collect personal information from multiple sources (such as directly from individuals or public sources). The types of personal information we may collect or be provided with include, but are not limited to:

• name
• email address
• phone numbers
• social media identifiers
• physical and postal address
• geospatial references e.g. coordinates
• date of birth
• financial records

We may also collect sensitive personal information (also called ‘special category information’). We may from time to time, be required to assess if you are likely to fulfil your obligations under a Biodiversity Stewardship Agreement – this is known as a ‘fit and proper person test’. For example, in conducting a ‘fit and proper person test’, we would look for civil and criminal proceedings under certain courts (e.g. the Land and Environment Court of NSW) and the associated legislation.

We may also collect personal information (such as contact details and account details) from suppliers, contractors, and third-party service providers that we engage to help us operate.

Information we collect when we perform any other activities as part of our business

We may collect personal information when performing other activities as part of our business, but which do not directly form part of providing our services to the public. For example, we might collect personal information from members of the public as part of undertaking surveys, research on current issues or as part of projects or initiatives we are conducting with other organisations. The types of information that we collect may vary depending on the nature of the activity. However, we will take reasonable steps to provide clear information about the nature of those activities and the purpose for which we are collecting information.

Information we collect via this website or from events

We may collect personal information from our website or at an event. For example, if people sign up to receive promotional materials or communications about services provided by us. To improve users’ experience when using this website and to ensure it is functioning effectively, we also use “cookies”. Cookies are small files which contain a unique identification number that store information on one’s internet enabled device. Cookies enable us to recognise users returning to our website and enable us to keep track of services they view or preferences they have. We may also use cookies to measure usage, to determine which areas of our website have been visited and to measure transaction patterns.

How do we use personal information collected to provide services to our customers?

We use personal information to provide services to agreement owners. We use this information as permitted by our agreements and we do not use that information for any other purposes unless it is necessary to comply with a legal or professional right or duty.

How we use information collected when we perform other activities as part of our business

When we collect personal information as part of performing other activities as part of our business, we will take reasonable steps to provide clear information about the nature of those activities and how we will use any personal information collected. We may also use non-personal, deidentified or anonymised and aggregated information for several purposes including for data analytics, research, submissions, thought leadership and promotional purposes. Our data policy precludes the use of data linkage to reveal individuals’ identities.

How do we use information collected via this website or through other sources? Do we use it to market goods and services?

We may use the personal information we collect:

• to manage and improve our digital products, such as our website, or emails.
• to tailor the content of our digital products to provide a more personalised experience.
• to share information about NSW Biodiversity Conservation Trust products, services or opportunities we feel may be of interest.
• to seek feedback on our services.

We use personal information to promote new conservation offers, educational and landholder network events and opportunities to fund and scale our work.

Are there any other ways we use personal information?

We may also use personal information to comply with a legal or professional right or duty.

We may be required to disclose personal information to law enforcement, regulatory or government agencies or to other third parties:

• to comply with legal or regulatory obligations or requests e.g. the Government Information (Public Access) Act 2009.
• where there is a legal or professional right or duty to disclose.

We will never disclose personal information for any other secondary purpose without the authorisation of the relevant individual. We may share non-personal, de-identified and aggregated information with third parties for several purposes, including data analytics and research purposes.

Blogs and other social media

This website hosts social media applications that allow you to share content with other users. Any personal information that you contribute to these social media applications can be read, collected and used by other users of the application. We have no control over these other users and, therefore, we cannot guarantee that any information that you contribute to any social media applications will be handled in accordance with this statement.

We will only collect personal information for a lawful purpose which directly relates to our functions and for obtaining feedback about the effectiveness of our services. We will not collect any more information than is necessary for it to fulfil these functions, nor retain it for longer than is necessary.

We will not disclose personal information to anyone without consent unless legally required to do so.

We hold personal information in hard copy and electronic formats. We use a range of physical, operational and digital security measures to protect this information. These measures include:

• written guidelines and advice
• referrals for advice to the Department of Climate Change, Energy, the Environment and Water (DCCEEW) Privacy and Information Access Unit
• Staff awareness through webinars and training to ensure we understand our obligations when handling personal information 
• administrative and ICT controls to limit access to personal information to only those people who need it
• ICT security measures including fire walls, encryption and anti-virus software in line with the NSW Government Cyber Security Policy
• adopting best practice in electronic and physical records management and complying with our obligations under the State Records Act 1998 (NSW)
• keeping information for only as long as necessary and disposing of information securely
• physical security measures, such as employees securing their building access passes and portable information storage devices (e.g. laptops, mobile phones, tablets) at all times.

You may access your personal information at any time. You may also request the information is corrected at any time. To request access, or correct your personal information, please contact us at [email protected]. We will then contact you (either by phone or via email) and after verifying your identity will provide you access to your information . You also have the right to:

• ask that we delete personal information that we hold about you, or restrict the way in which we use your personal information
• withdraw consent to our use of your personal information
• ask us to stop or start contacting you at any time.

If you believe the we have breached your privacy, or have not complied with a request for access or amendment, you can make a complaint:

• directly with us at [email protected], or
• with the Department of Climate Change, Energy, the Environment and Water (DCCEEW) Privacy and Information Access Unit at [email protected] or 02 9860 1440.

You may also choose to submit an application for internal review of conduct with the DCCEEW Privacy and Information Access Unit.

Complaints raised with us may be referred to DCCEEW for their review under Part 5 of the PPIP Act, if it is considered that a serious breach has occurred, or that it is more appropriate to deal with a complaint on a more formal basis. This is known as an internal review.

If unsatisfied, you can seek for the decision to be reviewed by the Administrative and Equal Opportunity Division of the NSW Civil and Administrative Tribunal by emailing [email protected] or calling 1300 006 228.

For more information on privacy, visit the Information and Privacy Commission (IPC NSW) website at https://www.ipc.nsw.gov.au/ or call IPC NSW on 1800 472 679.

We may modify or amend this Privacy Statement from time to time. To let you know when we make changes to this statement, we will amend the revision date at the top of this page. The new modified or amended Privacy Statement will apply from that revision date.