Intro
The Department of Creative Industries Tourism and Sport (CITS) is a department of the Government of the State of Western Australia dedicated to championing, supporting and growing sectors and communities in the portfolios of Creative Industries, Tourism, Sport and Recreation and Multicultural Interests.
In delivering services to you, we inevitably collect information which can tell us things about you. This information allows us to ensure we better understand and meet your needs and the needs of the state.
However, we realise that the personal information which we hold and the things we do with it also carries with it risks such as:
CITS is committed to handling your personal information in a manner which seeks to protect you from exposure to these risks.
Core to our commitment to your privacy is our compliance with the Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act), which includes the Information Privacy Principles (IPPs). The IPPs set out rules and standards that agencies must follow when collecting, using, storing, sharing and destroying/de-identifying personal information and de-identified information.
The IPPs include a requirement to publish an up-to-date privacy policy that is clear, concise and written in plain language. This policy explains, at a general level, how we handle personal information when performing our functions and delivering services.
Where CITS handles tax file numbers, we manage them in accordance with the Privacy Act 1988 (Cth) and the Tax File Number Rule made under that Act.
We handle personal information when performing functions and delivering services including:
Personal information means information or an opinion (whether true or not) about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is recorded in a material form or not.
Put simply, personal information is information that can identify you (directly or indirectly), or information that can reasonably identify you.
Personal information:
Sensitive personal information is a special category of personal information. It can include information about health, biometrics, racial or ethnic origin, religious or philosophical beliefs, political opinions, professional or trade union membership, sexuality or sex characteristics, and criminal record. It can also include any personal information from which those matters can be reasonably inferred.
If we need to collect or use sensitive personal information, we do so only where it is necessary for the activity and we apply any extra requirements that apply under the PRIS Act and other laws.
As shown in the snapshot below, the types of personal information we collect depends on our relationship with you and the functions or services you engage with. Below are some key examples.
There are several ways we collect personal information, including where we ask you for it, where you give it to us, where we generate it as part of our work, and where we receive it from someone else, These methods include:
Depending on the activity, we may disclose personal information to external parties such as:
We are required to share only what is reasonably necessary for the relevant purpose.
Where personal information is handled by CITS for the purpose of assisting these bodies perform their functions and provide these services to you, we have steps in place to ensure that it is not handled by CITS for other purposes.
When you comment on, react to, message us through, or otherwise engage with CITS on a social media platform, it is not only CITS collecting or handling information. The relevant social media platform also collects and handles information in accordance with its own terms of service and privacy policy. CITS may receive and use analytics, insights and reporting made available by social media platforms or social media management tools about how users engage with our content, campaigns and channels. This information is generally provided to CITS in aggregated form and may include information such as audience location, age range, reach, impressions, clicks and other engagement metrics.
Where CITS runs paid social media or digital advertising campaigns, CITS or service providers acting on its behalf may use platform tools such as tracking pixels or similar technologies to measure campaign performance, improve communications and understand audience engagement.
CITS may also keep records of social media interactions where needed for accountability, recordkeeping, moderation, campaign administration or to respond to your enquiry. Please do not share sensitive personal information on public social media channels.
Where you wish to engage with us about a specific matter, we encourage you to contact us directly using official CITS channels.
Where it is possible and lawful to engage with CITS without identifying yourself, we will provide that option. For example, you may be able to make a general enquiry about programs we operate or services we offer without providing your full name.
In many circumstances we need to know who you are to perform our functions, provide a service, assess an application, manage a payment, handle a complaint, verify eligibility, manage access to a site, or meet legal and recordkeeping obligations.
CITS may de-identify personal information (remove or change details so a person is not identifiable) for purposes such as reporting, evaluation, research, statistics, policy development and service improvement. When we de-identify information, we take steps to protect it from misuse and loss and from unauthorised re-identification, access, modification or disclosure.
CITS does not generally use automated decision-making processes to make decisions that have a significant effect on individuals.
If CITS later adopts automated decision-making in a way that has a significant effect on individuals, we will explain the process by which their personal information is used in the relevant collection notice or supporting privacy information given to individuals when we collect their personal information.
CITS uses service providers to help deliver its functions including some functions that may involve the handling of your personal information.
CITS has processes in place to ensure that we engage service providers with appropriate cybersecurity safeguards in place.
Wherever possible, CITS endeavours to only store or process your personal information using service providers in Australia. In exceptional circumstances, CITS may store personal information outside of Australia including in the European Union, United Kingdom and United States where a software provider uses offshore data centres or support teams.
When you visit a CITS website, technical and usage information may be collected for statistical, system administration, security and service improvement purposes. This may include your IP address, device type and device information, browser or operating system, approximate or city-level location, the previous site visited, date and time of access, pages viewed, links clicked, events, time spent on pages and documents downloaded.
CITS websites may use analytics, website management, performance monitoring and online form tools, including tools such as Google Analytics, Acquia and Sitefinity. These tools help us understand how our websites are used, monitor performance, identify and resolve issues, improve accessibility and content, manage online services, and collect information submitted through website forms.
Analytical tools may provide reports about broad audience patterns, such as website usage, approximate location, device information and engagement with website content. We do not use routine website analytical information to identify you. We may, however, use technical logs and related data to identify or investigate activity where this is necessary for cyber security, fraud prevention, investigation or law enforcement purposes.
If you submit information through a website form, the information collected will depend on the form, service, program or activity it relates to. Forms may collect identifiable information such as your name, contact details, address, organisation, age or other information needed for the relevant program or service. Information submitted through forms is generally accessed by the CITS business area responsible for the relevant program or activity.
CITS recognises the importance of keeping personal information safe throughout its lifecycle. We take steps to protect personal information from misuse, loss, unauthorised access, modification and disclosure. These steps include:
CITS keeps personal information for as long as required or authorised by law and in line with approved government recordkeeping and disposal rules. Where personal information is no longer needed and is not required to be kept, CITS has processes in place to destroy or de-identify it.
If a privacy incident or data breach occurs, CITS will assess it and take steps to contain and resolve the issue. Where required by law or otherwise appropriate, we will notify affected individuals and relevant regulators such as the Western Australian Information Commissioner or the Office of the Australian Information Commissioner (with respect to Tax File Numbers).
You can ask to access or correct personal information we hold about you. In many cases we can respond through our usual business processes. In some circumstances, requests may need to be managed under the Freedom of Information Act 1992 (WA) (FOI Act). The FOI Act includes some limits and exceptions. To make a request, contact CITS Privacy at privacy@cits.wa.gov.au or CITS FOI at foi@cits.wa.gov.au, or visit CITS’ information statement.
If you have a question about how CITS handles personal information, or if you wish to make a privacy complaint, you can contact CITS using the details below. CITS will consider the matter and respond in accordance with applicable law and internal procedures.
Email privacy@cits.wa.gov.au or lodge a complaint via our complaints website.
Please include enough detail for us to understand your concern and contact you. All complaints which allege that an interference with your privacy or the privacy of someone you represent has occurred will be directed to our designated privacy officer under the PRIS Act.