Page title

Intro

About this policy

The Department of Creative Industries Tourism and Sport (CITS) is a department of the Government of the State of Western Australia dedicated to championing, supporting and growing sectors and communities in the portfolios of Creative Industries, Tourism, Sport and Recreation and Multicultural Interests. 

In delivering services to you, we inevitably collect information which can tell us things about you. This information allows us to ensure we better understand and meet your needs and the needs of the state.

However, we realise that the personal information which we hold and the things we do with it also carries with it risks such as:

  • loss of seclusion, i.e. the enjoyment of being left alone, as well as controlling who is aware of aspects of your life or identity which you might reasonably consider to be appropriate knowledge to only you or other specific individuals;
  • loss personal autonomy that might arise from excessive surveillance or monitoring of your behaviours;
  • domestic violence, harassment, loss of reputation or embarrassment where inappropriate access is given to individuals close or known to you;
  • identity theft and financial/property crime;
  • loss in trust in institutions (such as the Department itself and government in general) making it harder for you to receive the benefits of public services; and
  • entrenching of systemic biases and discrimination, e.g. where inappropriate or irrelevant information is collected during a recruitment process and unduly influences decision making.

CITS is committed to handling your personal information in a manner which seeks to protect you from exposure to these risks. 

Core to our commitment to your privacy is our compliance with the Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act), which includes the Information Privacy Principles (IPPs). The IPPs set out rules and standards that agencies must follow when collecting, using, storing, sharing and destroying/de-identifying personal information and de-identified information. 

The IPPs include a requirement to publish an up-to-date privacy policy that is clear, concise and written in plain language. This policy explains, at a general level, how we handle personal information when performing our functions and delivering services. 

Where CITS handles tax file numbers, we manage them in accordance with the Privacy Act 1988 (Cth) and the Tax File Number Rule made under that Act.

Our functions involving personal information

We handle personal information when performing functions and delivering services including:

  • administering grants, funding and other assistance programs
  • supporting, delivering or regulating events, programs and initiatives across our portfolios
  • conducting stakeholder engagement, consultation, research, surveys and program evaluation
  • communicating with the public, stakeholders, industry and community groups, including through newsletters, campaigns, competitions and digital channels such as social media
  • handling complaints, feedback, general enquiries and ministerial correspondence
  • procuring goods and services, contracting with suppliers and working with organisations that help us deliver services and programs
  • administering recruitment, employment, payroll, workplace services, ICT access and staff support functions
  • managing visitors, building access, security and CCTV at CITS workplaces and managed sites
  • handling freedom of information and other information access requests as well as records management and responding to privacy issues and queries
  • supporting other government bodies with related functions to deliver services to you, most notably those responsible for operating cultural, sporting and tourism related functions.

Personal information collection, use and disclosure

Personal information means information or an opinion (whether true or not) about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is recorded in a material form or not.

Put simply, personal information is information that can identify you (directly or indirectly), or information that can reasonably identify you. 

Personal information:

  • does not have to be true
  • does not have to be written down or recorded
  • can relate to you directly or indirectly
  • can relate to a person who is alive or deceased

Sensitive personal information is a special category of personal information. It can include information about health, biometrics, racial or ethnic origin, religious or philosophical beliefs, political opinions, professional or trade union membership, sexuality or sex characteristics, and criminal record. It can also include any personal information from which those matters can be reasonably inferred. 

If we need to collect or use sensitive personal information, we do so only where it is necessary for the activity and we apply any extra requirements that apply under the PRIS Act and other laws.

When we collect personal information (and what we collect)

As shown in the snapshot below, the types of personal information we collect depends on our relationship with you and the functions or services you engage with. Below are some key examples.

When you ...we collection personal information such as ...
because, to perform our functions, we may need to…
apply for, receive or administer grants, funding or sponsorshipidentity and contact details, organisation details, eligibility information, project details, financial and banking information, business identifiers (such as an ABN), assessment records, reporting information and supporting documentsassess eligibility and merit, administer agreements and payments, make sure the project, event or activity is delivered as agreed, meet audit and reporting requirements, and evaluate programs.
register for, attend or seek accreditation for an event or programname and contact details, organisation and role, registration or accreditation details, access requirements, payment details (where relevant), attendance records, and emergency or accessibility informationmanage registrations and access, communicate updates, support safety and incident response, and review how the event or program was run and how it could be improved.
or children under your care, participate in holiday programs which we operateparticipant and parent/guardian identity and contact details, medical or health information, behavioural or support needs, emergency contacts, authorised arrangements for the collection of children, and dietary requirements where relevantdeliver programs safely, manage risks, respond to incidents, meet safeguarding obligations, and ensure appropriate care and arrangements for the collection of children.
are photographed, filmed or recorded at a CITS event or activityimages, video or audio recordings and related event context information, and any consent or permissions where relevantdocument activities, promote programs, report on what happened and what was achieved, manage communications, and respond to incidents where necessary.
participate in research, surveys, interviews, focus groups or evaluations
name and contact details, organisation and role, opinions and responses, demographic information you choose to provide, and recordings or transcripts where relevantconduct research or evaluation, analyse outcomes, improve services, and produce aggregated or deidentified reports.
participate in stakeholder engagement, consultation, advisory groups or committeesname and contact details, organisation and role, expertise, submissions and views, attendance records, meeting notes and communication preferencesmanage engagement processes, analyse feedback, communicate outcomes, and support transparency and accountability.
subscribe to updates, enter a competition or use our digital channelsname and contact details, organisations you represent, subscription or communication preferences, competition entry details, records of your interactions with our digital content, and digital engagement information made available through our communications, social media and website tools (such as email opens, clicks, unsubscribes, website usage information, approximate location information and device or browser information).manage subscriptions and communications, run promotions and campaigns, understand how our content and services are used, improve user experience, evaluate and improve communications, and protect our systems and digital services from misuse.
make an enquiry, complaint or provide feedback
name and contact details, details of your enquiry or complaint, information about relevant people or events, documents or images, and authority to act where relevant 
respond to enquiries, investigate and resolve issues, and improve services.
report suspected misconduct, provide information as an informant, or use an anonymous reporting channel
your identity and contact details (where provided), details of the concern, supporting material (including documents, images or recordings), and information about other individuals (note: some reports may also be made anonymously through the service Safe2Say) 
assess and investigate concerns, take appropriate action, and meet legal or oversight obligations. It is important to note that, wherever possible we will seek to preserve your confidentiality. However, this cannot always be guaranteed – for instance where you are the only person who could have made a particular type of report, your identity may become apparent to those involved in addressing the report or to the person reported about. 
engage with CITS as a supplier, contractor or partnername and work contact details, organisation and role, qualifications and licences, referee details, conflict or probity declarations, insurance information, and contract and payment records
run procurement processes, assess suitability, manage contracts, administer payments, and meet governance and integrity requirements.
make a conflict of interest or probity declarationinformation about your employment, financial interests, external activities, or personal relationships, including details of relevant third partiesidentify, assess and manage conflicts of interest and meet integrity and governance obligations.
visit CITS premises or managed sitesname, organisation and contact details, purpose of visit, host details, entry and exit records, visitor pass details, vehicle registration (where required), and CCTV imagesmanage site access, maintain visitor records, protect people and assets, and respond to safety or security incidents, including in controlled or safeguarding environments.
apply to work at or for CITS
name and contact details, employment history, qualifications, licences, work rights, identity information, referee details and feedback, and any information about adjustments required to your environment required to meet your specific needs which you choose to provide
assess suitability, verify eligibility and identity, undertake screening, and administer recruitment processes.
are onboarded and work for CITSemployment and payroll information, tax, banking and superannuation details, leave and entitlements, training and development records, ICT access records, and workplace services information 
administer employment, provide workplace services, ensure system security, manage performance and conduct matters, and meet governance and reporting obligations. 

How we collect personal information

There are several ways we collect personal information, including where we ask you for it, where you give it to us, where we generate it as part of our work, and where we receive it from someone else,  These methods include:

  • directly from you, for example through online forms, applications, emails, other digital interactions (such as social media), phone calls, meetings, interviews, registrations, surveys or paper forms
  • from organisations or people you nominate, such as referees, support people, partner organisations, suppliers, venues, employers or representatives
  • from contracted service providers, organisations that help us deliver programs, services or events, event organisers, research providers, grant administrators, recruitment providers, insurers or other parties involved in delivering a CITS function
  • from other government agencies, statutory authorities, regulators or Ministerial Offices where relevant to our functions
  • from records generated by CITS, such as assessments, case notes, meeting records, access logs, CCTV footage, payment records, or records created by our computer systems, such as login records, audit logs and records of actions taken in a system
  • from public sources where needed to verify information or perform a function, such as public registers, published organisational contact details or professional registers.

Disclosures of your personal information to external parties

Depending on the activity, we may disclose personal information to external parties such as:

  • service providers who host, support or deliver systems and services for CITS
  • delivery partners, assessors, evaluators, researchers, consultants, contractors or suppliers where strictly necessary in order to provide our services to you
  • other WA Government agencies, local governments, portfolio bodies, statutory authorities or regulators where required or authorised, or where necessary to perform a function
  • Ministers, Ministerial Offices or parliamentary processes where relevant to correspondence, briefing or accountability functions
  • auditors, insurers, legal advisers and professional advisers where needed for audits, insurance, legal advice, claims, complaints, risk management, governance or legal compliance
  • emergency services or law enforcement agencies where required or authorised by law, or where necessary to respond to a serious safety or security matter.

We are required to share only what is reasonably necessary for the relevant purpose. 

Our relationship with other related government entities

CITS provides varying degrees of corporate and administrative support (such as staffing, IT, cyber security, records, finance, procurement and FOI support) to the following bodies who provide services or perform functions relating to creative industries, tourism and sport:
  • Art Gallery of Western Australia
  • Arts and Culture Trust (which operates venues used by local, national and international performing arts companies, performers and artists)
  • State Library of Western Australia
  • Western Australian Museum
  • Western Australian Tourism Commission
  • Combat Sports Commission
  • State Records Officce
  • State Records Commission

Where personal information is handled by CITS for the purpose of assisting these bodies perform their functions and provide these services to you, we have steps in place to ensure that it is not handled by CITS for other purposes.

A note about social media

When you comment on, react to, message us through, or otherwise engage with CITS on a social media platform, it is not only CITS collecting or handling information. The relevant social media platform also collects and handles information in accordance with its own terms of service and privacy policy. CITS may receive and use analytics, insights and reporting made available by social media platforms or social media management tools about how users engage with our content, campaigns and channels. This information is generally provided to CITS in aggregated form and may include information such as audience location, age range, reach, impressions, clicks and other engagement metrics. 

Where CITS runs paid social media or digital advertising campaigns, CITS or service providers acting on its behalf may use platform tools such as tracking pixels or similar technologies to measure campaign performance, improve communications and understand audience engagement. 

CITS may also keep records of social media interactions where needed for accountability, recordkeeping, moderation, campaign administration or to respond to your enquiry. Please do not share sensitive personal information on public social media channels. 

Where you wish to engage with us about a specific matter, we encourage you to contact us directly using official CITS channels.

Choosing not to identify yourself

Where it is possible and lawful to engage with CITS without identifying yourself, we will provide that option. For example, you may be able to make a general enquiry about programs we operate or services we offer without providing your full name.

In many circumstances we need to know who you are to perform our functions, provide a service, assess an application, manage a payment, handle a complaint, verify eligibility, manage access to a site, or meet legal and recordkeeping obligations.

De-identifying personal information we collect

CITS may de-identify personal information (remove or change details so a person is not identifiable) for purposes such as reporting, evaluation, research, statistics, policy development and service improvement. When we de-identify information, we take steps to protect it from misuse and loss and from unauthorised re-identification, access, modification or disclosure.

Automated decision making

CITS does not generally use automated decision-making processes to make decisions that have a significant effect on individuals.

If CITS later adopts automated decision-making in a way that has a significant effect on individuals, we will explain the process by which their personal information is used in the relevant collection notice or supporting privacy information given to individuals when we collect their personal information.

Our use of service providers

CITS uses service providers to help deliver its functions including some functions that may involve the handling of your personal information.

CITS has processes in place to ensure that we engage service providers with appropriate cybersecurity safeguards in place.

Wherever possible, CITS endeavours to only store or process your personal information using service providers in Australia. In exceptional circumstances, CITS may store personal information outside of Australia including in the European Union, United Kingdom and United States where a software provider uses offshore data centres or support teams.

A note about website privacy 

When you visit a CITS website, technical and usage information may be collected for statistical, system administration, security and service improvement purposes. This may include your IP address, device type and device information, browser or operating system, approximate or city-level location, the previous site visited, date and time of access, pages viewed, links clicked, events, time spent on pages and documents downloaded.

CITS websites may use analytics, website management, performance monitoring and online form tools, including tools such as Google Analytics, Acquia and Sitefinity. These tools help us understand how our websites are used, monitor performance, identify and resolve issues, improve accessibility and content, manage online services, and collect information submitted through website forms. 

Analytical tools may provide reports about broad audience patterns, such as website usage, approximate location, device information and engagement with website content. We do not use routine website analytical information to identify you. We may, however, use technical logs and related data to identify or investigate activity where this is necessary for cyber security, fraud prevention, investigation or law enforcement purposes. 

If you submit information through a website form, the information collected will depend on the form, service, program or activity it relates to. Forms may collect identifiable information such as your name, contact details, address, organisation, age or other information needed for the relevant program or service. Information submitted through forms is generally accessed by the CITS business area responsible for the relevant program or activity. 

Security and retention of personal information

CITS recognises the importance of keeping personal information safe throughout its lifecycle. We take steps to protect personal information from misuse, loss, unauthorised access, modification and disclosure. These steps include: 

  • mandatory staff training and guidance about privacy, cyber security and records management
  • maintaining security updates, access controls, with the principle of least privilege to ensure appropriate access to records and systems
  • secure storage, transmission and disposal practices appropriate to the sensitivity of the information
  • due diligence of service providers handling personal information
  • monitoring of our ICT systems for suspicious events
  • maintaining physical security of storage media and hard copy documents through securing and monitoring our premises
  • review and improvement of internal policies, procedures and information security practices.

CITS keeps personal information for as long as required or authorised by law and in line with approved government recordkeeping and disposal rules. Where personal information is no longer needed and is not required to be kept, CITS has processes in place to destroy or de-identify it.

If a privacy incident or data breach occurs, CITS will assess it and take steps to contain and resolve the issue. Where required by law or otherwise appropriate, we will notify affected individuals and relevant regulators such as the Western Australian Information Commissioner or the Office of the Australian Information Commissioner (with respect to Tax File Numbers).

Access and correction rights

You can ask to access or correct personal information we hold about you. In many cases we can respond through our usual business processes. In some circumstances, requests may need to be managed under the Freedom of Information Act 1992 (WA) (FOI Act). The FOI Act includes some limits and exceptions. To make a request, contact CITS Privacy at privacy@cits.wa.gov.au or CITS FOI at foi@cits.wa.gov.au, or visit CITS’ information statement.

Privacy complaints and enquiries

If you have a question about how CITS handles personal information, or if you wish to make a privacy complaint, you can contact CITS using the details below. CITS will consider the matter and respond in accordance with applicable law and internal procedures. 

Privacy complaints

Email privacy@cits.wa.gov.au or lodge a complaint via our complaints website.

Please include enough detail for us to understand your concern and contact you. All complaints which allege that an interference with your privacy or the privacy of someone you represent has occurred will be directed to our designated privacy officer under the PRIS Act.

Contact us

Department of Creative Industries, Tourism and Sport
246 Vincent Street, Leederville WA 6007
PO Box 8349, Perth Business Centre WA 6849
Telephone: 61 8 6552 1604
Privacy enquiries: privacy@cits.wa.gov.au
FOI enquiries: foi@cits.wa.gov.au  
Page reviewed 01 July 2025