Austroads Privacy Principles Policy

Austroads Australian

Privacy Principles Policy

1. Open and transparent management of personal information

This policy (APP Policy) sets out how Austroads complies with its obligations under the

Privacy Act 1988 (Privacy Act).

Austroads is bound by the Australian Privacy Principles (APPs) in the Privacy Act.1 The APPs

regulate how Austroads may collect, use, disclose and store personal information. The APPs

also provide guidance on how individuals may access and correct personal information held

about them.

In this APP Policy “personal information” has the same meaning as defined in the Privacy Act,

being:

Information or an opinion about an identified individual, or an individual who is

reasonably identifiable:

• whether the information or opinion is true or not; and

• whether the information or opinion is recorded in a material form or not.

2. Austroads

Austroads Ltd ACN 136 812 390 (Austroads) is the peak association of Australasian road

transport and traffic agencies.

Austroads’ purpose is to improve Australasian transport outcomes by:

a. Providing expert technical input to national road and transport policy development;

b. improving the practices and capability of transport agencies;

c. promoting operational consistency by transport agencies; and

d. managing the Australian National Exchange of Vehicle and Driver Information System

(NEVDIS).

Austroads’ board of directors is made up of the Chief Executives (or equivalent) of the

Australian and New Zealand roads and transport regulatory authorities. The owners of

Austroads are:

a. the eight Australian State and Territory roads and transport authorities (Jurisdictions);

b. the Commonwealth through the Department of Infrastructure, Transport, Regional

Development and Communications;

c. the New Zealand government through the New Zealand Transport Authority; and

d. The Australian Local Government Association.

There is no private sector representation or stakeholders in Austroads.

1 Austroads is an “APP entity” within the meaning of the Privacy Act. This APP Policy complies with APP 1 in Schedule 1 to

the Privacy Act.

2 austroads.com.au

Austroads Australian Privacy Principles Policy

3. NEVDIS

Most of the personal information handled by Austroads is in connection with managing

NEVDIS. The focus of this APP Policy is personal information held on NEVDIS.

NEVDIS is the database of Australian driver and road vehicle information. It includes the

national Vehicle Identification Number (VIN) sub-database and the national Written Off Vehicle

NEVDIS allows for the seamless transition of vehicle registration and driver licence information

across State and Territory boundaries, providing a national and real time view of the

information.

Personal information on NEVDIS is on the following sub-databases:

a. licensed drivers in Australia;

b. registered road vehicles in Australia where the registered operator is an individual

c. accredited VIN submitters; and

d. World Manufacturer Identifier (WMI) details.

NEVDIS is managed by Austroads’ NEVDIS Administration Unit.

A feature of Austroads’ strategic direction for NEVDIS is compliance with the APPs. The APPs

require at least the same standard of privacy law compliance by Austroads compared to privacy

legislation applying to the State and Territory registration and licensing authorities, and mostly a

higher standard of compliance.

The Jurisdiction based registration and licensing authorities are the primary source of NEVDIS

data and the primary point of contact for enquiries, data-breach notifications, errors and

corrections.

The Jurisdictions the Australian Criminal Intelligence Commission (ACIC)4;and Austroads are

parties to a contract for the administration of NEVDIS (NEVDIS Participation Agreement).

Transactions processed on NEVDIS include:

a. providing access to and exchange of driver and vehicle information between participants

under the NEVDIS Participation Agreement.

b. providing select personal information to:

i. ACIC;

ii. the Australian Electoral Commission;

iii. Australian motor vehicle manufacturers and authorised entities for Product Safety

Recalls;

and

iv. the National Heavy Vehicle Regulator (NHVR).

3 The WMI Code is the first three digits of a VIN.

4 ACIC delivers and maintains national information-sharing solutions that enable Australia’s police and law enforcement

agencies to share information across state and territory borders (https://www.acic.gov.au/). ACIC also delivers Australia’s

National Police Tracking Service

in partnership with Australia’s police agencies.

5 https://www.productsafety.gov.au/recalls/browse-all-recalls

6 https://www.nhvr.gov.au

Austroads Australian Privacy Principles Policy

4. Collection

NEVDIS

Austroads collects personal information from the Jurisdictions for the purpose of managing

NEVDIS.

The critical success factors for personal information on NEVDIS are:

a. data which is consolidated, consistent and standardised;

b. data which can be provided to Government agencies for purposes which are lawful and in

the national interest;

c. access to the data is seamless and uses common technologies;

d. accurate, Australia-wide road vehicle registration and driver licensing that allows for:

i. one vehicle for one VIN; and

ii. one licence for one person.

The personal information collected for NEVDIS is limited to information that is reasonably

necessary for the NEVDIS system to perform its function of enabling the exchange of driver

information and registered operator information (where the registered operator is an individual).

Austroads collects the personal information by lawful and fair means.

We do not collect personal information directly from individuals for NEVDIS. Rather, the Jurisdictions:

a. routinely collect personal information when performing their functions with respect to driver

licensing, the registration of motor vehicles and their other regulatory functions

b. provide that information to Austroads only in accordance with each of the Jurisdiction’s

statutory authority to do so.

For example, NSW registration and licensing authority’s statutory framework in relation to driver

licensing and the registration of motor vehicles:

a. requires the authority to maintain “the NSW driver licence register”;

b. permits the authority to provide to Austroads information recorded in the NSW driver licence

c. requires the authority to maintain “the NSW registrable vehicles register”;

d. permits the authority to provide to Austroads information in the NSW registrable vehicles

The Jurisdictions and the Commonwealth agreed:

a. to establish NEVDIS as a single consistent national repository of registration and driver

licensing information; and

b. for Austroads to own and manage NEVDIS.

The Jurisdictions either send information about individuals who are licensed drivers or

registered operators directly into Austroads systems or via automated system uploads.

Austroads collects, retains, collates, and organises the information to support and facilitate the

exchange of information between Jurisdictions, the Commonwealth and stakeholders.

We may rearrange, reformat or reorganise personal information received from a Jurisdiction,

but we must not alter, modify or remove the personal information received without the express

consent of the originating Jurisdiction.

7 Austroads “collects” the information in the sense that the Jurisdictions provide the information for the purposes of NEVDIS

in accordance with their statutory authority to do so.

8 There are equivalent statutory regimes in most of the other Jurisdictions.

9 Section 27, Road Transport Act 2013 (NSW)

10 Clause 102, Road Transport (Driver Licensing) Regulation 2017 (NSW)

11 Section 64, Road Transport Act 2013 (NSW)

12 Clause 135, Road Transport (Vehicle Registration) Regulation 2017 (NSW)

Austroads Australian Privacy Principles Policy

Austroads complies with APP 3 - “Collection of personal information” with respect to NEVDIS.

At or before the time when a Jurisdiction collects personal information for a primary purpose (or

as soon as practicable after that time), the Jurisdiction may take steps in in accordance with

their own privacy legislation or policy to ensure that the individual concerned is aware of:

a. the identity and contact details of Austroads as a third party with whom the information might

be shared;

b. the fact that the Jurisdiction will supply the personal information to Austroads for the

purposes of NEVDIS (a secondary purpose to the primary purpose for which the information

was collected by the Jurisdictions);

c. the fact that the Jurisdiction is required or authorised by or under an Australian law (such as

the NSW registration and licensing authority discussed in section 4 “Collection” of this APP

Policy) to supply the personal information to Austroads for the secondary purpose, and

particulars of the law;

d. the secondary purpose for which information is being shared;

e. the main consequences, if any, for the individual arising from the information being supplied

to Austroads for the purposes of NEVDIS;

f. entities to which the shared information might be re-supplied by Austroads;

g. a requirement to notify affected individuals of a data-breach with respect to the shared

information which is likely to result in serious harm to the individuals;

h. the possibility of the shared information being disclosed to overseas recipients.

Further, our entitlement to “collect” personal information for the purposes of NEVDIS is the

statutory authority of the Jurisdictions to provide the information to us for those purposes.

In view of those circumstances, Austroads complies with APP 5 - “Notification of the collection

of personal information”.

Administrative (non-NEVDIS) functions

In relation to our administrative functions, Austroads collects personal information relating to

our employees to manage Human Resources and employment related responsibilities.

We also collect information as part of our normal communication processes directly related to

our role as a wholly-owned corporation, including when we:

a. process requests for information from the public;

b. respond to direct enquiries when an individual emails or telephones staff members;

c. welcome individuals to our offices; and

d. receive business cards and other personalised business paraphernalia.

We also collect personal information in the normal course of Austroads’ business activities such

as contact details of Jurisdiction representatives and private sector business representatives,

and we collect digital signatures on documents signed through DocuSign.

Austroads complies with APP 3 with respect to these administrative functions.

5. Types of Personal Information

NEVDIS

The types of personal information held by Austroads on NEVDIS include:

a. personally identifying information, being the individual’s surname, first name and other

names, date of birth and address, although we do not hold:

13 https://www.docusign.com.au/#

Austroads Australian Privacy Principles Policy

i. the person’s address history, or

ii. a photograph of the person;

b. an individual’s preferred or alternate name, otherwise the information held by Austroads is

“current state” and so we do not hold details of a change of name, address or personal

details in relation to:

i. an individual as a registered operator of a vehicle (including the reason for a change in

registration status), or

ii. an individual as the holder of a driver’s licence;

c. the registration plate for a vehicle registered to an individual, the garaging address and

whether the vehicle has a VIN;

d. driver’s licence details, such as the class of licence, probationary licences and currency

details;

e. driver’s licence conditions or restrictions, such as:

i. a requirement to use an alcohol interlock device on a motor vehicle;

ii. a disqualified licence, or that the person is ineligible for a licence (the reasons for the

disqualification ineligibility are not held on NEVDIS – the originating Jurisdiction has the

reasons);

iii. a refusal to issue a licence, or a licence upgrade (the reason for the refusal is not held –

the originating Jurisdiction has the reason);

iv. a good behaviour condition (the reason for the condition is not held – the originating

Jurisdiction has the reason); or

v. a requirement for “zero blood alcohol”.

f. a reference to a suspension or cancellation of vehicle registration status by a court or

administrative process for vehicles registered to individuals;

g. a reference to a suspension or an imposed cancellation of a driver’s licence, or

disqualification of a person as a licensed driver by a court process or by an administrative

process, including:

i. a demerit points cancellation;

ii. a mandatory cancellation due to the nature of the offence (for example, a high range

prescribed concentration of alcohol offence);

iii. a fine default (that is, not paying a monetary penalty);

iv. failing a driving test or a knowledge test; or

v. a police confiscation.

h. a voluntary cancellation or surrender of:

i. vehicle registration status (for vehicles registered to individuals); or

ii. a driver’s licence, for example, cancellation on the ground that the licence is no longer needed;

i. for vehicles registered to individuals, an organisation including a business name appearing

on the registration particulars; and

j. a “suppression code” in the individual’s data field, whereby the whole or a specified part the

person’s details (such as name and/or address) is not to be disclosed Austroads, although

the reason for the suppression code is not held.

NEVDIS has the capability to store details such as gender, height in centimetres, eye colour,

email address and telephone number if sent by the Jurisdictions.

14 Given that the information held is current state and we do not hold the previous data, we cannot normally determine that

data has changed by comparison with the previous record.

Austroads Australian Privacy Principles Policy

Sensitive information held on NEVDIS

We collect and hold on NEVDIS some “sensitive information” as defined in the Privacy Act,

notably a person’s health information, but only insofar as it is relevant to the Jurisdictions

carrying out their road transport and traffic functions.

We do not hold an individual’s criminal record.

We do not routinely collect “health information” as defined in the Privacy Act. However, in some

circumstances a condition on a driver’s licence may contain health information such as a

requirement to wear spectacles or contact lenses while driving.

When a person’s licence status is changed from ‘active’ (able to drive) to non-active, the status

reason code that is recorded in NEVDIS for the change might contain health information to an

extent, such as:

a. “medical grounds”;

b. “non-compliance medical grounds”; or

c. “alcohol habit-related”.

No specific health information is recorded in this regard. For example, if the status reason code

for an active licence being changed to non-active is “medical grounds”, the specific health

information in relation to the “medical grounds” is not collected or held.

If there is a condition on a person’s driver’s licence that the person must drive a modified motor

vehicle because of the person’s disability, the condition will be on NEVDIS, but not the nature

or scope of the disability.

If a driver licence has a notation on it that the licence holder intends to be a donor of body organs,

parts or substances and the notation has been sent to Austroads, it will be recorded on NEVDIS.

Personal information we don’t hold on NEVDIS

We do not hold personal information:

a. on the VIN sub-database of NEVDIS;

b. on the Personal Property Securities Register (PPSR) subdatabase of NEVDIS;

c. with respect to the Plate to VIN (P2V) on NEVDIS;

d. with respect to the WOVR sub-database;

e. with respect to stolen vehicle information, written off vehicles or import restrictions;

f. with respect to the Commonwealth’s Document Verification Service (DVS) component on

NEVDIS;

g. in the form of photographs of individuals, including photographs on driver licences;

h. with respect to accreditation schemes administered by the Jurisdictions, such as:

i. accredited operators of public transport and taxi networks, and

ii. accredited driving instructors.

We do not hold digital signatures on NEVDIS.

15 The PPSR is administered by the Australian Financial Security Authority (https://www.afsa.gov.au/about-us/ppsr). It is the

national register where details of security interests in personal property can be registered and searched.

16 The VIRS has the same information as the PPSR with the addition of registration plate information.

17 The DVS (http://www.dvs.gov.au/Pages/default.aspx

• is a national online system that allows organisations to compare a customer's identifying information with a government

record

• is a secure system that operates 24/7 and matches key details contained on Australian-issued identifying credentials,

providing a 'yes' or 'no' answer within seconds

• helps organisations build greater confidence in the identities of their clients

• helps protect governments, businesses and Australians from identity crime).

Austroads Australian Privacy Principles Policy

Other (non-NEVDIS) personal information

The types of “non-NEVDIS” personal information held by Austroads arise from our

administrative functions mentioned in Section 4 “Collection” of this APP Policy.

6. Quality and Security

NEVDIS

We store information supplied to us by the Jurisdictions on NEVDIS. There are no measures

available to us to ensure that personal information supplied by the Jurisdictions is accurate, up-

to-date and complete. This is because the Jurisdictions only send us the information in

accordance with their statutory authority to do so (such as the NSW registration and licensing

statutory authority discussed in section 4 “Collection” of this APP Policy).

In particular, we do not audit the quality of personal information supplied to us by the

Jurisdictions for NEVDIS, and it is not our function to audit the information.

In view of those limitations, Austroads complies with APP 10 - “Quality of personal information”.

We have appropriate data integrity measures in place to ensure that personal information held

on NEVDIS is protected from misuse, interference, loss, unauthorised access, use modification

or disclosure.

Our data integrity measures include physical access restrictions, password protections, data

encryption, audit trails of user access to databases, and accreditation of users.

If:

a. we hold personal information on NEVDIS about an individual; and

b. we no longer need the information for any purpose for which the information may be used or

disclosed by Austroads in accordance with the APPs; and

c. the information is not contained in a “Commonwealth record” as defined in the Privacy Act;

and

d. we are not required by or under an Australian law, or a court/tribunal order, to retain the

information;

the Jurisdictions will have the role of taking such steps as are reasonable in the circumstances

to destroy the information or to ensure that the information is de-identified.

Austroads complies with APP 11 - “Security of personal information”.

Non-NEVDIS personal information

We also store administrative information and employment related personal information on

electronic and hard files. Austroads complies with APP 10 and APP 11 with respect to this non-

NEVDIS personal information.

Generally, Austroads’ files are protected in accordance with measures which parallel the

Australian Government’s protective securities and classification system to ensure that they are

only accessed by authorised persons for authorised purposes.

7. Notifiable Data Breach scheme

Austroads has a written Data Breach Response Plan in relation to Austroads’ obligations under

the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act.

Austroads’ NDB Plan follows a four-step process — contain, assess, notify, and review. The

Plan applies to personal information held on NEVDIS and to other personal information held by

Austroads.

Austroads Australian Privacy Principles Policy

The NDB Plan includes:

a. an explanation of what constitutes a data breach;

b. a strategy for containing, assessing and managing data breaches, including the preparation

of a statutory “eligible data breach” statement;

c. the roles and responsibilities of staff;

d. documentation, and review.

An eligible data breach occurs when the following criteria are met:

a. there is unauthorised access to or disclosure of personal information held by Austroads (or

information is lost in circumstances where unauthorised access or disclosure is likely to

occur);

b. this is likely to result in serious harm to any of the individuals to whom the information

relates; and

c. we have been unable to prevent the likely risk of serious harm with remedial action.

Austroads will conduct an assessment if it is not clear if a suspected data breach meets these

criteria. The assessment will determine whether the breach is an “eligible data breach” that

triggers notification obligations.

NEVDIS

The NDB Plan facilitates notification by the relevant Jurisdictions to affected individuals if the

individuals’ personal information on NEVDIS is involved in a data breach that is likely to result

in serious harm. The Jurisdictions are best placed to notify the affected individuals compared to

Austroads because the Jurisdictions have the best means to send a statutory “eligible data

breach” statement to the individuals, and otherwise to communicate with them.

Austroads will notify the Jurisdictions, and the Office of the Australian Information

Commissioner (OAIC) about “eligible data breaches” within the meaning of the NDB scheme,

for personal information held on NEVDIS.

The NDB Plan ensures that breaches of privacy are taken seriously by Austroads and the

Jurisdictions. The NDB Plan also builds trust in Austroads’ handling of personal information

held on NEVDIS.

8. Use and Disclosure

NEVDIS

Austroads uses the personal information it holds on NEVDIS for the purpose for which it was

given to us by the Jurisdictions, or for purposes that are directly related to the purpose of

collection.

We routinely use the information held for quality assurance purposes; that is, to ensure that

access to the information is monitored, recorded and auditable.

We also use personal information held on NEVDIS:

a. to develop and train staff on system improvements and enhancements

b. to update and manage records about individuals to improve the quality and accuracy of the

information we hold.

We will use and disclose personal information on NEVDIS for the purpose for which it was

collected from the Jurisdictions (primary purpose). The primary purpose is:

a. to provide current driver licence information to the Jurisdictions to prevent the issue of

multiple driver licences by different Jurisdictions;

b. to aggregate demerit points gained in any Jurisdiction to enable appropriate sanctions to be

initiated by the licence issuing Jurisdiction;

Austroads Australian Privacy Principles Policy

c. to enable license suspension, cancellation or driver disqualification in any Jurisdiction to be

available to all Jurisdictions;

d. to provide for safe, efficient and equitable road use;

e. to improve and simplify procedures for the registration of road vehicles;

f. to prevent the “re-birthing” of stolen vehicles;

g. to enable the use of road vehicles to be regulated for reasons of safety, protection of the

environment and law enforcement; and

h. to provide a method of establishing the identity of each road vehicle and its registered

operator.

We will not use or disclose personal information on NEVDIS for another purpose (secondary

purpose) unless:

a. the individual concerned has consented to the use or disclosure for the secondary purpose;

b. the individual would reasonably expect Austroads to use or disclose the information for the

secondary purpose and the secondary purpose is:

i. if the information is sensitive information—directly related to the primary purpose; or

ii. if the information is not sensitive information—related to the primary purpose; or

c. the use or disclosure of the information is required or authorised by or under an Australian

law or a court/tribunal order; or

d. a “permitted general situation” as defined in the Privacy Act exists in relation to the use or

disclosure of the information by Austroads; or

e. a “permitted health situation” as defined in the Privacy Act exists in relation to the use or

disclosure of the information by Austroads; or

f. Austroads reasonably believes that the use or disclosure of the information is reasonably

necessary for one or more “enforcement related activities” as defined in the Privacy Act

conducted by, or on behalf of, an “enforcement body” as defined in the Privacy Act.

In particular, ACIC and the NHVR are prescribed enforcement bodies under the Privacy Act. If

Austroads uses or discloses personal information in relation to ACIC or NHVR, Austroads will

make a written note of that use or disclosure, as required by the APPs.

Austroads complies with APP 6 - “Use of disclosure of personal information”.

Further, we will not use or disclose personal information on NEVDIS for direct marketing, in

accordance with APP 7 - “Direct marketing”.

APP 6 will apply to any wholly owned subsidiary of Austroads to which Austroads might

subcontract the management of NEVDIS.

We will not normally disclose personal information on NEVDIS to an overseas recipient. In the

unlikely event that Austroads intends to disclose such information to an overseas recipient

(other than the individual concerned), Austroads will comply with APP 8 - “Cross-border

disclosure of personal information”.

We will not adopt a “government related identifier” as defined in the Privacy Act (such as a

licence number or registration plate number) as its own identifier for an individual whose

personal information is on NEVDIS, unless required or authorised by or under an Australian

law. Austroads’ use of a government related identifier in order to search for personal

information or other information on NEVDIS will not be to adopt the government related

identifier as its own identifier.

18 There is no such subsidiary.

Austroads Australian Privacy Principles Policy

Approved Users

Austroads has entered into, or may enter into agreements with government agencies or

organisations (Users) for the purposes of:

a. sharing particular classes of information on NEVDIS, including personal information, with the

Users; and

b. allowing access and use of particular classes of information on NEVDIS, including personal

information, by the Users.

These agreements are thoroughly considered and approved by Austroads’ board of directors.

The agreements meet stringent requirements in accordance with the NEVDIS Participation

Agreement and Australian privacy law for compliance with the spirit and letter of this APP

Policy as if it was the User’s APP Policy.

Further, the Jurisdictions have entered into, or may enter into agreements with Users for the

purposes of:

a. sharing particular classes of information on NEVDIS, including personal information, with

those Users; and

b. allowing access and use of particular classes of information on NEVDIS, including personal

information, by those Users.

These agreements between Jurisdictions and Users are also thoroughly considered and

approved by Austroads’ board of directors. The agreements also meet stringent requirements

in accordance with the NEVDIS Participation Agreement and Australian privacy law for

compliance with the spirit and letter of this APP Policy as if it was the User’s APP Policy.

Non-NEVDIS personal information

As an employer, Austroads uses information about our people to meet employment obligations,

including:

a. payroll;

b. support and recognition;

c. promotions and transfers;

d. rehabilitation, medical assessments and employee assistance programs; and

e. performance management matters.

In performing this function, personal information may be disclosed outside Austroads to bodies

including:

a. superannuation funds;

b. work health and safety regulators, our workers compensation insurer and the workers’

compensation regulator; and

c. financial institutions.

Disclosure of employee personal information is done with informed consent of the staff member

involved.

We also collect information about potential employees. All recruitment activities are conducted

in accordance with best practice employment standards.

Austroads complies with APP 6 and related APPs with respect to non-NEVDIS personal

information.

Austroads Australian Privacy Principles Policy

9. Access and Correction

NEVDIS

If you wish to seek access to your personal information on NEVDIS, you should request the

relevant Jurisdiction that also holds the information to give you access. The Jurisdictions will

usually have their own regimes for providing access.

Austroads is not subject to federal freedom of information legislation, or to freedom of

information legislation in the Jurisdictions.

If you request Austroads to provide access to your personal information on NEVDIS, we will

refer you to the relevant Jurisdiction.

Otherwise, if you give notice in writing that you require Austroads to provide access to your

personal information on NEVDIS, there will be a fee for this access. The fee will apply to the

actioning of your request to provide access. Austroads will inform you of the amount of the fee,

which must be paid in advance of access being given.

We will respond to notice of an access request within a reasonable period after the notice is

given, and we will give access in the manner requested if it is reasonable and practicable to do

so.

We will not give access to personal information held by us on NEVDIS or otherwise in the

following circumstances:

a. Austroads reasonably believes that giving access would pose a serious threat to the life,

health or safety of any individual, or to public health or public safety; or

b. giving access would have an unreasonable impact on the privacy of other individuals; or

c. the request for access is frivolous or vexatious; or

d. the information relates to existing or anticipated legal proceedings between Austroads and

the individual, and would not be accessible by the process of discovery in those

proceedings; or

e. giving access would reveal the intentions of Austroads in relation to negotiations with the

individual in such a way as to prejudice those negotiations; or

f. giving access would be unlawful; or

g. denying access is required or authorised by or under an Australian law or a court/tribunal

order; or

h. both of the following apply:

i. Austroads has reason to suspect that unlawful activity, or misconduct of a serious nature,

that relates to Austroads functions or activities has been, is being or may be engaged in;

ii. giving access would be likely to prejudice the taking of appropriate action in relation to

the matter; or

i. giving access would be likely to prejudice one or more enforcement related activities

conducted by, or on behalf of, an enforcement body, including but not limited to ACIC and

the NHVR; or

j. giving access would reveal evaluative information generated within the entity in connection

with a commercially sensitive decision-making process.

If we refuse to give access because of one or more of the exceptions above, or we refuse to

give access in the manner requested by an individual:

a. we will take such steps (if any) as are reasonable in the circumstances to give access in a

way that meets the needs of Austroads and the individual; or

b. we will give the individual a written notice that sets out:

i. the reasons for the refusal except to the extent that, having regard to the grounds for the

refusal, it would be unreasonable to do so; and

Austroads Australian Privacy Principles Policy

ii. the mechanisms available to complain about the refusal; and

iii. any other matter prescribed by or under the Privacy Act.

In view of these limitations, Austroads complies with APP 12 – “Access to personal

information”.

If an individual requests correction or changes to the personal information we hold about them

on NEVDIS, we will refer the request to the relevant Jurisdiction. This is because we cannot

alter the information held on NEVDIS without the express consideration and agreement of the

relevant Jurisdiction. Normally, the relevant Jurisdiction will correct or change the personal

information in their own system and upload the new data to NEVDIS.

In view of these limitations, Austroads complies with APP 13 – “Correction of personal

information”.

Non-NEVDIS personal information

Austroads complies with APPs 12 and 13 with respect to non-NEVDIS personal information.

10. Safety recalls

The Department of Infrastructure, Transport, Regional Development and Communications

regulates the manufacture, importation and first supply to the market of road vehicles to ensure

an acceptable level of safety and emission control across the Australian vehicle fleet.

19 Vehicle

standards are set through the Australian Design Rules (ADRs).

If a safety or ADR non-compliance issue is identified in a vehicle it may be subject to a recall.

Generally, Austroads participates in approximately 20 – 30 safety recalls per month. Austroads

supplies VINs and registered operator details (when not suppressed) to the affected motor

vehicle supplier in accordance with Safety Recall Agreements with those suppliers.

Safety recalls can be voluntary (initiated by suppliers) or compulsory (initiated under the

Competition and Consumer Act 2010).

For example, if a supplier starts the safety recall process:

a. the supplier would notify the Australian Competition and Consumer Commission (ACCC),

who would allocate a registration number for that “recall campaign”;

b. the supplier would notify Austroads of the ACCC campaign number and VINs for the

affected vehicles;

c. Austroads would provide the supplier with a spreadsheet of VINs and registered operator’s

details including their address, or perhaps two addresses:

d. the garaging address; and

e. the registered operator’s address.

f. the ACCC would enter details of the recall campaign and affected vehicles’ VINs on its

Safety Recall

website.

Austroads’ purpose of supplying personal information on NEVDIS to a motor vehicle supplier

for any safety recall (voluntary or compulsory) that has an ACCC campaign number, is for the

recall campaign.

A safety recall sometimes results in class action litigation by aggrieved motor vehicle owners. If

a law firm approaches Austroads with a request for the use of NEVDIS personal information in

class action proceedings for the purpose of “marketing” the litigation to potential class action

members, the request will be refused in the absence of a court order.

19 Department of Infrastructure, Transport, Regional Development and Communications does so under the Motor Vehicle

Standards Act 1989 (Cth) and Motor Vehicle Standards Regulations 1989 (Cth)

20 Department of Infrastructure, Transport, Regional Development and Communications monitors vehicle safety recalls on

behalf of the ACCC

Austroads Australian Privacy Principles Policy

Unless required under legislation or a court order, such requests have been, and will be

refused by Austroads. Generally, Austroads similarly considers the security and confidentiality

of NEVDIS data to be of the utmost importance.

The protection of this data maintains public confidence so that the personal information people

have supplied for driver licensing and vehicle registration purposes, will not be made available

for any secondary purpose, such as class action proceedings precipitated by a safety recall, in

the absence of a court order.

If there is a class action but there has not been a safety recall for the motor vehicles which are

the subject of the litigation, Austroads will not release personal information for the purpose of

the class action in the absence of a court order. Austroads will request stringent security and

confidentiality safeguards to accompany any such court order.

11. Transport Certification Australia Ltd

Austroads, as the owner of Transport Certification Australia Ltd (TCA), may disclose personal

information to TCA or receive personal information from TCA. TCA is also subject to the APPs

and maintains a Privacy Policy on its website (

www.tca.gov.au).

12. Complaints

If you have concerns relating to your personal information as recorded on NEVDIS, your first

point of contact to complain or to make suggestions should be to the Jurisdiction who supplied

the information to NEVDIS. Otherwise, our Privacy Officer can be contacted on

austroads@austroads.com.au or via the contact details below.

If you have concerns about how we handle your personal information (other than personal

information on NEVDIS), please contact us to discuss your concerns. Our Privacy Officer can

be contacted on

austroads@austroads.com.au or via the contact details below.

13. Contact Us

You can contact Austroads via the following ways:

Phone: +61 2 8265 3300

Fax: +61 2 8265 3399

Address: Level 9, 570 George Street, SYDNEY NSW 2000

Email: austroads@austroads.com.au

14. Version Control

Policy Owner Version Date of Approval Date for Review

Manager, Contracts &

Compliance

3 10 November 2021 23 January 2022

Summary of changes

since previous version

• Added clause 11 – Transport Certification Australia Ltd

• Changed street address of Austroads