1 Purpose
The National Heavy Vehicle Regulator (NHVR) values and is committed to protecting the privacy of persons and ensuring that they are aware of the types of personal information held by the NHVR, why that information is held, and how that information is collected, stored, used, and disclosed.
This privacy plan sets out:
- the functions of the NHVR and the main types of personal information that the NHVR deals with to carry out those functions
- the NHVR’s approach to complying with its lawful obligations in relation to personal information
- how a person may request access to their personal information or an amendment of that information to ensure that it is accurate
- how a person may make a complaint if they consider that their privacy may have been breached
- the NHVR’s commitment to continual improvement to privacy management.
2 Application
This privacy plan integrates with, and should be read alongside, the following documents to understand the NHVR’s whole privacy framework (the NHVR’s Privacy Framework):
- Policy – Right to Information and Information Privacy
- Guideline – Administrative Access to Information
- Privacy Policy.
3 Background
3.1 The NHVR
The Heavy Vehicle National Law (the National Law or HVNL) establishes a scheme for facilitating and regulating the use of heavy vehicles on roads. It operates across multiple jurisdictions.
The host jurisdiction, Queensland, enacted the National Law in the Heavy Vehicle National Law Act 2012 (Qld).
Legislation adopting the National Law was then passed in the ACT[1], New South Wales[2], South Australia[3], Tasmania[4], and Victoria[5] (known as the HVNL participating jurisdictions). The National Law does not apply in Western Australia or the Northern Territory, and there is no Commonwealth Act implementing it.
The NHVR’s main function[6] is to achieve the object of the National Law. The object of the National Law is as follows:
3 Object of Law
The object of this Law is to establish a national scheme for facilitating and regulating the use of heavy vehicles on roads in a way that—
- promotes public safety; and
- manages the impact of heavy vehicles on the environment, road infrastructure and public amenity; and
- promotes industry productivity and efficiency in the road transport of goods and passengers by heavy vehicles; and
- encourages and promotes productive, efficient, innovative and safe business practices.
Section 4 of the HVNL declares the regulatory framework by which the object of the National Law is to be achieved, being as follows:
4 Regulatory framework to achieve object
The object of this Law is to be achieved by a regulatory framework that—
- establishes an entity (the National Heavy Vehicle Regulator) with functions directed at ensuring the object is achieved; and
- provides for a database of heavy vehicles; and
- prescribes requirements about the following—
  - the standards heavy vehicles must meet when on roads;
  - the maximum permissible mass and dimensions of heavy vehicles used on roads;
  - securing and restraining loads on heavy vehicles used on roads;
  - preventing drivers of heavy vehicles exceeding speed limits;
  - preventing drivers of heavy vehicles from driving while fatigued; and
- imposes duties and obligations directed at ensuring heavy vehicles and drivers of heavy vehicles comply with requirements mentioned in paragraph (c)(i) to (v) on persons whose activities may influence whether the vehicles or drivers comply with the requirements; and
- includes measures directed at the matters mentioned in section 3 (c) and (d) by allowing improved access to roads in certain circumstances, including by—
  - allowing heavy vehicles, that would otherwise be prevented from being used on roads, access to the roads through exemptions or authorisations granted in circumstances in which the matters mentioned in section 3 (a) and (b) will not be compromised; and
  - providing for accreditation schemes allowing operators of heavy vehicles who adopt best practices directed at the matters mentioned in section 3 to be subject to alternative requirements more suited to the operators’ business operations.
The HVNL provides the NHVR with further functions that are congruent with that regulatory framework, including:
- to provide the necessary administrative services for the operation of the National Law, including collecting fees, charges and other amounts payable under the National Law[7]
- to monitor compliance with the National Law and to investigate contraventions or possible contraventions of provisions of the National Law, including offences against the National Law[8]
- to bring and conduct proceedings in relation to contraventions or possible contraventions of provisions of the National Law, including offences against the National Law, and to bring and conduct, or conduct and defend, appeals from decisions[9]
- to conduct reviews of particular decisions made under the National Law by the NHVR or authorised officers, to implement and manage an audit program for heavy vehicle accreditations granted under the National Law, to facilitate access to heavy vehicles under Chapter 4 of the National Law, and to undertake the duties in relation to the regulation of fatigue under Chapter 6 of the National Law[10]
- to identify and promote best practice methods for complying with the National Law, for managing risks to public safety arising from the use of heavy vehicles on roads, and for the productive and efficient road transport of goods or passengers by heavy vehicles[11]
- to encourage and promote safe and productive business practices of persons involved in the road transport of goods or passengers by heavy vehicles that do not compromise the object of the National Law[12]
- to provide advice, information and education to persons with duties or obligations under the National Law about compliance with the duties or obligations[13]
- to work collaboratively with other law enforcement agencies to ensure a nationally consistent approach for enforcing contraventions of laws involving heavy vehicles.[14]
How the NHVR performs its function is influenced by a Statement of Expectations issued annually by the responsible Ministers under the National Law and, further, is expanded upon in the NHVR’s Statement of Regulatory Approach and the NHVR’s Statement of Regulatory Intervention. All of those documents are published on the NHVR’s website.[15]
Significantly, various functions of the NHVR are performed by persons appointed by the NHVR as ‘authorised officers’ for the purposes of the National Law.[16] The functions of authorised officers are to:[17]
- monitor, investigate and enforce compliance with the National Law
- monitor or investigate whether an occasion has arisen for the exercise of powers under the National Law
- facilitate the exercise of powers under the National Law.
An authorised officer who is a police officer may exercise the various powers conferred on the officer by the National Law and under law enforcement legislation.
3.2 Personal Information
Application of Scheme
In each of the HVNL participating jurisdictions, the NHVR has been established as a body corporate that:
- represents the respective State[18]
- has power to do acts in the exercise of functions conferred on it by the National Law.[19]
It is expressly the intention of each HVNL participating jurisdiction’s Parliament that the National Law, as applied in each of the jurisdictions, has the effect that the NHVR is 'one single national entity' which may exercise its functions in relation to any or all HVNL participating jurisdictions.[20]
Although the NHVR is a national entity, because its functions are conferred by the laws of the individual HVNL participating jurisdictions and it represents the respective States, it is not an 'APP entity' to which the Privacy Act 1988 (Cth) would apply.
Consistent with the intention that the NHVR act as 'one single national entity', s. 696 of the National Law operates to extend certain Queensland legislation to all HVNL participating jurisdictions for the purposes of the National Law. Significantly, that includes the following:
- the Information Privacy Act 2009 (Qld)
- the Right to Information Act 2009 (Qld).
Modifications are made to the application of those Acts by the Heavy Vehicle (General) National Regulations, for instance so as to:
- deem references to Queensland in the Acts to be references to a HVNL participating jurisdiction
- deem references to 'agencies' to be references to the NHVR
- provide that functions conferred on Queensland entities under the Acts, such as the Queensland Office of the Information Commissioner, can be exercised in relation to HVNL participating jurisdictions
- provide that the Queensland Civil and Administrative Tribunal is to exercise its jurisdiction under the Acts in relation to a HVNL participating jurisdiction.
Each of the Acts in a HVNL participating jurisdiction that adopts the National Law as a law of the jurisdiction includes provisions that ‘dis-apply’ the jurisdiction-specific privacy Act for the purposes of the National Law.
Personal Information
The National Law
Part 13.4 of the National Law includes sections 728 and 729, which are penalty provisions providing that a person exercising functions under the National Law must not disclose ‘protected information’ to another person or use protected information other than for an authorised use.
'Protected information' is defined by the National Law as follows:[21]
protected information—
- means information obtained in the course of administering this Law or because of an opportunity provided by involvement in administering this Law; but
- does not include—
  - intelligent access program information; or
    Note— See Chapter 7 for the restrictions on the use and disclosure of intelligent access program information.
  - information mentioned in paragraph (a) in a form that does not identify a person; or
  - information relating to proceedings before a relevant tribunal or court that are or were open to the public; or
  - electronic work diary protected information.
The Information Privacy Act 2009 (Qld)
The Information Privacy Act 2009 (Qld) declares its primary object to be to provide for:[22]
- the fair collection and handling in the public sector environment of personal information
- a right of access to, and amendment of, personal information in the government’s possession or under the government’s control unless, on balance, it is contrary to the public interest to give the access or allow the information to be amended.
'Personal Information' is defined in the Information Privacy Act as follows:[23]
- Personal information is information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
It is not necessary for the information to be sensitive or confidential or even for the information to expressly disclose the identity of a person, with it being sufficient if the person’s identity could be reasonably ascertained. For instance, is there an affirmative answer to both of the following questions:
- can an individual be identified from the information sought?
- if so, is the information sought about that individual?
Guidance as to the type of information that may constitute ‘personal information’ is available on the website for the office of the Queensland Information Commissioner.[24]
The types of personal information collected by the NHVR include the following:
- a person’s name, address, telephone number or email address (e.g., as a result of a road-side interaction, application for an access permit or accreditation under the HVNL, registration in the NHVR’s Portal, etc.)
- a photograph of a person or video or audio footage of a person (e.g., as a result of body worn cameras, road side cameras such as Safe-T-Cam, CCTV cameras at NHVR sites, etc.)
- third party employee or contractor details (e.g., names of persons of an operator accredited under basic fatigue management accreditation)
- registration and licence information (e.g., received from Austroads, road authorities, police authorities, or the individuals themselves)
- intercept and sighting information and observations (e.g., as a result of road side intercepts or provision of information from police agencies, etc.)
- information about offences or potential offences by persons
- dates of birth and some financial information (e.g., as may be relevant for applications for accreditations, prosecutions under the National Law, etc.)
- information as a result of industry consultation, engagement, research, education campaigns, educational engagement with heavy vehicle operators, or surveys
- information arising from the monitoring of compliance with the National Law or the investigation of offences or potential offences under the National Law (e.g., witness information, etc.)
- the use of data analytics, where de-identified data may not be suitable or where a comparison of data sets may create information that may identify a person and that is about a person
- employment records of NHVR staff and contractors (e.g., wage information, bank details, etc.).
What, therefore, is not ‘personal information’? That includes:
- information about a person whose identity is not known or cannot be reasonably ascertained
- information about a deceased person (although care and sensitivity are still required)
- information about a corporate entity (but employees or officers of the company will have ‘personal information’).
‘Routine personal work information’ applies to employees of the NHVR. It is a form of personal information, being personal information that is solely and wholly related to the routine day to day work duties and responsibilities of NHVR employees. The concept is only relevant to potential disclosure under Information Privacy Principle 11 (or the National Privacy Principle 2) or an access application under the Right to Information Act 2009 (Qld) or the Information Privacy Act 2009 (Qld).[25]
4 Obligations Under the Information Privacy Act
The Information Privacy Act 2009 (Qld) applies to the collection of personal information, regardless of when it came into existence, and to the storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information regardless of when it was collected.[26]
The handling of personal information is regulated by eleven Information Privacy Principles (IPPs) established by the Information Privacy Act, with which the NHVR must comply,[27] while also having regard to the human rights legislation that also applies to the NHVR.[28] The IPPs relate to:
- the collection of personal information, being IPPs 1, 2, and 3
- the storage and security of personal information, being IPP 4
- providing information about documents containing personal information, being IPP 5
- access and amendment of documents containing personal information, being IPPs 6 and 7
- use of personal information, being IPPs 8, 9, and 10
- the disclosure of personal information, being IPP 11.
4.1 Collection of Personal Information
The NHVR may only collect personal information for a lawful purpose directly related to a function or activity of the NHVR, and the collection of the information must be necessary to fulfil the purpose or be directly related to fulfilling the purpose. The NHVR must not collect information in a way that is unfair or unlawful.
Furthermore, when collecting the information from the individuals themselves, the NHVR must provide them with a notice on why their personal information is being collected, any authorities under which it is collected and to whom the information is usually disclosed, including anyone to whom they will then disclose it.
The NHVR determines what personal information is necessary and relevant to be collected in relation to each function that it performs. Collection statements are provided (e.g., in the terms of use for the NHVR’s Portal), appear in the NHVR’s Privacy Policy, or persons are otherwise advised as to the reason for collection when it occurs (e.g., when a person contacts the NHVR call centre).
The NHVR continues to monitor and refine its approach to the collection of personal information, particularly as a result of the use of camera technology on roads.
4.2 Storage and Security of Personal Information
The NHVR must ensure that the personal information it holds is protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure, and any other misuse.
The NHVR takes the storage and security of information seriously, taking proactive measures in that regard and aligning its approach to relevant standards and benchmarks, such as the Australian Signals Directorate’s Essential Eight and ISO 27001:2022. The NHVR continues to develop and refine its postures.
The NHVR has record-keeping compliance in line with the Public Records Act 2023 (Qld).[29]
4.3 Access to and Amendment of Personal Information
The NHVR has an established process for dealing with applications for access under the Information Privacy Act 2009 (Qld) and the Right to Information Act 2009 (Qld) and, further, applications for amendment under the Information Privacy Act.[30] This is captured in the NHVR’s Policy – Right to Information and Information Privacy. The NHVR also has an established administrative release process, which is outlined in the NHVR’s Guideline – Administrative Access to Information. Information about how to make requests is available on the NHVR’s website, along with the NHVR’s disclosure log.[31]
4.4 Use of Personal Information
As appears in section 3.2 above, the use of personal information is regulated by the National Law and the Information Privacy Act.
Section 729(1) of the National Law provides that ‘A person who is, or has been, a person exercising functions under this Law must not use protected information other than for an authorised use’.
‘Authorised use’ is defined in the National Law as follows:[32]
authorised use, for protected information, means—
- use by a person—
  - in the exercise of a function under this Law; or
  - where use of the information is required or authorised under this Law (whether explicitly or by implication); or
- use by a public authority or law enforcement agency—
  - for the administration or enforcement of a law or the exercise of another function of the authority or agency, including, for example, investigating a contravention or suspected contravention of a law; or
  - if a law authorises, requires or permits the disclosure of the information to, and the use of the information by, the authority or agency; or
- use by a court or tribunal in a proceeding under an Australian road law; or
- use by a court or tribunal if an order of the court or tribunal requires the disclosure of the information to the court or tribunal; or
- an activity associated with preventing or minimising—
  - a risk of danger to the life of a person; or
  - a risk of serious harm to the health of a person; or
  - a risk to public safety; or
- a use authorised by the person to whom the information relates; or
- research purposes if the information contains no personal information; or
- use by an entity (whether public or private) in connection with road tolls; or
- use by an entity (whether public or private) in connection with the administration of third party insurance legislation; or
- use by an entity (whether public or private) for the purpose of determining the registration status of a heavy vehicle; or
- a use required or authorised under a relevant law of a participating jurisdiction; or
- a use prescribed by the national regulations; or
- a use referred to in subsection (2).
As to the reference to sub-section (2), that sub-section is as follows:
- (2) It is also an authorised use, for protected information disclosed to or otherwise held by a police agency for any purpose or for a particular purpose, to disclose the information to another police agency authorised to hold protected information (whether or not for the same purpose).
Subject to the use being an ‘authorised use’ under the National Law, consideration then turns to use under the Information Privacy Act.
IPP10 relates to how an agency uses information and, in particular, requires that the use be for the purpose for which the information was obtained. IPP10 then lists a series of exceptions to that requirement, being as follows:
- the individual has expressly or impliedly agreed to the use
- there are reasonable grounds to believe that the use of the information for the other purpose is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare
- use of the information for the other purpose is authorised or required under a law
- the use is reasonably necessary for certain law enforcement activities (IPP10(1)(d))
- the other purpose for use is directly related to the purpose for which the information was obtained
- the use is necessary for research or statistical analysis in the public interest and certain preconditions are met (IPP10(1)(f)).
‘Use’ is defined in the Information Privacy Act as follows:[33]
An entity uses personal information if it—
- manipulates, searches or otherwise deals with the information; or
- takes the information into account in the making of a decision; or
- transfers the information from a part of the entity having particular functions to a part of the entity having different functions.
The NHVR is committed to the lawful and appropriate use of information, including personal information, and in particular to ensuring that the use is for the purpose for which the information was collected. To the extent that use may extend beyond the original collection purpose, the NHVR:
- takes steps to consider whether such further use is lawful, in the sense that it is authorised by the HVNL and is compliant with IPP10
- will, where appropriate, undertake a privacy impact assessment in line with the guidance published in that regard by the Office of the Queensland Information Commissioner.
4.5 Disclosure of Personal Information
The disclosure of personal information is regulated by the National Law and the Information Privacy Act.
Section 728(1) of the National Law provides that ‘A person who is, or has been, a person exercising functions under this Law must not disclose protected information to another person.’ However, sub-sections (2) and (3) then declare when that prohibition does not apply, being if:
- the NHVR is disclosing protected information[34] in the form of a confirmation that a stated person is the registered operator of a stated heavy vehicle, or
- the NHVR is disclosing details of heavy vehicles registered in a person’s name to an executor or administrator of that person’s deceased estate, or
- the disclosure is to an entity for an authorised use[35], or
- the disclosure is to, or made with the agreement of, the person to whom the information relates.
The National Law authorises the NHVR to disclose information in certain instances. For instance:
- s. 686B of the National Law provides that the NHVR may share information in the NHVR’s database of heavy vehicles with a registration authority of an Australian jurisdiction
- s. 660 of the National Law allows the NHVR to give information to a government agency of a HVNL participating jurisdiction or the Commonwealth that the agency requires to exercise its functions under a law of the HVNL participating jurisdiction or the Commonwealth.
Consideration then turns to the Information Privacy Act. Disclosure is defined under that Act as follows:[36]
An entity (the first entity) discloses personal information to another entity (the second entity) if—
- the second entity does not know the personal information, and is not in a position to be able to find it out; and
- the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and
- the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.
IPP11 provides that an agency (such as the NHVR) that has control of a document containing an individual’s personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information, unless at least one of the listed exceptions applies, i.e.:
- the person is reasonably likely to be aware that the information is usually passed to the other entity
- the person has expressly or impliedly agreed to the disclosure
- there are reasonable grounds to believe that the disclosure is necessary in order to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety, and welfare
- the disclosure is authorised or required by law
- the use is reasonably necessary for certain law enforcement activities (IPP11(1)(e) and (ea))
- the use is necessary for research or statistical analysis in the public interest and certain preconditions are met (IPP11(1)(f))
- the information is used for a commercial purpose involving the NHVR’s marketing of anything to the individual, but only if it is satisfied on reasonable grounds that the considerations listed in IPP11(14) are met.
The NHVR is committed to the lawful and appropriate disclosure of information, including personal information. The NHVR will always take steps to ensure that disclosure is authorised or required by law.
The NHVR also proactively undertakes work with law enforcement agencies, related to enforcement under the National Law. To the extent that involves the exception under IPP11(1)(e), the NHVR takes reasonable steps to ensure:
- it is satisfied that the law enforcement exemption applies
- that the relevant entity will not use or disclose the information for a purpose other than the purpose for which the information was disclosed by the NHVR.
5 Transfer of Personal Information Overseas
Section 33 of the Information Privacy Act allows an agency to transfer an individual’s personal information to an entity outside Australia only if:
- the individual agrees to the transfer, or
- the transfer is authorised or required under a law, or
- the agency is satisfied on reasonable grounds that the transfer is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare, or
- two or more of the following apply:
  - the agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the IPPs or, if the agency is a health agency, the NPPs
  - the transfer is necessary for the performance of the agency’s functions in relation to the individual
  - the transfer is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement
  - the agency has taken reasonable steps to ensure that the personal information it transfers will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the IPPs or, if the agency is a health agency, the NPPs.
To the extent that NHVR ICT partners and contractors deal with personal information, the NHVR:
- ensures that such partners have servers based in Australia (e.g., as a condition of the procurement process, etc.)
- seeks to contractually bind such parties to comply with Chapter 2, Parts 1 to 3 of the Information Privacy Act
- seeks contractual assurances in relation to information and data handling, storage, and use, such as security and auditing requirements.
6 Complaints
If a person believes that the NHVR has not handled or dealt with their personal information in accordance with the HVNL and/or the Information Privacy Act, they may make a complaint to the NHVR.
The complaint may be made to the ‘Privacy/RTI Officer’ via either:
- email to privacyrti@nhvr.gov.au, or
- post to National Heavy Vehicle Regulator, PO Box 492, Fortitude Valley, QLD 4006.
If the person does not agree with the NHVR’s decision in relation to the complaint, or has not heard from the NHVR after 45 days, the person may appeal in writing to the Office of the Queensland Information Commissioner.[37]
References
[1] Heavy Vehicle National Law (ACT) Act 2013 (ACT)
[2] Heavy Vehicle (Adoption of National Law) Act 2013 (NSW)
[3] Heavy Vehicle National Law (South Australia) Act 2013 (SA)
[4] Heavy Vehicle National Law (Tasmania) Act 2013 (Tas)
[5] Heavy Vehicle National Law Application Act 2013 (Vic)
[6] HVNL, s. 659(1)
[7] HVNL, s. 659(2)(a)
[8] HVNL, ss. 659(2)(b) & (c)
[9] HVNL, ss. 659(2)(d) & (e)
[10] HVNL, ss. 659(2)(f), (h), and Chapters 4 and 6 of the HVNL
[11] HVNL, s. 659(2)(j)
[12] HVNL, s. 65(2)(k)
[13] HVNL, s. 659(2)(ka)
[14] HVNL, s. 659(2)(l)
[15] See: https://www.nhvr.gov.au/about-us/corporate-documents
[16] HVNL, s. 481
[17] HVNL, s. 479
[18] HVNL, s. 657(2)
[19] HVNL, ss. 656(3) and 658
[20] HVNL, s. 656(2)
[21] HVNL, s. 727(1)
[22] Information Privacy Act, s. 3
[23] Information Privacy Act, s. 12
[24] See: https://www.oic.qld.gov.au/guidelines/for-government/access-and-amendment/introduction-to-the-acts/what-is-personal-information
[25] Further guidance can be found on the website for the Office of the Queensland Information Commissioner, see: https://www.oic.qld.gov.au/guidelines/for-government/access-and-amendment/processing-applications/routine-personal-work-information-of-public-sector-employees
[26] Information Privacy Act, s. 6
[27] Information Privacy Act, ss. 26 & 27
[28] The Human Rights Act 2019 (Qld), the Charter of Human Rights and Responsibilities Act 2006 (Vic), and the Human Rights Act 2004 (ACT)
[29] Similar to the Information Privacy Act, this legislation has been adopted for application by the National Law.
[30] The NHVR must take all reasonable steps to ensure that personal information it holds is accurate, relevant, complete, up to date and not misleading. The NHVR must allow an individual to request amendment of any inaccurate, irrelevant, out of date, incomplete or misleading personal information.
[31] See: https://www.nhvr.gov.au/law-policies/right-to-information
[32] Being mindful of s. 729(1) (as referenced in section 3.2 above), which provides that ‘A person who is, or has been, a person exercising functions under this Law must not use protected information other than for an authorised use’.
[33] Information Privacy Act, s. 23(3)
[34] That term is defined in section 3.2 above.
[35] That term is defined earlier, under the sub-heading ‘4.4 Use of Personal Information’ above.
[36] Information Privacy Act, s. 23(2)
[37] See: https://www.oic.qld.gov.au/about/privacy/privacy-complaints