Last updated: 27 September 2022
On this page:
The Privacy Act 1988 (the Privacy Act) requires entities bound by the Australian Privacy Principles (APPs) to have a Privacy Policy. This Privacy Policy outlines the personal information handling practices of DHA (we, us, our). Any individual who provides personal information or sensitive information to DHA (you, your) is responsible for being aware of the contents of this policy.
DHA may revise or update this Privacy Policy from time to time by publishing a revised version on our website. Revised versions take effect from the time published.
While we make every effort to identify all circumstances of personal information handling, it is not practicable to provide an exhaustive list of all the ways we collect and use personal information. Instead, some instances may be covered in broad terms.
Please refer to the Interpretation section at the bottom of the page for definitions of important terms.
This Privacy Policy covers personal information relating to:
- Australian Defence Force (ADF) members (Defence members) and their families (or dependents) who interact with DHA
- current and potential investors and landlords of DHA-managed housing and developments
- civilian tenants of DHA-managed housing
- an agent or representative of a person whose personal information may be given to or held by DHA
- current, former, or prospective employees of DHA, including employees engaged through a third-party
- ·our contracted service providers and their employees (who may be known or referred to as contractors, consultants, sub-contractors, suppliers, third-party providers, vendors, or other such terms)
- attendees or registrants for DHA events or seminars
- persons who interact with DHA employees, contractors, website, or social media
- any other individuals whose personal information may be given to or held by us in connection with our business functions and activities either directly or indirectly related to providing adequate and suitable housing to members of the Defence Force and their families.
We may collect and hold the following types of personal information about you, depending on the purpose for which we are collecting information from you:
- information to identify you, including your name, date of birth, or photo identification documentation such as passport or driver’s licence details, gender, signature
- contact details such as your email address, postal and/or home address and phone numbers
- profession, qualifications, licenses or certificates, occupation or job title, work location
- Defence member information relevant to the provision of housing, such as:
- entitlement categorisation, rank, posting location, tenancy agreements and proof of payment of rent
- dependant information, including name, gender, date of birth and school attending (if applicable)
- special needs information, including health information in relation to you and/or any of your dependants (if applicable)
- information relating to insurance claims, including health information
- financial institution/bank details
- details of shareholdings or other financial or beneficial interests
- employee information, such as tax file number (in accordance with the Privacy (Tax File Number) Rule 2015 (TFN Rule), salary and entitlement information, medical certificates, referees, declared conflicts of interest, performance and attendance at work, and emergency contact details
- job applicant information relevant to your eligibility and suitability for a job vacancy, such as education, employment history, citizenship, police checks, and diversity and inclusion characteristics as required
- information provided in comments or enquiries on DHA profiles or on individuals’ publicly available personal profiles on social media platforms
- responses to survey questions about your use and satisfaction with our products and services for research purposes
- audio or visual recordings of your face, person, voice, or likeness
- biometric information of DHA employees related to an employee’s facial characteristics for the purposes of multi-factor authentication to use DHA systems
- any other personal information provided to us verbally, electronically or in a document by an individual about themselves or another individual for purposes related to our business functions.
DHA collects some sensitive information, for example health information that may be relevant to your requirements for adequate housing, and we ensure this is collected and handled in accordance with the Privacy Act.
How we collect your personal information
We will generally collect your personal information directly from you unless it is unreasonable or impracticable to do so. When collecting personal information from you directly, it will generally be:
- through your registered access and use of our DHA online portals or third-party platforms, for example when requesting relocation or housing maintenance or lodging a job application
- when you make an enquiry or complete an application form (hard or soft copy)
- during conversations between you and our employees or contractors
- ·via telephone, online or paper-based surveys conducted by us or a representative or service provider of DHA
- when you enter into a contract with us (for example, to purchase or lease a property or provide a service to us or on our behalf)
- when you attend one of our locations such as an office or construction site where we may have security cameras in operation (clearly identified with signage).
We may collect information about you via third parties in the following ways with the consent you provide to them or us to share your personal information with us:
- from the Department of Defence and its contracted service providers, such as TOLL Group, in relation to member housing entitlements and requirements as specified by you to those third parties
- from other government agencies or departments such as AusTender or local councils
- from a Defence member in relation to their dependents
- from marketing representatives in relation to investment opportunities that you have enquired about
- from someone authorised to act or provide personal information on your behalf, for example your legal representative, financial adviser, insurance company or medical practitioner.
We will also collect your personal information from other third parties with your express or implied consent; where we are required or authorised to do so by or under an Australian law or a court/tribunal order; or when it is unreasonable or impractical to collect it from you directly. For example, we may collect personal information:
- from State and Commonwealth agencies or regulators
- credit reporting agencies, law enforcement agencies and other government entities
- from past employers or referees.
Privacy Collection Notices
We will take reasonable steps to ensure you are informed in a Privacy Collection Notice about why we are collecting your personal information, and any other relevant matters in relation to the circumstances of that collection, such as who we plan on disclosing the information to (where relevant). We will provide this information at the time of collection where practical.
Use of our website, online portals, and social media
When you use our website and online portals, information about your activity may be collected using cookies, Google Analytics and ‘retargeting’ (tailoring content based on your activity) to optimise the content you see and improve user experience. This information does not personally identify you.
If you do not wish to receive cookies, you can set your browser so that your computer does not accept them. However, our website may not offer optimal performance if you choose to disable cookies. Users may opt out of Google’s use of cookies by visiting the Google advertising opt-out page.
No attempt will be made to identify you based on this information, except in the unlikely event of an investigation by a law enforcement agency or where we are required to do so by court/tribunal order.
While we take all reasonable steps to secure personal information transmitted to our online platforms, you should be aware that there are inherent risks associated with the transmission of personal information over the internet.
Our website may contain links to other websites operated by third parties. We make no representations or warranties in relation to the privacy practices of any third-party website.
The social networking platforms we use, such as Twitter, Facebook and LinkedIn may also collect your personal information for its own purposes during your interactions with us via these platforms. These sites have their own privacy policies.
We will only collect, hold, use, and disclose personal information for purposes that are directly related to, or reasonably necessary to enable us to perform our functions as prescribed in the Defence Housing Australia Act 1987 (DHA Act).
To perform these functions, we collect personal information for various purposes depending on the nature of your relationship with DHA, including but not limited to:
- verifying your identity
- performing our business activities and functions
- meeting our obligations under the Defence Services Agreement (DSA) with the Department of Defence, including for the purposes of reporting requirements, performance measurement, assisting authorised Defence personnel to verify individual member compliance with housing entitlements, resolving escalated complaints, and any other purpose covered under the DSA
- acquiring and disposing properties to meet our housing provisioning requirements
- contacting you in response to an enquiry by you about our products or services
- providing you with access to any protected areas of our website
- presenting you with personalised housing options that meet your requirements
- recruitment and personnel management purposes (in relation to DHA employees and potential DHA employees)
- marketing (including direct marketing), planning, product or service development, quality control or research purposes
- facilitating community engagement, including forums, surveys, and the promotion of upcoming projects
- handling and resolving a complaint to the extent that is necessary for us to investigate your complaint
- responding to any communications from you, including via social media
- to facilitate requests for tender and to engage with third parties to deliver services for DHA
- work health and safety purposes
- complying with any law, regulation, or binding decision of a regulator.
In most cases we will only use your personal information for the primary purpose for which it was collected. In certain circumstances, we may use or disclose your information for a different purpose (the secondary purpose), such as where you have consented or would reasonably expect us to use or disclose the information for a secondary purpose, or the secondary purpose is one or more of the following:
- related to the primary purpose for which the information was collected (or in the case of sensitive information, directly related to the primary purpose)
- required or authorised under Australian law or has been ordered by a court or tribunal
- reasonably necessary for enforcement-related activities.
In most instances we will be unable to provide services or engage with a person who is not prepared or is otherwise unable to provide their personal information. Where possible we will provide you with the opportunity to interact with us anonymously or pseudonymously.
Direct Marketing
We may send you direct marketing communications and information about our products and services when we consider that you would reasonably expect us to use your personal information for the purpose of direct marketing, for example when you have provided your consent, or we have notified you that you may receive direct marketing upon collection of your personal information.
Marketing communications may be sent in various forms including mail, phone call SMS and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth), and may be sent via a representative or service provider of DHA. If you indicate a preference for a method of communication, we will endeavour to use that method whenever practicable to do so.
You may opt-out of receiving marketing materials from us by using the opt-out facilities provided in the marketing communications or contacting the Privacy Officer. We will then remove your name from our mailing list. We do not provide your personal information to other organisations for the purposes of their direct marketing.
We disclose personal information to other organisations or individuals when:
- you give your consent
- it is reasonably necessary to conduct DHA’s functions, or
- it is required or authorised by law, including in emergency situations or to assist law enforcement in accordance with the Privacy Act.
We may disclose your personal information to:
- related bodies corporate or owners’ corporations for DHA properties that are subject to Strata Titles
- contractors or service providers who perform services on our behalf in connection with our business and functions
- utilities providers, such as water or electricity companies
- the Department of Defence to meet the requirements of our DSA
- ·other Commonwealth or State government agencies or other entities as required or authorised by or under applicable laws or rules, such as the Privacy Act, the DHA Act and the Public Governance, Performance and Accountability Act 2013 (PGPA Act)
- law enforcement bodies, as defined in the Privacy Act
- your nominated representative, or
- ·other individuals or entities where there is a legal basis to do so.
We will not disclose any sensitive information about you unless you have provided your express consent for us to do so, or where we are required or permitted to do so by law.
Contracted service providers
We use contracted service providers to undertake certain business functions and activities for us or on our behalf, for example housing maintenance, marketing, data analysis, legal services, consultancy, and research activities. This may involve disclosing your personal information to, or collecting your personal information from, those providers for the purposes of performing our business functions.
To protect the personal information we provide to contracted service providers, we take contractual measures to ensure the contractor and its employees comply with the Privacy Act and the APPs, and only handle the personal information for the purposes of the contract.
Overseas disclosure
We may engage contracted service providers that are based overseas, or that use subcontractors based overseas, for the purposes of personal information collection and storage. For example, cloud storage or other data or web-based services and in limited circumstances, contracted service providers who operate an overseas contact centre. Contracted service providers are required to obtain DHA’s permission prior to overseas disclosure. Wherever possible, we engage providers that collect and store data in Australia.
Your personal information will not be disclosed overseas other than as described in this Privacy Policy, without your consent.
We securely store personal information we collect electronically on our IT systems, backup servers and on third-party provided cloud storage. We undertake Security Risk Assessments before engaging third-party software and application providers to ensure compliance with relevant data protection legislation. We also undertake regular security testing of our information management systems. In some limited cases, we may also hold your personal information on securely stored paper files.
We use software and applications provided by third parties, or IT providers, to store and manage personal information to deliver our services, such as Microsoft 365. We act as the sole data owner (or data controller) in all instances, with IT providers accessing personal information only in the event such access is necessary, for example for technical support.
Contracted service providers use DHA systems and may also store personal information on their own systems to carry out the required services. Providers are required to comply with the Privacy Act to keep your personal information secure, and to destroy personal information once it is no longer required.
We take reasonable steps to ensure your personal information is protected from misuse, interference, loss, unauthorised access, modification, or disclosure.
Retention and disposal
We aim to keep personal information only for as long as we need for business purposes and to comply with the Archives Act 1983 (the Archives Act). When we no longer need personal information and are lawfully able to do so, we take reasonable steps to destroy or de-identify it. Personal information we collect may become part of a Commonwealth record. We must retain your personal information held within Commonwealth records in accordance with the Archives Act. For more information about how the APPs intersect with the Archives Act, please visit the relevant page on the National Archives of Australia website here.
To request access or correction of your personal information, please use the contact details on the right of this page with the specific details of your request.
You have a right to access your personal information unless we are entitled to refuse access on grounds permitted under the Privacy Act. This includes where such refusal is required or authorised by the Freedom of Information Act 1982 (the FOI Act) or other Commonwealth legislation.
You may also request us to correct any personal information that you believe is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to make that correction upon being satisfied that the information is inaccurate, out of date, incomplete, irrelevant, or misleading. It is useful if you provide information and details to support your request.
If we do not give you access to your personal information or decide that we will not correct your personal information, we will provide you with written reasons for our decision. We will endeavour to respond to your request within 30 days of receiving it. If there may be a delay in responding to your request, we will contact you.
The FOI Act also provides mechanisms for seeking access to, and the correction of, your personal information. For further information about making an FOI request to DHA please go to our Freedom of Information page.
We recognise the importance of protecting your personal information and take all privacy complaints seriously. If you believe that we have breached our obligations under the Privacy Act in handling your personal information, you can make a privacy complaint to the Privacy Officer.
To lodge a privacy complaint, please use the contact details on the right of this page with all relevant details so that we can accurately understand, assess, and investigate your complaint. It is our preference that privacy complaints are made in writing by email to ensure we have accurate records of your complaint.
On receiving your complaint, a Privacy Officer will investigate the matter and respond to you regarding the outcome, generally within 30 days unless your complaint is particularly complex.
If you believe that the Privacy Officer’s decision or response is not correct or appropriate, you may seek further clarification or request the Privacy Officer escalate the matter to DHA’s General Manager, Governance and Communication.
If you do not believe that your complaint has been resolved satisfactorily, you can write to the Office of the Australian Information Commissioner (OAIC). Further information about how can be found on the OAIC website at https://www.oaic.gov.au/.