Skip to main content
Go to search page

Privacy Policy

The Murray–Darling Basin Authority (the MDBA) is subject to the Privacy Act 1988 (Cth) (the Privacy Act), and the requirements of the Australian Privacy Principles (APPs) at Schedule 1 of the Privacy Act.

The APPs regulate how agencies collect, use, disclose and store personal information, including sensitive information, and how individuals may access and correct records containing their personal information. The MDBA has implemented a ‘privacy by design’ approach to ensuring that privacy compliance and governance is robust. This includes ensuring that privacy compliance is included in the design of information systems and agency practices and in the implementation of those arrangements.

The role of the MDBA’s Privacy Officers and its Privacy Champion are central to this commitment. All MDBA staff and contracted service providers who undertake work on behalf of the MDBA must comply with the APPs. We also require all staff to undertake annual Privacy training.

This Privacy Policy was last updated in July 2022. This Privacy Policy will next be reviewed in July 2023 or earlier as required, and any changes will be notified on our website.

The MDBA reviews privacy risks, all relevant privacy processes, policies, notices and any other relevant privacy documentation and consults with the Executive to measure privacy performance annually. The results of these reviews are then used to improve our privacy processes and practices through the consideration of existing and/or emerging privacy issues. The Executive will be provided with an annual report on the agency’s privacy performance.

If appropriate the MDBA will consider external review or audit of privacy processes and practices.

This is the complete version of our Privacy Policy.

What is personal information?

When used in this Privacy Policy, the terms ‘personal information’ and ‘sensitive information’ have the meaning given to them by the Privacy Act under section 6.

Personal information means ‘any information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not, and
  • whether the information or opinion is recorded in a material form or not.

Examples include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, photos and videos.

Sensitive information means:

  1. information or an opinion about an individual's:
    1. racial or ethnic origin
    2. political opinions
    3. membership of a political association
    4. religious beliefs or affiliations
    5. philosophical beliefs
    6. membership of a professional or trade association
    7. membership of a trade union
    8. sexual orientation or practices
    9. criminal record

that is also personal information, or

b. health information about an individual

c. genetic information about an individual that is not otherwise health information

d. biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or

e. biometric templates.

Additional protections apply to the collection and handling of sensitive information.

Why we collect personal information

The MDBA collects and holds personal information to support the performance of its functions under the Water Act 2007 (Cth) (the Water Act) and for incidental purposes. This extends to information about:

  • personnel, payroll, and recruitment, fringe benefits tax return, workers compensation
  • program records related to our activities and functions
  • procurement and contracting activity including the conduct of tenders and grants
  • engagement and communications
  • requests for publications
  • Freedom of Information requests and responses
  • privacy requests and responses, and
  • information communications technology and security arrangements.

Personal information we collect may include (but is not limited to):

  • name, address and contact details
  • photos, videos and audio recordings
  • information about personal circumstances and identity, including marriage status, age, gender, date of birth and occupation
  • business and financial details and assets including bank, property and water license details
  • images (including geospatial satellite images and images from fixed and drone cameras)
  • water usage details
  • information about an individual’s cultural or ethnic background when engaging with cultural or culturally sensitive information, and
  • employment details, including employment history and payroll details.

We maintain a centralised record of the types of personal information we hold called a Personal Information Holdings Register.

How we collect your information

Collection of personal information

The MDBA collects personal information only where it is reasonably necessary for, or directly related to, the MDBA’s functions or activities.

The MDBA may collect personal information in a number of ways, including:

  • through correspondence and application forms
  • during conversations
  • through subscription for information and updates of programs and functions administered by us
  • through contact and mailing lists
  • through participation in our stakeholder engagement processes and public and statutory consultations
  • as part of the complaints process
  • through image capture using fixed and drone cameras, and
  • use of our website and referral arrangements.

We will usually collect personal information directly from the person concerned. However we may collect personal information from a third party:

  • where it is unreasonable or impracticable to collect from the individual
  • where we are authorised or required by law to collect the information from someone else, or
  • with consent of the person concerned.

We may obtain personal information collected by other Australian Government agencies, state or territory governments, our service providers and contractors, other third parties or from publicly available sources in the circumstances set out above.

When we receive personal information that we did not ask for we deal with it in accordance with the APPs.

When we collect personal information, we are required under the APPs to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information, including if those persons or bodies are located overseas. We usually provide this notification by including privacy notices on our forms and online portals.

Collection of sensitive information

In carrying out our functions or activities we may collect personal information that is sensitive information. The APPs impose additional obligations on us when collecting, using or disclosing sensitive information. We may only collect sensitive information from you:

  • if you consent and the information is reasonably necessary for, or directly related to, one or more of our functions or activities
  • if required or authorised by law, or
  • where a permitted general situation exists (e.g. to lessen or prevent a serious threat to life, health or safety1 ).

We may also collect sensitive information, where authorised to do so, for the purposes of human resource management, detection and investigation of fraud and misconduct, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.

Remaining anonymous or using a pseudonym

We may also collect sensitive information, where authorised to do so, for the purposes of human resource management, detection and investigation of fraud and misconduct, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.

Collection of geospatial satellite and camera images

We collect geospatial satellite and camera images to support a broad range of functions under the Water Act and Basin Plan 2012 (Cth) (the Basin Plan).

Collecting geospatial satellite and camera images which show the flow of water through the landscape and the extraction, use or application of those resources is central to effectively monitoring the quality and quantity of Basin water resources.

For more information on our collection of geospatial and camera images, please see our privacy collection notice.

Information storage and security

Information storage

Personal information is stored in paper and electronic form, including cloud storage.

Storage of personal information (and the disposal of information when no longer required for business purposes) is managed in accordance with the Australian Government’s records management regime, including the Archives Act 1983 (Cth), General Records Authorities and Agency-specific records authorities.

Information security

MDBA uses a range of physical and electronic systems to store personal information and takes all reasonable steps to secure the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

These measures include, but are not limited to, restricted physical access to our offices, secure cupboards and storage containers for paper records, secure computer systems and networks for electronic records, controlled access to databases by authorisation, training and passwords, workplace policies and regular review and testing of our physical and electronic systems.

Commonwealth Government policy requires the MDBA to create and maintain an effective protective security environment as outlined in the Protective Security Policy Framework (the PSPF) and it is mandatory for all staff to protect MDBA assets and information from theft, unauthorised access and disclosure. Security risks are continually reviewed and assessed and staff are instructed in proper security practices, including a clear desk policy and the use of appropriate security containers reflecting the type and security classification of the personal information.

All internal electronic records are processed, stored and maintained in accordance with the MDBA’s information security management system which is designed to protect the confidentiality, integrity, and availability of electronic information. It is mandatory for all staff who use the MDBA computer systems, including contractors, consultants and volunteers, to comply with the Acceptable Use of Information and Communication Technology Resources. All records held externally are stored and secured in accordance with the PSPF.

We will consider the privacy implications of new technologies, new security risks and threats in consultation with the Chief Information Officer (the CIO).

The purposes for which the MDBA collects, holds, uses and discloses personal information

The MDBA collects personal information for a variety of different purposes relating to the MDBA’s functions and activities including:

  • performing employment and personnel functions in relation to staff, contractors and service providers
  • performing legislative and administrative functions, including under the Water Act and Basin Plan
  • policy development, research and evaluation
  • complaints handling
  • to engage with and educate stakeholders and the Basin community in the planning, management and use of the Basin's resources
  • to implement the Basin Plan, including public consultation, water resource planning and water trading rules
  • program management, and
  • contract management.

The MDBA carries out its functions directly and through Basin state government agencies in partnership with the Australian Government. More information about the MDBA's role and structure can be found in Part 9, Division 2 of the Water Act on our website, in our Annual Report and in our Information Publication Scheme.

In most cases, we use and disclose personal information for the primary purpose for which it is collected. There are some circumstances in which the MDBA is permitted to use or disclose personal information for another purpose. Those other purposes include where:

  • we can obtain your consent to use the information for that other purpose
  • you would reasonably expect us to use or disclose the information for a secondary purpose that is related to the primary purpose (for sensitive information, this secondary purpose must be directly related to the primary purpose)
  • where required or authorised under law, and/ or
  • a permitted general situation exists (e.g. to lessen or prevent a serious threat to life, health or safety).

For additional information regarding use or disclosure of personal information, please refer to the APP 6 Guidelines developed by the Office of the Australian Information Commissioner (the OAIC).

Likely secondary purposes for which we may use or disclose your personal information include but are not limited to:

  • quality assurance
  • auditing
  • reporting
  • research, evaluation and analysis
  • investigations of fraud or misconduct, and
  • promotional/engagement purposes.

Disclosure of personal information overseas

The MDBA is not likely to disclose personal information to overseas recipients. However, geospatial satellite images and related information are publicly available including to overseas parties (see our privacy collection notice).

Accidental or unauthorised disclose of personal information

We follow the OAIC’s Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act when handling accidental or unauthorised disclosures of personal information, as well as Part IIIC of the Privacy Act which deals with the notification of ‘eligible data breaches’ (data breaches a reasonable person would conclude would be likely to result in serious harm to an individual).

The Notifiable Data Breaches (the NDB) scheme in Part IIIC of the Privacy Act came into force in February 2018.

The MDBA is required to notify affected individuals and the Australian Information Commissioner of data breaches that may cause serious harm. This can include data breaches that are likely to result in serious financial harm, or harm to affected individuals’ mental or physical well-being. The MDBA has developed a tailored plan to follow if a data breach has occurred. If you are subject to a data breach and you experience emotional distress, there are support services that can help you.

More guidance about data breaches is available on the OAIC’s website.

Our website and social media accounts

Visiting our website

Our website has been developed consistently with the APPs and we also follow the Guidance for agency websites: ‘Access to information’ issued by the OAIC.

When you visit our website to read or download information, we may record, through our web server log files or Google Analytics, the following non-personal information for statistical purposes:

  • your server address
  • your top level domain name (e.g. ‘.gov’, ‘.com’, ‘.edu’, ‘.org’, ‘.au’, ‘.nz’ etc.)
  • the pages you accessed and the documents you downloaded
  • the search terms you used
  • the date and time you visited the site
  • the previous site you visited
  • your operating system (e.g. Windows, Macintosh), and
  • the type of browser you use.

This data helps us manage our website efficiently and securely, including monitoring to prevent security breaches and to enhance the website to meet your needs. No attempt is made to identify you or your browsing activities, except in the unlikely event of a criminal investigation, e.g. where a law enforcement agency may exercise a warrant to inspect our Internet Service Provider’s (ISP) logs.

Google Analytics

We use Google Analytics to collect data about your interaction with our website. The sole purpose of collecting your data in this way is to improve your experience when using our site. The types of data we collect with Google Analytics include:

  • your device's IP address (collected and stored in an anonymised format)
  • device type, operating system and browser information
  • geographic location (country and state only)
  • referring domain and out link if applicable
  • search terms, pages visited, files downloaded and any other click event while browsing the pages
  • date and time when website pages were accessed, and
  • how long you spend on each ‘’ page.

This data helps us manage our website efficiently and securely, including monitoring to prevent security breaches and to enhance the website to meet your needs. No attempt is made to identify you or your browsing activities, except in the unlikely event of a criminal investigation, e.g. where a law enforcement agency may exercise a warrant to inspect our ISP logs.

By using our website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. Please refer to Google's privacy policy. You can opt out of Google Analytics if you disable or refuse the cookie, disable javascript, or use Google’s opt-out service.


Cookies are pieces of information that a website can transfer to your web browser. Parts of our website may store cookies on your browser in order to service you better when you next visit the site.

You can change your web browser’s settings to reject cookies or to prompt you each time a website wishes to add a cookie to your browser. Some functionality on the website may be affected by this.


The MDBA maintains the same level of security for personal information collected electronically as it does for personal information collected on paper. However, if you are providing personal information via an email or an online form you should be aware that there are some risks to transmitting data via the Internet.

Links to external web sites

The MDBA’s web site contains links to other web sites. The MDBA is not responsible for the content and the privacy practices of other web sites and encourages you to examine each web site's privacy policy and make your own decisions regarding the accuracy, reliability and correctness of material and information found.

Accessing our social media accounts

When using Facebook, Twitter, Linkedin, YouTube or Vimeo, the information posted on their pages is used only to administer the pages and to consider and respond to any comments you make. No attempt will be made to further identify you except where authorised or required by law.

We only record your personal information if you send us an email. We use Google Analytics to collect statistical web traffic information.

The MDBA is not responsible for the privacy practices of Facebook, Twitter, Linkedin, YouTube or Vimeo and you should refer to their privacy policies on their websites:

Accessing and correcting your personal information

How to request access to and correction of personal information

You have the right to apply for access to, or request correction of, the personal information that we hold about you under the Privacy Act if you think the information is inaccurate, out of date, incomplete, irrelevant or misleading.

To protect your privacy and the privacy of others, when you contact us we may need to verify your identity.

To access or seek correction of personal information we hold about you, please contact us using the details provided under the contact us section below. The Privacy Act does not require you to seek access to your personal information in any particular way. However, to ensure your request for access is efficiently identified and processed, the MDBA prefers that you make your request via email.

Former MDBA employees seeking their employment details should initially do so in accordance with our personnel procedures. Please contact the Director, People and Culture, Business Services Portfolio.

Our access and correction process

If you request access to, or correction of, your personal information, we will acknowledge within 5 working days that we have received your request and we will respond to your request within 30 days.

If we refuse to give you access to your personal information or to correct it we will give you written reasons for the refusal, unless it is unreasonable to do so, for example, if providing a reason could prejudice a legal action. We will also provide you with information about how you can complain about our refusal if you wish to do so.

It is also possible to access and correct documents held by the MDBA under the Freedom of Information Act 1982 (Cth). For more information on Freedom of Information requests please see our website.


If you have any concerns about the way we handle your personal information and wish to make a complaint about a breach of the APPs, please contact the Privacy Officer using the details provided under the contact us section below.

The MDBA is committed to the consistent, fair and confidential handling of a complaint. We are also committed to resolving complaints as quickly as possible, generally within 20 working days. You can also expect us to acknowledge your complaint and to keep you advised of progress.

If you are not satisfied with our response, you may request us to reconsider it. You may also make your complaint directly to the OAIC. However, in most cases the OAIC will refer you to us to make the complaint in the first instance.

Privacy Management Plan

A Privacy Management Plan (PMP) identifies specific, measurable goals and targets, and sets out how an agency will meet its compliance obligations under APP 1.2. The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (the Privacy Code) requires agencies to have a PMP and to measure and document performance against the plan at least annually.

The MDBA’s PMP outlines the actions we will be taking within a 12 month period to ensure we are compliant under APP 1.2. PMP’s are endorsed by the Privacy Champion.

Privacy assessments

The MDBA has implemented processes to ensure that privacy risks are assessed. These reflect that Privacy Threshold Assessments (PTA) are to be conducted at the beginning of any body of work that will involve personal information being collected, stored, used or disclosed in a new or novel manner, or a way which carries elevated privacy risk. If the project or program is identified as high risk then, consistent with the Privacy Code, we are required to conduct a Privacy Impact Assessment (PIA).

A PIA is a systematic assessment of a project that identifies the impacts that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact. More information about PIAs is available on the OAIC website.

We maintain a PIA register on our website.

Contact us

Privacy Officer
Murray–Darling Basin Authority
GPO Box 1801
Phone: (02) 6279 0100 and ask for the Privacy Contact Officer

You have the option to contact us without identifying yourself or of using a pseudonym. Further information on dealing with us anonymously or by using a pseudonym is set out under the collection section above.

1Permitted general situations are set out in Section 16A of the Privacy Act.

Updated: 23 Aug 2022