1. Policy Statement
Activ is bound by the Privacy Act 1988, which sets out 13 Australian Privacy Principles (APPs) regulating how Activ collects, holds, uses and discloses personal information, and how an individual may access and correct personal information held about them.
This document sets out how Activ collects, manages, stores and uses personal information, and how we may disclose information in the delivery of the services we provide. This policy applies to all records, whether hard copy or electronic.
2. Activ Principles
2.1 Meet its legal and ethical obligations as an employer and service provider to protect the privacy of customers and staff.
2.2 Require staff, directors, volunteers and customers to sign a Confidentiality Form demonstrating that they understand their rights and responsibilities in relation to protecting the privacy and confidentiality of personal information, and educate all staff, directors and volunteers on what is required to meet these obligations.
2.3 Ensure customers and staff are provided with information about their rights and responsibilities regarding privacy, dignity and confidentiality.
2.4 Collect personal information only by fair and lawful means and with the consent of the individual.
2.5 Collect and store only personal information that is necessary for the functioning of the organisation and conducting its activities.
2.6 Ensure our customers and staff know what sort of personal information is held, what purposes it is held for and how it is collected, used, disclosed and who has access to it.
2.7 Take reasonable steps to ensure that personal information collected or disclosed is accurate, complete and up to date.
2.8 Enable customers and staff to access and review their personal information, and to update or correct information about themselves that is wrong.
2.9 Take reasonable steps to protect all personal information from misuse and loss and from unauthorised access, modification, or disclosure.
2.10 Ensure staff have access to customer files and other personal information only to the extent necessary to undertake their usual duties.
2.11 Instruct staff on the process and approval requirements to release information.
2.12 Provide customers and staff with privacy and dignity when they are discussing matters of a personal or sensitive nature.
2.13 Destroy or permanently de-identify personal information no longer needed and/or after legal requirements for retaining documents have expired.
2.14 Adhere to all requirements under the Privacy Act 1988, including the Australian Privacy Principles under the provisions of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Privacy Amendment (Notifiable Data Breaches) Act 2017, to strengthen the protection of personal information.
3. Detailed Information on Activ’s Privacy Principles
3.1 Personal and Sensitive Information Activ Holds & Collects
Activ collects personal and sensitive information only if this is necessary to provide services, fundraise or conduct its business lawfully and ethically.
This includes personal and sensitive information about customers and staff that is reasonably necessary for, or directly related to, the services provided by Activ or its functions or activities.
Activ will ask for consent before using information for a purpose other than the one for which it was originally collected.
The nature and extent of the personal and sensitive information collected by Activ varies depending on the interaction with Activ.
Reasons may include maintaining our relationship, service provision, enquiries, research, fundraising, and legal compliance.
3.2 Types of Information Collected
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Examples of personal information we collect include:
- date of birth,
- email addresses,
- telephone and facsimile numbers, and
- bank account details.
We collect your personal information for the primary purpose of providing our services to you. We may also use your personal information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure.
Sensitive information is defined in the Privacy Act as information or opinion about such things as medical records, an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record, or health information.
Sensitive information will only be disclosed for the primary purpose of collection or with the customer’s consent.
3.3 Storage, Retention & Disposal of Personal Information
Activ takes reasonable steps to protect and store the Personal Information and Sensitive Information we hold against misuse, interference, loss, unauthorised access, modification and disclosure.
These steps include password protection for accessing electronic IT systems, securing hardcopy files in locked cabinets and applying physical access restrictions. Only authorised personnel are permitted to access our systems and controlled premises.
Some information is required by law to be retained after a customer or staff member has left Activ (e.g., the retention of employee records). When your information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify the records in line with record-keeping legislation and Activ’s Records Procedures (AQUA 2790).
Personal information will be transferred overseas only with your consent and in compliance with the Privacy Act.
3.4 Data Security & Protection of Information
Your personal information is stored in a manner that reasonably protects it from misuse, loss, and from unauthorised access, modification, or disclosure.
We work to reduce the risk of a breach of personal or sensitive information by conducting formal audits of our IT systems and processes and by educating our staff.
Our website collects data to enhance user experience. Data might include submissions, emails, and cookies for tracking. Cookies enhance website functionality and might be used for remarketing. Where your data is used by Activ for marketing purposes, you will be given the option to opt out. Website interaction data is used for website improvement.
3.5 Third Party Disclosures
Where reasonable and practicable to do so, we will collect your personal information only from you. In some circumstances, we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.
We may need to disclose your personal information to a third party; this will be done only with your consent or under one of the circumstances permitted by the APPs (Customer/NDIS). We will not sell your data or personal details, including email addresses, to third parties.
3.6 Request to Access or Correct Personal Information
Requests to access or correct Personal Information should preferably be made in writing so that Activ can review them in a timely manner; the contact options for submitting a request are listed below. Activ will take steps to correct a customer’s personal information in accordance with the APPs on receipt of a written request to do so.
If an individual requests access to the Personal Information Activ holds about them, Activ will review and consider the following before releasing the information:
- does the request relate to the Personal Information of the person making the request;
- could the request have an unreasonable impact on the privacy of other individuals;
- could providing access pose a serious threat to the life, health or safety of a person or to public health or public safety;
- does the request relate to existing or anticipated legal proceedings;
- would access be unlawful;
- is denial of access authorised or required by law;
- would access prejudice an action in relation to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of Activ;
- could access disclose a ‘commercially sensitive’ decision making process or information; or
- is there any other reason that is provided for in the APPs or in the Privacy Act to deny access.
If we deny access to information, we will set out our reasons for denying access in writing.
Service Areas Contact
For Customers email@example.com
For Staff Via your Line Manager or via firstname.lastname@example.org
All other enquiries email@example.com or 08 9387 0555
3.7 Privacy Complaints & Breaches
In accordance with Activ’s Privacy Management Procedures, if Activ becomes aware that the privacy of a person to whom this policy applies has been breached, Activ will notify the affected individual immediately and also inform the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches scheme under the Privacy Act.
The notification to individuals will include recommendations about the steps they should take in response to the data breach, as well as the steps taken by Activ to contain the breach and remediate the systems, processes or practices involved.
If you have a complaint about our privacy practices or our handling of your Personal Information or Sensitive Information, you may notify our Privacy Officer.
All efforts will be made to address complaints and achieve an effective resolution of your complaint within a reasonable timeframe. In most cases this will be 30 days or as soon as practicable. However, if the matter is complex, the resolution of the complaint may take longer.
All complaints and outcomes will be recorded.
If you are not satisfied with the outcome, you may contact the Privacy Commissioner.
3.8 Additional Resources for Activ Staff to Manage Privacy
Additional information for staff to manage privacy requests, or information, is provided in Activ’s internal Privacy Management Procedures, located on Activ’s intranet.
4. Contact Us
5. Responsibilities and Delegations
This policy applies to all customers, guardians, advocates, all staff, contract workers, agency staff, volunteers, directors, donors, business partners and the representatives of agencies.
Each line manager is responsible for ensuring staff, supported employees and customers are familiar with this policy, receive appropriate training, and have sufficient skills, knowledge and ability to meet the requirements.
All staff will be held accountable for complying with the requirements of this policy. Activ has appointed Privacy Officers with specific responsibilities described in the Privacy Management Framework.
Governance & Risk Business Partner, Clinical Governance Manager, Senior Compliance Officer, Head of Service Delivery, Head of Sales & Development.
6. Policy Context
6.1 Relevant standards:
- National Standards for Disability Services: Standard 1 – Rights
- NDIS Practice Standards and Quality Indicators: Core Module
- NDIS Act 2013
- Privacy Act 1988
- Privacy Amendment (Enhancing Privacy Protection) Act 2012
- Privacy Amendment (Notifiable Data Breaches) Act 2017
- Student Identifiers Act 2014
6.3 Related policies and procedures:
- Code of Conduct and Ethics (1867)
- Privacy Management Procedures (2788)
- RTO Privacy and Confidentiality Policy (2882)