1. The purpose of this policy is to outline the privacy practices of the St Vincent de Paul Society NSW (the Society) including how we collect and manage personal information and how individuals may access and correct records containing their personal information or make a complaint about a breach of privacy.
2. This policy applies to all Society Personnel (including members, volunteers and staff).
3. This policy covers personal information collected:
4. Where a funding agreement has specific requirements pertaining to the collection and storage of sensitive information that are outside of this Policy, a separate procedure or protocol may exist or will be developed as necessary and will be an extension of this Policy. For example, a separate procedure exists for the Local Area Coordination program.
5. Relevant definitions are contained in Appendix 1.
6. Related policies and procedures at the time of approval include:
7. The Society recognises the importance of, and is committed to, protecting an individual’s dignity, right to privacy and rights to their personal information.
9. The Society complies with federal and state legislation that imposes specific obligations relating to the handling of personal information and health information. These include:
10. The Society also complies with other laws that protect specific types of personal information in service delivery to, for example, children, older people and people with disabilities (together, the Australian Privacy and related Laws).
11. The Society takes reasonable steps to communicate and implement its policies, practices, procedures and systems in compliance with Australian Privacy and related Laws.
12. The Society respects the privacy of children and young people, and people with disability. The Society takes reasonable steps, including using appropriate language and modes of communication, to ensure that all individuals understand their rights to privacy and confidentiality and that they understand what personal information is collected, used, stored and disclosed, and why.
14. The Society acknowledges and supports an individual’s right to complain if they believe their privacy has been breached contrary to this policy and to Australian Privacy and related Laws.
16. The Society may collect personal information required to carry out its functions or activities. These include service delivery, referrals, fundraising and communication, complaints handling and reporting. It also includes information that individuals provide to the Society through its websites or online presence. The Society also collects personal information where necessary or required by law.
17. The Society collects personal information about people we assist:
18. The Society may sometimes be required to collect sensitive information from individuals to provide particular assistance. Such assistance could include facilitating arrangements with, or on behalf of, individuals for financial assistance, accommodation, community engagement and medical and/or mental health assistance.
19. The Society will limit the collection, storage, use and disclosure of sensitive information to instances where the information is:
20. The Society will explain the purpose for which sensitive information will be used, provide individuals the opportunity to discuss any concerns they may have, and record in the Society Privacy disclosure form (Appendix 2) whether or not consent was given to use the sensitive information.
21. The Society may also collect information regarding applicants for employment, staff members, volunteers or contractors, including: job applications; professional development history; salary and payment information; superannuation details; medical information (for example details of disclosed disabilities and/or allergies, medical certificates); emergency and/or family contact information; leave details; workplace surveillance information, including video; work emails and private emails (when using work email address); and Internet browsing history.
22. The Society may engage third parties to provide limited personal information for marketing and fundraising purposes.
23. For other people who come into contact with the Society, personal information necessary for the purpose of contact will be collected.
24. The Society will not record telephone conversations for quality, compliance and training purposes without the express consent of the parties to the call.
25. The Society may use GPS tracking devices in its vehicles in accordance with relevant legislation.
26. The Society collects, holds and uses personal information:
27. The Society collects personal information (and in particular any sensitive information such as health information and probity checks) directly from individuals unless it is unreasonable or impracticable to do so.
28. As part of its commitment to open and transparent management of personal information, where the Society requires the collection of personal information, the Society will advise individuals when it is possible to interact anonymously or by using a pseudonym. For example, if an individual contacts the Society’s independently managed Integrity Hotline by email or phone with a general question, a name will not be required unless the individual chooses to provide it.
29. Where anonymous interaction is not possible, the Society will advise individuals about their privacy rights including: the purpose for the collection of information; who it may be shared with or disclosed to (where possible); and how it will be stored. This advice will be provided before an individual is asked to consent to the collection or sharing of that information, in language and in a mode that they can understand.
30. The Society’s first and preferred approach is to collect information directly from individuals wherever possible and to ensure that they have provided informed consent. Where the Society seeks personal information from individuals who require assistance to provide this information directly, the Society will take the necessary steps to explain the individual’s right to privacy and to obtain consent in accessible format. This may include the use of appropriate written, picture or other format. The Society will record the steps taken to explain and achieve informed consent in the notes of client meetings and store these securely in personal record files.
31. The Society may also collect personal information directly from publicly available sources or from third parties. Third parties may include: individual’s carers, guardians, advocates or authorised representatives; individual’s medical and/or health professionals; government or non-government agencies that the Society partners with to deliver services; law enforcement agencies; parties to a complaint; or prescribed bodies permitted to provide Chapter 16A information relating to the safety, welfare and wellbeing of a child or young person. It could also include third parties for fundraising purposes.
32. Where the Society collects personal information about an individual from third parties, the Society will take reasonable steps before the time of, or at the time of, collection; or as soon as practicable after collection; to let the individual or their authorised representative know the circumstances of the collection.
33. The Society will take reasonable steps to ensure that personal information collected, stored, used and disclosed by it is accurate, complete and up-to-date. To ensure this the Society will:
34. Individuals can decline to provide personal information. However, if the personal information requested is not provided the Society may not be able to:
35. The Society may disclose information to a third party in certain circumstances.
36. The Society will not disclose personal information to another party if an individual explicitly denies consent for the disclosure except as required by law.
37. The Society will ensure that any disclosure request is made in writing when possible and practical. If it is not possible or practical to obtain a disclosure request in writing, this will be recorded by the Society. While complying with relevant laws, the Society will only disclose such information as is necessary and required, including in accordance with the Personal Information Requests Policy.
38. The Society may disclose an individual’s personal information within the Society or to a third party including:
39. From time to time the Society provides some personal information to other charities and data co-ops, based in Australia and subject to Australian privacy laws, to increase its donor base.
40. If the Society provides services to an individual, it may also disclose their personal, health and sensitive information to:
41. The Society may receive and will comply with disclosure requests regarding information held about individuals to comply with legal obligations, including:
42. The Society is a global organisation with affiliates that operate all over the world.
43. The Society will take reasonable steps to ensure that any disclosure of personal information to third parties overseas, including to the Society’s own overseas affiliates, is compliant with Australian privacy laws.
44. The Society uses social media platforms such as Facebook to facilitate its business activities and functions and post information about events and activities. Individuals who interact with the Society through these services are responsible for reviewing and accepting their privacy policies prior to interacting with the Society. These services may use cloud based data storage services. Some of these services and platforms store information overseas. The privacy laws of these countries may not provide the same level of protection as Australian privacy laws. Individuals providing information to the Society cannot seek redress against these services under Australian privacy laws and may not be able to seek redress overseas.
45. The Society’s public website (www.vinnies.org.au) collects limited generic user information to identify generic user behaviours such as webpages visited and popular content. Where the website allows individuals to make comments, give feedback or make a credit card payment, the Society may collect email addresses and other contact details. The Society may use email addresses provided to respond to feedback and, on occasion, to make direct contact for surveying purposes and ongoing communication. The personal information from the website is stored on servers located in Australia.
46. Where there is a mailing list that individuals have subscribed to, there will be a simple option available to opt out of receiving further information or correspondence if they no longer wish to receive communication.
47. If individuals visit the website to read, browse or download information, information such as the date and time of the visit to the website, the pages accessed and any information downloaded may be recorded and used for statistical, reporting and website administration and maintenance purposes.
48. The Society’s website may use ‘cookies’ (small summary files containing an ID number unique to your computer). Cookies allow the Society’s system to identify and interact more effectively with other devices. They help the Society to maintain the continuity of the browsing session, remember the visitor’s details and preferences if they return, and to measure traffic patterns to determine which areas of our websites have been visited so that we can improve our services. Our cookies do not collect personal information. Individuals can configure the web browser software to reject cookies, however some parts of the website may not have full functionality in that case.
49. When the Society sends emails or other electronic messages, it may record where the message was opened and what particular links were clicked to better understand what information is of interest to the viewer.
50. The Society is subject to laws requiring it to protect the security of personal information once it comes into its possession. However, any personal information sent through the website or other electronic means may be insecure in transit, particularly where no encryption is used (for example email or standard HTTP). The website may contain links to other sites operated by third parties. Third party websites are responsible for informing you about their own privacy practices and the Society is not responsible for the privacy practices or policies of those sites.
51. The Society may log IP addresses (that is, the electronic addresses of computers connected to the internet) to analyse trends, administer the websites, track users’ movements, and gather broad demographic information.
52. The Society engages external data aggregators including Facebook and Google Analytics to identify individuals who may be interested in Society campaigns and activities, based on their usage of the Society’s website. The Society uses Google Analytics to inform and optimise content based on an individual’s past visits to the Society websites. Google Analytics informs the Society how visitors use the websites based on their browsing habits, so that the Society can improve its websites, and make it easier to find information. Google also receives this information as individuals browse the Society’s websites and other websites on the Google Display Network using Remarketing. Individuals can opt-out of customised Google Display Network services and Google Analytics for Display Advertising using ad settings, and can use the Google Analytics Opt-out Browser Add-on to not be tracked into Google Analytics.
53. Despite all precautions taken by the Society to protect personal information, because our websites are linked to the Internet, we cannot provide any assurance regarding the security of any transmission of information individuals communicate online. The Society also cannot guarantee that information supplied will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information transmitted to the Society online is transmitted at the individual’s own risk.
54. The Society takes reasonable steps to ensure personal information is protected from misuse, interference, loss and unauthorised access, modification or disclosure. Personal information in electronic form is stored in electronic databases that require passwords and logins. Personal information in hard copy is kept securely. The Society’s standard practice is to destroy or de-identify records of personal information once they are no longer needed. If the Society is required to disclose personal information it will take reasonable steps to prevent unauthorised use or disclosure of that information.
55. The Society does not use any government assigned identifier as a primary form of identification, such as an individual’s Tax File Number or Medicare Number. The Society takes reasonable steps to ensure that the personal and sensitive information relating to individuals is de-identified, particularly when such information is required for reporting or other statistical purposes.
56. Where the Society must request information from Centrelink to check eligibility for concessions, rebates and services it will only utilise the information to the extent necessary to perform the required services.
57. The Society complies with requirements under the Archives Act 1983 (Cth) and its own Records Retention Policy, to protect personal information it holds. Generally, the Society is required to keep records for a minimum of seven years from the date they were last accessed or until the person has reached 25 years of age, whichever is longer. In addition, the Society has a restricted access system where only appropriate Society Personnel have access to files. The Society protects information held from both internal and external threats by:
• regularly assessing the risk of misuse, interference, loss and unauthorised access, modification or disclosure of that information
• taking measures to address those risks, for example, by keeping a record (audit trail) of when someone has added, changed or deleted personal information held by the Society electronically
• maintaining electronic security of Society premises and information systems, including password protection for electronic files (further, the Society’s internal network and databases are protected using firewall, intrusion detection and other technologies).
58. Where individuals or their nominated person and the Society Personnel agree that personal information held by the Society needs updating or amendment, changes to records containing that information will be made following an informal request.
59. Individuals or their nominated person may request formal access to their personal information held by the Society at any time by making a written request to the Privacy Officer, St Vincent de Paul Society NSW, PO Box 5, Petersham NSW 2049 or by email at firstname.lastname@example.org.
60. After the Society has established the appropriate personal identification of the individual and, if applicable, the requisite authority of the nominated person, the Society will usually make the requested information available for inspection within 28 days of receipt of the request for access. Some services may have additional requirements relating to access (such as requiring individuals to view files in person with Society Personnel present to provide additional support or information).
61. The Society may refuse access where it reasonably believes that granting access would pose a serious threat to the life, health or safety of an individual or to public health and safety, have an unreasonable impact on the privacy of another individual or if it would result in a breach of confidentiality. Where the Society refuses access, it will give written reasons. Where the Society refuses access to personal information on the ground that it would present a serious threat to an individual’s life or health, an individual may request the Society to provide access through an intermediary (such as a treating medical practitioner) who would consider whether access should be provided.
62. Individuals or their nominated person can make a request in writing if they believe the information held by the Society is inaccurate, out-of-date, misleading or incomplete.
63. If an individual believes that the personal information the Society holds about them is incorrect, incomplete, outdated or inaccurate, they may request the Society to amend it. The request will be treated confidentially. In responding to the request, the Society will:
Privacy and data breaches
64. Despite the Society’s best efforts to protect and safeguard individuals’ privacy, information data breaches may occur including:
65. The Society must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of ‘eligible data breaches’ when:
66. In these circumstances the Society must notify the OAIC and the affected individuals of: the contact details of the Society; a description of the eligible data breach; the kinds of information concerned (for example, health records, sensitive information); and recommended steps individuals can take relating to the breach.
67. When notifying individuals, the Society will, depending on the most appropriate course, either notify all affected individuals; or notify only those individuals at risk of serious harm; or if those options are not feasible, publish a Notifiable Data Breach statement on the Society website and publicise it. Where the Society is required to also report the breach to other enforcement agencies, it will take reasonable steps to inform individuals concerned.
68. Individuals, or their authorised representative, with any questions or concerns regarding a possible privacy breach, should contact the Society’s Privacy Officer who will confidentially discuss the concerns and outline options for resolution.
69. The Society recognises the right of all individuals, or their authorised representative, to complain about possible privacy breaches by the Society.
70. The Society will provide a procedure to receive and resolve complaints fairly and accessibly, in a timely manner that is procedurally fair, without reprisal for the person making the complaint.
71. The Society acknowledges the right of individuals to be represented by an authorised representative or advocate of their choice at all stages of the complaint process and will inform the individual of this at the time they make a complaint.
72. Where an individual is not represented and requires support to make a complaint, the Society will ensure that appropriate support and assistance is provided to them to do so.
73. Individuals, or their authorised representative, wishing to make a complaint to the Society regarding the handling of personal information, can do so:
74. The Society will aim to resolve complaints in a timely, satisfactory, fair and transparent manner in accordance with the Society’s Complaint Handling Policy.
75. However, where individuals are not satisfied with the results of the complaint, depending on the nature of the complaint, they or their nominated person can make a complaint to:
76. The Executive Director, Corporate Services is responsible for maintaining the currency of this policy.
77. Each Executive Director or the Chief Financial Officer is responsible for managing legal compliance obligations in their directorates and for promoting, monitoring and upholding a positive compliance culture and identifying the need to engage support and/or training for staff to implement the policy.
78. The Executive Director, Membership, Volunteers and Regional Operations is responsible for managing the legal compliance obligations of members and for identifying the need to engage support and/or training for members to implement the policy.
79. The Society shall send staff, members and volunteers regular reminders regarding information security and their privacy responsibilities.
80. This policy is scheduled for review every year, or on a needs basis as required to align with legislative or practice changes.
81. The effectiveness of the operation and socialisation of this policy is to be evaluated and reviewed by the Executive Director, Corporate Services, at least once every two years after coming into operation.
82. Society Personnel should speak with their Manager regarding any questions about the implementation of this policy. They may also contact the Executive Director, Corporate Services to provide feedback on this policy.
83. Individuals who have any queries, concerns or feedback about this policy, may contact the Society’s Privacy Officer as follows:
Phone: (02) 9568 0262
Email: email@example.com
Post: PO Box 5 Petersham NSW 2049
Visit: 2C West St Lewisham NSW 2049
84. Legislation, regulations and guides relevant to this policy include: