NSW Privacy Policy

Download a PDF copy of the St Vincent de Paul Society NSW Privacy Policy here.

Purpose

1. The purpose of this policy is to outline the privacy practices of the St Vincent de Paul Society NSW (the Society) including how we collect and manage personal information and how individuals may access and correct records containing their personal information or make a complaint about a breach of privacy.

Scope

2. This policy applies to all Society Personnel (including members, volunteers and staff).

3. This policy covers personal information collected:

• regarding Society staff, contractors, applicants for employment, members and volunteers
• regarding individuals who access or receive Society services, their carers or family members and any other person that has contact with the Society
• regarding donors and prospective donor information from third parties for fundraising purposes.

4. Where a funding agreement has specific requirements pertaining to the collection and storage of sensitive information that are outside of this Policy, a separate procedure or protocol may exist or will be developed as necessary and will be an extension of this Policy. For example, a separate procedure exists for the Local Area Coordination program.

Definitions

5. Relevant definitions are contained in Appendix 1.

Related policies and procedures

6. Related policies and procedures at the time of approval include:

• Code of Conduct for Members, Volunteers and Employees
• Complaint Handling Policy
• Computer Password Policy
• Media Policy and Procedures
• National Privacy Policy
• No interest Loan Scheme Policy
• Records Retention Policy
• Safeguarding Children and Young People Policy
• Social Media Policy

Policy principles

7. The Society recognises the importance of, and is committed to, protecting an individual’s dignity, right to privacy and rights to their personal information.

8. The Society in NSW complies with the St Vincent de Paul Society National Privacy Policy.

9. The Society complies with federal and state legislation that impose specific obligations relating to handling personal information and health information. These include:

• the Australian Privacy Act 1988 (Cth) (Privacy Act)
• the Australian Privacy Principles (Privacy Principles)
• Privacy and Personal Information Protection Act 1998 (NSW)
• the Health Records and Information Privacy Act 2002 (NSW).

10. The Society also complies with other laws that protect specific types of personal information in service delivery to, for example, children, older people and people with disabilities (together, the Australian Privacy and related Laws).

11. The Society takes reasonable steps to communicate and implement its policies, practices, procedures and systems in compliance with Australian Privacy and related Laws.

12. The Society respects the privacy of children and young people, and people with disability. The Society takes reasonable steps, including using appropriate language and modes of communication, to ensure that all individuals understand their rights to privacy and confidentiality and that they understand what personal information is collected, used, stored and disclosed, and why.

13. By providing personal information to the Society, individuals consent to the use, storage and disclosure of that information as described in this Privacy Policy.

14. The Society acknowledges and supports an individual’s right to complain if they believe their privacy has been breached contrary to this policy and to Australian Privacy and related Laws.

15. The Society may, from time to time, review and update this Privacy Policy to take into account new laws and technology, changes to our operations and practices and to ensure it remains appropriate to the changing environment in which we operate.

Personal information that the Society may collect

16. The Society may collect personal information required to carry out its functions or activities. These include service delivery, referrals, fundraising and communication, complaints handling and reporting. It also includes information that individuals provide to the Society through its websites or online presence. The Society also collects personal information where necessary or required by law.

17. The Society collects personal information about people we assist:

• directly with the individual’s consent
• through the individual’s nominated person (such as a carer or family member), partnering service or government agency.

18. The Society may sometimes be required to collect sensitive information from individuals to provide particular assistance. Such assistance could include facilitating arrangements with, or on behalf of, individuals for financial assistance, accommodation, community engagement and medical and/or mental health assistance.

19. The Society will limit the collection, storage, use and disclosure of sensitive information to instances where the information is:

• directly relevant to the purpose for collection
• reasonably necessary to carry out its functions or activities
• required by law.

20. The Society will explain the purpose for which sensitive information will be used, provide individuals the opportunity to discuss any concerns they may have, and record in the Society Privacy disclosure form (Appendix 2) whether or not consent was given to use the sensitive information.

21. The Society may also collect information regarding applicants for employment, staff members, volunteers or contractors, including: job applications; professional development history; salary and payment information; superannuation details; medical information (for example details of disclosed disabilities and/or allergies, medical certificates); emergency and/or family contact information; leave details; workplace surveillance information, including video; work emails and private emails (when using work email address); and Internet browsing history.

22. The Society may engage third parties to provide limited personal information for marketing and fundraising purposes.

23. For other people who come into contact with the Society, personal information necessary for the purpose of contact will be collected.

24. The Society will not record telephone conversations for quality, compliance and training purposes without the express consent of the parties to the call.

25. The society may use GPS tracking devices in its vehicles in accordance with relevant legislation.

Purposes for the collection, holding and usage of personal information

26. The Society collects, holds and uses personal information:

• to advise about, assess eligibility for, and provide, Society services and to meet funding, professional and legal obligations in the provision of services
• to effectively undertake its business activities and functions, including:
  • keeping individual’s records and contact details up-to-date
  • complying with industrial relations, human resources, and workplace health and safety obligations including workplace claims management systems
  • processing and responding to complaints
  • marketing and communications
  • responding to media requests (these are referred to the Media and Communications Team who will comply with the privacy requirements in the Media Policy)
  • organisational planning
  • service development and quality control
  • research, monitoring, advocacy and evaluation
  • publishing de-identified personal information in submissions and reports
  • meeting funding, audit and regulatory reporting requirements through the provision of de-identified personal information
  • complying with any law or court/tribunal orders
  • complying with regulatory authorities and government requirements
  • fundraising purposes.

How the Society collects personal information

27. The Society collects personal information (and in particular any sensitive information such as health information and probity checks) directly from individuals unless it is unreasonable or impracticable to do so.

28. As part of its commitment to open and transparent management of personal information, where the Society requires the collection of personal information, the Society will advise individuals when it is possible to interact anonymously or by using a pseudonym. For example, if an individual contacts the Society’s independently managed Integrity Hotline by email or phone with a general question, a name will not be required unless the individual chooses to provide it.

29. Where anonymous interaction is not possible, the Society will advise individuals about their privacy rights including: the purpose for the collection of information; who it may be shared with or disclosed to (where possible); and how it will be stored. This advice will be provided before an individual is asked to consent to the collection or sharing of that information, in language and in a mode that they can understand.

30. The Society’s first and preferred approach is to collect information directly from individuals wherever possible and to ensure that they have provided informed consent. Where the Society seeks personal information from individuals who require assistance to provide this information directly, the Society will take the necessary steps to explain the individual’s right to privacy and to obtain consent in accessible format. This may include the use of appropriate written, picture or other format. The Society will record the steps taken to explain and achieve informed consent in the notes of client meetings and store these securely in personal record files.

31. The Society may also collect personal information directly from publicly available sources or from third parties. Third parties may include: individual’s carers, guardians, advocates or authorised representatives; individual’s medical and/or health professionals; government or non-government agencies that the Society partners with to deliver services; law enforcement agencies; parties to a complaint; or prescribed bodies permitted to provide Chapter 16A information relating to the safety, welfare and wellbeing of a child or young person. It could also include third parties for fundraising purposes.

32. Where the Society collects personal information about an individual from third parties, the Society will take reasonable steps before the time of, or at the time of, collection; or as soon as practicable after collection; to let the individual or their authorised representative know the circumstances of the collection.

33. The Society will take reasonable steps to ensure that personal information collected, stored, used and disclosed by it is accurate, complete and up-to-date. To ensure this the Society will:

• aim to record information in a consistent format
• where necessary and/or possible, confirm the accuracy of the information collected from a third party or a public source
• promptly add updated or new personal information to existing records
• review the quality of personal information before it is used or disclosed.

When personal information requested is not provided

34. Individuals can decline to provide personal information. However, if the personal information requested is not provided the Society may not be able to:

• provide the requested services (or information about those services), either to the same standard or at all
• engage an individual as a volunteer, member, employee or contractor or volunteer
• employ or enter into a contract with an individual
• meet funding, professional and legal obligations
• respond to a complaint
• tailor the content of our websites which might impact the experience of our websites.

Disclosure of personal information

35. The Society may disclose information to a third party in certain circumstances.

36. The Society will not disclose personal information to another party if an individual explicitly denies consent for the disclosure except as required by law.

37. The Society will ensure that any disclosure request is made in writing when possible and practical. If it not possible or practical to obtain a disclosure request in writing, this will be recorded by the Society. While complying with relevant laws, the Society will only disclose such information as is necessary and required, including in accordance with the Personal Information Requests Policy.

38. The Society may disclose an individual’s personal information within the Society or to a third party including:

• contractors
• suppliers
• service providers-including those who assist in fundraising strategy, activities, and analysis
• funders
• regulators
• charities to the extent necessary to effectively undertake its business activities and functions.

39. From time to time the Society provides some personal information to other charities and data co-ops, based in Australia and subject to Australian privacy laws, to increase its donor base.

40. If the Society provides services to an individual, it may also disclose their personal, health and sensitive information to:

• their authorised representative or advocate
• other non-government agencies or government agencies that the Society has a partnership with for the delivery of its services
• members of a health treatment team (including other health service providers involved in diagnosis, care and treatment) to the extent necessary to improve or maintain their health or manage a disability
• prescribed bodies where disclosure of information relating to a child or young person’s safety or well-being is a Chapter 16A requirement
• employees, volunteers, contractors, suppliers or service providers for the purposes of providing the service
• courts or tribunals in compliance with Court orders
• external professional individuals or organisations in circumstances where a Society employee is subject to external professional supervision or peer review
• anyone else for any authorised purpose with the individual’s express consent.

41. The Society may receive and will comply with disclosure requests regarding information held about individuals to comply with legal obligations, including:

• pursuant to a court order or subpoena
• information relating to the safety, welfare and wellbeing of a child or young person under Chapter 16A
• where there is a serious or imminent threat to the life or health of the individual concerned or another person.

Disclosure of personal information to anyone outside Australia

42. The Society is a global organisation with affiliates that operate all over the world.

43. The Society will take reasonable steps to ensure that any disclosure of personal information to third parties overseas, including to the Society’s own overseas affiliates, is compliant with Australian privacy laws.

The Society’s websites and online presence privacy practices

44. The Society uses social media platforms such as Facebook to facilitate its business activities and functions and post information about events and activities. Individuals who interact with the Society through these services are responsible for reviewing and accepting their privacy policies prior to interacting with the Society. These services may use cloud based data storage services. Some of these services and platforms store information overseas. The privacy laws of these countries may not provide the same level of protection as Australian privacy laws. Individuals providing information to the Society cannot seek redress against these services under Australian privacy laws and may not be able to seek redress overseas.

45. The Society’s public website (www.vinnies.org.au) collects limited generic user information to identify generic user behaviours such as webpages visited and popular content. Where the website allows individuals to make comments, give feedback or make a credit card payment, the Society may collect email addresses and other contact details. The Society may use email addresses provided to respond to feedback and, on occasion, to make direct contact for surveying purposes and ongoing communication. The personal information from the website is stored on servers located in Australia.

46. Where there is a mailing list that individuals have subscribed to, there will be a simple option available to opt out of receiving further information or correspondence if they no longer wish to receive communication.

47. If individuals visit the website to read, browse or download information, information such as the date and time of the visit to the website, the pages accessed and any information downloaded may be recorded and used for statistical, reporting and website administration and maintenance purposes.

48. The Society’s website may use ‘cookies’ (small summary files containing an ID number unique to your computer). Cookies allow the Society’s system to identify and interact more effectively with other devices. They help the Society to maintain the continuity of the browsing session, remember the visitor’s details and preferences if they return, and to measure traffic patterns to determine which areas of our websites have been visited so that we can improve our services. Our cookies do not collect personal information. Individuals can configure the web browser software to reject cookies, however some parts of the website may not have full functionality in that case.

49. When the Society sends emails or other electronic messages, it may record where the message was opened and what particular links were clicked to better understand what information is of interest to the viewer.

50. The Society is subject to laws requiring it to protect the security of personal information once it comes into its possession. However, any personal information sent through the website or other electronic means may be insecure in transit, particularly where no encryption is used (for example email or standard HTTP). The website may contain links to other sites operated by third parties. Third party websites are responsible for informing you about their own privacy practices and the Society is not responsible for the privacy practices or policies of those sites.

51. The Society may log IP addresses (that is, the electronic addresses of computers connected to the internet) to analyse trends, administer the websites, track users’ movements, and gather broad demographic information.

52. The Society engages external data aggregators including Facebook and Google Analytics to identify individuals who may be interested in Society campaigns and activities, based on their usage of the Society’s website. The Society uses Google Analytics to inform and optimise content based on an individual’s past visits to the Society websites. Google Analytics informs the Society how visitors use the websites based on their browsing habits, so that the Society can improve its websites, and make it easier to find information. Google also receives this information as individuals browse the Society’s websites and other websites on the Google Display Network using Remarketing. Individuals can opt-out of customised Google Display Network services and Google Analytics for Display Advertising using ad settings, and can use the Google Analytics Opt-out Browser Add-on to not be tracked into Google Analytics.

53. Despite all precautions taken by the Society to protect personal information, because our websites are linked to the Internet, we cannot provide any assurance regarding the security of any transmission of information individuals communicate online. The Society also cannot guarantee that information supplied will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information transmitted to the Society online is transmitted at the individual’s own risk.

Storage and security of personal information

54. The Society takes reasonable steps to ensure personal information is protected from misuse, interference, loss and unauthorised access, modification or disclosure. Personal information in electronic form is stored in electronic databases that require passwords and logins. Personal information in hard copy is kept securely. The Society’s standard practice is to destroy or de-identify records of personal information once they are no longer needed. If the Society is required to disclose personal information it will take reasonable steps to prevent unauthorised use or disclosure of that information.

55. The Society does not use any government assigned identifier as a primary form of identification, such as an individual’s Tax File Number or Medicare Number. The Society takes reasonable steps to ensure that the personal and sensitive information relating to individuals is de-identified, particularly when such information is required for reporting or other statistical purposes.

56. Where the Society must request information from Centrelink to check eligibility for concessions, rebates and services it will only utilise the information to the extent necessary to perform the required services.

Retention and destruction of personal information

57. The Society complies with requirements under the Archives Act 1983 (Cth) and its own Records Retention Policy, to protect personal information it holds. Generally, the Society is required to keep records for a minimum of seven years from the date it was last accessed or until the person has reached 25 years of age, whichever is longer. In addition, the Society has a restricted access system where only appropriate Society Personnel have access to files. The Society protects information held from both internal and external threats by:

• regularly assessing the risk of misuse, interference, loss and unauthorised access, modification or disclosure of that information

• taking measures to address those risks, for example, by keeping a record (audit trail) of when someone has added, changed or deleted personal information held by the Society electronically

• maintaining electronic security of Society premises and information systems, including password protection for electronic files (further, the Society’s internal network and databases are protected using firewall, intrusion detection and other technologies).

Accessing and correcting personal information

58. Where individuals or their nominated person and the Society Personnel agree that changes to personal information held by the Society need updating or amendment, changes to records containing that information will be made following an informal request.

59. Individuals or their nominated person may request formal access to their personal information held by the Society at any time by making a written request to the Privacy Officer, St Vincent de Paul Society NSW, PO Box 5, Petersham NSW 2049 or by email at privacy@vinnies.org.au.

60. After the Society has established the appropriate personal identification of the individual and if applicable, the requisite authority of the nominated person, the Society will usually make the requested information available for inspection within 28 days upon receipt of the request for access. Some services may have additional requirements relating to access (such as requiring individuals to view files in person with the Society Personnel present to provide additional support or information).

61. The Society may refuse access where it reasonably believes that granting access would pose a serious threat to the life, health or safety of an individual or to public health and safety, have an unreasonable impact on the privacy of another individual or if it would result in a breach of confidentiality. Where the Society refuses access, it will give written reasons. Where the Society refuses access to personal information on the ground that it would present a serious threat to an individual’s life or health, an individual may request the Society to provide access through an intermediary (such as a treating medical practitioner) who would consider whether access should be provided.

62. Individuals or their nominated person can make a request in writing if they believe the information held by the Society is inaccurate, out-of-date, misleading or incomplete.

63. If an individual believes that the personal information the Society holds about them is incorrect, incomplete, out-dated or inaccurate, they may request the Society to amend it. The request will be treated confidentially. In responding to the request, the Society will:

• consider if the information requires amendment
• if it agrees that the information require amendment, correct the information as soon as practicable and notify the individual that the changes have been made
• if it does not agree that there are grounds for amendment, provide notification in writing of the reasons for the declined request, referencing laws where applicable that permit or require the Society not to approve the request (the Society will also provide notification of any available avenues for review of the refusal and will add a note to the personal information indicating that the individual has requested that the information is amended).

Privacy and data breaches

64. Despite the Society’s best efforts to protect and safeguard individuals’ privacy, information data breaches may occur including:

• unauthorised access (including Society Personnel, contractors or external third parties such as by hacking)
• unauthorised disclosure (whether intentional or unintentional through human error – for example an employee accidentally sends personal information of individuals accessing a particular service to the wrong email address)
• loss or theft (for example, hardcopies of documents, electronic devices and storage devices being misplaced or stolen).

65. The Society must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of ‘eligible data breaches’ when:

• there is unauthorised access to, or unauthorised disclosure of, personal information, or loss of personal information
• unauthorised access to or disclosure of personal information is likely to result in serious harm to one or more individuals
• efforts to contain the harm with remedial action have been unsuccessful.

66. In these circumstances the Society must notify the OAIC and the affected individuals of: the contact details of the Society; a description of the eligible data breach; the kinds of information concerned (for example, health records, sensitive information); and recommended steps individuals can take relating to the breach.

67. When notifying individuals, the Society will, depending on the most appropriate course, either notify all affected individuals; or notify only those individuals at risk of serious harm; or if those options are not feasible, publish a Notifiable Data Breach statement on the Society website and publicise it. Where the Society is required to also report the breach to other enforcement agencies, it will take reasonable steps to inform individuals concerned.

Complaining about a breach of privacy

68. Individuals, or their authorised representative, with any questions or concerns regarding a possible privacy breach, should contact the Society’s Privacy Officer who will confidentially discuss the concerns and outline options for resolution.

69. The Society recognises the right of all individuals, or their authorised representative, to complain about possible privacy breaches by the Society.

70. The Society will provide a procedure to receive and resolve complaints fairly and accessibly, in a timely manner that is procedurally fair, without reprisal for the person making the complaint.

71. The Society acknowledges the right of individuals to be represented by an authorised representative or advocate of their choice at all stages of the complaint process and will inform the individual of this at the time they make a complaint.

72. Where an individual is not represented and requires support to make a complaint, the Society will ensure that appropriate support and assistance is provided to them to do so.

73. Individuals, or their authorised representative, wishing to make a complaint to the Society regarding the handling of personal information, can do so:

• in writing to the Privacy Officer at PO Box 5, Petersham NSW 2049 or by email to privacy@vinnies.org.au
• orally by telephoning the Privacy Officer on (02) 9568 0262
• or by other means and modes that are appropriate in the circumstances.

74. The Society will aim to resolve complaints in a timely, satisfactory, fair and transparent manner in accordance with the Society’s Complaint Handling Policy.

75. However, where individuals are not satisfied with the results of the complaint, depending on the nature of the complaint, they or their nominated person can make a complaint to:

• the Office of the Australian Information Commissioner in writing to GPO Box 5218, Sydney NSW 2001, by fax (+61 2 9284 9666), or by email to enquiries@oaic.gov.au
• the Privacy Commissioner by telephone on 1300 363 992 (enquiries only)
• the NDIS Quality and Safeguards Commission in writing to PO Box 210 Penrith NSW 2750, by email to contactcentre@ndiscommission.gov.au or by telephone on 1800 035 544
• the National Disability Abuse and Neglect Hotline on 1800 880 052
• the NSW Ombudsman on 9286 1000 or www.ombo.nsw.gov.au.

Roles and responsibilities

76. The Executive Director, Corporate Services is responsible for maintaining the currency of this policy.

77. Each Executive Director or the Chief Financial Officer is responsible for managing legal compliance obligations in their directorates and for promoting, monitoring and upholding a positive compliance culture and identifying the need to engage support and/or training for staff to implement the policy.

78. The Executive Director, Membership, Volunteers and Regional Operations is responsible for managing the legal compliance obligations of members and for identifying the need to engage support and/or training for members to implement the policy.

79. The Society shall send staff, members and volunteers regular reminders regarding information security and their privacy responsibilities.

Review

80. This policy is scheduled for review every year, or on a needs basis as required to align with legislative or practice changes.

81. The effectiveness of the operation and socialisation of this policy is to be evaluated and reviewed by the Executive Director, Corporate services, at least once every two years after coming into operation.

Further assistance

82. Society Personnel should speak with their Manager regarding any questions about the implementation of this policy. They may also contact the Executive Director, Corporate Services to provide feedback on this policy.

83. Individuals who have any queries, concerns or feedback about this policy, may contact the Society’s Privacy Officer as follows:
Phone: (02) 9568 0262 Email: privacy@vinnies.org.au Post: PO Box 5 Petersham NSW 2049 Visit: 2C West St Lewisham NSW 2049

References

84. Legislation, regulations and guides relevant to this policy include:

• Aged Care Act 1997 (Cth)
• Archives Act 1983 (Cth)
• Privacy Act 1988 (Cth) including the Australian Privacy Principles
• Privacy and Personal Information Protection Act 1998 (NSW)
• Freedom of Information Act 1989 (NSW)
• Health Records and Information Privacy Act 2002 (NSW)
• Health Records and Information Privacy Code of Practice 2005 (NSW)
• National Disability Insurance Scheme (Complaints Management and Resolution) Rules 2018 [F2018L00634]
• Privacy and Personal Information Protection Act 1998 (NSW)
• Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
• Office of the Australian Information Commissioner, 2014 Guide to developing an APP privacy Policy
• Children and Young Persons (Care and Protection) Act 1998 (NSW)
• National Disability Insurance Scheme Act 2013 (Cth), Chapter 4 Part 2
• National Disability Insurance Scheme Quality Indictors Guidelines 2018
• National Disability Insurance Scheme Code of Conduct 2018
• Notifiable Data Breaches Scheme 2018