Purpose
The Institute for Healthy Communities Australia Ltd (IHCA Group) and its workers are bound by the Privacy Act 1988 (Cth) (the “Privacy Act”) when collecting, holding, securing, using and disclosing personal, sensitive or health information relating to a customer, stakeholder, worker or other person. This policy outlines how the Privacy Act is applied within IHCA Group when dealing with personal information.
The Privacy Act contains 13 Australian Privacy Principles (APPs) which give rights designed to protect privacy. IHCA Group will comply with the APPs for the following reasons:
- From time-to-time personal information about an individual may be disclosed to others for a benefit, service or advantage.
- From time-to-time IHCA Group may receive Commonwealth funding to run specific programs.
- Information about former job applicants who were not employed by the IHCA Group, contractors and volunteers is not exempt from the APPs.
- Compliance with the privacy principles is a best practice approach.
Scope
This policy applies to workers who are contracted to the IHCA Group. These workers include:
- permanent (full-time or part-time)
- temporary (full-time or part-time)
- agency supplied temporary staff
- casual
- contractor or consultant
- volunteers including members of the Board
Principles
Principles underpinning this policy include:
- Delegations are assigned to a position, including its changed title which has substantially the same responsibilities, not a named individual or group of individuals.
- Each employee is accountable and responsible for the correct exercise of delegations assigned to his or her position.
- All employees exercising delegations must adhere to the fundamentals of good judgment and decision making, independence, transparency, and maintain adequate records.
References
This Policy needs to be read in conjunction with the following documents:
- Fair Work Act 2009
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs) (commencement date 12 March 2014)
- Freedom of Information Act 1982
- Australian Charities and Not-for-profits Commission Act 2012
- JASANZ Accreditation Manual – Procedure 18 – Requirements for Bodies providing audit and Certification of Disability Employment Organisations – Section 8.5 Confidentiality
- Australia Not-for-profit Law Guide: Privacy Guide July 2017 (Justice Connect)
Definitions
‘Personal information’ is defined in the Privacy Act 1988 (Cth) to mean any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Policy
This policy describes how IHCA Group complies with the Privacy Act and explains:
- The types of personal information IHCA Group collects.
- How IHCA Group collects personal information.
- How IHCA Group holds personal information.
- The purposes for IHCA Group collecting, holding, using and disclosing personal information.
- Access to personal information and the management of complaints regarding alleged breaches.
- The types of personal information IHCA Group collects
- From customers
IHCA Group typically collects, holds, uses and discloses the following types of personal information about our customers:
- names, job titles, and contact details;
- communications between the customer and IHCA Group;
- financial information;
- information about the customer’s areas of interest or specialisation; and
- other personal information that the customer provides to IHCA that we collect in the course of our relationship with you.
To the extent that it is relevant to the work we are undertaking for a customer or our general relationship with a customer, we may also collect and hold personal information about customers that is sensitive information under the Privacy Act. For example, we may collect health information about an individual, membership of a professional or trade association, membership of a trade union, religious beliefs or affiliations or criminal records.
- From contractors, service providers, suppliers and job applicants
IHCA Group typically collects and holds the following kinds of personal information about contractors, service providers, suppliers and job applicants:
- name and contact details;
- information contained in resumes;
- educational details, academic and other transcripts, employment history, skills and background checks;
- references from past employers and referees;
- information collected during the interview or assessment process;
- details of your performance under any contract; and
- personal information required to make payments, such as bank account details.
We may also collect sensitive information contained within the sources set out above, such as membership of a political, professional or trade association or trade union, religious beliefs or affiliations, criminal records and health information.
- From other individuals
In providing IHCA Group’s customers with the services requested, IHCA Group may be required to collect personal information about other individuals including other parties to our customers’ matters, their legal representatives and other service providers or contractors retained by them. The nature of information collected will depend upon the individual circumstances of the matter, but is likely to include name, contact details, job title, and communications with these other individuals. Depending upon the circumstances of the matter, it may also include sensitive information.
If IHCA Group is approached by government departments, regulatory authorities etc. to provide information, IHCA Group may record names and contact details and collect additional personal information about an individual to verify their identity and consider whether to provide that individual with the information that they have requested.
- From website, on-line contacts, attendees at functions or training
The amount and type of information IHCA Group collects from you when you use one of the IHCA Group websites (www.ihca.com.au or www.ihcacertification.com.au) or when you contact us online will depend upon your use of the facilities and services available through our website or otherwise available online. However, the only personal information which IHCA Group collects about you when you use the IHCA Group website or when you contact IHCA Group online is what you tell IHCA Group about yourself, such as when you complete an online form to claim expenses, or when you accept an invitation to attend training or a function, or information you provide to us when you send us an email.
The kinds of personal information that IHCA Group may collect through our website, online or when you register to attend a function or training include:
- your name, contact details, employer and job title; and
- your areas of interest or specialisation.
Email addresses and any other contact details you provide will be collected and used by IHCA Group to communicate with the worker and/or to forward updates on IHCA Group activities.
At times, IHCA Group will also collect personal information about you if you provide IHCA Group with your business card at a function or otherwise provide your personal information to us in person or contact us through social media (such as LinkedIn and Facebook).
- How IHCA Group collects personal information
IHCA Group will usually collect personal information directly from the person to whom the information relates, or from the organisation of which that person is an employee, director or principal. IHCA Group and its workers will collect personal information when it is reasonably necessary for, or directly related to, IHCA Group functions or activities under the Fair Work Act 2009, and any other relevant legislation.
Using lawful and fair means, IHCA Group only collects personal information necessary for the effective delivery and management of services. The types of personal information IHCA Group could collect include name, address, date of birth, telephone number, email address, letter of offer, employment contract, work rosters, sign-in sheets, pay slips, bank statements, or health information (for example, medical certificates).
IHCA Group and its workers take steps to ensure information collected is accurate, up to date and complete for the purpose for which it is collected.
IHCA Group and its workers take steps to ensure information collected remains secure and confidential to the staff performing the service for which the information is collected.
IHCA Group and workers take steps to provide a detailed explanation to customers and individuals from whom information is collected of how the information is intended to be used.
IHCA Group may collect sensitive information with the worker’s consent and when authorised by law. This may include information about health, your membership of a professional or trade association or trade union, or criminal record.
IHCA Group may also collect personal information about individuals from the following third parties:
- our customers;
- government agencies;
- law enforcement bodies;
- publicly available records;
- court or tribunal records;
- search agencies;
- regulatory and licensing bodies;
- service providers;
- parties to whom you refer us, including previous employers and referees;
- recruitment agencies;
- online searches; and
- social media (such as LinkedIn and Facebook).
When IHCA Group obtains personal information from third parties to whom you refer IHCA Group, IHCA Group will assume you have made that third party aware that you have referred IHCA Group to them and the purposes involved in the collection, use and disclosure of the relevant personal information to be obtained.
If you supply IHCA Group with personal information about another individual, IHCA Group will assume you have referred that person to this Privacy Policy.
- How IHCA Group holds personal information
The requirements regarding the retention (or destruction) of documents affect many aspects of the operations of IHCA Group, a not-for-profit organisation, including corporate governance, industry obligations, consumer law obligations, electronic record keeping, and civil and criminal liability.
Under the Australian Charities and Not-for-profits Commission Act 2012, IHCA Group is required to retain financial and operational records for a minimum of seven years. Changes to the Privacy Act 1988 also provide for IHCA Group to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed.
IHCA Group uses a range of physical and electronic storage and security measures to protect personal information from loss, misuse, interference, unauthorised access, modification or disclosure. IHCA Group has systems in place aimed at ensuring personal information will only be accessed by other workers on a need-to-know basis.
IHCA Group holds personal information in hardcopy and/or in electronic form.
IHCA Group stores hardcopy files in offices, cupboards and filing cabinets within access-controlled premises. Access to files is appropriately limited within IHCA Group. IHCA Group applies additional safekeeping measures by limiting access to certain information by storing files in locked cupboards and/or locked electronic folders. IHCA Group stores electronic records within our own secure network which is maintained through a third-party data provider. Access to personal information within the IHCA Group network is appropriately limited.
- The purposes for IHCA Group Collecting, Holding, Using and Disclosing Personal Information
IHCA Group collects, holds, uses and discloses personal information for the purposes for which it was collected, related purposes, and other purposes including:
- Providing the services requested by IHCA customers.
- Contracting out some of our functions to external service providers such as contract assessors, consultants, agency staff, IT providers, and recruitment agencies.
- Assessing and considering applications from prospective employees, contractors, consultants, agency staff and service providers.
- To comply with our legislative and regulatory requirements.
- To carry out our functions as a service provider.
- IHCA Group may disclose personal information to a number of service providers. These include IT service providers that host our website servers, manage our IT and store our information. IHCA Group may also use external lawyers to provide advice about matters and to represent IHCA Group. This information often includes personal information.
- Access to personal information and the management of complaints regarding alleged breaches
IHCA Group is authorised to disclose information under the Freedom of Information Act 1982 (FOI Act). The information disclosed by IHCA Group may include personal information. The FOI Act gives a person the right to:
- Access copies of documents, other than documents that are determined to be exempt from disclosure under the FOI Act
- Ask for information held by IHCA Group about that person, to be changed or annotated if it is incomplete, out of date, incorrect or misleading
- Seek a review of IHCA Group’s decision not to give access to a document or not to amend a personal record.
IHCA Group and workers will correct any inaccuracies with regards to personal information held about individuals if details are brought to the attention of the Chief Executive Officer and the Chief Executive Officer is satisfied the information needs to be corrected.
IHCA Group will ensure complaints made to the Chief Executive Officer IHCA Group regarding alleged breaches of privacy are quickly investigated. If a complaint is not resolved by management to the satisfaction of the individual concerned, the complainant can refer the matter direct to the Australian Information Commissioner.
If a data breach occurs as to any personal or sensitive information held by IHCA Group, the Chief Executive Officer will assess the nature of the breach, mitigate the risk of damage arising from the breach, and notify the individuals to whom the information relates who are at risk from the breach and the Australian Privacy Commissioner.
If there is a complaint, any questions or concerns about what information is held about an individual or about the accuracy of the information, the Chief Executive Officer IHCA Group must be notified. Unless there is a lawful reason not to, the Chief Executive Officer IHCA Group will give the individual access to the information and allow the worker/person to correct any incorrect information. If the information we hold about you is incorrect, or not up to date, we will update it as soon as possible after you have advised us of the changes.
The Chief Executive Officer IHCA Group can be contacted on (07) 3844 2222 or email Fiona Loughlan, Chief Executive Officer IHCA Group at fiona.loughlan@ihca.com.au. The postal address for any written complaints is PO Box 764, Toowong DC QLD 4066.