C2A recognises the essential right of individuals to have their information administered in ways which they would reasonably expect – protected on one hand and made accessible to them on the other.
These privacy values are reflected in and supported by our core values and philosophies and align with the Privacy Act 1988 (Cth) Schedule 1 Privacy Amendment (Enhancing Privacy Protection) Act 2012. https://www.legislation.gov.au/Details/C2012A00197
C2A also acknowledges the 13 Australian Privacy Principles (APPs) which became effective 12 March 2014.
C2A is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles contained as minimum standards in relation to handling personal information.
C2A will:
- Collect only information which the organisation requires for its primary function;
- Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered;
- Use and disclose personal information only for our primary functions or a directly related purpose, or for another purpose with the person’s consent;
- Store personal information securely, protecting it from unauthorised access; and Provide stakeholders with access to their own information, and the right to seek its correction.
Collection - Why C2A collects and uses personal information?
C2A collects and uses personal information about participants so that C2A can provide high-quality supports and services and maintain a safe environment for all participants, staff and visitors.
C2A will
- Only collect and use personal information necessary to provide supports and services, such as:
- Contact details e.g. addresses, phone numbers, email addresses;
- Details of family members, guardians and advocates and other people authorised to make decisions on behalf of a participant;
- Information about a participant’s disability;
- Information about a participant’s health or medical needs or treatment;
- Information about the kinds of services delivered by C2A or other service providers; and
- The participant’s NDIS Plan (or other funding body plan/agreement), which includes information about the participant’s goals, aspirations and needs.
C2A also collects media (photos, videos, quotes and stories) of participants for use in C2A’s publications and
promotional materials. Participants provide consent via the Photo and Media Consent Form. C2A will:
- Only collect information that is necessary for the performance and primary function of C2A.
- Notify stakeholders about why we collect the information and how it is administered.
- Notify stakeholders that this information is accessible to them.
- Collect personal information from the person themselves wherever possible.
- collecting personal information from a third party, be able to advise the person whom the information concerns, from whom their personal information has been collected.
- Collect Sensitive information only with the person’s consent. Signed Consent form placed in Individuals file. (Sensitive information includes health information and information about religious beliefs, race, gender and others).
- Determine, where unsolicited information is received, whether the personal information could have collected it in the usual way, and then if it could have, it will be treated normally. (If it could not have been, it must be destroyed, and the person whose personal information has been destroyed will be notified about the receipt and destruction of their personal information).
Use and Disclosure
C2A will:
- Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose.
- For other uses, C2A will obtain written consent from the affected person.
- In relation to a secondary purpose, use or disclose the personal information only where:
- a secondary purpose is related to the primary purpose and the individual would reasonably have expected us to use it for purposes; or
- the person has consented; or
- certain other legal reasons exist, or disclosure is required to prevent serious and imminent threat to life, health or safety.
- In relation to personal information which has been collected from a person (written signed consent), use the personal information for direct marketing, where that person would reasonably expect it to be used for this purpose, and C2A has provided an opt out and the opt out has not been taken up.
- In relation to personal information which has been collected other than from the person themselves, only use the personal information for direct marketing if the person whose personal information has been collected has consented (and they have not taken up the opt-out).
- State in C2A’ privacy policy whether the information is sent overseas and further will ensure that any overseas providers of services are as compliant with privacy as C2A is required to be.
- Provide all individuals’ access to personal information except where it is a threat to life or health or it is authorised by law to refuse and, if a person is able to establish that the personal information is not accurate, then C2A must take steps to correct it. C2A may allow a person to attach a statement to their information if C2A disagrees it is inaccurate.
Where for a legal or other reason we are not required to provide a person with access to the information, consider whether a mutually agreed intermediary would allow enough access to meet the needs of both parties.
Storage
C2A will:
- Implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorised access, interference, unauthorised modification or disclosure.
- Before C2A discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, establish that they are privacy compliant. C2A will have systems which provide enough security.
- Ensure that C2A’s data is up to date, accurate and complete.
Destruction and de-identification
C2A will:
- Destroy personal information once is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones.
- Change information to a pseudonym or treat it anonymously if required by the person whose information C2A holds and will not use any government related identifiers unless they are reasonably necessary for our functions.
Data Security and Retention
C2A will:
- Only destroy records in accordance with the C2A’s Policy.
Openness
C2A will:
- Ensure stakeholders are aware of C2A’s Privacy Policy and its purposes.
Access and Correction
C2A will:
- Ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date.
Anonymity
C2A will:
- Allow people from whom the personal information is being collected to not identify themselves or use a pseudonym unless it is impracticable to deal with them on this basis.
Making information available to other organisations
C2A can:
- Release information to third parties where it is requested by the person concerned.
Marketing and fundraising:
C2A treats marketing and seeking donations for the future growth and development of the organisation as important and a key operational function. Personal information held by C2A may be disclosed to an organisation that assists in the organisations fundraising, for example, C2A’s marketing publisher / news media.
Enquiries and privacy complaints
You have the right to check what personal information C2A holds about you. Under the Commonwealth Privacy Act and the Health Records Act, an individual has the right to obtain access to any personal information which the organisation holds about them and to advise the organisation of any perceived inaccuracy. There are some exceptions to this right set out in the applicable legislation. To make a request to access any information C2A holds about you, please contact the Privacy Officer in writing.
Privacy Officer Human Resources Manager
Connecting2Australia
362-364 Nepean Hwy, Frankston VIC 3199
PO BOX 773, Frankston VIC 3199,
Ph: 1300 111 212
Email: HRSupport@c2a.org.au
If you would like further information about the way C2A manages the personal information it holds, please contact the Privacy Officer. If you have any concerns, complaints or you think there has been a breach of privacy, then also please contact the Privacy Officer who will first deal with you usually over the phone. If we then have not dealt satisfactorily with your concerns, we will meet with you to discuss further. If you are not satisfied with our response to your complaint within 30 days from this meeting, then you can refer your complaint to the;
Office of the Australian Information Commissioner via:
Email: enquiries@oaic.gov.au | Tel: 1300 363 992 | Fax: +61 2 9284 9666
Need help or more information?
If you need further information or help, you can contact the Office of the Commissioner for Privacy and Data Protection. The Commissioner’s staff can:
- Answer your questions and give you more information
- Help you put your complaint in writing
- Help you and the organisation to talk about the problem, and
- Put you in contact with another office that can help if needed.
There is no cost for advice and help. Free interpreting and translating services are used if needed. All enquiries are kept confidential.
Commissioner for Privacy and Data Protection
Level 6, 121 Exhibition Street
PO Box 24014
Melbourne Victoria 3001
Telephone: 1300 666 444 | Website: www.cpdp.vic.gov.au
This Policy is based on:
- Privacy and Data Protection Act 2014 (Vic)
- Health Records Act 2001 (Vic)
- Privacy Act 1988 (Cwlth) Standards
- NDIS Quality and Safeguarding Framework