This policy is in place to establish the standards that ACH Group will employ in relation to privacy:
- We are required by the Privacy Act 1988 (Commonwealth) (Privacy Act) to comply with the Australian Privacy Principles (APPs). The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection to use, disclosure and disposal.
- When you provide us with your personal information, you consent to ACH Group collecting and handling your personal information in accordance with this policy and any other arrangements between us.
This policy applies to ACH Group’s customers, relatives or authorised representatives of customers, donors, job applicants and their referees, members of the ACH Group Workforce, contractors and prospective contractors (including health service providers), and other individuals who come in contact with us.
For this policy, the following definitions apply:
ACH Group Workforce
- ACH Group workforce includes ACH Group board members, employees, volunteers and students.
- Includes program-specific terms that may be used interchangeably, such as consumer, client, resident or patient.
- Information or an opinion (including written and verbal information or an opinion forming part of a data base), whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.
- Personal information which includes details of an individual’s racial or ethnic origin, religious or philosophical beliefs, employment record, criminal record or health/mental health information and/or other personal information that is ‘sensitive information’ as defined in the Privacy Act.
1. KINDS OF PERSONAL INFORMATION WE COLLECT
1.1. We collect and hold personal information about customers, relatives or authorised representatives of customers, donors, job applicants and their referees, employees, contractors and prospective contractors (including health service providers), students on work placement with us, volunteers and other individuals who come in contact with us (you).
1.2. The kinds of personal information we collect may include your name, gender, address and other contact details, bank account details, credit and debit card details, pension/concession details, Medicare and health fund details, Centrelink and/or NDIS details, guardians/emergency contacts, donation details, occupation, and information obtained when you use our website, including which of our pages you have accessed.
1.3. We may also collect sensitive information about you, including without limitation details of your health/mental health and medical history, race or ethnic origin, religion, nationality and in some cases, details of any criminal record you may have.
1.4. If you are a job applicant or prospective or current contractor, we may also collect your tax file number or ABN and information about your work history and professional qualifications and/or memberships.
1.5. The Privacy Act classifies certain information relating to services supplied on terms which allow payment to be deferred for a period of more than 7 days after the services are supplied as ‘credit information’. We may collect and hold credit information about you if we supply services to you and allow payment to be deferred for more than 7 days after supply.
2. MANNER AND PURPOSE FOR COLLECTING PERSONAL INFORMATION
2.1. We will generally collect personal information about you directly by way of forms and other documents submitted to us by you, correspondence you provide to us and telephone calls/meetings with you. We may also collect information through the use of CCTV or other monitoring used in our premises, photography or videography or in the course of providing services to you, such as during consultations or provision of medical services.
2.2. Occasionally, we may collect personal information about you from third parties. For example, we may collect personal information about customers from relatives or other authorised representatives (and vice versa), health service providers or, where relevant, government agencies. For job applicants, contractors or prospective contractors, volunteers and students, we may collect details of your criminal record (if any) from police agencies or agencies who complete police checks on our behalf. We may also collect information about students from your educational institution.
2.3. We will only collect and use personal information for the following purposes:
2.3.1. to offer and provide housing and related services to our customers;
2.3.2. to fulfil our duty of care and legal obligations;
2.3.3. to ensure that customers receive appropriate healthcare, social support and spiritual support as and when required, including to suggest other services that may be suitable for a customer;
2.3.4. for our promotion and marketing activities, including market research and analytics, fundraising and organising events, from time to time;
2.3.5. if you are a job applicant or a potential contractor, to assess your suitability and (if successful) engage you;
2.3.6. if you are a student, to manage your participation in your program of study;
2.3.7. for our internal administration and management purposes, such as conducting audits, undertaking process improvement and managing our staff, volunteers, students and contractors;
2.3.8. to apply for and secure government funding;
2.3.9. for research subject to human research ethics approval processes;
2.3.10. to manage our relationship with you and, where applicable, to manage the payment and recovery of amounts payable to us by you;
2.3.11. to enable volunteers to work together and to keep such groups informed about matters concerning them; and
2.3.12. for other specific purposes:
2.3.12.1. if you consent;
2.3.12.2. where required or permitted by law, including for purposes related to the purpose of collection of personal information (or purposes directly related to the purpose of collecting your sensitive information); and
2.3.12.3. which are reasonably necessary for or directly related to our normal functions and activities.
2.4. If we are unable to collect personal information relating to you, we may be unable to provide you with the services you require or continue our relationship with you.
2.5. We will only use sensitive information for the following purposes unless otherwise permitted or required by law or we obtain your consent:
2.5.1. to provide appropriate housing services to customers, to look after customers’ medical, social and spiritual well-being, to satisfy our legal obligations and to satisfy our duty of care; and
2.5.2. to assess whether it is appropriate for certain volunteers, students, job applicants and potential contractors to be on our premises or interact with customers from time to time.
2.6. Tax file numbers, NDIS details and other government identifiers will only be handled in accordance with relevant legislation, if applicable.
3. DISCLOSURE OF PERSONAL INFORMATION
3.1. We may disclose personal information about you to the following types of persons or entities if required in connection with the purposes listed above:
3.1.1. medical/healthcare professionals, health funds and people providing services to us or you;
3.1.2. your relatives or authorised representatives;
3.1.3. our contractors, consultants, advisers, associates, volunteers, students and related entities who are subject to confidentiality obligations;
3.1.4. any industry body, tribunal, court or otherwise in connection with any complaint made about us by you or on your behalf;
3.1.5. your referees (if you have provided us with referees to assist with a job application, the assessment of a potential contract between you and us or for any other purpose);
3.1.6. government departments or funding agencies, police agencies and agencies who complete police checks such as CrimTrac;
3.1.7. a purchaser of our business as a going concern; and
3.1.8. other entities with your consent or as permitted or required by law.
3.2. We will not disclose your credit-related information to entities such as other credit providers or credit reporting bodies without your consent.
3.3. We will not generally disclose your personal information to recipients located overseas, except where our third party service providers use cloud-based systems which are located offshore, including in the United States of America and Japan.
3.4. We may aggregate or de-identify statistical information in such a way that individuals cannot be identified, to use for our own internal purposes or to make available to government agencies or research organisations.
3.5. We will not disclose your personal information to any third party for a fee or other benefit, service or advantage.
4. HOLDING INFORMATION
4.1. We hold personal information in paper form and electronic form. Our electronic records are stored using local and/or cloud storage. Our cloud storage providers are subject to contractual obligations to strictly limit handling of personal information.
4.2. We have in place steps to protect the information we hold from misuse, interference and loss and from unauthorised access, modification or disclosure. Our security measures include:
4.2.1. strong policies and procedures to ensure the ACH Group Workforce and our contractors follow appropriate security protocols;
4.2.2. secure storage facilities for physical files both on our premises and in offsite facilities;
4.2.3. limiting access to personal information, particularly sensitive information, to such members of the ACH Group Workforce and contractors as require the information to perform their activities;
4.2.4. using secure networks or encryption when transmitting information electronically (although it is important to note that transmission over the internet can never be made completely secure);
4.2.5. protecting our devices and networks using authentication, firewalls, intrusion detection, virus scanning and other security systems.
4.3. Where NDIS-related data is subject to more stringent requirements under law or imposed by the relevant government agency, we comply with those additional requirements in respect of that data.
4.4. Data breaches (including notifying affected individuals of any such breach) will be dealt with in accordance with our Data Breach Response Plan Procedure and the law.
4.5. You are responsible for the security of personal information you store within premises you occupy within any of our housing services or on your own devices; however, we can assist you to make appropriate security arrangements at your request.
4.6. We retain personal information for as long as it is required for our functions and activities or as required by law or an order of a court/tribunal. Generally, we retain information about customers for at least 7 years after the date of the last record in relation to that customer. Information that is no longer required is securely destroyed or de-identified.
5. HOW TO OBTAIN ACCESS TO YOUR PERSONAL INFORMATION
5.1. You may obtain access to personal information which we hold about you by completing a Request for Information Form.
5.2. If you request that we provide you with copies of your personal information, we may require you to verify your identity and specify what information you require. If you make a request for copies of your personal information held by us we will endeavour to provide you with such personal information as soon as reasonably practicable. Where you ask for copies of your personal information, we may at our discretion charge you a fee to cover our reasonable costs incurred in providing you with those copies (but we will not charge you for updating or varying your personal information pursuant to Section 6 below).
5.3. There may be occasions when access to personal information we hold about you is denied, including where the release of the requested information would have an unreasonable impact on the privacy of others or because we are otherwise prevented by law from releasing the information.
6. ACCURACY OF PERSONAL INFORMATION
While we will endeavour to ensure that the personal information collected from you is up to date, accurate and complete, we will assume that any personal information provided by you is free from errors and omissions. You may request that we update or vary personal information that we hold about you by discussion with your key ACH Group contact such as a nurse, advisor or manager. Where correction to information is disputed, we will notify you and, if it is reasonable to do so, make a note in our records that you have requested that we update or vary the information. Resolution of the matter will be managed by our Privacy Officer – see Section 12 below.
7. DIRECT MARKETING COMMUNICATIONS
From time to time we may use your personal information to provide you with marketing materials in relation to offers and services that we have available. We may use various means of communication to do so, including email, SMS and targeted or behavioural online advertising. If you would not like to receive direct marketing materials from us through some or all of those channels you may notify us using the contact details set out below or, for email and SMS, by using the unsubscribe option.
8. COMPLAINTS
8.1. If you are of the view that we have breached the APPs, the Privacy Act or any related privacy code in dealing with your personal information, you may make a complaint verbally, using one of the feedback forms provided by ACH Group or in writing to the manager of the service or to our Privacy Officer using the contact details set out below.
8.2. When we receive a complaint, we will endeavour to provide you with confirmation as to how we propose to deal with the complaint as soon as reasonably practicable.
8.3. If you are not satisfied with our response to your complaint, you may make a complaint to the Office of the Australian Information Commissioner by visiting the following website and following the steps: http://www.oaic.gov.au/privacy/privacy-complaints.
9. COOKIES AND THIRD PARTY WEBSITES
10. ANONYMITY AND PSEUDONYMS
You have the option of not identifying yourself or using a pseudonym when dealing with us, unless we are required by law or a court/tribunal to deal with individuals who have identified themselves, or it is impractical for us to deal with you if you have not identified yourself.
11. VARIATION OF POLICY
12. CONTACT US
Please direct all enquiries or complaints regarding your personal information or privacy to your key ACH Group contact or to our Privacy Officer, General Manager Corporate Services, PO Box 646, Torrensville Plaza, SA 5031.