To ensure The Counselling Collaborative (and its related entities) meets its commitment to the protection of personal information, health information and sensitive information, and its obligations under law (including the Privacy Act 1988 (Cth)), and, for the purposes of compliance, to maintain a clearly expressed and up-to-date policy that complies with the Australian Privacy Principles (APPs).
- LEGISLATIVE CONTEXT
Effective from 01/01/2017, The Counselling Collaborative has adopted all of the amendments to the Privacy Act 1988 (Cth) set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), including the 13 Australian Privacy Principles (APPs), which apply to all APP entities including The Counselling Collaborative, and the Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018.
- The Counselling Collaborative regards the protection of privacy as central to the operation and general conduct of the organisation’s affairs. The Counselling Collaborative will ensure compliance with regulatory requirements in relation to the collection, recording, use, secure storage, amendment, release/disclosure and destruction of personal information.
- The Counselling Collaborative recognises and promotes the rights of our employees, volunteers, clients and customers to have their personal information protected in accordance with legislative requirements.
- The Counselling Collaborative, its employees, contractors and all persons notified that this policy applies to them, are legally obliged to protect the personal information of clients and customers.
- The Counselling Collaborative appoints a member (or members) of staff to act as the Privacy Officer(s) for the whole of the organisation. The Privacy Officer(s) can be contacted via email: email@example.com
- The key obligations set out in the Australian Privacy Principles (APPs) that affect The Counselling Collaborative’s day-to-day operations are summarised below. This policy and the Privacy Statement are high-level summaries of The Counselling Collaborative’s privacy obligations and together meet its obligations under law.
Summary of Australian Privacy Principles and the Obligations of The Counselling Collaborative
Consideration of personal information privacy
Open and transparent management of personal information
· The Counselling Collaborative is committed to the open and transparent management of personal information and maintains a clearly expressed and up-to-date privacy policy that sets out:
a. the kinds of personal information that The Counselling Collaborative collects and holds;
b. how The Counselling Collaborative collects and holds personal information;
c. the purposes for which The Counselling Collaborative collects, holds, uses and discloses personal information;
d. how an individual may access personal information about the individual that is held by The Counselling Collaborative and seek the correction of such information;
e. how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds The Counselling Collaborative, and how The Counselling Collaborative will deal with such a complaint;
f. whether The Counselling Collaborative is likely to disclose personal information to overseas recipients;
g. if The Counselling Collaborative is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
· Where an individual is concerned about a potential or actual breach of the APPs, they have a right to lodge a complaint. All complaints will be received, managed and resolved in accordance with The Counselling Collaborative Complaints, Feedback & Compliments Policy.
o All complaints in relation to Privacy are referred directly to the Privacy Officer(s).
· All enquiries in relation to The Counselling Collaborative’s management of personal information are referred directly to the Privacy Officer(s), via firstname.lastname@example.org
· A data breach or possible breach is also an Incident and must be reported via The Counselling Collaborative Incident, Near Miss and Hazard Reporting Form within 24 hours of occurrence, to support timely investigation, mitigation and external reporting.
Anonymity and pseudonymity
· Clients and Customers have the option to engage with The Counselling Collaborative anonymously or under a pseudonym.
· The Counselling Collaborative acknowledges that it may be impracticable to provide the full extent of its services to a person engaging anonymously.
Collection of personal information
Collection of solicited personal information
· The Counselling Collaborative will only collect personal information if:
o it is necessary for one or more of The Counselling Collaborative’s business activities or services
o it is collected by lawful and fair means
o consent to information collection is provided
· The Counselling Collaborative will only collect personal information from the individual concerned, or will seek the individual’s consent to collect information from another person on their behalf.
Dealing with unsolicited personal information
· Where The Counselling Collaborative receives unsolicited personal information, it will, within a reasonable time of receipt, determine whether it could have collected the information under APP 3 had it solicited the information.
· If The Counselling Collaborative determines that it could not have collected the unsolicited personal information, and the information is not contained in a Commonwealth record, it will as soon as practicable either de-identify or destroy the information, if lawful and reasonable to do so, unless the information can otherwise be managed in accordance with APP 3.
· The Privacy Officer(s) provides advice and direction regarding the destruction or de-identification of unsolicited personal information.
Notification of the collection of personal information
· The Counselling Collaborative will ensure a Client/Customer is notified as soon as practicable about:
o the types of personal information that are being collected by The Counselling Collaborative
o the purpose for which information is being collected by The Counselling Collaborative
o which information is likely to be disclosed to other parties, and for what purpose, including any overseas recipients if relevant
o how Clients and Customers can access and/or seek to amend the personal information held by The Counselling Collaborative.
o how to lodge a complaint about a potential/actual breach
o any other matters that must be notified under APP 5
· Where The Counselling Collaborative has collected personal information from someone other than the individual, The Counselling Collaborative will take reasonable steps to notify the individual of the collection.
Dealing with personal information
Use and disclosure of personal information
· The Counselling Collaborative will only use and disclose personal information for the particular purpose (primary purpose) for which it was collected, or for a related purpose where the Client/Customer would reasonably expect the use or disclosure of the personal information.
· The Counselling Collaborative will not use or disclose personal information for another purpose (secondary purpose) unless consent is provided by the individual.
· The Counselling Collaborative may use or disclose personal information without the individual’s consent in the circumstances set out in APP 6.2, including where:
o the individual would reasonably expect use/disclosure of the information for the secondary purpose and the secondary purpose is:
i) if the information is sensitive information – directly related to the primary purpose; or
ii) if the information is not sensitive information – related to the primary purpose (APP 6.2(a))
o use/disclosure is required or authorised by Australian law or a court/tribunal order (APP 6.2(b))
o use/disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety (APP 6.2(c))
o use/disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim (APP 6.2(c))
o use/disclosure is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body (APP 6.2(e))
· The Privacy Officer(s) provides advice and direction regarding the use/disclosure of personal information without consent
· The Privacy Statement sets out how personal information is used and disclosed.
Direct marketing
· The Counselling Collaborative will not use or disclose personal information that it holds for the purpose of direct marketing, in accordance with APP 7.1, except as set out below.
· Despite APP 7.1, The Counselling Collaborative may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(a) The Counselling Collaborative collected the information from the individual; and
(b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and
(c) The Counselling Collaborative provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(d) the individual has not made such a request to The Counselling Collaborative
· Despite APP 7.1, The Counselling Collaborative may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
a. The Counselling Collaborative collected the information from:
i. the individual, and the individual would not reasonably expect The Counselling Collaborative to use or disclose the information for that purpose; or
ii. someone other than the individual; and
b. either:
i. the individual has consented to the use or disclosure of the information for that purpose; or
ii. it is impracticable to obtain that consent; and
c. The Counselling Collaborative provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
d. in each direct marketing communication with the individual:
i. The Counselling Collaborative includes a prominent statement that the individual may make such a request or
ii. The Counselling Collaborative otherwise draws the individual’s attention to the fact that the individual may make such a request; and
e. the individual has not made such a request to The Counselling Collaborative
· Despite APP 7.1 The Counselling Collaborative may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.
Cross-border disclosure of personal information
· The Counselling Collaborative is unlikely to disclose personal information to overseas recipients in the course of day-to-day operations
· Before disclosing personal information to an overseas recipient, The Counselling Collaborative will take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information (APP 8.1)
· All requests for personal information to be disclosed to an overseas recipient should be referred to The Counselling Collaborative Privacy Officer(s) for advice and management
Adoption, use or disclosure of government related identifiers
· The Counselling Collaborative will not adopt a government related identifier (number, letter or symbol) of an individual as its own identifier, and will not use or disclose such an identifier, unless this is reasonably necessary to verify the individual’s identity for the purposes of The Counselling Collaborative’s activities or functions, is required or authorised by Australian law or a court/tribunal order, or is otherwise permitted under APP 9.2
Integrity of personal information
Quality of personal information
· The Counselling Collaborative will take reasonable steps to ensure the personal information it collects is accurate, up to date and complete
· The Counselling Collaborative will take reasonable steps to ensure that the personal information that it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant
Security of personal information
· The Counselling Collaborative will take all reasonable steps to ensure that the personal information it holds is protected from misuse, loss, interference and unauthorised access, modification or disclosure. This includes but is not limited to:
o Use of Data Loss Prevention services to protect against files with personal information being accidentally shared.
o Engagement of an external IT Security organisation to perform independent security and penetration testing on our corporate network and websites.
· The Counselling Collaborative will destroy or permanently de-identify personal information when it is no longer required for use or disclosure, and where The Counselling Collaborative is not required to retain the information in accordance with Australian law
· The Counselling Collaborative will ensure compliance with archiving requirements as stipulated in various State and Territory based Health Record Management legislation
Access to, and correction of, personal information
Access to personal information
· The Counselling Collaborative will give individuals access to their personal information, at that individual’s request, unless The Counselling Collaborative determines that a valid exception to access applies (APP 12.3). These exceptions include where:
o giving access would pose a serious threat to the life, health or safety of any individual, or to public health or safety
o the information relates to existing or anticipated legal proceedings between The Counselling Collaborative and the individual, and would not be accessible by the process of discovery in those proceedings
o giving access would be unlawful, or denying access is required or authorised by Australian law or a court/tribunal order
o giving access would have an unreasonable impact on the privacy of other individuals
· All requests for access to personal information must be referred to the Privacy Officer(s). A request must be made in writing and accompanied by a signed Consent to Release Confidential Information form.
· All requests will be responded to in a reasonable time and where possible, access will be given in the manner requested by the individual
· The Counselling Collaborative may charge the individual for giving access to the information (e.g. printing costs) however this charge will not be excessive nor will it apply to the making of the request
· Where requests for access are refused, The Counselling Collaborative will provide written notification of the reasons for refusal and refer the applicant to the Complaints, Feedback & Compliments Policy.
Correction of personal information
· The Counselling Collaborative will take reasonable steps to correct personal information where an individual requests The Counselling Collaborative to correct the information, or The Counselling Collaborative identifies that the information held is inaccurate, out of date, incomplete, irrelevant or misleading
· The Counselling Collaborative will accept requests from individuals to correct that individual’s personal information in accordance with its obligations under APP 13.
o All requests for correction of personal information must be referred to the Privacy Officer
· No charges will be incurred by the individual for the correction of personal information
· Where requests for correction of personal information are refused, The Counselling Collaborative will provide written notification of the reasons for refusal and refer the applicant to the Complaints, Feedback & Compliments Policy.
- THE COUNSELLING COLLABORATIVE’S RESPONSIBILITIES
1.1 All Employees, Agents, Contractors, Consultants and Volunteers
As privacy is a key priority in the management of The Counselling Collaborative’s operations and service delivery, you:
a) Must comply with this Policy, and any relevant supporting Policy and Procedure documents, at all times
b) Attend and complete Privacy training or education opportunities as identified and agreed to by your Manager including the annual Incident and Privacy Management Webinar
c) Must raise with your Manager any lack of understanding or confusion in relation to privacy issues affecting The Counselling Collaborative.
d) Must not engage in behaviour either directly or indirectly, or fail to report behaviour by others, that may breach this Policy
e) Must promptly raise any issues or suspected breaches of this Policy with your Manager or The Counselling Collaborative Privacy Officer(s).
Responsible: All Team Members
2.1 All Managers
All Managers must be fully aware of this policy and all relevant supporting Procedures, and demonstrate a strong commitment to privacy compliance by:
a) Identifying any privacy compliance risks and implementing appropriate controls to manage those risks.
b) Undertaking more in-depth privacy training and education (where required).
c) Dealing with privacy issues or breaches as or when they arise, and notifying the Privacy Officer(s) of any breaches or suspected breaches.
· Under service agreement clause 17.3(i), funded organisations must immediately notify the department when they become aware of a breach or possible breach of the organisation’s obligations. This is separate from, and in addition to, the obligations under the Notifiable Data Breaches (NDB) scheme administered by the OAIC, set out below.
· Where there is an eligible data breach (a data breach that is likely to result in serious harm to any of the individuals to whom the information relates), The Counselling Collaborative must notify all individuals whose personal information is involved. The notification must include recommendations about the steps individuals should take in response to the breach, and must be made as soon as practicable.
· In addition, and as a separate obligation, The Counselling Collaborative must notify the OAIC of any eligible data breach using the form located at https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
This must be done as soon as practicable after The Counselling Collaborative becomes aware that an eligible data breach has occurred. Where a breach is only suspected, the assessment of whether it is an eligible data breach must be completed within 30 days of becoming aware of the grounds for suspicion.
· If it is not possible to notify the individual(s) concerned of an eligible data breach then The Counselling Collaborative must:
o publish a copy of the statement on its website; and
o take reasonable steps to publicise the contents of its statement.
(The OAIC would expect such a statement to be accessible for at least 6 months.)
· The content of any statement by way of a notification to individuals must contain the following information:
o the identity and contact details of the entity
o a description of the eligible data breach that the entity has reasonable grounds to believe has happened
o the kind, or kinds, of information concerned
o recommendations about the steps that individuals should take in response to the eligible data breach
DHHS has defined the following terms for funded agencies:
• Breach or Possible Breach – an action or omission that results in loss, theft, misuse or unauthorised disclosure of personal information, or has the potential to do so.
• Near Miss – a situation where a breach would have occurred without intervention. This includes situations where a privacy incident has occurred without any actual disclosure of personal information.
• Allegation of Privacy Breach – a complaint that a privacy breach has occurred, which then needs to be investigated.
An Incident, Near Miss and Hazard Reporting Form must be completed as per the Incident, Near Miss and Hazard Management System Policy and submitted to email@example.com, followed by the Investigation of the Incident, Near Miss or Hazard Report Form, to enable prompt investigation and mitigation by the Senior Manager in conjunction with the Operations Team and to meet external reporting requirements.
Additional external reporting of privacy breaches is required under state and federal requirements, including the DHHS Privacy Incident Report Form: https://dhhs.vic.gov.au/user-guide-funded-agency-staff-members-privacy-incident-report-form
Responsible: All staff in conjunction with Operations Team
2.2 Failure to comply with this Policy may result in disciplinary action. In addition, you may be exposed to personal liability if you are grossly negligent or engage in wilful misconduct.
3 Other Mandatory Reporting
3.1 The Counselling Collaborative teams are required to:
· Report de-identified information to Government agencies in order to secure continued funding; and
· Report identifiable information in accordance with organisational procedures regarding Vulnerable People
Responsible: All Team Members
- SUPPORTING DOCUMENTATION
| Policies or Forms (reviewed at the same time as the policy review is undertaken) | Location |
|---|---|
| Complaints Form (Customers) | Intranet |
| Consent to Release Confidential Information | Intranet |
| Terms and Conditions documents (fundraising and services activities) | Intranet |
| Complaint, Feedback and Compliment Policy | Intranet |
| Incident, Near Miss and Hazard Policy | Intranet |
| Incident, Near Miss and Hazard Reporting Form | Intranet |
| Investigation of the Incident, Near Miss and Hazard Report Form | Intranet |
| Risk Management Policy | Intranet |
| Managing Customer Data Policy | Intranet |
| Records Management Policy | Intranet |
- KNOWLEDGE MANAGEMENT
| Staff Group | Level of knowledge required | Training source |
|---|---|---|
| All new staff (including Volunteers) | Staff induction and orientation programs include training about Privacy requirements and Incident reporting. | Induction slides are updated by the Operations Manager and Team. |
| All staff | Completion of the Incident and Privacy Management Webinar annually | Induction slides are updated by the Operations Manager and Team. |
- COMPLIANCE MEASUREMENT
| Measure | Target | Frequency | Evidence | Responsible |
|---|---|---|---|---|
| Breaches of the APPs from each business unit | 0 | Annual | Incident register trend analysis report | Executive |
| All new staff (including Volunteers) will be orientated to Privacy requirements | 100% | On-going | New staff report cross-referenced with the Policy Acknowledgement Form | Operations |
| Completion of Incident and Privacy Management training | 100% | Annually | HR staff report cross-referenced with completion records | Operations |