The purpose of this policy is to:
- clearly communicate EveryMan's personal information handling practices;
- set out how EveryMan complies with its obligations under the Privacy Act 1988 (Cth) ("the Act");
- enhance the transparency of EveryMan's operations;
- give individuals a better understanding of:
  - the personal information that EveryMan collects,
  - the way that information is managed, and
  - how people may seek access to personal information held by EveryMan and seek correction of such information.
This policy also recognises that the right to privacy is a human right, as provided by section 12 of the Human Rights Act 2004 (ACT). This policy records EveryMan's commitment to this human right.
This policy appears on EveryMan's website and is available at the EveryMan office.
2. The meaning of terms used in this document
Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual orientation or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric
(e) biometric templates.
3. Our Personal Information Handling Practices
3.1 What type of personal information do we collect?
a) We only collect personal information (other than sensitive information) that is reasonably necessary for, or directly related to, one or more of EveryMan's functions or activities.
b) We only collect sensitive information that is reasonably necessary for one or more of EveryMan's functions or activities.
c) EveryMan's functions and activities include:
- providing health and community support services including counselling, anger management courses, accommodation/housing and health support to people, or helping them access the services they need;
- assessing, investigating, conciliating, determining, developing or monitoring privacy complaints;
- responding to enquiries made to EveryMan;
- assessing the eligibility and suitability of individuals to EveryMan's programmes;
- distributing information about our activities or publications to people who may have an interest in EveryMan;
- collating statistical data for programme accountability and reporting purposes and for public advocacy;
- employing and paying staff;
- engaging with volunteers;
- accepting and receiving donations and acknowledging donors.
d) The types of personal information which may be reasonably necessary for, or directly related to, one of EveryMan's functions or activities include:
- image, date of birth, contact details, bank account details, family details including family's contact details, criminal history, family violence history, disability pension number and/or medical information;
- sensitive information such as criminal records, health information, information concerning sexual preferences and information about racial and ethnic origin;
- driver's licence number, tax file number, bank account details, previous employment information and/or next of kin (where the person is a member of EveryMan).
e) More information on the types of personal information we collect can be found in Section 2 below.
f) You do not have to provide us with personal information unless you wish to do so. However, it may affect our ability to provide you with services or allow you to participate in our programs or events if you do not give us your personal information. If you do not consent to us collecting, using and disclosing your personal information, we may not be able to provide assistance to you.
3.2 Who do we collect information from?
Wherever possible, we will collect personal information (including sensitive information) directly from you with your consent. Personal information (including sensitive information) may be collected from third parties but only where it is unreasonable or impracticable to collect personal information directly from you.
Sometimes third parties provide personal information to us without us asking (that is, unsolicited personal information). In those circumstances, we will, within a reasonable period after receiving the personal information, determine whether we could have lawfully collected that personal information. If we could not, we will destroy or de-identify the personal information.
Where practicable to do so, we will take reasonable steps to ensure that information provided to us by a third party has been disclosed pursuant to your consent and to inform you that the personal information is being or has been collected and obtain your consent.
When we collect personal information from third parties, we typically collect personal information including sensitive information from any of the following entities: the Australian Federal Police (AFP); the Alexander Maconochie Centre; Mental Health ACT; Community Advocate; Guardianship Tribunal; the Domestic Violence Crisis service; the Justice and Community Safety Directorate (JACS); the Canberra Hospital; OneLink; family members of a person and a person's general practitioner.
Any time EveryMan collects personal information (including information from third parties), we will take reasonable steps to ensure that you are aware of:
- EveryMan and how to contact us;
- the fact that you are able to gain access to the personal information;
- the purpose(s) for which the personal information is collected;
- the organisations or types of organisations to whom EveryMan usually discloses personal information of that kind;
- any law that requires the particular personal information to be collected;
- the main consequences (if any) to you if all or part of the personal information is not provided;
- whether we are likely to transfer your personal information to an overseas recipient.
3.3 Sensitive information
EveryMan may collect personal information which is sensitive information. Such information includes criminal records, health information, information concerning sexual preferences and information about racial and ethnic origin. In relation to sensitive information, EveryMan will only collect that information with your consent or as otherwise permitted by the Privacy Act or at law. If a third party provides sensitive information to us without us asking we will take reasonable steps to verify your consent to collect that information. If your consent cannot be obtained, we will destroy it.
3.4 What is express and implied consent?
Express consent: refers to consent either oral or written that has been directly given by the individual to whom the information relates.
Implied consent: refers to where the consent to collect the personal information may be inferred by the conduct of the individual to whom the information relates. For example, where an individual presents to a counsellor, starts speaking and the counsellor makes notes.
When we seek your consent to the use and/or disclosure of personal information, the key principles we apply are that:
- consent must be voluntary - the individual must have a genuine opportunity to provide or withhold consent; that is, they must be able to say 'yes' or 'no' without extreme pressure which would equate to an overpowering of will;
- consent must be informed - the individual must know what it is they are agreeing to. That is, the individual needs to be aware of the implications of providing or withholding consent, having received the information in a way meaningful to them and appropriate in the circumstances;
- the individual must have the capacity to provide consent - the individual must be capable of understanding the issues relating to the decision, forming a view based on reasoned judgment and communicating their decision.
3.5 How do we use and disclose your personal information?
EveryMan will only use or disclose personal information for the particular purpose(s) for which the information was collected (for example, to provide services or support to a person). This is the 'primary purpose'. EveryMan will not use or disclose personal information for a purpose other than a primary purpose ('secondary purpose') unless:
- you have consented to the use or disclosure of the personal information;
- you would reasonably expect us to use or disclose the personal information for the secondary purpose and, in the case of sensitive information, the secondary purpose is directly related to a primary purpose, and in all other cases, the secondary purpose is related to a primary purpose; or
- we are otherwise permitted to use or disclose the personal information by the Privacy Act (for example, where it is unreasonable or impracticable to obtain your consent and we believe that the use or disclosure of the personal information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety).
3.6 Who at EveryMan sees your information?
Your information is circulated to a limited number of EveryMan staff on the basis of their need to know in order to provide a service to you, or for administrative uses related to the operation of the service you're accessing.
There may be times when you don't want a particular staff member to have access to your personal information, e.g. if you've been dissatisfied with a service or the way you've felt in your interactions with the staff member.
If you don't want to have the staff member know about your personal information or complaint, please let us know. This may put some limits on what we can do to support you or address your concerns. If so, we will discuss the impact of withholding information from that staff member with you.
When we receive a complaint about a staff member, we usually need to tell them about it if we need to stop or change the way they are doing things. If the complaint is personal and might go on their record, we need to tell them because principles of natural justice require employers to give staff a chance to give their version of events.
Even if we don't give your name, sometimes a staff member may be able to guess you've contacted us because of the type of action we're taking or changes we're implementing, so if you don't want them to know, you can tell us you don't want us to do anything. This is an 'informal complaint'.
If a program needs to make changes to the way it does things as a result of a client's complaint, a small number of management or program staff may need to read this report or be given the details of it, in order to address the issues. If you don't want that to happen, please let us know.
3.7 Government Related Identifiers
EveryMan may collect, use and disclose personal information in the form of government related identifiers such as a tax file number and Medicare number. In accordance with Australian Privacy Principle (APP) 9, EveryMan will only use and/or disclose such identifiers to fulfil its obligations to an agency, State or Territory authority or otherwise as permitted by APP 9.
3.8 Data quality
EveryMan takes reasonable steps to ensure that the personal information we collect, use or disclose (and our record of any consent in relation to that information) is accurate, up to date and complete. These steps include maintaining and updating personal information when we are advised by you that your personal information has changed.
3.9 Information security
EveryMan takes reasonable steps to protect personal information we hold against misuse, loss, unauthorised access, modification and disclosure. Staff access to your personal information is based on the 'need-to-know' principle.
These steps include password protection for electronic files, securing paper files in locked cabinets, physical access restrictions and taking reasonable steps to ensure that, when no longer required, personal information/images are destroyed in a secure manner or deleted.
EveryMan may store personal information offsite and keep that information for archival purposes as required by law. For more information please see EveryMan's Records Policy guidelines. While stored offsite, personal information will be stored securely in locked cabinets, with physical access restrictions.
3.10 Our Files
3.10.1 Client Files
File Contents and Purpose
EveryMan's programmes may differ in relation to the types of personal information they require and the format in which it is collected and maintained. Programmes should provide guidelines on essential records and that different categories of information will be kept in separate sections of the client file, namely:
- Case management files should contain the following information: referral information; social history; correspondence; case management plans; intake/exit summaries; assessments and reports.
- Programme accountability files should contain client information data that is relevant to performance indicators specified in service purchaser contracts. The programme accountability files aggregate data for reporting purposes. Data may be recorded in the programme file which identifies an individual by code. Information released as part is de-identified prior to disclosure.
We collect personal information in client files to enable us to provide services or health support to people or to help them access the services they need. This may include information such as a person's image, date of birth, contact details, bank account details, family details including family's contact details, disability pension number, medical information, criminal history and notes made by our counsellors.
All entries should be clearly legible, the writer identified, signed and dated, and facsimile information should be photocopied if paper quality is poor.
Commonly, a case management file may contain the following types of personal information:
- the client's name, address, telephone numbers, and Medicare, details of DVA matters or other social security numbers;
- current treatments and drugs used;
- previous and current medical history, if directly relevant to the services provided, including any relevant family medical history;
- the name of any health service provider, medical specialist, government agency or other organisation to whom we may need to refer, including in reports or other information provided by these organisations or agencies;
- records of conversations with EveryMan's counsellors;
- details of racial or ethnic origin, membership of any trade associations, sexual preferences or practices and criminal record.
We typically collect this personal information directly from the individual or their authorised representative. We may share this information with various types of people and organisations to assist EveryMan to provide its services, for example government departments, the individual's family or employment services. We will only do so if the individual or their authorised representative has given consent or the disclosure is otherwise required or permitted by law.
3.10.2 Staff Files (including volunteers)
We collect personal information in staff files to enable us to provide appropriate industrial relations, payroll and Workplace Health & Safety support. This may include information such as a person's date of birth, contact details, driver's licence number, tax file number, bank account details, previous employment information, next of kin or relevant medical information.
We typically collect this personal information directly from the individual or their authorised representative. Sometimes we collect personal information from a third party (for example, in obtaining a police check or functional assessment when recruiting staff), where the individual or their authorised representative has consented or the collection is otherwise required or permitted by law.
We may share this information with various types of people and organisations for example government departments, the individual's family or other employers. We will only do so if the individual or their authorised representative has given consent, or the disclosure is otherwise required or permitted by law.
Staff files will be controlled and managed by Administrative Services Unit staff and the Director of EveryMan. Access by other employees of EveryMan will be limited to the immediate managers of the individual and will strictly be on a 'need to know' basis, under the supervision of an Administrative Services Unit team member or the Director of EveryMan. In particular, access to an employee's TFN will be limited to only those that are required to use that information for the purpose of a taxation law, personal assistance law or superannuation law (see Tax File Number Guidelines 2011).
3.10.3 Complaint Files
We collect personal information in complaint files to enable us to assess, investigate, conciliate or determine privacy complaints and for related purposes such as developing or monitoring the way we handle complaints.
The personal information in these files is about complainants and respondents. Complaint files may also include personal information about individuals who are authorised to represent complainants or respondents, and about third parties who provide information in the course of our investigations. We collect personal information directly from complainants and respondents or their authorised representatives. We may also collect personal information about complainants and respondents from third parties, when it is relevant to our assessment, investigation, conciliation or determination of a complaint and it is unreasonable or impracticable to collect the information directly from the complainant or respondent.
We may use personal information held in complaint files to make contact with the complainant, the respondent and any other relevant individual or organisation.
3.10.4 Audit Files
If and when EveryMan conducts an audit or is audited by an external agency, we will create audit files that record details of audits of EveryMan which are conducted by EveryMan or an external agency. Personal information held in audit files may include contact information and opinions of employees who are subject to audit.
We use information in audit files for the purpose of undertaking audits and to assist in the compilation of audit reports. Personal information in audit files is not disclosed to other organisations, agencies or anyone else, unless the individual would reasonably expect us to or has given their consent or it is otherwise required or permitted by law.
We maintain and update personal information in our audit files including when we are advised by individuals that their personal information has changed. Audit files are stored in either password protected electronic media or in locked cabinets in paper form. We take reasonable steps to ensure that, when no longer required, personal information in audit files is destroyed in a secure manner or deleted.
3.10.5 Enquiries Files
We maintain enquiries files containing personal information for the purpose of responding to enquiries.
We collect personal information directly from the individual making the enquiry or their authorised representative. In the course of responding to some enquiries, we may collect personal information from publicly available sources such as websites or telephone directories for the purpose of making contact with the enquirer.
We only use personal information collected from an enquirer to respond to the enquiry or to make referrals which the enquirer has consented to or would reasonably expect us to make or otherwise as required or permitted by law. Sometimes, if the enquirer consents, we will pass on their personal information to government departments or organisations for the purpose of following up their enquiry.
We maintain and update personal information in our enquiries files including when we are advised by individuals that their personal information has changed.
We offer an email service for individuals to lodge enquiries on our website. Enquiries files are stored in either password protected electronic media or in locked cabinets in paper form. We take reasonable steps to ensure that, when no longer required, personal information in enquiries files is destroyed in a secure manner or deleted.
3.10.6 Contacts Lists
We maintain contacts lists which include contact information about individuals who may have an interest in EveryMan. We use these contacts lists to distribute information about our activities and publications.
It is our usual practice to collect personal information in contacts lists directly from individuals, for example, where they have asked to be added to a contact list or receive information about our activities and publications. Sometimes, if it is unreasonable or impracticable to collect the information directly from the individual, we collect personal information from a third party or from a publicly available source such as a website or telephone directory. We usually only collect personal information in this way if the individual would reasonably expect us to or has given their consent. We would only contact this individual in their work capacity.
We only use personal information in contacts lists to distribute information about our activities and publications, for the purpose of managing public and stakeholder relations and for related purposes for which the individual would reasonably expect us to use the information or otherwise as required or permitted by law.
We maintain and update personal information in our contacts lists when we are advised by individuals that their personal information has changed and at other times as necessary when we are aware personal information has changed. We also regularly review contacts lists to check the currency of the contact information. When updating the lists, or when requested, we will remove contact information of individuals who we know no longer wish to be contacted.
Personal information in contact lists is stored in password protected electronic media or in locked cabinets in paper form. We take reasonable steps to ensure that, when no longer required, personal information in contacts lists is destroyed in a secure manner or deleted. Access is limited to a need-to-know basis.
3.11 Internal Information Sharing
Employees working in EveryMan programs may collect information about clients and their families that may, if shared with employees of other EveryMan programs:
- ensure the safety of clients, family members or others in the community, or EveryMan employees
- enable more comprehensive assessment of, or work with, client risk factors
- improve and strengthen our services to men and their families
We will typically obtain the consent of the individual to whom the information relates, prior to sharing information between EveryMan's programmes. Where it is unreasonable or impracticable to obtain consent, we may share information between programmes where the individual would reasonably expect us to use the information for that purpose or otherwise as permitted by the APPs.
In relation to personal information which is "sensitive information" (as defined in the Privacy Act 1988) such as health information and criminal records, EveryMan will only share that information with other programmes, in circumstances where obtaining consent is impracticable or unreasonable, where the programme with whom that information is to be shared is directly related to the programme that collected the information and the individual would reasonably expect EveryMan to use or disclose that information for the secondary purpose or otherwise as permitted by the APPs.
When sharing information between programmes, EveryMan complies with ACT and Commonwealth legislation, legislated ACT and Commonwealth privacy and confidentiality regulations, and contractual agreements with our funding bodies. Further information relating to information sharing between programmes can be found in EveryMan's Operational policies and procedures manual.
3.12 Accessing and correcting personal information
In most cases, a person can obtain access, upon request, to any personal information that EveryMan holds about them. They can ask us to correct personal information we hold about them if they believe that information is inaccurate. To request access to or correction of personal information, use the contact details below.
3.13 How to contact us:
Phone: (02) 6230 6999
Fax: 02 6257 1223
Email address: email@example.com
Address: 3.01 Griffin Centre, 20 Genge Street, Civic ACT
Postal Address: GPO Box 1753, Civic ACT 2601
If you would like further information about how we handle personal information or would like to make a complaint about a possible breach of privacy, please contact the Executive Director, Greg Aldridge, on (02) 6230 6999 or email: firstname.lastname@example.org.