Policy Name: Privacy Policy

Policy Number: FCO-022

Date Approved: 15 April 2019

Approved By: Board of Management

Date Issued: 18 April 2019

Review Date: April 2022

Version 1.7

This version of the policy was approved 15 April 2019 and replaces the version approved 18 July 2018.

1.    Aim

Firstchance is committed to protecting personal information in accordance with our obligations under the Privacy Act 1988 and related amendment legislation.

The purpose of this document is to outline how Firstchance will comply with these legislative requirements.

The supporting systems and procedures will ensure that there are some guidelines and consistency on the following:

  • What kind of personal and sensitive information Firstchance collects and holds
  • Why and how Firstchance collects, holds, uses and discloses personal and sensitive information
  • How people can access or correct their personal and sensitive information held by Firstchance
  • What kind of events are defined as data breaches and how Firstchance manages and reports data breaches
  • How people can make a complaint about the way Firstchance collects, holds, uses or discloses personal and sensitive information, and how Firstchance deals with data breaches and privacy related complaints

2.    Scope

This policy applies to all Firstchance stakeholders, including children, young people, families and all workers for Firstchance (employees, volunteers, students, contractors, and third parties/partners), community members, donors and sponsors.

3.    Policy

This policy ensures that Firstchance manages personal and sensitive information in an open and transparent way (Australian Privacy Principle 1).

3.1.    What is Personal Information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.[1] Firstchance is aware that information that is not about an individual on its own can become personal information when combined with other information and that individual may then be ‘reasonably identifiable’; for example, the nature and amount of information, or who will access the information.

Personal information can be in any format, such as information that is shared verbally, captured digitally, recorded, or captured on signs. Examples of personal information Firstchance would collect include a person’s name, address, a photograph, details of education qualifications or an email address. We will collect relevant information depending on your relationship with Firstchance. These are outlined in detail in the Record Keeping and Retention Policy, and include the following file types:

  • Employee Records – personal information in relation to the employment of an individual
  • Client Files – personal information collected from children/young people and their families to assist us in providing safe, relevant and effective advice and support in relation to early intervention strategies for children living with a disability
  • Donor/Sponsor details – personal information collected from community members, workers and/or the families we support who provide financial or in-kind support to the work of Firstchance.

3.2.    What is Sensitive Information?

Sensitive information can only be collected with the individual’s consent, and where it is reasonably necessary for Firstchance service, activities and functions (Australian Privacy Principle 3).

Sensitive information may include any of the following information or opinion about an individual:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record
  • working with children check
  • health information about an individual

3.3.    Collection of personal information

Personal information will only be collected if it is reasonably necessary for Firstchance service, activities and functions (Australian Privacy Principle 3). Where possible, Firstchance will collect personal information directly from the individual it relates to (or their legal guardian). In some instances, Firstchance may need to obtain personal information from third parties; for example, when employing an individual, Firstchance may obtain work history information from a referee. Where reasonable, Firstchance will notify the individual that this personal information has been collected. Firstchance will only collect personal information by lawful and fair means (Australian Privacy Principle 3).

3.4.    Unsolicited personal information

Should Firstchance receive personal information that they did not request and determine that they could not have obtained this information using the lawful and fair means identified in section 3.3, Firstchance will destroy this information (Australian Privacy Principle 4).

3.5.    Use and disclosure

  • Personal information which is collected for the primary purpose of Firstchance service delivery, activities and functions will not be disclosed for secondary purposes unless the individual consents to the disclosure of the information; or the secondary purpose is directly related to the primary purpose; or the disclosure of information is required under Australian law (Australian Privacy Principle 6).
  • Firstchance will not disclose personal information, including sensitive information, for the purpose of direct marketing or fundraising without the consent of the individual (Australian Privacy Principle 7).
  • Firstchance will not disclose personal information to an overseas recipient unless required by Australian law (Australian Privacy Principle 8).
  • Firstchance will not adopt a government related identifier (such as a Medicare number) as a unique identifier, nor will we disclose any identifiers we store (Australian Privacy Principle 9).
  • General Data Protection Regulations (GDPR) - data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:
    • Your data will be made available to our website provider
    • The data that may be available to them include any of the data we collect as described in this privacy policy.
    • Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
    • They will store your data for a maximum of 7 years.
    • This processing does not affect your rights as detailed in this privacy policy.

3.6.    Data Quality and Correction

  • Firstchance will take reasonable steps to ensure all personal information collected from stakeholders is accurate, complete and up to date. Parents/carers will be required to update their enrolment details annually, or whenever they experience a change in circumstances. Computer records will be updated as soon as new information is provided. If Firstchance discloses personal information we will reasonably ensure it is accurate and relevant as per our commitment to data quality (Australian Privacy Principle 10).
  • Similarly, should Firstchance believe that personal information stored is out of date, or an individual asks to update personal information, they will take reasonable steps to correct the information and will update computer records (Australian Privacy Principle 13).

3.7.    Access and Correction

  • Where reasonable, Firstchance will allow individuals access to their personal information in a prompt and convenient manner (Australian Privacy Principle 12). Parents/carers wishing to access their personal information must make written application to the Program Manager, who will arrange an appropriate time for this to occur. The Program Manager will protect the security of the information by checking the identity of the applicant, and ensuring someone is with them while they access the information to ensure the information is not changed or removed without the Program Manager’s knowledge.
  • If Firstchance believes that access to personal information: poses a risk to health and safety; unreasonably impacts the privacy of others; or relates to anticipated legal proceedings between Firstchance and the individual, Firstchance may reasonably refuse access and will outline the decision in writing.

3.8.    Data Security

  • Firstchance is committed to securely storing personal and sensitive information we collect and will take all reasonable steps to prevent the unauthorised access, misuse, loss or disclosure of such information. If Firstchance no longer needs, or is no longer required under Australian law to store personal information, we will de-identify and/or destroy the information (Australian Privacy Principle 11).
  • If personal or sensitive information is used for evaluation, case studies or research, including in assessment tasks completed by student placements, documents provided will be de-identified.
  • Anonymity and pseudonymity: Individuals have the right to not identify themselves in relation to a matter, unless it is impractical to do so, or a law or court/tribunal order requires it, for example, mandatory reporting of suspected child abuse or neglect (Australian Privacy Principle 2).

3.9.    Data Breaches

  • A data breach occurs when personal information held by Firstchance is subject to unauthorised access or disclosure or is lost. A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.

Examples include loss or theft of physical laptops and storage devices or paper records, unauthorised access by an employee, or inadvertent disclosure of personal information due to ‘human error’ (e.g., email sent to the wrong person).

  • Management of data breaches: Firstchance has a Data Breach Response Plan covering how data breaches are assessed and managed; staff roles and responsibilities; how data breaches are recorded and reviewed; how to improve information security because of a breach; and, notifying data breaches.
  • Eligible (notifiable) data breaches: Firstchance may notify certain data breaches to the OAIC and to individuals about whom the personal information relates. ‘Eligible data breaches’ occur when all three of the following criteria are met:
    • There is unauthorised access to or disclosure of personal information held by Firstchance (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
    • This is likely to result in serious harm to any of the individuals to whom the information relates.
    • Firstchance has been unable to prevent the likely risk of serious harm with remedial action.
  • Notifying data breaches: The method Firstchance will use to notify individuals will depend on the type of data breach and who it affects. We may notify each individual to whom the relevant information relates, notify only individuals at risk of serious harm, or publish a notification (e.g. on the Firstchance website). Any notification will not identify specific individuals who accessed information unless it is relevant to the steps Firstchance recommends individuals might take in response.

3.10. Complaints

  • This policy is available to all stakeholders in an appropriate form and/or as requested by an individual. The Privacy Policy is available on the Firstchance website – firstchance.org.au – or a copy can be emailed or posted upon request. There is no fee to view this policy.
  • The Program Manager will deal with privacy complaints promptly and in a consistent manner, following the Firstchance Complaints and Feedback procedures. Where the aggrieved person is dissatisfied after going through the complaints process, they should refer to the Office of the Australian Information Commissioner (OAIC) website oaic.gov.au and submit a Privacy Complaint Form. Alternatively, they should phone the hotline on 1300 363 992.

3.11. Advocacy/legal advice/independent support

Firstchance welcomes the inclusion of support for families which is external to the organisation, to assist families in their interactions with Firstchance. Assistance may be provided by a friend, family member, staff member, translator, community visitor, advocate or anyone else who is acceptable to the family / person. Where necessary, Firstchance will offer assistance to a family by making a referral to an advocacy service with the consent of the family.

4.    Related Policies

This policy must be read in conjunction with the following policies and procedures:

Child Protection Policy

Complaints and Feedback procedures

Data Breach Response Plan

Family Handbook

Family Law and Access Policy

Medical Conditions Policy

Record Keeping and Retention Policy

Social Networking Usage Policy

Work from Home/Remote Location Policy

5.    References

Disability Service Standards

      Standard 1 – Rights

OAIC

Australian Privacy Principles (OAIC, 2015)

Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (OAIC, 2018)

What is personal information? (OAIC, 2018)

Other references

United Nations Convention of the Rights of a Child

Legislation

Children and Young Persons (Care and Protection) Act 1998 (NSW)

Disability Inclusion Act 2014 (NSW)

Freedom of Information Act 1989 (Cth)

Privacy Act 1988 (Cth)

Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)

Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

6.    Persons Responsible

All employees are responsible for:

  • Implementing this policy
  • Recording documentation in an accurate and strengths-based way
  • Maintaining Privacy and Confidentiality responsibilities as outlined in their employment contract
  • Ensuring security of all family and staff information
  • Ensuring that changes to enrolment and other relevant information about children/young people and parents/carers are updated in the service records
  • Reporting all data breaches immediately as outlined in the Data Breach Response Plan

Supervisors are responsible for:

  • Ensuring staff under their supervision are implementing this policy in their daily practice
  • Supporting and directing staff in relation to reporting data breaches

Managers are responsible for:

  • Responding to requests from parents/carers and workers to see information held about themselves
  • Coordinating the Enrolment process for all clients
  • Organising for Confidentiality Forms to be signed by volunteers/students

Board of Management are responsible for:

  • Approval of this policy.

7.    Definitions

Anonymity – means that an individual dealing with Firstchance cannot be identified and Firstchance does not collect personal information or identifiers.

APP entities – refers to the organisations and Australian Government agencies that the Australian Privacy Principles (APP) apply to, including Firstchance.

Board of Management – the governing body of Firstchance, comprised of elected or appointed members who jointly oversee the activities and legal responsibilities of the organisation

Collecting by Fair means - a ‘fair means’ of collecting information is one that does not involve intimidation or deception, and is not unreasonably intrusive. Whether a collection uses unfair means will depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if undertaken in connection with a fraud investigation.

The following are given as examples of where a collection of personal information may be unfair (some may also be unlawful):

  • collecting from a file dumped by accident on a street, or from an electronic device which is lost or left unattended
  • collecting from an individual who is traumatised, in a state of shock or intoxicated
  • collecting in a way that disrespects cultural differences
  • misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
  • collecting by telephoning an individual in the middle of the night
  • collecting by deception, for example, wrongly claiming to be a police officer, doctor or trusted organisation.

Collecting by lawful means – The term ‘lawful’ is not defined in the Privacy Act. It is lawful for an organisation to destroy or de-identify unsolicited personal information if it is not unlawful to do so. That is, if the destruction or de-identification is not criminal, illegal or prohibited or proscribed by law. Unlawful activity does not include breach of a contract. Examples of collection that would not be lawful include:

  • collecting via computer hacking
  • collecting using telephone interception or a listening device except under the authority of a warrant
  • requesting or requiring information in connection with, or for the purpose of, an act of discrimination
  • collecting by a means that would constitute a civil wrong, for example, by trespassing on private property or threatening damage to a person unless information is provided
  • collecting information contrary to a court or tribunal order, for example, contrary to an injunction issued against the collector.

Disclose (information/records/data) – where Firstchance makes personal and sensitive information accessible to others outside Firstchance and releases the subsequent handling of the information from the effective control of Firstchance. The release may be a proactive release or publication, a release in response to a specific request, an accidental release, or an unauthorised release by an employee.

Data breach – may be one or more of the following:

  • Unauthorised access: when personal information held by Firstchance is accessed by someone who is not permitted to have access, including an employee, independent contractor, or an external third party (such as by hacking). Examples of unauthorised access include: an employee browsing sensitive customer records without any legitimate purpose, and a computer network being compromised by an external attacker.
  • Unauthorised disclosure: when Firstchance, whether intentionally or unintentionally, makes personal information accessible or visible to others outside Firstchance and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee, for example, accidentally publishing a confidential data file containing personal information of one or more individuals on the internet.
  • Loss: accidental or inadvertent loss of personal information held by Firstchance, in circumstances where it is likely to result in unauthorised access or disclosure, for example, where an employee leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) in a public location, or electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.

Family – refers to the parents/caregivers of the children or young people that receive support from Firstchance

Firstchance – all Firstchance Incorporated services and programs

Manager – refers to the General Manager or Program Manager, whichever is relevant in the context of the situation

OAIC – Office of the Australian Information Commissioner – a regulatory body with responsibilities and powers under the Privacy Act 1988, the Freedom of Information Act 1982 (FOI Act) and other related legislation. Its functions cover privacy, freedom of information (FOI), and government information management.

Primary Purpose – the specific function or activity for which Firstchance collects personal information

Pseudonym/pseudonymity – A pseudonym is a name, term or descriptor that is different to an individual’s actual name.

Secondary Purpose – is any purpose other than the primary purpose for which Firstchance collects the personal information

Serious harm – in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. For example, financial fraud including unauthorised credit card transactions or credit fraud; identity theft causing financial loss or emotional and psychological harm; family violence; and, physical harm or intimidation.

Staff – refers to employees and volunteers of the organisation

Supervisor – refers to all senior staff who are responsible for supervising one or more staff members

Visitor – any person who is visiting a Firstchance service who is not a staff member, client or family

Worker – anyone who is carrying out work, in any capacity, for Firstchance. This includes employees, contractors/subcontractors and their employees, labour hire employees engaged to work in the organisation, outworkers, apprentices, trainees, students on work experience and volunteers

 

 

Document review history

| Date | Section | Change |
|---|---|---|
| August 2014 | Definitions | Included definitions for “Collecting by Lawful means”, “Collecting by Fair means”, “Primary Purpose”, “Secondary Purpose” |
| | 3.3/3.4 | Inclusion of the term “fair” in relation to collecting information in a lawful and fair way |
| | 3.1.1 | Removal of Criminal History Check from list of personal information, as it is classified as sensitive information |
| | 3.7 | Inclusion of de-identifying documents |
| March 2015 | 3 | Working with Children Checks moved from Personal Information list in 3.1 to Sensitive Information list in 3.2 |
| | References | New Legislation – Disability Inclusion Act 2014; Removed Children Legislation Amendment (Wood Enquiry Recommendations) Act 2009 – repealed 29/10/14 |
| June 2016 | All | Removed any reference to Nominated or Certified Supervisor |
| | 4 | Removal of reference to NQS, EYLF and National Regulations as Firstchance is no longer a licenced service, Removed reference to Enrolment Policy and included Family Handbook |
| | 5 | Changed reference to Nominated Supervisor to Supervisor; Amended responsibility of all employees and Managers |
| | 3.10 | Removed reference to Centres |
| July 2018 | All | Most updates related to OAIC notifiable data breaches and responses. |
| | 3.1 | Added detail to definition of ‘personal information’ |
| | 3.1.2 | Deleted detailed list of client files – referred reader to Record Keeping and Retention Policy. |
| | 3.9 | New: ‘data breaches’ definition; managing breaches (referred to Data Breach Response Plan); eligible (notifiable) data breaches; notifying data breaches |
| | Related policies | Added: Complaints and Feedback procedures; Data Breach Response Plan; Work from Home/Remote Location Policy |
| | References | Added: OAIC documents (x 2) and Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) |
| | Definitions | Added: anonymity; disclose; data breach; OAIC; pseudonym/ pseudonymity; serious harm. |
| April 2019 | 3.5.5 | Addition to clause to cover General Data Protection Regulations for information gathered from website users |

 


[1] Privacy Act 1988, section 6.