Privacy Policy

Policy Name: Privacy Policy
Policy Number: FCO-022
Date Approved: 15 April 2019
Approved By: Board of Management
Date Issued: 18 April 2019
Review Date: April 2022

Version 1.7
This version of the policy was approved 15 April 2019 and replaces the version approved 18 July 2018.

1. Aim

Firstchance is committed to protecting personal information in accordance with our obligations under the Privacy Act 1988 and related amendment legislation.

The purpose of this document is to outline how Firstchance will comply with these legislative requirements.

The supporting systems and procedures will ensure that there are some guidelines and consistency on the following:
- What kind of personal and sensitive information Firstchance collects and holds
- Why and how Firstchance collects, holds, uses and discloses personal and sensitive information
- How people can access or correct their personal and sensitive information held by Firstchance
- What kind of events are defined as data breaches and how Firstchance manages and reports data breaches
- How people can make a complaint about the way Firstchance collects, holds, uses or discloses personal and sensitive information, and how Firstchance deals with data breaches and privacy related complaints

2. Scope

This policy applies to all Firstchance stakeholders, including children, young people, families and all workers for Firstchance (employees, volunteers, students, contractors, and third parties/partners), community members, donors and sponsors.

3. Policy

This policy ensures that Firstchance manages personal and sensitive information in an open and transparent way (Australian Privacy Principle 1).

3.1. What is Personal Information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.[1]

Firstchance is aware that information that is not about an individual on its own can become personal information when combined with other information and that individual may then be ‘reasonably identifiable’; for example, the nature and amount of information, or who will access the information.

Personal information can be in any format, such as information that is shared verbally, captured digitally, recorded, or captured on signs. Examples of personal information Firstchance would collect include a person’s name, address, a photograph, details of education qualifications or an email address.

We will collect relevant information depending on your relationship with Firstchance. These are outlined in detail in the Record Keeping and Retention Policy, and include the following file types:
- Employee Records – personal information in relation to the employment of an individual
- Client Files – personal information collected from children/young people and their families to assist us in providing safe, relevant and effective advice and support in relation to early intervention strategies for children living with a disability
- Donor/Sponsor details – personal information collected from community members, workers and/or the families we support who provide financial or in-kind support to the work of Firstchance.

3.2. What is Sensitive Information?

Sensitive information can only be collected with the individual’s consent, and where it is reasonably necessary for Firstchance service, activities and functions (Australian Privacy Principle 3).

Sensitive information may include any of the following information or opinion about an individual:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual orientation or practices
- criminal record
- working with children check
- health information about an individual

3.3. Collection of personal information

Personal information will only be collected if it is reasonably necessary for Firstchance service, activities and functions (Australian Privacy Principle 3). Where possible, Firstchance will collect personal information directly from the individual it relates to (or their legal guardian). In some instances, Firstchance may need to obtain personal information from third parties, such as, the employment of an individual, where Firstchance may obtain work history information from a referee. Where reasonable, Firstchance will notify the individual that this personal information has been collected. Firstchance will only collect personal information by lawful and fair means (Australian Privacy Principle 3).

3.4. Unsolicited personal information

Should Firstchance receive personal information that they did not request and determine that they could not have obtained this information using the lawful and fair means identified in section 3.3, Firstchance will destroy this information (Australian Privacy Principle 4).

3.5. Use and disclosure

Personal information which is collected for the primary purpose of Firstchance service delivery, activities and functions will not be disclosed for secondary purposes unless the individual consents to the disclosure of the information; or the secondary purpose is directly related to the primary purpose; or the disclosure of information is required under Australian law (Australian Privacy Principle 6).

Firstchance will not disclose personal information, including sensitive information, for the purpose of direct marketing or fundraising without the consent of the individual (Australian Privacy Principle 7).

Firstchance will not disclose personal information to an overseas recipient unless required by Australian law (Australian Privacy Principle 8).

Firstchance will not adopt a government related identifier (such as a Medicare number) as a unique identifier, nor will we disclose any identifiers we store (Australian Privacy Principle 9).

General Data Protection Regulations (GDPR) - data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us.
In the case of this activity the following will apply:
- Your data will be made available to our website provider
- The data that may be available to them include any of the data we collect as described in this privacy policy.
- Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
- They will store your data for a maximum of 7 years.
- This processing does not affect your rights as detailed in this privacy policy.

3.6. Data Quality and Correction

Firstchance will take reasonable steps to ensure all personal information collected from stakeholders is accurate, complete and up to date. Parents/carers will be required to update their enrolment details annually, or whenever they experience a change in circumstances. Computer records will be updated as soon as new information is provided. If Firstchance discloses personal information we will reasonably ensure it is accurate and relevant as per our commitment to data quality (Australian Privacy Principle 10).

Similarly, should Firstchance believe that personal information stored is out of date, or an individual asks to update personal information, they will take reasonable steps to correct the information and will update computer records (Australian Privacy Principle 13).

3.7. Access and Correction

Where reasonable, Firstchance will allow individuals access to their personal information in a prompt and convenient manner (Australian Privacy Principle 12). Parents/carers wishing to access their personal information must make written application to the Program Manager, who will arrange an appropriate time for this to occur.
The Program Manager will protect the security of the information by checking the identity of the applicant, and ensuring someone is with them while they access the information to ensure the information is not changed or removed without the Program Manager’s knowledge.

If Firstchance believes that access to personal information: poses a risk to health and safety; unreasonably impacts the privacy of others; or relates to anticipated legal proceedings between Firstchance and the individual, Firstchance may reasonably refuse access and will outline the decision in writing.

3.8. Data Security

Firstchance is committed to securely storing personal and sensitive information we collect and will take all reasonable steps to prevent the unauthorised access, misuse, loss or disclosure of such information. If Firstchance no longer needs, or is no longer required under Australian law to store personal information, we will de-identify and/or destroy the information (Australian Privacy Principle 11).

If personal or sensitive information is used for evaluation, case studies or research, including in assessment tasks completed by student placements, documents provided will be de-identified.

Anonymity and pseudonymity: Individuals have the right to not identify themselves in relation to a matter, unless it is impractical to do so, or a law or court/tribunal order requires it, for example, mandatory reporting of suspected child abuse or neglect (Australian Privacy Principle 2).

3.9. Data Breaches

A data breach occurs when personal information held by Firstchance is subject to unauthorised access or disclosure or is lost.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.

Examples include loss or theft of physical laptops and storage devices or paper records, unauthorised access by an employee, or inadvertent disclosure of personal information due to ‘human error’ (e.g., email sent to the wrong person).

Management of data breaches: Firstchance has a Data Breach Response Plan covering how data breaches are assessed and managed; staff roles and responsibilities; how data breaches are recorded and reviewed; how to improve information security because of a breach; and, notifying data breaches.

Eligible (notifiable) data breaches: Firstchance may notify certain data breaches to the OAIC and to individuals about whom the personal information relates. ‘Eligible data breaches’ occur when all three of the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by Firstchance (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- Firstchance has been unable to prevent the likely risk of serious harm with remedial action.

Notifying data breaches: The method Firstchance will use to notify individuals will depend on the type of data breach and who it affects. We may notify each individual to whom the relevant information relates, notify only individuals at risk of serious harm, or publish a notification (e.g. on the Firstchance website). Any notification will not identify specific individuals who accessed information unless it is relevant to the steps Firstchance recommends individuals might take in response.

3.10. Complaints

This policy is available to all stakeholders in an appropriate form and/or as requested by an individual.
The Privacy Policy is available on the Firstchance website – firstchance.org.au – or a copy can be emailed or posted upon request. There is no fee to view this policy.

The Program Manager will deal with privacy complaints promptly and in a consistent manner, following the Firstchance Complaints and Feedback procedures. Where the aggrieved person is dissatisfied after going through the complaints process, they should refer to the Office of the Australian Information Commissioner (OAIC) website oaic.gov.au and submit a Privacy Complaint Form. Alternatively, they should phone the hotline on 1300 363 992.

3.11. Advocacy/legal advice/independent support

Firstchance welcomes the inclusion of support for families which is external to the organisation, to assist families in their interactions with Firstchance. Assistance may be provided by a friend, family member, staff member, translator, community visitor, advocate or anyone else who is acceptable to the family / person. Where necessary, Firstchance will offer assistance to a family by making a referral to an advocacy service with the consent of the family.

4. Related Policies

This policy must be read in conjunction with the following policies and procedures:
- Child Protection Policy
- Complaints and Feedback procedures
- Data Breach Response Plan
- Family Handbook
- Family Law and Access Policy
- Medical Conditions Policy
- Record Keeping and Retention Policy
- Social Networking Usage Policy
- Work from Home/Remote Location Policy

5. References

Disability Service Standards
- Standard 1 – Rights

OAIC
- Australian Privacy Principles (OAIC, 2015)
- Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (OAIC, 2018)
- What is personal information? (OAIC, 2018)

Other references
- United Nations Convention of the Rights of a Child

Legislation
- Children and Young Persons (Care and Protection) Act 1998 (NSW)
- Disability Inclusion Act 2014 (NSW)
- Freedom of Information Act 1989 (Cth)
- Privacy Act 1988 (Cth)
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

6. Persons Responsible

All employees are responsible for:
- Implementing this policy
- Recording documentation in an accurate and strengths based way
- Maintaining Privacy and Confidentiality responsibilities as outlined in their employment contract
- Ensuring security of all family and staff information
- Ensuring that changes to enrolment and other relevant information about children/young people and parent/carers is updated in the service records
- Reporting all data breaches immediately as outlined in the Data Breach Response Plan

Supervisors are responsible for:
- Ensuring staff under their supervision are implementing this policy in their daily practice
- Supporting and directing staff in relation to reporting data breaches

Managers are responsible for:
- Responding to requests from parents/carers and workers to see information held about themselves
- Coordinating the Enrolment process for all clients
- Organising for Confidentiality Forms to be signed by volunteers/students

Board of Management are responsible for:
- Approval of this policy.

7. Definitions

Anonymity – means that an individual dealing with Firstchance cannot be identified and Firstchance does not collect personal information or identifiers.

APP entities – refers to the organisations and Australian Government agencies that the Australian Privacy Principles (APP) apply to, including Firstchance.

Board of Management – the governing body of Firstchance, comprised of elected or appointed members who jointly oversee the activities and legal responsibilities of the organisation

Collecting by Fair means - a ‘fair means’ of collecting information is one that does not involve intimidation or deception, and is not unreasonably intrusive. Whether a collection uses unfair means will depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if undertaken in connection with a fraud investigation.

The following are given as examples of where a collection of personal information may be unfair (some may also be unlawful):
- collecting from a file dumped by accident on a street, or from an electronic device which is lost or left unattended
- collecting from an individual who is traumatised, in a state of shock or intoxicated
- collecting in a way that disrespects cultural differences
- misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
- collecting by telephoning an individual in the middle of the night
- collecting by deception, for example, wrongly claiming to be a police officer, doctor or trusted organisation.

Collecting by lawful means – The term ‘lawful’ is not defined in the Privacy Act. It is lawful for an organisation to destroy or de-identify unsolicited personal information if it is not unlawful to do so. That is, if the destruction or de-identification is not criminal, illegal or prohibited or proscribed by law.
Unlawful activity does not include breach of a contract. Examples of collection that would not be lawful include:
- collecting via computer hacking
- collecting using telephone interception or a listening device except under the authority of a warrant
- requesting or requiring information in connection with, or for the purpose of, an act of discrimination
- collecting by a means that would constitute a civil wrong, for example, by trespassing on private property or threatening damage to a person unless information is provided
- collecting information contrary to a court or tribunal order, for example, contrary to an injunction issued against the collector.

Disclose (information/records/data) – where Firstchance makes personal and sensitive information accessible to others outside Firstchance and releases the subsequent handling of the information from the effective control of Firstchance. The release may be a proactive release or publication, a release in response to a specific request, an accidental release, or an unauthorised release by an employee.

Data breach – may be one or more of the following:
- Unauthorised access: when personal information held by Firstchance is accessed by someone who is not permitted to have access, including an employee, independent contractor, or an external third party (such as by hacking). Examples of unauthorised access include: an employee browsing sensitive customer records without any legitimate purpose, and a computer network being compromised by an external attacker.
- Unauthorised disclosure: when Firstchance, whether intentionally or unintentionally, makes personal information accessible or visible to others outside Firstchance and releases that information from its effective control in a way that is not permitted by the Privacy Act.
This includes an unauthorised disclosure by an employee, for example, accidentally publishing a confidential data file containing personal information of one or more individuals on the internet.
- Loss: accidental or inadvertent loss of personal information held by Firstchance, in circumstances where it is likely to result in unauthorised access or disclosure, for example, where an employee leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) in a public location, or, electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.

Family – refers to the parents/caregivers of the children or young people that receive support from Firstchance

Firstchance – all Firstchance Incorporated services and programs

Manager – refers to the General Manager or Program Manager, whichever is relevant in the context of the situation

OAIC – Office of the Australian Information Commissioner – a regulatory body with responsibilities and powers under the Privacy Act 1988, the Freedom of Information Act 1982 (FOI Act) and other related legislation. Its functions cover privacy, freedom of information (FOI), and government information management.

Primary Purpose – the specific function or activity for which Firstchance collects personal information

Pseudonym/pseudonymity – A pseudonym is a name, term or descriptor that is different to an individual’s actual name.

Secondary Purpose – is any purpose other than the primary purpose for which Firstchance collects the personal information

Serious harm – in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
For example, financial fraud including unauthorised credit card transactions or credit fraud; identity theft causing financial loss or emotional and psychological harm; family violence; and, physical harm or intimidation.

Staff – refers to employees and volunteers of the organisation

Supervisor – refers to all senior staff who are responsible for supervising one or more staff members

Visitor – any person who is visiting a Firstchance service who is not a staff member, client or family

Worker – anyone who is carrying out work, in any capacity, for Firstchance. This includes employees, contractors/subcontractors and their employees, labour hire employees engaged to work in the organisation, outworkers, apprentices, trainees, students on work experience and volunteers

Document review history

| Date | Section | Change |
| August 2014 | Definitions | Included definitions for “Collecting by Lawful means”, “Collecting by Fair means”, “Primary Purpose”, “Secondary Purpose” |
| August 2014 | 3.3/3.4 | Inclusion of the term “fair” in relation to collecting information in a lawful and fair way |
| August 2014 | 3.1.1 | Removal of Criminal History Check from list of personal information, as it is classified as sensitive information |
| August 2014 | 3.7 | Inclusion of de-identifying documents |
| March 2015 | 3 | Working with Children Checks moved from Personal Information list in 3.1 to Sensitive Information list in 3.2 |
| March 2015 | References | New Legislation – Disability Inclusion Act 2014. Removed Children Legislation Amendment (Wood Enquiry Recommendations) Act 2009 – repealed 29/10/14 |
| June 2016 | All | Removed any reference to Nominated or Certified Supervisor |
| June 2016 | 4 | Removal of reference to NQS, EYLF and National Regulations as Firstchance is no longer a licenced service, Removed reference to Enrolment Policy and included Family Handbook |
| June 2016 | 5 | Changed reference to Nominated Supervisor to Supervisor; Amended responsibility of all employees and Managers |
| June 2016 | 3.10 | Removed reference to Centres |
| July 2018 | All | Most updates related to OAIC notifiable data breaches and responses. |
| July 2018 | 3.1 | Added detail to definition of ‘personal information’ |
| July 2018 | 3.1.2 | Deleted detailed list of client files – referred reader to Record Keeping and Retention Policy. |
| July 2018 | 3.9 | New: ‘data breaches’ definition; managing breaches (referred to Data Breach Response Plan); eligible (notifiable) data breaches; notifying data breaches |
| July 2018 | Related policies | Added: Complaints and Feedback procedures; Data Breach Response Plan; Work from Home/Remote Location Policy |
| July 2018 | References | Added: OAIC documents (x 2) and Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) |
| July 2018 | Definitions | Added: anonymity; disclose; data breach; OAIC; pseudonym/ pseudonymity; serious harm. |
| April 2019 | 3.5.5 | Addition to clause to cover General Data Protection Regulations for information gathered from website users |

[1] Privacy Act 1988, section 6.