ATTACHMENT 7: Australian Privacy Principles
The commonwealth government made extensive amendments to the Privacy Act 1988 (Cth) with effect from 12 March 2014. Under these changes, organisations with an annual turnover greater than $ 3 million are required to comply with 13 new Australian Privacy Principles (APPs), which replace the current National Privacy Principles (NPPs). (ELAA advises services to seek specific advice from a legal professional about whether their organisation needs to comply with the Australian Privacy Principles)
From 12 March 2014, the APPs will apply to all existing and future collections of personal information. This means, that all existing arrangements for collecting, and handling personal information in services to which the old NPPs applied must be reviewed by services to ensure they comply with the new APPs.
Type of personal and health information to be collected
The service will only collect the information needed, and for which there is a legitimate purpose related to the service’s functions and/or legislative, regulatory or funding obligations.
The type of information collected and held by the service includes (but is not limited to) personal information, including health information, regarding:
- children and parents/guardians prior to and during the child’s attendance at the service (this information is collected in order to provide and/or administer services to children and parents/guardians)
- job applicants, employees, members, volunteers and contractors (this information is collected in order to manage the relationship and fulfil the service’s legal obligations)
- contact details of other parties that the service deals with
The service will collect information on the following identifiers (refer to Definitions):
- information required to access the Kindergarten Fee Subsidy for eligible families (refer to Fees Policy)
- tax file number for all employees, to assist with the deduction and forwarding of tax to the Australian Tax Office – failure to provide this would result in maximum tax being deducted
- for childcare services only: Customer Reference Number (CRN) for children attending childcare services to enable the family to access the Commonwealth Government’s Child Care Benefit (CCB) – failure to provide this would result in parents/guardians not obtaining the benefit.
The service will not use these government related identifiers as its own identifier of the individual unless it is required or authorised by law or a court order.
Method of collecting personal and health information
Personal and health information about individuals, either in relation to themselves or their children enrolled at the service, will generally be collected directly via forms filled out by parents/guardians. Other information may be collected from job applications, face-to-face interviews and telephone calls. Individuals from whom personal information is collected will be provided with a copy of the service’s Privacy Statement (Attachment 4).
When the service receives personal information about an individual in relation to themselves or children enrolled at the service from a source other than directly from the individual or the parents/guardians of the child concerned, the person receiving the information will notify the individual, or the parents/guardians of the child to whom the information relates, of receipt of this information. The service will advise that individual of their right to request access to this information. Access will be granted in accordance with the relevant legislation.
When the service receives unsolicited personal information about an individual, it will destroy the information if it is of the view that it could not have collected the information about the individual under the APP if it had solicited the information.
Wherever it is lawful and practicable, individuals will have the option of not identifying themselves or using a pseudonym when entering into transactions with Ivanhoe Children's Community Cooperative.
Use and disclosure of personal information
Use of information
The service will use personal information collected for the primary purpose of collection (refer to the table below). The service may also use this information for any secondary purposes directly related to the primary purpose of collection, to which the individual has consented, or could reasonably be expected to consent.
The following table identifies the personal information that will be collected by the service, the primary purpose for its collection and some examples of how this information will be used.
|Personal and health information collected in relation to:||Primary purpose of collection:||Examples of how the service will use personal and health, (including sensitive) information include:|
|Children and parents/guardians||
|The Approved Provider if an individual, or members of the Committee of Management/Board if the Approved Provider is an organisation||
|Job applicants, employees, contractors, volunteers and students||
Disclosure of personal information, including health information
The service may disclose some personal information held about an individual to:
- educators at the service for the purpose of providing care and education to the child, and other related on and off site activities such as excursions etc.
- government departments or agencies, as part of its legal and funding obligations
- local government authorities, in relation to enrolment details for planning purposes
- organisations providing services related to staff entitlements and employment
- insurance providers, in relation to specific claims or for obtaining cover
- law enforcement agencies
- health organisations and/or families in circumstances where the person requires urgent medical assistance and is incapable of giving permission
- anyone to whom the individual authorises the service to disclose information.
Individuals aggrieved about the use of personal information collected by the service or concerned about the breach of the Australian Privacy Principles that applies to the service may complain to the service through its complaints processes (Refer to Complaints and Grievances Policy)
Disclosure of sensitive information (Privacy Principle 10)
The service will only collect sensitive information about an individual with the individual’s consent, and only if it is reasonably necessary for the provision of the service to children or their families. Sensitive information (refer to Definitions) will be used and disclosed only for the purpose for which it was collected or a directly related secondary purpose, unless the individual agrees otherwise, or where the use or disclosure of this sensitive information is allowed by law.
The service will take reasonable steps to ensure that the personal information it collects, uses and/or discloses is accurate, up-to-date, relevant and complete.
Integrity, storage and security of personal information
In order to protect the personal information from misuse, loss, unauthorised access, modification or disclosure, the Approved Provider and staff will ensure that, in relation to personal information:
- access will be limited to authorised staff, the Approved Provider or other individuals who require this information in order to fulfil their responsibilities and duties
- information will not be left in areas that allow unauthorised access to that information
- all materials will be physically stored in a secure cabinet or area
- computerised records containing personal or health information will be stored safely and secured with a password for access
- there is security in transmission of the information via email, fax or telephone, as detailed below:
- emails will only be sent to a person authorised to receive the information
- faxes will only be sent to a secure fax, which does not allow unauthorised access
- telephone – limited and necessary personal information will be provided over the telephone to persons authorised to receive that information
- transfer of information interstate and overseas will only occur with the permission of the person concerned or their parents/guardians, and the service will ensure that it will take reasonable steps to ensure that the overseas or interstate recipient does not breach the APPs in relation to the information.
Disposal of information
Personal information will not be stored any longer than necessary.
In disposing of personal information, those with authorised access to the information will ensure that it is either shredded or destroyed in such a way that the information is no longer accessible.
Access to personal information
Accessto information and updating personal information
Individuals have the right to ask for access to personal information the service holds about them without providing a reason for requesting access. An individual has the right to:
- request access to personal information that the service holds about them
- access this information
- make corrections if they consider the data is not accurate, complete or up to date.
The service can refuse access to personal information under the following circumstances:
- giving access would be unlawful, or prejudice any enforcement related activities conducted by or on behalf of an enforcement body
- denying access is required or authorised by or under an Australian law or a court/tribunal order
- the request is frivolous or vexatious
- providing access would have an unreasonable impact on the privacy of other individuals
- providing access would pose a serious threat to the life or health of any person
- the service is involved in the detection, investigation or remedying of serious improper conduct against an individual and providing access would prejudice that process or outcome
- the information relates to existing or anticipated legal proceedings between the service and the individual and would not be accessible by the process of discovery in those proceedings
- giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations
- giving access would reveal commercially sensitive information about the service, or information in relation to a commercially sensitive decision making process.
Process for considering access requests
A person may seek access, to view or update their personal or health information:
- if it relates to their child, by contacting the Nominated Supervisor
- for all other requests, by contacting the Approved Provider/secretary.
Personal information may be accessed in the following way:
- view and inspect the information
- take notes
- obtain a copy.
Individuals requiring access to, or updating of, personal information should nominate the type of access required and specify, if possible, what information is required. The Approved Provider will endeavour to respond to this request within 45 days of receiving the request.
The Approved Provider and employees will provide access in line with the privacy legislation. If the requested information cannot be provided, the reasons for denying access will be given in writing to the person requesting the information.
In accordance with the legislation, the service reserves the right to charge for information provided in order to cover the costs involved in providing that information.
The privacy legislation also provides an individual, about whom information is held by the service, the right to request the correction of information that is held. The service will respond to the request within 45 days of receiving the request for correction. If the individual is able to establish to the service’s satisfaction that the information held is incorrect, having regard to the purpose for which it is held, the service will endeavour to correct the information. The service will notify any other entity to which it has provided that information in accordance with the legislation, of the correction.