The Management Committee of SAF is committed to protecting the privacy of personal information which the organisation collects, holds and administers. Personal information is information which directly or indirectly identifies a person.
SAF collects and administers a range of personal information for a variety of reasons. The organisation is committed to protecting the privacy of personal information it collects, holds and administers.
SAF recognises the essential right of individuals to have their information administered in ways which they would reasonably expect – protected on one hand and made accessible to them on the other. These privacy values are reflected in and supported by our core values and philosophies.
SAF is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles as minimum standards in relation to handling personal information:
- Collect only information which the organisation requires for its primary function;
- Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered;
- Use and disclose personal information only for our primary functions or a directly related purpose, or for another purpose with the person’s consent;
- Store personal information securely, protecting it from unauthorised access; and
- Provide stakeholders with access to their own information, and the right to seek its correction.
SAF’s Management Committee is responsible for developing, adopting and reviewing this policy.
SAF’s CEO is responsible for the implementation of this policy, for monitoring changes in Privacy legislation, and for advising on the need to review or revise this policy as and when the need arises.
COLLECTION
SAF will:
- Only collect information that is necessary for the performance and primary function of Stretch-A-Family
- Notify stakeholders about why we collect the information and how it is administered
- Notify stakeholders that this information is accessible to them.
USE AND DISCLOSURE
- Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose
- For other uses, SAF will obtain consent from the affected person.
SAF will: Take reasonable steps to ensure the information the organisation collects is accurate, complete, up to date, and relevant to the functions we perform.
DATA SECURITY AND RETENTION
- Safeguard the information we collect and store against misuse, loss, unauthorised access and modification
- Only destroy records in accordance with the organisation’s Archiving Policy.
- Make this information freely available in relevant publications and on the organisation’s website.
ACCESS AND CORRECTION
SAF will: Ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date.
SAF will: Give stakeholders the option of not identifying themselves when completing evaluation forms or opinion surveys.
MAKING INFORMATION AVAILABLE TO OTHER ORGANISATIONS
- Only release personal information about a person with that person’s express permission. For personal information to be released, the person concerned must sign a release form.
- Release information to third parties where it is requested by the person concerned.
NOTIFIABLE DATA BREACHES
Commencing on 22 February 2018 there are changes to the Privacy Act 1988 which make it compulsory for SAF to notify data breaches to the Office of the Australian Information Commissioner (OAIC) and individuals affected by the breach.
According to the Act, an eligible data breach occurs when:
- There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information that SAF holds;
- This is likely to result in serious harm to one or more individuals; and
- SAF has not been able to prevent the likely risk of harm with remedial action.
“Serious harm” can be psychological, emotional, physical, reputational or financial harm.
If remedial action is taken that prevents the likelihood of serious harm, then the breach is not an eligible data breach. For breaches where personal information is lost, the remedial action is adequate if it prevents the unauthorised access or disclosure of personal information.
HOW TO RESPOND TO A DATA BREACH
Where an eligible data breach is suspected, SAF must:
- Carry out a risk assessment to determine whether the breach is a notifiable breach
- Prepare a statement to the OAIC:
  - Identifying SAF and providing contact details
  - Describing the eligible data breach
  - Outlining the nature of the breach
  - Detailing the steps needed to respond to the breach.
- Submit the statement to the OAIC
- Contact all affected individuals directly, or indirectly by publishing information about the eligible data breach on publicly accessible forums.
Documentation and Record Keeping Policy; Archiving and Record Keeping Procedure; Commercial Confidentiality Policy; Employee Reference Policy.
CEO Maria Maxwell
20th March 2018