1 Collection of Information (APP3 - 5)
1.1 The personal information that ChangePath may request from a person will depend on the type of relationship the person has with ChangePath, for example, whether the person is an officer, employee, volunteer or donor.
1.2 It is ChangePath’s usual practice to collect personal information directly from the person.
1.3 Where a person is not able to provide the information, ChangePath may collect the information from another person who has legal responsibility for the person.
1.4 ChangePath allows people to have the opportunity to remain anonymous or to use a false name, except where it is not practical to do so (APP2).
1.6 ChangePath only collects personal information for purposes directly related to our activities (APP3), such as:
- responding to enquiries about our services; and
- administrative activities.
1.7 ChangePath may also collect personal information in its normal communications, including when a person:
- emails officers or employees;
- phones ChangePath as we may store their phone number on our telephone system;
- provides us with their business card.
1.8 ChangePath will endeavour to store personal information securely. Backups of electronic information may be kept with a third party storage provider.
1.9 There are some circumstances where ChangePath may receive personal information that it has not asked for. When this happens, ChangePath will decide whether or not we could have collected the information from that person, if we had asked. ChangePath may use or disclose that information to help us make that decision (APP4).
1.10 If allowed to, ChangePath will destroy or de-identify the information (APP4) if:
- ChangePath decides that we could not have collected the personal information if we had asked the person; and
- the personal information is not found in a Commonwealth record.
1.11 ChangePath does not sell, loan or give away any information that we collect.
1.12 Before, at the time of, or as soon as possible after ChangePath collects personal information, it takes steps to tell or make sure that the person whom it is about, is aware of the following:
- who ChangePath is and how to contact us;
- the fact that ChangePath has collected the information, if it was collected from someone else and how it was collected;
- whether the collection of the information is allowed under an Australian law or a court/tribunal order;
- the reasons why ChangePath collected the information;
- what will happen if the information is not collected;
- whether there is anyone else that ChangePath usually discloses personal information to including whether ChangePath is likely to disclose the personal information to anyone overseas; and, if yes, the countries in which those people are located (APP5);
2 Use and Disclosure of Information (APP6)
2.1 ChangePath only holds personal information for the primary purpose it was given to us. It is not to be used or disclosed to anyone else for a secondary purpose unless one of the following applies:
- the person has agreed;
- the person would expect ChangePath to use or disclose the personal information for the secondary purpose as it relates to the primary purpose;
- it is required or authorised by law;
- a permitted general situation exists (see s.16A of the Privacy Act);
- a permitted health situation exists (see s.16B of the Privacy Act), in which case, steps must be taken to de-identify the information before it is disclosed.
2.2 ChangePath believes that the use or disclosure of the information is necessary for an enforcement related activity (e.g.: Federal Police, Immigration, ATO) (APP6).
3 Direct Marketing (APP7)
3.1 ChangePath will not use or disclose personal information for use in direct marketing.
3.2 Exceptions include where a person has agreed to, or would expect ChangePath to use or disclose the information for direct marketing.
3.3 ChangePath will provide an easy way for the person to request not to receive direct marketing and will include a prominent statement that the person may make such a request.
3.4 A person may ask how ChangePath got their information. ChangePath will give them that information at no charge and within a reasonable timeframe.
4 Cross Border Disclosure (APP 8)
4.1 Before ChangePath discloses personal information about a person to someone who is not in Australia, it will make sure that the person overseas does not breach the APPs in relation to the information.
4.2 Exceptions include:
- if ChangePath believes that the overseas person is subject to a law that can protect the information in a way that is similar to the APPs;
- if the person agrees to the disclosure, after being told about this APP;
- the disclosure of the information is required by law;
- a permitted general situation exists (see s.16A of the Privacy Act);
- the disclosure of the information is required under an inter-Australian agreement; or
- ChangePath believes that the disclosure of the information is necessary for enforcement related activities.
4.3 ChangePath may disclose personal information about a person to officers resident in the United Kingdom or the United States of America, if required for the uses outlined in this policy.
5 Adoption, Use or Disclosure of Government Related Identifiers (APP9)
5.1 ChangePath will not adopt a government related identifier of a person (e.g.: Medicare or Driver’s Licence number) as its own identifier of that person unless it is allowed to do so.
5.2 ChangePath will not use or disclose a government related identifier of a person unless:
- it is necessary for ChangePath to verify the identity of the person;
- it is necessary for ChangePath to fulfil its obligations to an agency or a State or Territory authority;
- it is required by law or a court/tribunal order;
- a permitted general situation exists (see s.16A of the Privacy Act); or
- ChangePath believes it is necessary for an enforcement related activity.
6 Quality of Personal Information (APP 10)
6.1 ChangePath takes reasonable steps to make sure that the personal information it collects is accurate, up to date and complete.
6.2 ChangePath takes reasonable steps to make sure that the personal information that it uses or discloses is, considering the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
6.3 These steps include maintaining and updating personal information when we are advised by a person that their personal information has changed.
7 Security of Personal Information (APP 11)
7.1 ChangePath takes steps to protect the personal information it holds against misuse, interference, loss, unauthorised access, modification or disclosure. These steps include password protection for electronic files, securing paper files in locked cabinets and physical access restrictions.
7.2 When it is no longer required, personal information is destroyed, deleted or deidentified in a secure manner, unless ChangePath is required by law to keep the information (APP12).
7.3 If a person asks for access to their personal information held by ChangePath, we will allow access unless there is a reason under the Privacy Act or any other law not to give access to the information. These reasons include:
- a serious threat to the life, health or safety of any individual, or to public health/safety;
- it would impact on the privacy of other individuals;
- the request is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings;
- it would prejudice negotiations with the individual;
- it would be unlawful;
- denying access is authorised by law;
- unlawful activity, or serious misconduct relating to ChangePath’s functions may be engaged in and giving access would prejudice the taking of appropriate action;
- enforcement related activities may be prejudiced; or
- evaluative information generated within ChangePath in connection with a commercially sensitive decision-making process may be revealed.
7.4 ChangePath will respond to the request for access to the personal information within a reasonable time and will give access in the way requested by the person, if it is able to do so.
7.5 If ChangePath refuses to give access to the information or to give access in the way requested by the person, it will take steps to give access in a way that meets both its needs and those of the person, including through the use of a mutually agreed intermediary.
7.6 If ChangePath does not agree to provide access to personal information, we will advise the person in writing of the reasons why and how to complain about the refusal.
7.7 There is no fee for making a request to access personal information and any fee charged by ChangePath will not be excessive (e.g.: copying charges).
7.8 Further information about how to request access to the information we hold about a person can be obtained by contacting the Chief Privacy Officer. Further, anyone may seek advice from the Australian Information Commissioner by calling 1300 363 992 or by email: firstname.lastname@example.org
8 Correction (APP13)
8.1 ChangePath will take reasonable steps to correct personal information that it holds if:
- it is satisfied that, considering the purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
- the person requests that ChangePath correct the information.
8.2 If ChangePath corrects personal information that it previously disclosed to someone else, if requested, it will take reasonable steps to notify the other person of the correction.
8.3 If ChangePath refuses a request to correct the personal information, it will give the person a written notice that sets out the reasons for the refusal and how they may complain about the refusal.
8.4 Where ChangePath refuses a request to correct the personal information, the person may request that it associate or attach a statement that the information is inaccurate, out-of date, incomplete, irrelevant or misleading. ChangePath will take reasonable steps to associate or attach the statement so that it can be seen by anyone using the information.
8.5 If ChangePath is asked to correct personal information, it will respond within a reasonable time and will not charge the person for making the request, for making the correction or for associating the statement with the information.
9.1 Officers, employees, contractors and volunteers who may have access to personal and sensitive information in the course of their duties are bound by their commitment to confidentiality.
9.2 Breaches of confidentiality by officers, employees, contractors and volunteers will be dealt with in accordance with the conditions of appointment of those individuals and ChangePath’s policy.
10 Requesting Access or Change to Information
10.1 The request should be made in writing and directed to:
Chief Privacy Officer
10.2 You should expect a response within 7 days of the request being received. You will be advised of the time it may take to provide the information, or if there is any reason why the information cannot be provided or changed in accordance with your request. If you have requested access to information, you will also be advised of how you may need to access the information.
10.3 Generally the information will be available free of charge, unless substantial copying is required, in which case, ChangePath may request a reasonable fee to cover the cost of copying.
11 Complaints or Concerns in Relation to Privacy
11.1 If you have a complaint in relation to privacy, it should be made in writing, directed to:
Chief Privacy Officer
11.2 You should expect an acknowledgement within 7 days of the complaint or concern being received. You will be advised of how your complaint or concern will be dealt with.
11.3 Your complaint or concern will be investigated by the Chief Privacy Officer in consultation with the Chief Executive.
11.4 You will receive written advice of the response to your concern or complaint, or advice of further processes required, within 28 days.
11.5 If ChangePath’s response is not acceptable to you, we may suggest conciliation or arbitration on the matter. You may also make a formal complaint to the Australian Information Commissioner by calling 1300 363 992 or by email: email@example.com