Policies

Catherine House Inc. Privacy Policy (current as of October 2020)

Purpose

This policy outlines a framework with clear guidelines for all engaged in Catherine House activities to ensure all those who use or interact with its services are treated with respect, observing their rights to privacy and confidentiality and the safeguarding of their personal information or any other information that they entrust to Catherine House.

Scope

This Policy applies to all persons engaged in the activities of Catherine House (including volunteers) and includes activities at, or on behalf of, Catherine House including social and fundraising functions and where these persons are engaged in the collection, holding, use and disclosure of personal information to carry out Catherine House services and activities.

Definitions

Australian Privacy Principles – (APPs) 13 principles (replacing the Information Privacy Principles and National Privacy Principles) and formed as part of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.  The APPs regulate the collection, holding, management, use, disclosure or transfer of personal information by Australian Government agencies and some private sector organisations. 

Client/Customer – A person utilising, or who has utilised, a Catherine House Service, or program.

Collection – The act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.  This does not include the receipt of unsolicited information.

Consent – Free and informed agreement with what is being done or proposed.  Consent can be either expressed or implied.  Expressed consent is given explicitly, either orally or in writing.  Expressed consent is unequivocal and does not require any inference on the part of the organisation seeking consent.  Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Correct – In relation to personal information, means to alter that information by way of amendment, deletion or addition.

Data breach – A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers an organisation or agency, they must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm.

Direct marketing – Direct marketing involves the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services.  A direct marketer may communicate with an individual through a variety of channels, including telephone, SMS, mail, email and online advertising.

Disclosure   – Making personal information available to others outside the organisation, other than the subject of the information.  Disclosure includes publication of personal information through any medium.

Enforcement agency

• The Australian Federal Police; or
• A police force or service of a State or Territory; or
• The National Crime Authority; or
• A crime commission; or
• An agency, to the extent that is responsible for administering; or
• Performing a function, under a law imposing a penalty or sanction; or the extent that it is responsible for the administration of a law relating to the protection of public revenue.

Identifier – An identifier assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation, but does not include the individual’s name.

Information Sharing Guidelines for Promoting Safety and Wellbeing (ISG) – Overarching principles and practice developed by an inter-agency committee of the SA Government and NGO representatives, and endorsed by State Cabinet in October 2008. They apply throughout the public sector and to relevant non-government organisations for the provision of care to all vulnerable people, including all adults irrespective of their status as parents or caregivers, children, young people and their families.  By sharing information and collaborating in the planning and delivery of services, efforts to keep vulnerable people safe from harm can happen earlier and more effectively. The ISG define the process for doing so.

Office of the Australian Information Commissioner (OAIC) – The independent national regulator for privacy and freedom of information under the Privacy Act 1988. The OAIC promotes and upholds rights to access government-held information and to have personal information protected.

Organisation – An association, business, charitable organisation, club, government body, institution, professional practice, union, corporation, group of bodies corporate that are related within the meaning of the Corporations Law, or any other collective entity.  ‘Organisation’ includes a sole trader or other individual (for example, a professional or freelance consultant) in his or her business capacity.

Personal information – Information (e.g. name, contact details, signature, photo, financial details) or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. This does not include information contained in a generally available publication.

Privacy Act 1988 – An Australian law which regulates the handling of personal information about individuals.  This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information. (Catherine House employee records, including past employee records and records relating to the operation of the service, including confidential communications between employees and professional advisers (e.g. legal advisors) in relation to employment matters are exempt from the Privacy Act and this policy does not apply to those records.)

Sensitive information – Information revealing racial or ethnic origin, political opinion, religious beliefs or affiliations, philosophical beliefs, membership of a political, professional or trade association or trade union, or details of sexual preference or practices, criminal record or health information about an individual.

Reasonable steps – Such steps (if any) as are, in the circumstances, reasonable.

Seriously improper conduct – Corruption, a serious abuse of power, a serious dereliction of duty, or

any other seriously reprehensible behaviour.

Subject of the information – In relation to personal information, this term means the individual to whom the information relates.

Third party – In relation to personal information, a person or body other than the organisation

holding the information and the individual who is the subject of the information.

Use – Refers to the treatment and handling of personal information within an organisation.

Policy Statement

Catherine House will respect and will hold as paramount the privacy rights of all persons engaged with Catherine House activities unless there are specific law enforcement, public health or public safety circumstances.  At all times Catherine House will balance the rights of individuals to maintain control over their personal information and its various moral, legal and professional obligations and will comply with the requirements of the Privacy Act 1988 and the Australian Privacy Principles as best privacy practices.

Policy Principles

Catherine House will:

1. Ensure that the collection, use, maintenance and disclosure of personal information by Catherine House will comply with the requirements of the Privacy Act 1988 and associated Australian Privacy Principles.

2. Collect personal information and maintain records for its own purposes and proper administration at all times endeavouring to only collect information needed to provide a service to clients or to carry out a particular function or activity.

3. Ensure personal information will be stored securely and will only be accessed by those in the organisation who have:

• a clear role in providing the service, function or activity
• a quality assurance responsibility i.e. auditing, supervision
• an administrative role related to records management

4. Ensure that personal information is maintained of the highest quality and that information is accurate, up to date, complete and relevant with a strong emphasis on consent and openness, within a confidentiality framework.

5. Ensure all engaged with Catherine House activities that involve collection, use and disclosure of personal information held by Catherine House are familiar with the Privacy Act 1988 and the Australian Privacy Principles and adhere to these.
6. Apply the Australian Privacy Principles in the following manner:

Open and transparent management of personal information (APP1, APP5)

• Catherine House will only collect information that is necessary for the service it provides.
• Catherine House will tell the client its purpose and what is intended to be done with information.
• Where practicable Catherine House will collect personal information directly from the client.
• Catherine House will always take reasonable steps to let a client know what type of personal information it holds, for what purposes and how it collects, holds, uses and discloses that information.
• The Catherine House Privacy Policy is available from the website at catherinehouse.org.au and is available in hard copy upon request for any Catherine House clients and other interested individuals.

Anonymity of personal information (APP2):

• In exceptional circumstances and where safe to do so, Catherine House may be able to give clients the option of not providing some or all of their personal details.

Sensitive Information (APP3):

• If Catherine House collects information about a client from someone else, permission will be sought from the client beforehand, unless where legislation prevents this.
• Catherine House will inform the client of the limits of confidentiality with regards to legal requirements of mandatory reporting and information sharing without consent.

Use and Disclosure of personal information (APP3, APP6):

• Catherine House will ask clients to document their consent to the release of information to allow for disclosure of information where jointly deemed appropriate. This consent will be specific and will include a timeframe after which consent will expire.
• Catherine House will only use or disclose information about clients in ways that are consistent with their expectations (informed consent) or where there is a legislative or legal requirement to do so.
• Catherine House will seek and respect the client’s informed consent for the sharing of information in all situations unless:
  • It is unsafe or impossible to gain consent or consent has been refused and
  • Without information being shared, it is anticipated that the client, or a child, young person or a member of the client’s family, will be at risk of serious harm, abuse or neglect, or poses a risk to their own or public safety.
• Catherine House will seek specific client permission for participation in research or other publications. This permission must be given in writing.
• While not all Catherine House workers are Mandatory Notifiers of Child Abuse under the Child Protection Act 1993 (SA), Catherine House requires all workers to report reasonable suspicion of child abuse/neglect.
• Catherine House also has a duty of care to other agencies and will only disclose information should there be an issue in relation to a threat to the safety of staff, volunteers, clients and members of the community.
• Catherine House will take steps to protect client privacy if personal information is sent about them to a third party.

Unsolicited personal information (APP4)

• Catherine House will destroy or de-identify as soon as practicable, if it is lawful and reasonable to do so unless otherwise consented by the provider, any unsolicited personal information or other basic information received that is not reasonably necessary for, or directly related to service delivery.
• Catherine House will not disclose or retain information collected indirectly in any way without consent unless the law requires it to be so used, disclosed or retained.

Direct marketing (APP 7)

• Catherine House will not use client information for direct marketing purposes, unless the information has been de-identified and is accompanied by written client consent.
• Catherine House will provide an individual with the option to not receive direct marketing communications when providing personal information for other purposes and will comply with such requests. This will be in a simple easy to read form.
• Catherine House will not provide personal information collected to third parties for use by the third party for their direct marketing purposes.
• Catherine House will not retain credit card and financial information once processed and will destroy as soon as practicable in a secure manner.

Cross-border disclosure of personal information (APP8)

• Catherine House does not send personal information to a third party in foreign countries.

Adoption, use or disclosure of government related identifiers (APP9):

• Catherine House will limit the use of identifiers that government agencies have assigned to clients and will not use or disclose them unless:
  • It is necessary to fulfil the obligations to the agency that assigned the identifier or,
  • If it is required or authorised by or under an Australian law or a court/tribunal order.

Quality of personal information (APP10):

• Catherine House will take reasonable steps in the circumstances to ensure that personal information is accurate, complete and up to date, both for internal use and for the purpose of disclosure as relevant to the purpose. This includes maintaining and updating personal information when advised that personal information has changed, and at other times as necessary.

Security of personal information (APP11):

• Catherine House will ensure reasonable steps are taken to protect personal information of all records, whether electronic or otherwise, held from misuse, interference and loss from unauthorised access, modification or disclosure.

Access to personal information (APP12):

• Wherever it is legally and ethically possible Catherine House will give clients access to their personal information, which the organisation holds about them, if requested to do so and with due process.

Correction of personal information (APP13):

• Clients have the right to have amended, if incorrect, information that Catherine House holds about them, unless doing so would be unreasonable or unsafe.
• Catherine House will respond to a request within 30 days.
• Catherine House will take reasonable steps to correct personal information held if it is considered incorrect, unless there is a law that allows or requires this not to be done.

Responsibilities

Applicable Legislation and Standards

Privacy Act 1988 – Commonwealth

 Privacy Amendment (Private Sector) Act 2000 – Commonwealth

Australian Privacy Principles Guidelines, Office of the Australian Information Commissioner (Privacy Act 1988 – Commonwealth) https://www.oaic.gov.au/assets/privacy/app-guidelines/app-guidelines-july-2019.pdf

Information Privacy Principles 1992 – South Australia

Information Sharing Guidelines for Promoting the Safety and Wellbeing of Children, Young People and their Families (ISG) – South Australia

www.privacy.gov.au is the Website for the Office of the Australian Information Commissioner

Other Related Documents

CH Client Records Policy

CH Security Policy

CH Human Resources Policies and Guidelines

CH Code of Conduct

CH Information Sharing Guidelines Appendix

CH Child Safe Environments Policy

Distribution

All persons engaged with Catherine House activities will receive a copy of this Policy.

Development and Review

Catherine House  Inc. and CHT Company  Ltd. Whistleblower Protection Policy (current as of June 2020)

Catherine House Disability Access and Inclusion Plan 2020 – 2023