V360 Australia Ltd.
Privacy Policy Statement
Purpose
V360 Australia Limited (V360) is strongly committed to ensuring that it collects and uses personal and sensitive information in accordance with privacy laws as part of the services it offers. V360 places great importance on protecting the privacy of its employees, valued clients and other stakeholders. Further, the Australian Privacy Principles, which were established by the Privacy Act 1988, apply to V360.
Therefore, this policy relates to personal and sensitive information collected through the course of V360’s services or by any other means and assumes that the information is acquired from an Australian resident.
The purpose of this policy is to:
- Give individuals a better and more complete understanding of the kinds of personal information that V360 collects and holds
- Clearly and concisely communicate how and when personal information is collected, disclosed, used, stored and otherwise handled by V360
- Inform individuals about the purposes for which V360 collects, holds, uses and discloses personal information
- Provide individuals with information about how they may access their personal information and seek correction of their personal information
- Provide individuals with information about how they may make a complaint and how V360 will deal with any such complaint
- Advise individuals of the circumstances in which V360 is likely to disclose personal information to overseas recipients
- Enhance the transparency of V360’s operations
Policy Statement
This policy sets out how V360 will comply with its obligations under the Privacy Act 1988 (Cth). V360 is bound by the Australian Privacy Principles, which regulate how V360 may collect, use, disclose and store personal information, and how individuals may access and correct personal information held about them.
V360 will ensure that all employees are aware of and understand V360’s obligations and their own obligations under the Act and are provided with training to enable them to fulfil these obligations. V360 will also achieve this through maintaining internal policies and processes to prevent personal information being collected, retained, shared/exchanged, accessed or disposed of improperly. For the purpose of this policy, the following terms will have the following meanings, as attributed to them by Section 6 of the Act:
Health information means:
(a). Information or an opinion about:
(i) The health or disability (at any time) of an individual
(ii) An individual’s expressed wishes about the future provision of health services to him or her
(iii) A health service provided, or to be provided, to an individual that is also personal information.
(b). Other personal information collected to provide, or in providing, a health service;
(c). Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; and
(d). Genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Sensitive information means:
(a). Information or an opinion about an individual’s:
(i) Racial or ethnic origin
(ii) Political opinions
(iii) Membership of a political association
(iv) Religious beliefs or affiliations
(v) Philosophical beliefs
(vi) Membership of a professional or trade association
(vii) Membership of a trade union
(viii) Sexual orientation or practices
(ix) Criminal record.
(b). Health information about an individual;
(c). Genetic information about an individual that is not otherwise health information;
(d). Biometric information that is to be used for the purpose of automated biometric verification or biometric identification; and
(e). Biometric templates.
Collection of Personal Information
Personal information collected by V360 will usually fall into one of the following categories:
- Individuals information submitted and obtained from either the individual, family and/or other sources
- During interviews conducted by employees during case management
- Information provided by other stakeholders
- Staff information such as next of kin, contact telephone numbers or email addresses and tax file number
- Information obtained to assist in managing individuals and services relationships
- Information collected as part of V360’s normal communication processes, including when an individual emails V360; when an individual telephones V360, or when an individual hands an V360 representative their services card
Sensitive information collected by V360 will usually fall into one of the following categories:
- Medical/physiology/psychological disclosures during interviews
- Stakeholders (medical, psychological or physiology, other government agencies) assessment or orders
- Criminal history or intervention orders
Where practicable, V360 collects personal information directly from the individual. However, due to the nature of V360’s services (i.e. we work with third-party stakeholders), e.g. medical, psychological and psychological practitioners, personal information is provided to V360 by these stakeholders. The third party stakeholder collecting and exchanging the information have an obligation to advise the individual, about whom information is being exchanged with V360; and has the consented to collect and exchange such information. Only in circumstances where “sensitive information” has been provided to V360 by the third party stakeholders will V360 be required to seek direct consent from the individual to retain or use this information. Sometimes V360 will collect personal information from a third party or a publicly available source (social media) if it is unreasonable or impracticable to collect the personal information directly from the individual. V360 does not collect personal information unless it is reasonably necessary for, or directly related to, one or more of V360’s functions or activities. Where personal information is sensitive information, V360 will only collect that information where:
- It is reasonably necessary for one or more of V360’s functions or activities; and
- The individual consents to the collection of the information; or
- V360 is required or authorised by law to collect the sensitive information
If V360 receives personal information that it did not solicit from an individual and if V360 determines that it could not have lawfully collected that information as part of its functions or activities, then V360 will (if it is lawful and reasonable) destroy the information or ensure that its contents cannot be identified.
An individual may choose to deal with V360 anonymously or under a pseudonym where lawful and practical. Where anonymity or the use of a pseudonym will render V360 unable to provide the relevant service or reasonably conduct services, V360 may request that the individual identify himself or herself. For example, it would not be practical to deal with an individual anonymously if V360 is providing assistance in dealing with Government Agencies and/or Federal/State Police.
Use and disclosure of Personal Information
- Employee management
- Occupational safety and health
- Medical/psychological assessments/counselling
- DVA claim assistance
- Counselling services
- Services under the National Disability Insurance Scheme (NDIS)
- Training/education
- Client and services relationship management
- Research
V360 will only use and disclose personal information for the primary purpose for which it was initially collected, or for purposes which are directly related to one of V360’s functions or activities.
V360 will not disclose personal information about an individual to government agencies, private sector organisations or any third parties unless one of the following applies:
- The individual has consented
- The individual would reasonably expect, or has been told, that information of that kind is usually passed on to those individuals, bodies or agencies
- It is otherwise required or authorised by law
- Were fraud is suspected of being committed
- It is reasonably necessary for enforcement-related activities conducted by, or on behalf of, an enforcement body (e.g. police, government department, government agency)
- Where suspected self or harm to others may occur.
The collection by and use of personal information by third parties may be subject to separate privacy policies and/or the laws of other jurisdictions. V360 may transfer personal information to overseas countries including, but not limited to New Zealand in order to perform one or more of V360’s functions or services. In these circumstances, V360 will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.
Like many other services in Australia V360 has Memorandum of Understanding (MOU) about some of its services and/or relies on third-party stakeholders to provide specialised services such as employment services, cloud computing technology and data storage services, legal advice, financial services, medical/physiology/psychological services and advice. If personal information is provided to these suppliers and contractors in order to enable them to perform the agreed tasks, V360 will take reasonable measures to ensure that the stakeholder handles the personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
V360 will also require all stakeholders to provide privacy undertakings and enter confidentiality agreements where suppliers and contractors may have access to personal information. V360 will take active steps to ensure that all transfers of personal information to a stakeholders and use of such information by a third party is secure and compliant with the Privacy Act 1988 (Cth). For example, all out going email transmissions from V360 are SSL encrypted. However, V360 will not be held responsible for the theft of data by a third party, or the consequences resulting from the loss of data where that loss is associated with technical malfunction, computer viruses, third-party interference or any action or event that is beyond the reasonable control of V360.
Accuracy of Personal Information
V360 will ensure that all personal information it collects uses and/or discloses is accurate, complete and up-to-date. Please contact V360’s Administration Officer (contact information below) if you are aware of any personal information that does not meet this objective.
If V360 is aware that it holds personal information that (having regard to the purpose for which it was collected) is inaccurate, out of date, incomplete, or irrelevant, it will take reasonable steps to correct that information. An individual may also seek access to, and correction of, personal information held by V360 in accordance with the “Access to Personal Information” procedures, set out below.
Security
V360 is committed to keeping personal information secure and safe. Security measures are in place to protect information from unauthorised access, modification or disclosure and loss, misuse and interference. V360 will review and update these measures from time to time to ensure security is maintained. In addition, personal information and sensitive information held by V360 will be destroyed or have identification removed when it is no longer needed for a purpose for which it was initially collected.
Personal information may be stored in documentary form, but will generally be stored electronically on V360’s software or systems. V360 maintains physical security over its documentary and electronic data stores by using locks and security systems. Although V360 takes all reasonable steps to secure personal information from loss, misuse and unauthorised access, there is an inherent risk of loss of, misuse of or unauthorised access to such information. V360 will not be held responsible for such actions where the security of the personal information is not within V360’s control or V360 cannot reasonably prevent such an incident.
Protecting and Storing Personal Information
V360 is committed to keeping personal information secure and safe. Some of the ways we do this are:
- Requiring employees and stakeholders to enter into confidentiality agreements
- Secure hard copy document storage (i.e. storing hard copy documents in locked filing cabinets)
- Security measures for access to computer systems
- Password protected data storage devices such as lap-tops, tablets and smart-phones
- Providing a discreet environment for confidential discussions
- Access control for our buildings including waiting room/reception protocols and measures for securing premises when unattended
- Security measures for our websites
Roles and Responsibilities
- All V360 employees and stakeholders are aware of their responsibility to comply with the Privacy Act 1988 (Cth)
- V360 will ensure that all employees required to manage personal information are appropriately trained and supervised
- V360 will conduct regular reviews to ensure that personal information is managed correctly
- Breaches of policy or personal information management processes will be dealt with appropriately
- V360 will provide appropriate assistance to individuals and relevant third parties to make enquiries regarding personal information management
- Personal information will be retained according to the requirements of the Privacy Act 1988 (Cth)
Access to Personal Information and Correction
An individual may request access to personal information that V360 holds about them. The procedure for requesting and obtaining access is:
- All requests for access to personal information must be made in writing and must be addressed to V360’s Administration Officer (see below for contact details). All requests should specify how the information is proposed to be accessed (photocopies, electronic copy, or visual sighting)
- Any party making a request must provide as much detail as possible regarding the V360 department or person to whom it believes the personal information has been provided and when (this will allow V360 to process requests more efficiently)
- V360 will acknowledge a request within 14 days of the request being made
- Access will usually be granted within 14 days of V360’s acknowledgement; if the request cannot be processed within that time for whatever reason, V360 will let the party who has made the request the anticipated time-frame for a response to be provided
- The party making the request will need to verify identity and authority before access to personal information is granted
- V360 may charge a reasonable fee for access to personal information, which will be notified and required to be paid prior to the release of any information
- Once the request has been processed by V360, the party making the request will be notified of V360’s response and proposal for suitable access (provision of photocopies, digital copies or visual sighting, where appropriate)
- V360 may refuse to grant access to personal information under certain circumstances (see below)
- If, as a result of access being granted, you are aware that V360 holds personal information that you regard as being no longer accurate or incorrect, you may request the deletion or correction of such information
- Upon receipt of a request to correct or delete personal information, V360 will either make such corrections or deletions or provide written reasons as to why it declines to make such alterations (see below)
Under the Act, V360 may refuse to grant access to personal information if:
- V360 believes that granting access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
- Granting access would have an unreasonable impact upon the privacy of other individuals
- Denial of access is required or authorised by law or by a court or tribunal order
- Giving access would be unlawful
- The request for access is frivolous or vexatious
- Legal proceedings are under way or anticipated and the information would not be accessible by way of the discovery process in those proceedings
- Giving access would reveal the intentions of V360 in relation to negotiations between V360 and the party making the request in such a way as to prejudice those negotiations
- Giving access is likely to prejudice enforcement-related activities conducted by, or on behalf of, an enforcement body
- Giving access is likely to prejudice action being taken or to be taken with respect to suspected unlawful activity or serious misconduct relating to V360’s functions or activities
- Giving access would reveal information in connection with a commercially sensitive decision-making process
If V360 does not agree to make a correction to personal information, the party making the request may provide a statement about the requested corrections and V360 will ensure that the statement is apparent to any users of the relevant personal information.
If V360 does not agree to provide access to personal information or to correct the personal information, V360 will provide the party making the request with written reasons for the refusal and the mechanisms available to complain about the refusal.
Privacy Officer
V360 has a designated Administration Officer who is responsible for the management of:
- Requests for access to personal information
- Complaints regarding V360’s management of personal information
- Coordination of staff training
For information regarding privacy, contact details for V360’s Administration Officer are:
Administration Officer
PO BOX 194
DIANELLA WA 6059
info@v360.org.au
Complaints
If you consider that there has been a breach of the Australian Privacy Principles, you are entitled to complain to V360. All complaints are to be in writing and directed to the Administration Officer. The Administration Officer will acknowledge receipt of a written complaint within seven business days.
V360’s Administration Officer will investigate the complaint and attempt to resolve it within 21 business days after the written complaint was received. Where it is anticipated that this time-frame is not achievable, V360 will contact the person making the complaint to provide an estimate of how long it will take to investigate and respond to it.
If the complaint resides around the Administration Officer or they are unable to deal with it as a matter ‘conflict of interest’, then the Executive Committee will appoint another employee to deal with the complaint.
If an individual considers that V360 has not adequately dealt with a complaint, he or she may complain to the Privacy Commissioner:
Officer of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
enquiries@oaic.gov.au
1300 363 992
Legislative/Certification Requirements
Australian Privacy Principles – Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
- Principle 1 – Open and transparent management of personal information
- Principle 2 – Anonymity and pseudonymity
- Principle 3 – Collection of solicited personal information
- Principle 4 – Dealing with unsolicited personal information
- Principle 5 – Notification of the collection of personal information
- Principle 6 – Use or disclosure of personal information
- Principle 7 – Direct marketing
- Principle 8 – Cross-border disclosure of personal information
- Principle 9 – Adoption, use or disclosure of government-related identifiers
- Principle 10 – Quality of personal information
- Principle 11 – Security of personal information
- Principle 12 – Access to personal information
- Principle 13 – Correction of personal information
Refer to Privacy Fact Sheet 17 for further details on the 13 Australian Privacy Principles.
Disability Service Standards – V360’s Privacy Policy fulfils the requirements of the Australian Disability Service Standards, Standard 4 – Privacy, Dignity and Confidentiality.
Communication and Review
This policy is to be reviewed as follows:
- Annually (as a minimum)
- Following an information security incident
- Following significant changes to V360 systems
- Following changes to the relevant state/territory and Commonwealth legislation
Reviews examine the appropriateness of this Privacy Policy, taking into consideration corporate, system and compliance requirement changes since the last review was undertaken.
Monitoring and Training
Compliance with this Privacy Policy is subject to internal and regulatory audit. V360 will comply with all reporting requirements of the Act as they exist from time to time.
All staff will receive training with regard to privacy and the application of this Privacy Policy as part of their corporate induction.