Privacy & Confidentiality
Choices & Rights (38 634 087 899) and its related bodies corporate (referred to in this document as we, us or our) recognises that your privacy is very important and we are committed to protecting the personal information we collect from you. The Privacy Act 1988 (Cth) (Privacy Act), and the Australian Privacy Principles (APPs) govern the way in which we must manage your personal information and this policy sets out how we collect, use, disclose and otherwise manage personal information about customers/beneficiaries, family members of customers/beneficiaries, donors, members of the public and Choices & Rights’ workers (including volunteers, employees, delegates, candidates for volunteer work, and prospective employees).
The handling of some personal information by Choices & Rights is exempt from certain obligations under the Privacy Act where it directly relates to a current or former employment relationship, and an employee record held by us (where ‘employee record’ means a record of personal information relating to the employee’s employment). This will not apply to all Choices & Rights workers, as not all workers are employees.
Roles and responsibilities
CEO (Chief Executive Officer)
- Ensure policy is enacted appropriately.
Executive Leadership Team
- Ensure procedures are correctly followed.
Risk and Quality Manager
- Receive and respond to feedback related to Privacy and Confidentiality.
- Manage investigations, including where necessary, appointing relevant staff members to carry out investigations and report on findings.
- Complete all Privacy Training as directed by the organisation.
- Comply with Privacy related legislation as described in this procedure.
3.1.1 Types of information collected
We may collect and hold personal information about you (that is, information that can identify you) that is relevant to our functions and activities.
The kinds of information we collect from you depend on our relationship with you. Generally, however, we may collect your name, contact details, and other information relevant to providing you with the information, goods, and services you are, or someone else you know is, seeking.
If you are a customer/beneficiary, we will also generally collect your date of birth, gender, income, information on personal issues and experiences and relationships, family background and support, areas of interest, personal and emergency contact information, health and medical information, and bank account details. We may also collect photographs, videos, and other recordings of you where those assist us in providing you with services. In addition to health information, we are likely to collect and hold other sensitive information about you in providing you with services, including your racial or ethnic background, sexual orientation or practices, political opinions, and religious beliefs or affiliations.
If you are a donor, you may choose to provide us with demographic data, such as your date of birth, gender, income, and areas of interest. We use this information to help understand who engages with us.
If you are a worker, we will also generally collect your date of birth, personal information contained within an application and CV/resume, employment history, personal information derived from a reference, personal information derived from an interview, personal information derived through testing (including psychometric or aptitude testing), licences and other certificates and qualifications, and information included in a passport, birth certificate, visa or other documentation demonstrating a worker’s right to work in Australia.
If you are a current employee or volunteer, we will also generally collect information during the engagement and on-boarding process, bank account and superannuation fund information, tax file number, wage and entitlement information and other payroll information, driver's licence number, emergency contact information, information relating to your performance or conduct, information relating to your employment, training, disciplining, and resignation/termination, the terms and conditions applicable to you, and photographs, videos, and other recordings.
In addition, we are likely to collect and hold sensitive information about you during your employment, including health and medical information, racial or ethnic background, sexual orientation or practices, criminal record and other information provided in a police check, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, biometric information, and biometric templates.
3.1.2 Method of collection
We will generally collect personal information directly from you through a variety of avenues, including any of our standard forms, our assessment procedures for customers/beneficiaries, our volunteer and employment application process, registration, and attendance at our events, via emails or other communications, via phone, in person, via our surveys (where applicable), via our website (including online registration and contact forms), and social media accounts.
There may, however, be some instances where personal information about you will be collected indirectly because it is unreasonable or impractical to collect personal information directly from you. For example, we may collect personal information about customers/beneficiaries from responsible persons or other appointed attorneys for personal matters, approved family members, carers, other approved providers, or health service providers (approved third parties), and we may collect personal information about workers from referees when they provide references, academic institutions or training and certification providers, providers of licence and background-checking services, recruiters and other service providers who assist in the engagement process, and other publicly available sources such as social media platforms.
We will usually notify you about instances of collection from third parties in advance, or where that is not possible, as soon as reasonably practicable after the information has been collected.
If you are a customer/beneficiary, we will ask you or your authorised representative to identify any parties from whom you do not wish personal information to be collected. We will record this information in your file and will comply with your instructions to the extent permitted by law.
If we receive unsolicited information about you that we did not request and which is not directly related to our functions or activities, we may be required to destroy or de-identify that information, providing it is lawful and reasonable to do so.
3.1.3 Purpose of collection
The personal information we collect and hold about you depends on your interaction with us. Generally, we will collect, use, and hold your personal information if it is reasonably necessary for or directly related to the performance of our functions and activities and for the purposes of:
(a) providing information, goods and services to you or someone else you know.
(b) processing your donation or purchase and providing receipts and communicating with you about how your donation is used.
(c) facilitating our internal business operations, including:
(i) the fulfilment of any legal requirements.
(ii) establishing our relationship with you.
(iii) maintaining and managing our relationship with you and communicating with you in the ordinary course of that relationship (including responding to feedback or complaints).
(iv) maintaining and managing the engagement of a worker and terminating that engagement.
(v) organising and facilitating events.
(vi) analysing our goods and services, customer/beneficiary needs, and worker needs with a view to developing new or improved goods and services or business operations.
(vii) contacting you to provide a testimonial for us.
(d) providing you with information about other goods and services that we or our related entities and other affiliated organisations offer that may be of interest to you.
Except as otherwise permitted by law, we only collect sensitive information about you if you consent to the collection of the information and if the information is reasonably necessary for the performance of our functions, as set out above.
3.1.4 Anonymity/Pseudonymity and failure to provide information
If you would like to access any information or any of our goods and services on an anonymous basis or using a pseudonym, please tell us. If this is possible and lawful, we will take all reasonable steps to comply with your request. However, we may not be able to provide the information or goods and services in question if we are not provided with the personal information requested.
3.1.5 Internet users
If you access our website, we may collect additional personal information about you in the form of your IP address, browser type, and date and time of visit.
Our website may contain links to other websites. We are not responsible for the privacy practices of linked websites and linked websites are not subject to our privacy policies and procedures.
3.2 Use and Disclosure
Generally, we only use or disclose personal information about you for the purposes for which it was collected (as set out above). We may disclose personal information about you to:
(a) our workers, contractors, consultants, and other parties who require the information to assist us with facilitating our internal business processes, providing you with goods and services and information, and with establishing, maintaining, managing, or ending our relationship with you.
(b) our related entities to facilitate our and their internal business processes.
(c) if you are a customer/beneficiary: government departments and agencies, such as the NDIS Quality & Safeguards Commission, the Queensland Department of Communities, Disability Services and Seniors, and the Offices of the Public Guardian (Qld), who provide funding and other assistance in operating our business.
(e) third parties to whom you have agreed we may disclose your information or where the information was collected from you (or from an authorised discloser) for the purposes of passing it on to the third party.
(f) any other entity as otherwise permitted or required by law, including regulatory bodies such as WorkSafe.
If you are a customer/beneficiary, your personal information may also be disclosed to your approved third parties. We will ask you or your authorised representative to identify any parties to whom you do not wish personal information to be disclosed. We will record this information in your file and will comply with your instructions to the extent permitted by law. Photographs, videos, and other recordings taken of you to assist us in providing you with services will only be used internally and will not be disclosed to third parties without your consent, or where otherwise permitted or required by law.
We may expand or reduce our business and this may involve the sale and/or transfer of control of all or part of our business. Personal information, where it is relevant to any part of the business for sale and/or transfer, may be disclosed to a proposed new owner or newly controlling entity for their due diligence purposes, and upon completion of a sale or transfer, will be transferred to the new owner or newly controlling party to be used for the purposes for which it was provided. Additionally, in circumstances of a business sale, we are required under the FW Act to transfer employment records for each employee transferring to the new employer on request by the new employer. This will not apply to all Choices & Rights workers, as not all workers are employees.
Sensitive information (including health or medical information) is only used and disclosed for the purposes for which it was collected, unless your further consent is obtained, or otherwise as permitted or required by law. If we use your health information for internal research or statistical purposes, we will de-identify the information first.
3.2.1 Disclosure of personal information overseas
We are assisted by a variety of external service providers to operate our business, some of whom may be located overseas. These third parties are too numerous to list, and they change from time to time. Examples of these third parties, which include technology service providers who may be located in the United States of America, are Google Analytics and Microsoft Office 365.
You consent to this overseas disclosure and agree that by providing consent, APP 8.1 under the Privacy Act no longer applies, and we are not required to take reasonable steps.
We store your personal information in different ways, including in paper and in electronic form. The security of your personal information is important to us. We take all reasonable measures to ensure that your personal information is stored safely to protect it from interference, misuse, loss, unauthorised access, modification or disclosure, including electronic and physical security measures.
Personal information collected is hosted on third party data servers located within Australia. We take reasonable steps to ensure any third-party data storage suppliers we partner with have appropriate cyber and physical security controls in place.
Where personal information we hold is no longer necessary for our operations, we delete the information or permanently de-identify it, subject to specific laws in respect of data retention.
3.4 Access and Correction
You may access the personal information we hold about you, upon making a written request. We will respond to your request within a reasonable period. We may charge you a reasonable fee for processing your request (but not for making the request for access). For security reasons, you will be required to put your request in writing and provide proof of your identity. This is necessary to ensure that personal information is provided only to the correct individuals and that the privacy of others is not undermined.
Subject to our obligations under the FW Act (with respect to current and former employees), we may decline a request for access to personal information in circumstances prescribed by the Privacy Act, and if we do, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.
Employee records prescribed by the FW Act must be made available to an employee or their representative upon request. These employee records include general employment details, pay records, records relating to leave entitlements, records relating to superannuation contributions, records relating to individual flexibility arrangements, records relating to guarantees of annual earnings, and termination of employment records. Under the Fair Work Regulations 2009 (Cth), we must make a copy of an employee record available in a legible form for inspection and copying on request by an employee or former employee to whom the record relates. If the employee record is kept at the premises at which the employee works or the former employee worked, we will make a copy available at the premises within 3 business days after receiving a request, or will post a copy of the employee record within 14 days after receiving a request. If the employee record is not kept at the premises, we will, as soon as practicable after receiving a request, make a copy available at the premises or post a copy of the employee record to the employee or former employee. This paragraph will not apply to all Choices & Rights workers, as not all workers are employees.
It is essential that the information contained in our records is accurate, complete, and up to date. If, upon receiving access to your personal information or at any other time, you believe the personal information we hold about you is inaccurate, incomplete, or out of date, please notify us immediately. We will take reasonable steps to correct the information so that it is accurate, complete, and up to date.
If we refuse to correct your personal information, we will give you a written notice that sets out our reasons for our refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.
3.5 Collection of information
We are required by the Fair Work Act 2009 (Cth) (FW Act) to collect certain information about employees, including name, basis of employment, rate of pay, information about deductions and entitlements, superannuation fund details and information about our payments into that fund, and information relating to an employee’s termination. This information must be retained by Choices & Rights for a period of 7 years. This will not apply to all Choices & Rights workers, as not all workers are employees.
3.6 Complaints and Feedback
Address: 2 Walter Street, Logan Central, QLD 414
Email address: email@example.com
Calls to our telephone number can be made for a local call cost from fixed residential landlines anywhere in Australia. Calls from mobile and pay phones may incur higher charges. Check with your service provider for costings from mobile and pay phones.
For more information about privacy in general, you can visit the Office of the Information Commissioner’s website at www.oaic.gov.au.
If after this process you are not satisfied with our response, you can submit a complaint to:
- the Office of the Information Commissioner, Queensland. To lodge a complaint, visit the ‘Privacy complaints’ section of the Queensland Information Commissioner’s website, located at https://www.oic.qld.gov.au/about/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Queensland Information Commissioner’s office; or
- the Office of the Information Commissioner, Australia. To lodge a complaint, visit the ‘Complaints’ section of the Information Commissioner’s website, located at http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.
3.7 Changes and Updates
The Privacy Act 1988 (Cth)
Information Privacy Act 2009 (Qld)
Fair Work Act 2009 (Cth)