Referring Policy: Privacy and Confidentiality Policy
Purpose
- To describe how personal information is managed to ensure compliance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cwlth) and the Information Privacy Principles (IPPs) contained in the Information Privacy Act 2009 (Qld).
- This procedure applies to all permanent and casual employees of CGQ, as well as contractors, employment agency staff, sub-contractors, work experience students and volunteers.
Procedure
Privacy and Confidentiality Policy
- The Privacy and Confidentiality Policy must remain clear and up-to-date.
- The Privacy and Confidentiality Policy must contain the information required by APP 1.4.
- The Privacy and Confidentiality Policy must be available free of charge. Reasonable steps must be taken to give the document on request in the form requested.
Anonymity and Pseudonymity
- Individuals are not permitted to remain anonymous or use a pseudonym as to do so would be impracticable for the effective operation of the business and for the effective delivery of services.
Collection
- Only personal information that is required for the effective operation of the business and for the effective delivery of service is collected from tenants, employees, volunteers, members and Directors. If the personal information is not required by Common Ground Queensland (CGQ), it should not be collected.
- Personal information is only collected by lawful and fair means on forms contained in or referenced by the CGQ Management System. The design and availability of such forms is subject to the approval process as defined in the Document Control Procedure. As such, there is control over what information is actually collected.
- Meetings with tenants or potential tenants are held in offices where privacy is maintained. Personal information is only collected directly from the tenant or potential tenant (unless it is unreasonable or impracticable to do so).
Unsolicited Personal Information
- If it has collected unsolicited personal information, CGQ will make a determination as to whether it could have collected the information under APP 3.
- If CGQ makes a determination that it could not have collected unsolicited personal information, it will destroy or de-identify the information as soon as practicable and lawful.
Notification of Collection
- In compliance with APP 5, CGQ will notify individuals if personal information is collected (and of certain other matters detailed in APP 5.2) via a Notification of Collection of Personal Information.
Disclosure of Personal Information for a Secondary Purpose
- CGQ will not use or disclose personal information for any other purpose unless:
  - consent has been given by the individual, or
  - the individual would reasonably expect CGQ to disclose the information for another purpose which is directly related/related to CGQ’s primary purpose, or
  - CGQ is required or authorised by law and/or under the Privacy Act 1988 (Cwlth) or Information Privacy Act 2009 (Qld).
Marketing
- CGQ may use personal information for marketing and fundraising purposes but only with the individual’s consent or where an individual would reasonably expect CGQ to use their information for these purposes.
- An individual may request CGQ not to send direct marketing or reveal the source of the information behind direct marketing. CGQ must give effect to this request as soon as possible. There is no fee involved in giving effect to this request.
Overseas Disclosure
- Personal information will not be disclosed to overseas recipients.
Government Related Identifiers
- CGQ will not adopt, use or disclose the government related identifier of an individual.
Consent to Gain and Release Personal Information
- Tenants are requested to sign an Authority to Request or Disclose Personal Information to External Parties Form when applying for tenancy at any CGQ facility. Personal information is collected from and shared with other domestic agencies only where written consent has been provided and only when information sharing is essential for effective service provision.
- Tenants can withdraw or modify consent at any time.
Quality of Information
- CGQ will take reasonable steps to ensure that the personal information that it collects, uses, or discloses (in the case of use or disclosure, having regard to the purpose of the use or disclosure) is accurate, up-to-date and complete.
Storage and Security
- Individual tenant files are established in both electronic and hard copy formats.
- Paper files are secured in locked filing cabinets in offices of the appropriate employees. These are locked outside of business hours.
- Electronic information is stored on dedicated file servers with controlled network access. Electronic information is secured to the extent that only network users with a valid username and password can access electronic records. Certain parts of the file system such as employee records and tenant records are available only to those employees with the appropriate access requirements.
- In the event that CGQ discontinues providing housing services, all records will be kept securely for a period of 12 months at which time they will be confidentially destroyed.
- Hard copy of tenant records will be kept in a secure location for 12 months after a lease has expired or terminated.
Access
- All tenants, employees, volunteers, members and Directors have the right to access information about them that is held by CGQ (including documents containing personal information).
- Information requested by an individual is provided within 48 hours of receipt of the request in the manner requested by the individual (if reasonable and practicable). If access cannot be given in the manner requested, CGQ will take reasonable steps to give access in a way that meets the needs of CGQ and the individual.
- There is no fee involved in the retrieval of any documents.
Correction
- CGQ must ensure that personal information it holds about an individual is up-to-date, accurate, complete and relevant. This includes responding appropriately to requests for correction by individuals.
- A response to a request to correct information by an individual is provided within 48 hours of receipt of the request. Notice that satisfies APP 13.3 must be provided if the request is denied.
- A statement will be associated with any personal information that is subject to a correction request so that the users of personal information are aware that a correction request has been made in respect of that personal information.
- There is no fee involved in the correction of any information.
- If required by APP 13.2, CGQ must take reasonable steps to notify other APP entities of the correction of personal information.
Compliance
- Privacy and confidentiality matters should be a recurrent item on CGQ’s board and managerial agenda.
- Employees and volunteers should be aware of CGQ’s commitment to managing an individual’s personal information in an open and transparent way and the need to maintain an individual’s privacy regarding their personal information.
- Appropriate training and education should be made available to employees and volunteers to ensure CGQ’s obligations are understood.
- Furthermore, management should ensure that a culture of compliance and adherence to privacy policies and obligations is cultivated.
Referenced Documents
- Authority to Request or Disclose Personal Information to External Parties Form
- Document Control Procedure
- Information Privacy Act 2009 (Qld) (Information Privacy Principles)
- Notification of Collection of Personal Information
- Privacy Act 1988 (Australian Privacy Principles)
- Privacy and Confidentiality Policy
Version 8.0