Transition Village Wallan (TVW) is committed to protecting the privacy of personal information which the organisation collects, holds and administers. Personal information is information which directly or indirectly identifies a person.
The purpose of this document is to provide a framework for TVW in dealing with privacy considerations.
TVW collects and administers a range of personal information for the purposes of providing transitional housing assistance, training, holding community events and administering campaigns.
TVW is bound by laws which impose specific obligations when it comes to handling information. These laws are serious, and failure to comply can result in civil penalties of up to $2.1 million. As such, the organisation has adopted the following principles as minimum standards for handling personal information:
- Collect only information which we require for our primary function;
- Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered;
- Use and disclose personal information only for our primary functions or a related purpose, or for another purpose with the person’s consent;
- Store personal information securely, protecting it from unauthorised access; and
- Provide stakeholders with access to their own information, and the right to seek its correction.
The following documents form part of this policy:
- Privacy Statement, which is included on our webpage(s)
- Data breach notification protocol
PRIVACY STATEMENT
This Statement describes how TVW will collect and use your private and confidential information. Protecting your privacy and personal information is an important part of how we manage our services and campaign work.
TVW has obligations, and you have rights, under Commonwealth and Victorian privacy law. Privacy laws apply when we collect, use, disclose and dispose of your personal information. Personal information includes information that identifies you or could identify you, for example, your name, address or phone number, or identifying details from your client file.
As a service provider our staff are required to comply with all legislation and guidelines that provide for confidentiality and privacy of service users, colleagues and volunteers.
Collection of personal information
We collect personal information both directly from you (by telephone, email, online or face to face) and from third parties in the course of providing our services. With your informed consent we may also collect sensitive information, including information about your financial affairs.
Our website (www.tvw.org.au) is hosted in Australia.
Tracking & Cookies Data
Cookies are small data files, which may include a unique identifier that does not by itself name you. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies, such as beacons, tags and scripts, are also used to collect and track information and to improve and analyse our Service.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
- Session Cookies. We use Session Cookies to operate our Service.
- Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
- Security Cookies. We use Security Cookies for security purposes.
Some information about your visits to our site is recorded and used for statistical and systems administration purposes. To the extent that these records might allow us to identify you, we would not do so unless required by law.
Our websites do not collect or record personal information, other than information you choose to provide, for example, through our enquiries and email fields. Email addresses and any other contact details you provide to us will not be added to a mailing list without your consent.
Use and disclosure of personal information
We will generally only use personal information about you, or disclose it to third parties, for the purposes of providing you with a service, or, if you agree, referring you to other organisations.
We will sometimes use case studies based on the experience of our clients to explain what our service does, or to convince the government or other relevant organisations that laws and/or industry practices need to change to address homelessness effectively. Any case study relating to your matter will not identify you or your particular matter unless we have obtained your consent. If you tell us that you do not want your personal information to be used for a particular purpose, we will honour that request.
We are required to provide some information to funding agencies, whose use of it is governed by their own privacy policies, and these include procedures to ensure that small cohort reporting does not identify individuals. We do not provide funding agencies identifying information such as your name or address.
We may use the information you have provided us to monitor and evaluate the effectiveness of our service. This includes file review and risk management purposes, including review by an audit committee. We may also seek your consent for us or a third party to contact you to participate in research or other evaluation activities. You do not need to give your consent to this and we will provide you with the same services whether or not you provide such consent.
We may also use or disclose personal information to third parties if required to do so by law, or in emergencies where the life, health or safety of any person is at risk.
All of the personal information we hold is hosted on servers located in Australia. However, in the course of providing some internet services, including web analytics, some information may be held or processed outside Australia, most likely in Singapore and the USA. Otherwise, we will not disclose personal information to overseas recipients other than at your express request.
Data quality, access and correction
We take all reasonable steps to ensure that personal information is accurate, complete, up to date and relevant, and generally ‘fit for purpose’. You can assist us by notifying us promptly of any changes or relevant new information. You have the right under privacy law to see any personal information that TVW holds about you, and to seek correction if you believe it is wrong.
We will take reasonable steps to ensure that the personal information held by TVW is protected from misuse, loss and from unauthorised access, modification and disclosure. You should however be aware that there are risks involved in transmitting personal information over the internet or by email.
Please tell us if you have any privacy or safety concerns about us leaving a message for you, especially if our message mentions TVW or your enquiry. In particular, please tell us if you have any concerns about us leaving that type of message:
- as a voice message on your land-line or mobile phone;
- by text to your mobile phone;
- with someone who answers your phone; or
- by email.
This might be a risk for you, for example, if you are experiencing family violence, or if other people can access your phone, voicemail or email.
Keeping your information
We will take reasonable steps to de-identify or destroy personal information once it is no longer needed. Personal information kept in our electronic files will be kept for at least seven years after we close your file, and may be kept for longer. We will return any of your original documents in our possession when your matter is finalised.
Enquiries or complaints
If you have any concerns about our use of your information, please discuss these with us. We will always try to resolve them with you. You can contact us, make a complaint, or seek more details about our website or our privacy policies by:
- Emailing us at firstname.lastname@example.org
- Writing to:
Transition Village Wallan
36 Hadley Drive
WALLAN VIC 3756
You have the right to complain about alleged breaches of privacy to the Office of the Australian Information Commissioner (OAIC). See www.oaic.gov.au or call 1300 363 992.
DATA BREACH PROTOCOL
The Notifiable Data Breaches (NDB) Scheme, which came into effect on 22 February 2018, imposes requirements on organisations that already have obligations to secure personal information under the Privacy Act 1988. The NDB Scheme was introduced to strengthen protections for personal information and to allow individuals to take steps to protect their information following a breach or suspected breach.
Under the scheme, applicable organisations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when there has been an eligible data breach, that is, a data breach of personal information that is likely to result in serious harm to the individuals whose information is involved. Where a breach is only suspected, the organisation must assess it to decide whether it is eligible. The NDB Scheme applies to TVW.
Data breach: when personal information held by TVW is disclosed accidentally, lost, or accessed without permission. This can be the result of human error, or of malicious action by an employee or an external party.
Examples include where a secure IT system containing personal information has been hacked, a storage device being lost by an employee, or an employee accidentally releasing personal information to the wrong person.
Personal information: ‘Information about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.’
Personal information includes a person’s health information, tax file number, and information about racial or ethnic origin, sexual orientation or criminal record.
When staff have reason to believe there has been a data breach, they should inform the CEO immediately.
At this time, details such as when and how the breach was discovered, and by whom, should be recorded in the Complaints and Breach Register.
As soon as a breach or suspected breach has been identified, any steps to contain or limit the potential harm should be taken. This may include shutting down a system that has been breached, or recovering any records.
The CEO or their delegate will complete a preliminary assessment of the breach and take any immediate action to contain the breach if possible.
If the preliminary assessment finds that further investigation and assessment is necessary to understand the nature and extent of the breach, it will be escalated to the Executive Board. Together or individually, they will work to gather information, assess risks and the likelihood of serious harm from the breach, and therefore whether it is an ‘eligible’ (notifiable) breach.
To evaluate whether a known data breach is notifiable, consider the following three questions:
- Has there been unauthorised access, unauthorised disclosure, accidental loss, or theft of personal information that TVW holds?
For example, our database is hacked, a portable storage device containing personal information is lost, or the organisation accidentally releases personal information to the wrong person.
- Is it likely that this may result in serious harm to individual/s whose data has been breached?
This can include, but is not limited to, psychological, financial, emotional, physical or reputational harm. Accurately assessing the likelihood and seriousness of harm requires looking at the context: what information was involved, how sensitive it is, and how it may have been breached.
For information about the factors to consider when deciding whether harm is likely and/or serious, refer to section 26WG of the Privacy Act 1988.
- Does the likelihood of serious harm remain despite taking available remedial action?
The obligation to notify the OAIC does not arise if the organisation takes remedial action quickly enough that serious harm is no longer likely to occur.
If the answer to all three questions is yes, the breach is an eligible data breach and we are required to notify the OAIC and any affected individuals.
If there are reasonable grounds to suspect that there has been a data breach, the CEO should conduct an assessment of the suspected breach. The assessment of a suspected breach must take place within 30 days of TVW becoming aware of the grounds (or information) that caused it to suspect an eligible data breach had occurred. TVW should seek to find out the likelihood of serious harm occurring as a result of the suspected breach. If it is assessed to be likely, this has the same notification obligations as a known data breach under the NDB Scheme.
Take remedial action
Remedial action can be taken at any point throughout the data breach response process – the sooner the better. However, it may be that the full extent and nature of the breach, and therefore the actions that could be taken, are not known until after assessing and investigating the breach.
Examples of remedial action include remotely deleting sensitive information from a laptop which has been lost, or emailing affected individuals with advice about how to protect their privacy.
Remedial action should be documented, making sure to document rationale and reasoning as to why a certain conclusion has been made.
If, after the remedial action has been taken, the risk of harm is reduced so that it is unlikely to occur, or non-serious, then there is no requirement to notify.
Even if there is no requirement, however, we should consider whether to contact affected individuals with advice for further protecting their information as a customer service measure.
Once a breach has been assessed as eligible, the relevant individuals and bodies should be notified as soon as practicable. In addition to the OAIC and affected individuals, this may include the police and the Australian Cyber Security Centre. Notification must include the following information as a minimum:
- TVW’s contact details and a relevant contact person
- Description of the data breach
- Type of information involved in the breach
- Advice and recommendations for individuals to take in response
- Notification to the OAIC
The CEO is responsible for notifying and liaising with the OAIC for data breaches which have been assessed as eligible for the purposes of the NDB Scheme, using the OAIC’s Notifiable Data Breach form.
- Notification of individuals who are at likely risk of serious harm due to the data breach
Notification of individuals should occur as soon as practicable after completing the notification statement for the OAIC. In general, the relevant Director is to make the notification using the most appropriate method (usually a phone call, followed by written communication by either email or post).
Notification to affected individuals may contain an explanation of what happened to their personal information, an apology, description of what measures have been put in place as a result of the breach, and advice on what they can do to further protect their information.
Clients should also be made aware of their right to complain about our services in accordance with our complaints policy.
- Notification to our professional indemnity insurer
The CEO should also notify our professional indemnity insurers of an eligible data breach notification being made to the OAIC. This should be done as soon as practicable, and may be before the conclusion of the 30-day assessment period referred to above.
Record and review
Complaints and breach register
The Complaints and Breach register will record all instances of data breaches or suspected breaches, as well as document assessments of the breach and any changes made as a result of a breach. This register is located on G-Suite.
All staff should be made aware of the register, and the CEO will be responsible for ensuring that all breaches or suspected breaches are recorded accurately in it.
Whether or not the breach or suspected breach was notifiable, a review should be conducted into processes relating to the breach to strengthen protections in the future. Depending on the type and seriousness of the breach, this may include:
- A full investigation into how the breach occurred
- Implementation of measures to ensure it does not reoccur, documented in a prevention plan
- Reviews of security, cybersecurity and ICT policies and procedures
- Audit of implementation of relevant policies and procedures
- Additional staff training about privacy and data breach responses