Privacy

Aim and justification

This privacy policy outlines how Wellways handles personal information, in accordance with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth).

This policy document also describes how you can:

  • access and/or seek correction of the personal information we hold about you, and
  • make a complaint about a breach of the Australian Privacy Principles (APPs).

The specific legal obligations of Wellways when collecting and handling your personal information are outlined in the Privacy Act 1988 and in particular in the 13 Australian Privacy Principles found in that Act.

The Privacy Act defines personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’ (s 6(1)).

Under the Privacy Act, more stringent obligations apply to the handling of sensitive information, which is classed as a subset of personal information and is defined as:

  • information or an opinion (that is also personal information) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record;
  • health information about an individual;
  • genetic information (that is not otherwise health information) (s 6(1)).

This policy is written in simple language, and has been adapted from the Privacy Policy developed by the Office of the Australian Information Commissioner (OAIC) found on the OAIC website at www.oaic.gov.au.

Updates to this privacy policy will occur from time to time to reflect developments in the information handling practices of Wellways. Updates will be published on this website.

Policy

Overview

Wellways collects and uses personal information to carry out functions or activities under the Privacy Act 1988 (Privacy Act) and a range of other state and territory privacy law.

These functions and activities include:

  • delivery of services to Wellways program participants
  • coordination of engagement activities relating to membership, volunteering, fundraising, community education and advocacy
  • responding to general enquiries
  • human resources, payroll and financial operations
  • maintaining registers, such as contact lists for advocacy campaigns
  • communicating with the public, stakeholders and the media including through websites and social media.

Collection of your personal information

The nature and extent of the kinds of personal information and, where applicable, sensitive information, collected by Wellways varies depending on your particular interaction with us.

Anonymity

Where practicable, you may choose to interact with Wellways anonymously, or use a pseudonym. In some circumstances however, this may mean that we have limited capacity to provide you with information, a service or effective communication in response to your request, complaint, donation or application.

Personal information – collection

Types of personal information (that is not sensitive information) that Wellways collects can include:

  • contact details (such as name, address, telephone number, email);
  • date of birth;
  • details of correspondence, communication or complaint;
  • bank account details;
  • signature;
  • payment history;
  • record of attendance to Wellways events.

Wellways will only record information that is necessary for the particular function or activity for which it was collected. The purpose of the collection and use of the types of personal information outlined above relate directly to Wellways functions and activities, as described:

Administrative records - general enquiries

We may need your basic contact details so we can respond appropriately to your enquiry (for example, to provide you with information or refer you to another service).

Administrative records - events

When you register with us to attend an event, the details you provide allow us to manage RSVPs, to facilitate coordination of the event and to communicate with you about the event.

Administrative records – email lists

We collect your email address (and other contact details if you provide them) when you subscribe to an email list, such as our Stampede Stigma e-newsletter. We only use this information for the purpose of sending you publications or information to which you have subscribed, and to administer the lists.

Student files

Details that you provide when you register for a course delivered by Wellways’ Registered Training Organisation (RTO) allow us to be able to deliver the training and communicate with you.

Complaints, compliments and feedback files

Wellways seeks feedback to help us develop and deliver better services. For complaints, we would usually require personal information from you (including details of your complaint) in order to respond effectively and to communicate with you as part of our complaints process.

How we collect this information

Directly

Usually we collect personal information when you give it to us over the phone, in person, via email or by submitting an online or hard-copy form to us.

Indirectly

Sometimes we collect personal information from a third party or a publicly available source, but only if it is reasonable to expect that we would collect your personal information in this way, or when you have provided us with your consent.

The types of sensitive information that we may collect must relate specifically to the function or activity for which it is collected, and we collect this information only when it is necessary for this function or activity.

If Wellways needs to collect sensitive information from you, we will ask you to provide us with your express consent to the collection. Express consent differs from implied consent, and usually involves documentation such as a signed agreement or record of a verbal statement. We will also make sure your consent is informed consent, by way of explaining how your information will be used and disclosed. Consent must also be given voluntarily by an individual with the capacity to communicate such consent at the time it is given.

The kinds of sensitive information that we may collect (alongside the above-mentioned types of personal information) are listed below, relative to the function-related or activity-related file types to which they apply.

Collecting information through our website

Personal information that you provide via our website (for example, when you submit an online form or subscribe to our e-newsletter) is collected by Wellways via servers that are located in Australia and other locations.

Credit card details submitted via our online donation or membership forms are immediately encrypted via Australia Post’s SecurePay facility for secure online transaction processing, which means that Wellways does not store your credit card and debit card information.

We sometimes use third party platforms to deliver or collect information (SurveyMonkey, Eventbrite, TryBooking, Facebook, Twitter, Recruitmenthub). These are sites hosted and managed by organisations other than Wellways and have their own privacy policies. Before deciding whether to contribute to a third party site such as those listed above, you should read its privacy policy.

When you visit our website, you can choose to provide location based information in order to personalise your experience. If you choose to provide this information we will not share your location with other users or partners.

Other data collected through our website include website traffic information and visitor behaviour, including the IP address of your computer or device. However, this is not considered personal information, because you are not reasonably identifiable to Wellways through this type of data. We use Google Analytics for collecting such data, which are stored by Google on servers in the United States, Belgium and Finland. You can opt out of the collection of information via Google Analytics by downloading the Google Analytics Opt-out browser add-on.

How we use your personal information

We only use personal information for the purposes for which it is given to us, or for purposes which are directly related to one of our functions or activities. Refer to Personal information – collection.

With strict adherence to the Privacy Act and relevant state legislation, personal information is only disclosed for the purposes for which you gave it to us, or for directly related purposes that you would reasonably expect or if you agree. As specified in the Privacy Act, exceptions refer to situations where a disclosure is required or authorised by law or if a disclosure can lessen or prevent a serious threat to life, health or safety.

Examples of disclosure of personal information

Disclosure of personal information may occur when:

  • a member of staff contacts a referee or former employer, or conducts a police check, for the purposes of assessing an application for employment or volunteering role;
  • a key worker provides information to a participant’s carer, or to a health care professional involved in the care of the participant, in the course of delivering a service to that participant;
  • a fundraising administrator receives a request from a donor to receive no further contact from Wellways and passes on the details to our third party suppliers to ensure their wishes are respected.

Disclosure of personal information overseas

It is not the practice of Wellways to disclose personal information to overseas parties.

When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Storage and security of your personal information

We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include:

  • information technology (IT) security measures;
  • password protection for accessing our electronic IT systems;
  • password access for electronic files is limited to authorised personnel in relevant roles for undertaking the Wellways function or activity;
  • securing paper files in locked cabinets;
  • physical access restrictions;
  • staff training in file-handling procedures.
  • When no longer required, Wellways destroys paper records that contain personal information and deletes or digitally archives personal information in electronic files, in a secure manner and in accordance with relevant legislative requirements.

There are inherent risks in transmitting information across the internet and we do not have the ability to control the security of information collected and stored on third party platforms. In relation to our own servers, we take all reasonable steps to manage data stored on our servers to ensure data security.

Access and correction of your personal information

You have the right to request access to the personal information we hold about you and to request that we correct that personal information. To make such a request, you can contact Wellways and ask to see your personal details. (See ‘How to contact us’ below) Participants of Wellways programs can also request access to their file via a key worker or allocated staff member.

We may need to verify your identity if you request access or corrections to your personal information, both as a privacy measure, and to ensure the quality of the personal information that we hold. Under the Privacy Act, there are limited circumstances in which some or all access to a record may be denied (for example, where it may violate the privacy of another individual). In such circumstances, we will provide an explanation in response to the request.

You may also contact us to request removal from a mailing list, alter or cancel automated donations or if you are on one of our automated email lists, you may opt out of further contact from us by clicking the 'unsubscribe' link at the bottom of the email.

Please be aware that donors who request to be removed from our mailing list or records are archived but not deleted. This ensures that we have a record of their wishes and do not approach them as prospective donors in the future. Without your written permission, we will not allow anyone other than you to access or alter your donor record or automated donation unless they provide written proof of Power of Attorney.

Notifiable Data Breach Scheme

On February 22nd 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) came into force to establish the Notifiable Data Breaches (NDB).

Under the NDB scheme, Wellways has an obligation to make a notification if:

  • a data breach is believed to have occurred, and;
  • it is likely to result in serious harm to the individual(s) whose personal information is involved in the breach, and
  • remedial action has not been able prevent the risk of serious harm.
  • The NDB scheme requires Wellways to assess the breach and make a notification to the particular individual(s) affected and the Australian Information Commissioner (the OAIC).

The following definitions have been put together to assist in application of the RDB scheme.

A data breach

A data breach occurs when personal information held by Wellways is lost or subjected to unauthorised access or disclosure.

The likelihood of serious harm

‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

The concept of ‘serious harm’ must be assessed from the perspective of a ‘reasonable person’ rather than the individual whose personal information was part of the data breach (or any other person).

The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).

Remedial action

Under the NDB scheme Wellways has the opportunity to take positive steps to address a data breach in a timely manner, and therefore avoid the need to notify.

The OAIC has developed a range of RDB scheme resources to assist with identifying, assessing, managing and reporting data breaches.

How to make a complaint

If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.

If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.

If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.

We will contact you to acknowledge that we have received your complaint within three business days. We will then contact you with a response, or a progress report on the actions being undertaken, within 30 days (This may not be possible with anonymous complaints).

If you are not satisfied with the outcome of your complaint, you can take your complaint to the Australian Information Commissioner (OAIC). The OAIC has the power to investigate Australian organisations and agencies that are bound by the Privacy Act, with respect to possible breaches of the Australian Privacy Principles.

How to contact us

You can contact us by:

Email
privacy@wellways.org (for privacy related enquiries or complaints)
info@stampedestigma.org (for all other general enquiries)

Phone
1300 111 400

Post
PO Box 359 Clifton Hill, Victoria 3068

Facsimile
61 03 84 864265