This policy document also describes how you can:
The specific legal obligations of Wellways when collecting and handling your personal information are outlined in the Privacy Act 1988 and in particular in the 13 Australian Privacy Principles found in that Act.
The Privacy Act defines personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’ (s 6(1)).
Under the Privacy Act, more stringent obligations apply to the handling of sensitive information, which is classed as a subset of personal information and is defined as:
Wellways collects and uses personal information to carry out functions or activities under the Privacy Act 1988 (Privacy Act) and a range of other state and territory privacy law.
These functions and activities include:
The nature and extent of the kinds of personal information and, where applicable, sensitive information, collected by Wellways varies depending on your particular interaction with us.
Where practicable, you may choose to interact with Wellways anonymously, or use a pseudonym. In some circumstances however, this may mean that we have limited capacity to provide you with information, a service or effective communication in response to your request, complaint, donation or application.
Types of personal information (that is not sensitive information) that Wellways collects can include:
Wellways will only record information that is necessary for the particular function or activity for which it was collected. The purpose of the collection and use of the types of personal information outlined above relate directly to Wellways functions and activities, as described:
Administrative records - general enquiries
We may need your basic contact details so we can respond appropriately to your enquiry (for example, to provide you with information or refer you to another service).
Administrative records - events
When you register with us to attend an event, the details you provide allow us to manage RSVPs, to facilitate coordination of the event and to communicate with you about the event.
Administrative records – email lists
We collect your email address (and other contact details if you provide them) when you subscribe to an email list, such as our Stampede Stigma e-newsletter. We only use this information for the purpose of sending you publications or information to which you have subscribed, and to administer the lists.
Details that you provide when you register for a course delivered by Wellways’ Registered Training Organisation (RTO) allow us to be able to deliver the training and communicate with you.
Complaints, compliments and feedback files
Wellways seeks feedback to help us develop and deliver better services. For complaints, we would usually require personal information from you (including details of your complaint) in order to respond effectively and to communicate with you as part of our complaints process.
Usually we collect personal information when you give it to us over the phone, in person, via email or by submitting an online or hard-copy form to us.
Sometimes we collect personal information from a third party or a publicly available source, but only if it is reasonable to expect that we would collect your personal information in this way, or when you have provided us with your consent.
The types of sensitive information that we may collect must relate specifically to the function or activity for which it is collected, and we collect this information only when it is necessary for this function or activity.
If Wellways needs to collect sensitive information from you, we will ask you to provide us with your express consent to the collection. Express consent differs from implied consent, and usually involves documentation such as a signed agreement or record of a verbal statement. We will also make sure your consent is informed consent, by way of explaining how your information will be used and disclosed. Consent must also be given voluntarily by an individual with the capacity to communicate such consent at the time it is given.
The kinds of sensitive information that we may collect (alongside the above-mentioned types of personal information) are listed below, relative to the function-related or activity-related file types to which they apply.
Personal information that you provide via our website (for example, when you submit an online form or subscribe to our e-newsletter) is collected by Wellways via servers that are located in Australia and other locations.
Credit card details submitted via our online donation or membership forms are immediately encrypted via Australia Post’s SecurePay facility for secure online transaction processing, which means that Wellways does not store your credit card and debit card information.
When you visit our website, you can choose to provide location based information in order to personalise your experience. If you choose to provide this information we will not share your location with other users or partners.
Other data collected through our website include website traffic information and visitor behaviour, including the IP address of your computer or device. However, this is not considered personal information, because you are not reasonably identifiable to Wellways through this type of data. We use Google Analytics for collecting such data, which are stored by Google on servers in the United States, Belgium and Finland. You can opt out of the collection of information via Google Analytics by downloading the Google Analytics Opt-out browser add-on.
We only use personal information for the purposes for which it is given to us, or for purposes which are directly related to one of our functions or activities. Refer to Personal information – collection.
With strict adherence to the Privacy Act and relevant state legislation, personal information is only disclosed for the purposes for which you gave it to us, or for directly related purposes that you would reasonably expect or if you agree. As specified in the Privacy Act, exceptions refer to situations where a disclosure is required or authorised by law or if a disclosure can lessen or prevent a serious threat to life, health or safety.
Disclosure of personal information may occur when:
It is not the practice of Wellways to disclose personal information to overseas parties.
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include:
There are inherent risks in transmitting information across the internet and we do not have the ability to control the security of information collected and stored on third party platforms. In relation to our own servers, we take all reasonable steps to manage data stored on our servers to ensure data security.
You have the right to request access to the personal information we hold about you and to request that we correct that personal information. To make such a request, you can contact Wellways and ask to see your personal details. (See ‘How to contact us’ below) Participants of Wellways programs can also request access to their file via a key worker or allocated staff member.
We may need to verify your identity if you request access or corrections to your personal information, both as a privacy measure, and to ensure the quality of the personal information that we hold. Under the Privacy Act, there are limited circumstances in which some or all access to a record may be denied (for example, where it may violate the privacy of another individual). In such circumstances, we will provide an explanation in response to the request.
You may also contact us to request removal from a mailing list, alter or cancel automated donations or if you are on one of our automated email lists, you may opt out of further contact from us by clicking the 'unsubscribe' link at the bottom of the email.
Please be aware that donors who request to be removed from our mailing list or records are archived but not deleted. This ensures that we have a record of their wishes and do not approach them as prospective donors in the future. Without your written permission, we will not allow anyone other than you to access or alter your donor record or automated donation unless they provide written proof of Power of Attorney.
On February 22nd 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) came into force to establish the Notifiable Data Breaches (NDB).
Under the NDB scheme, Wellways has an obligation to make a notification if:
The following definitions have been put together to assist in application of the RDB scheme.
A data breach
A data breach occurs when personal information held by Wellways is lost or subjected to unauthorised access or disclosure.
The likelihood of serious harm
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
The concept of ‘serious harm’ must be assessed from the perspective of a ‘reasonable person’ rather than the individual whose personal information was part of the data breach (or any other person).
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
Under the NDB scheme Wellways has the opportunity to take positive steps to address a data breach in a timely manner, and therefore avoid the need to notify.
The OAIC has developed a range of RDB scheme resources to assist with identifying, assessing, managing and reporting data breaches.
If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.
If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.
We will contact you to acknowledge that we have received your complaint within three business days. We will then contact you with a response, or a progress report on the actions being undertaken, within 30 days (This may not be possible with anonymous complaints).
If you are not satisfied with the outcome of your complaint, you can take your complaint to the Australian Information Commissioner (OAIC). The OAIC has the power to investigate Australian organisations and agencies that are bound by the Privacy Act, with respect to possible breaches of the Australian Privacy Principles.
You can contact us by:
1300 111 400
PO Box 359 Clifton Hill, Victoria 3068
61 03 84 864265