You should read this policy if you are:
• a service recipient, program participant or client of MDSI
• a parent or legal guardian of a minor (persons under the age of 18) who is a service recipient, program participant or client of MDSI
• a third party service provider funded to deliver services under a MDSI funding agreement
• a person who volunteers at MDSI
• a student undertaking work placement
• a person seeking employment with MDSI
• a person who is or was employed by MDSI
• making a donation to MDSI
1.2 The Privacy Act 1988
Important changes to the Privacy Act 1988 (Cth) commenced on 12 March 2014.
Prior to this date MDSI followed the privacy principles set out in both the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs). As of 12 March 2014, the IPPs and NPPs were replaced by a single set of privacy principles – the Australian Privacy Principles (APPs).
It is the APPs that now regulate how we collect, hold, use and disclose personal information, and how individuals can access and/or correct that information.
1.3 MDSI and your privacy
MDSI is a not-for-profit charity that offers community and support services. MDSI seeks to ensure that our organisation and our services are relevant and accessible. Based on an integrated service delivery system MDSI’s programs are specifically tailored through five broad service areas: Children, Youth, Family, Disability and Aged.
MDSI takes privacy seriously and will only collect, hold, use and disclose your personal information in accordance with the Privacy Act.
If MDSI does not receive personal information about you the Privacy Act will not apply.
1.4 Remaining anonymous or using a pseudonym
MDSI understands that anonymity is an important element of privacy and some individual’s may wish to be anonymous or use a pseudonym when interacting with MDSI.
Where possible, individuals will have the right to remain anonymous or adopt a pseudonym when dealing with MDSI. For example, if you contact our Information Officer with a general query you do not need to provide us with your details. However, for most of our services and activities we need sufficient information to enable us carry out our functions and provide our services and programs.
1.5 Information held by contractors
Under the Privacy Act, MDSI is required to take contractual measures to ensure contracted service providers (including sub-contractors) comply with the same privacy requirements applicable to MDSI.
2. MDSI’s personal information handling practices
2.1 Collection of personal information
Generally, we collect personal information directly from the relevant individual. Sometimes, we may need to collect information about a client from a third party, such as their representative, a parent, carer, guardian or other responsible person or a third party such as a health service provider, government or similar agency or the client's educational institution or workplace.
We will do this if the client has consented for us to collect the information in this way, or where it is not reasonable or practical for us to collect this information directly from the client (such as in an emergency, because the client is not able to provide the information required or where collection in this way is a reasonable and efficient way to collect the information without inconvenience to the client).
We generally use forms, online portals and other electronic or paper correspondence to collect this information.
Information may be collected directly by MDSI or by people or organisations acting on behalf of MDSI. MDSI may also obtain personal information collected by other Commonwealth agencies, State or Territory government bodies, or other organisations.
MDSI collects and holds a broad range of personal information in records relating to:
• employment and personnel matters for MDSI staff and volunteers (including security assessments)
• the performance of its legislative and administrative functions
• individuals participating in MDSI funded programs and initiatives
• the management of contracts and funding agreements
• the management of audits (both internal and external)
• correspondence from members of the public to MDSI
• compliments and complaints (including privacy complaints) made and feedback provided to MDSI
• requests made to MDSI under the Freedom of Information Act 1982 (Cth)
• the provision of legal advice by internal and external lawyers.
MDSI will not ask you for any personal information which we do not need. The Privacy Act requires that we should collect information for a purpose that is reasonably necessary for, or directly related to, a function or activity of MDSI.
When we collect personal information, we are required under the Privacy Act to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law and any person or body to whom we usually disclose the information. MDSI generally provides this notification by having Privacy Notices on our paper-based forms and online portals.
2.2 Kinds of personal information collected and held
In performing its functions, MDSI collects and holds the following kinds of personal information (which will vary depending on the context of the collection):
• name, address and contact details (e.g. phone, email and fax)
• information about your personal circumstances (e.g. marital status, age, gender, occupation, accommodation and relevant information about your partner or children)
• information about your financial affairs (e.g. income details, household expenses, bank account details and information about business and financial interests)
• information about your identity (e.g. date of birth, country of birth, passport details, visa details, drivers license, birth certificates)
• information about your employment (e.g. work history, referee comments, remuneration)
• information about your background (e.g. educational qualifications, the languages you speak and your English proficiency)
• government identifiers (e.g. Centrelink Reference number, Medicare number or Tax File number)
• information about assistance provided to you under MDSI’s funding arrangements
On occasions, a range of sensitive information may also be collected or held about you, including information about:
• your racial or ethnic origin;
• your health (including information about your medical history and any disability or injury you may have)
• any criminal record and/or traffic offence record you may have, and on occasion
• photographs, video recordings and audio recordings
2.3 How MDSI collects and holds personal information
MDSI collects personal information through a variety of different methods including:
• paper-based forms
• electronic forms (including online forms)
• face to face meetings
• telephone communications
• email communications
• communications by fax
• MDSI websites and
• MDSI social media websites.
MDSI holds personal information in a range of paper-based and electronic records.
All reasonable steps are taken to keep secure any information that is held about individuals.
MDSI employees and volunteers are obliged to respect the confidentiality of any personal
information held by us and are provided with training and information on the APPs.
2.4 Purposes for which personal information is collected, held, used and disclosed
MDSI collects personal information for a variety of different purposes relating to its functions and activities including:
• providing services to client
• performing its employment and personnel functions in relation to MDSI staff and volunteers
• performing its legislative and administrative functions
• policy development, research and evaluation
• complaints handling
• program management
• contract management and
• management of correspondence with the public.
MDSI only uses and discloses personal information for the primary purposes for which it is collected or for a closely related secondary purpose; e.g. where the client's needs have changed or become extended or the client has consented to the use or disclosure of the information for the secondary purpose. MDSI will only use your personal information for secondary purposes where it is able to do so in accordance with the Privacy Act.
If necessary to carry out our functions and provide our services and programs, we may need to disclose your personal and sensitive information to external service providers (such as utility/energy providers, legal service providers, other community service providers, etc.).
We may also be required to disclose information by or under law or for various legal purposes.
2.5 Direct Marketing
We collect contact details (which may include name, address, email address, and mobile phone number) when individuals interact with us in order to distribute newsletters and other communications in print and electronic form from time to time.
Please contact our Privacy Officer using the contact details set out at section 5.1 of this Policy to have your details removed from our mailing lists.
We do not supply our database information to other marketing organisations not acting on our behalf.
2.6 How to seek access to and correction of personal information
You have a right under the Privacy Act to access personal information we hold about you.
You also have a right under the Privacy Act to request corrections to any personal information that MDSI holds about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
However, the Privacy Act sets out circumstances in which MDSI can decline access to or correction of personal information (e.g. where access is unlawful under a secrecy provision in portfolio legislation, such as the Aged Care Act 1997).
To access or seek correction of personal information we hold about you, please contact MDSI using the contact details set out at section 5.1 of this Policy.
It is also possible to access and correct documents held by MDSI under the Freedom of Information Act 1982 (the FOI Act).
2.7 Accidental or unauthorised disclosure of personal information
MDSI will prevent unauthorised persons gaining access to an individual’s confidential records and permit individuals access to their own records when this is reasonable and appropriate.
MDSI will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.
If you believe we have breached the Australian Privacy Principles please contact our Privacy Officer using the contact details set out at section 5.1 of this Policy.
2.8 Data Security
Access to personal information held by MDSI is restricted to authorised persons who are MDSI employees or volunteers.
Electronic and paper records containing personal information are protected in accordance with the relevant MDSI policy and procedures.
MDSI regularly conducts audits to ensure we adhere to our protective and computer security policies.
2.9 Our Website
MDSI’s website is managed internally.
Generally MDSI only collects personal information from its website where a person chooses to provide that information.
If you visit our website to read or download information, MDSI records a range of technical information which does not reveal your identity. This information includes your IP or server address, your general locality and the date and time of your visit to the website. This information is used for statistical and development purposes.
No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.
Some functionality of MDSI’s website is not run by MDSI and third parties may capture and store your personal information outside Australia. These third parties include (but are not limited to) Facebook, YouTube, MailChimp, SurveyMonkey, Twitter and Google and may not be subject to the Privacy Act. MDSI is not responsible for the privacy practices of these third parties and encourages you to examine each website's privacy policies and make your own decisions regarding their reliability.
The MDSI website contains links to other websites. MDSI is not responsible for the content and privacy practices of other websites and encourages you to examine each website's privacy policies and make your own decisions regarding the reliability of material and information found.
MDSI's websites may also detect and use your IP address or domain name for internet traffic monitoring and capacity purposes or to otherwise administer the website. No personal information is collected, rather the patterns of usage of visitors to the website may be tracked for the purposes of providing improved service and content based on aggregate or statistical review of user site traffic patterns.
2.11 Electronic Communication
There are inherent risks associated with the transmission of information over the Internet, including via email. You should be aware of this when sending personal information to us via email or via our website. If this is of concern to you then you may use other methods of communication with MDSI, such as post, fax, or phone (although these also have risks associated with them).
MDSI only records email addresses when a person sends a message or subscribes to a mailing list. Any personal information provided, including email addresses, will only be used or disclosed for the purpose for which it was provided.
2.12 Disclosure of personal information overseas
MDSI does not share your personal information with entities outside of Australia.
3.1 MDSI’s process for handling privacy breach complaints
If you believe we have breached the Australian Privacy Principles please contact our Privacy Officer using the contact details set out at section 5.2 of this Policy.
We take all complaints very seriously and we will endeavour to respond to your complaint and address your concerns as soon as reasonably practicable.
3.2 How to complain to the OAIC
You also have the option of contacting the OAIC (Office of the Australian Information Commissioner) if you wish to make a privacy complaint against MDSI.
The OAIC website (www.oaic.gov.au) contains information on how to make a privacy complaint.
If you make a complaint directly to the OAIC rather than to MDSI, the OAIC may recommend you try to resolve the complaint directly with MDSI in the first instance.
Privacy processes and systems are regularly audited as part of the MDSI audit program and staff, service users and other stakeholders are encouraged to provide ongoing feedback on issues and areas where improvements can be made.
5. How to contact us
5.1 Enquiries and requests to access or correct personal information
If you wish to:
• make a complaint about a breach of your privacy
• query how your personal information is collected, held, used or disclosed
• obtain access to or seek correction of your personal information
• remove your details from our mailing lists
please contact MDSI’s Privacy Officer using the following contact details:
• phone: 02 4627 1188
• fax: 02 4628 6068
• email: firstname.lastname@example.org
• mail: Privacy Officer, PO Box 525, Campbelltown, NSW 2560
5.2 Availability of this Policy
This policy is freely available in either hard copy and on our website.