Privacy Policy

---

Bucketts Way Neighbourhood Group Inc. (BWNG) is committed to protecting the privacy of personal information which the organisation collects, holds, uses and discloses. Personal information is information which directly or indirectly identifies a person. This policy and procedure provides a framework for BWNG in dealing with privacy considerations.

BWNG collects and administers a range of personal information for the purposes of government grant funding needs. BWNG is committed to protecting the privacy of personal information it collects, holds and administers. 

This policy is written in accordance with the Privacy Act 1988, Privacy Amendment Act 2017 (Notifiable Breaches) and the Australian Privacy Principles (APPs). 

BWNG recognises the essential right of individuals to have their information administered in ways that they would reasonably expect – protected on the one hand and made accessible to them on the other.  These privacy values are reflected in and supported by our core values and philosophies and also reflected in this policy and procedure.

BWNG is bound by laws that impose specific obligations when it comes to handling information. The organisation has adopted the following principles contained as minimum standards in relation to handling personal information.

BWNG will:

• Collect only information that the organisation requires for its primary function.
• Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered.
• Use and disclose personal information only for our primary functions or a directly related purpose, or for another purpose with the person’s consent.
• Store personal information securely, protecting it from unauthorised access. 
• Provide stakeholders with access to their own information and the right to seek its correction.
• Ensure an effective data breach response plan is in place.

Collection

BWNG will:

• Only collect information that is necessary for the performance and primary function of BWNG.
• Notify stakeholders about why we collect the information and how it is administered.
• Notify stakeholders that this information is accessible to them.
• Collect personal information from the person themselves wherever possible.
• Where personal information is collected from a third party, be able to advise the person whom the information concerns, from whom their personal information has been collected.
• Collect sensitive information only with the person’s consent. (Sensitive information includes health information and information about religious beliefs, race, gender, and others)
• Determine, where unsolicited information is received, whether the personal information could have been collected it in the usual way, and then if it could have, it will be treated normally. (If it could not have been, it must be destroyed, and the person whose personal information has been destroyed will be notified about the receipt and destruction of their      personal information)

Use and disclosure 

BWNG will:

• Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose.
• For other uses, obtain consent from the affected person.
• In relation to a secondary purpose, use or disclose the personal information only where:
  • A secondary purpose is related to the primary purpose and the individual would reasonably have expected us to use it for purposes.
  • The person has consented.
  • Certain other legal reasons exist, or 
  • Disclosure is required to prevent serious and imminent threat to life, health, or safety.
• State in this policy and procedure whether the information is sent overseas and further will ensure that any overseas providers of services are as compliant with privacy as BWNG is required to be.
• Provide all individuals access to personal information except where it is a threat to life or health or it is authorised by law to refuse and, if a person is able to establish that the personal information is not accurate, then BWNG must take steps to correct it. BWNG may allow a person to attach a statement to their information if BWNG disagrees it is inaccurate.
• Where, for a legal or other reason, we are not required to provide a person with access to the information, consider whether a mutually agreed intermediary would allow sufficient access to meet the needs of both parties.
• Make no charge for making a request for personal information, correcting the information, or associating a statement regarding accuracy with the personal information.

Storage and security 

BWNG takes steps to protect information from misuse and loss, unauthorised access, interference, unauthorised modification, or disclosure by: 

• Maintaining a quality Information Technology (IT) System that is password protected and has monitored authorised access.
• Ensuring all staff and volunteers are knowledgeable in their responsibilities in upholding this policy.
• Ensuring documents are protected and unable to be modified.
• Ensuring hard copy documents are stored in locked cabinets. 
• Ensuring offices remain locked when unattended.

Overseas recipients 

Before BWNG discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, a responsible delegate of the CEO will establish that they are privacy compliant and have sufficient security.

Destruction and de-identification

BWNG will: 

• Destroy personal information once is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones.
• Change information to a pseudonym or treat it anonymously if required by the person whose information BWNG holds and will not use any government-related identifiers unless they are reasonably necessary for our functions.
• Hold and destroy records in accordance with BWNG’s Record Keeping Policy and      Procedure

Data Retention 

BWNG will retain employee, client, and financial records for seven (7) years, and all organisational information indefinitely. 

Openness 

BWNG will:

• Ensure stakeholders are aware of BWNG’s Privacy Policy and its purposes.
• Make this information freely available in relevant publications and on the organisation’s website.

Access and correction 

BWNG will ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading, or not up to date. Individuals are encouraged to submit a request in writing to their appropriate team or supervisor, who will respond within three (3) business days.

Anonymity 

BWNG will allow people from whom the personal information is being collected to not identify themselves or use a pseudonym unless it is impracticable, whereby an alternative means will be discussed and agreed upon.

Making information available to other organisations

BWNG can release information to third parties where it is requested and/or consent is obtained, in writing, from the person concerned and details which information, if not all, is consented to being released. 

Data breach response 

BWNG has an obligation to take reasonable steps to handle personal information in accordance with the APPs, including protecting personal information from misuse, interference and loss, unauthorised access, modification, or disclosure. The Office of the Australian Information Commissioner’s (OAIC) Data Breach Preparation and Response document defines a data breach as ‘unauthorised access to unauthorised disclosure of personal information, or a loss of personal information, that an entity holds.

Where any employee or volunteer suspects, or is informed of, a data breach they must report it to their direct supervisor immediately. In accordance with OAIC’s Data Breach Preparation and Response document, BWNG follows these four key steps: 

• Step One: Contain the suspected or known breach. Immediate steps to be taken is to contact BWNG’s IT provider and describe the details of the breach and assist with any requirements from the IT provider representative. 
• Step Two: Assess whether the data breach is likely to result in serious harm to any of the individuals whose information was involved. Where there is only suspicion of harm, an assessment will take place by a delegate of the CEO, who will investigate and make an evidence-based decision about whether serious harm is likely. All information will be documented and stored. 
• Step Three: Notify the appropriate bodies of the breach. Where serious harm is likely, a delegate of the CEO will prepare a statement for the Australian Privacy Commissioner using the form at www.oaic.gov.au.      A delegate of the CEO will notify either all individuals, or those at risk of serious harm. If neither of these are practical, a statement will be published on BWNG’s website to publicise the incident. 
• Step Four: Review the incident and consider what actions can be taken to prevent future breaches. This may include, but is not limited to:      
  • A full investigation of the breach.
  • Development of a prevention plan to avoid the same incident occurring.
  • Adapting the policies and procedures to reflect changes. 

Where relevant, BWNG will also notify other bodies such as the police, Australian Securities and Investments Commission, the Australian Taxation Office, or other bodies, as necessary.

The CEO is responsible for the implementation of this policy, for monitoring changes in Privacy legislation, and for advising on the need to review or revise this policy as and when the need arises. 

Implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorized access, interference, unauthorized modification or disclosure.

Before BWNG discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, establish that they are privacy compliant. BWNG will have systems which provide sufficient security.

Ensure that BWNG’s data is up to date, accurate and complete.

BWNG reserves the right to vary the terms and conditions of this policy and procedure.