Last updated January 2021
Aim and justification
This policy document also describes how you can:
- access and/or seek correction of the personal information we hold about you, and
- make a complaint about a breach of the Australian Privacy Principles (APPs).
The Privacy Act defines personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’.
Under the Privacy Act, more stringent obligations apply to the handling of sensitive information, which is classed as a subset of personal information and is defined as:
- information or an opinion (that is also personal information) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record; and
- health information about an individual; and
- genetic information (that is not otherwise health information) defined in section 6(1)) of the Privacy Act 1988 (Cth).
Wellways collects and uses personal information to carry out functions or activities under the Privacy Act 1988 (Privacy Act) and a range of other state and territory privacy law.
These functions and activities include:
- delivery of services to Wellways program participants; and
- coordination of engagement activities relating to membership, volunteering, fundraising, community education and advocacy; and
- responding to general enquiries; and
- human resources, payroll and financial operations; and
- maintaining registers, such as contact lists for advocacy campaigns; and
- communicating with the public, stakeholders and the media including through websites and social media.
Collection of your personal information
The nature and extent of the kinds of personal information and, where applicable, sensitive information, collected by Wellways varies depending on the relationship with participant involved.
Where practicable, participants may choose to interact with Wellways anonymously, or use a pseudonym. In some circumstances however, this may mean that have limited capacity to provide you with information, a service or effective communication in response to your request, complaint, donation or application.
Personal information – collection
Types of personal information (that is not sensitive information) that Wellways collects can include:
- contact details (such as name, address, telephone number, email);
- date of birth;
- details of correspondence, communication or complaint;
- bank account details;
- payment history;
- record of attendance to Wellways events.
Wellways will only record information that is necessary for the particular function or activity for which it was collected. The purpose of the collection and use of the types of personal information outlined above relate directly to Wellways functions and activities, as illustrated in table 1.1.
|FILE OR RECORD TYPE||PURPOSE
Why we collect this information
|Administrative records - general enquiries||We may need your basic contact details so we can respond appropriately to your enquiry (for example, to provide you with information or refer you to another service).||
Usually we collect personal information when you give it to us over the phone, in person, via email or by submitting an online or hard-copy form to us.
Sometimes we collect personal information from a third party or a publicly available source, but only if it is reasonable to expect that we would collect your personal information in this way, or when you have provided us with your consent.
Examples of a third party include: a referee, your authorised representative (if you have one), a family member.
|Administrative records - events||When you register with us to attend an event, the details you provide allow us to manage RSVPs, to facilitate coordination of the event and to communicate with you about the event.|
|Administrative records – email lists||We collect your email address (and other contact details if you provide them) when you subscribe to an email list, such as our MI Voice e-newsletter. We only use this information for the purpose of sending you publications or information to which you have subscribed, and to administer the lists.|
|Student files||Details that you provide when you register for a course delivered by Wellways’ Registered Training Organisation (RTO) allow us to be able to deliver the training and communicate with you.|
|Complaints, compliments and feedback files||Wellways seeks feedback to help us develop and deliver better services. For complaints, we would usually require personal information from you (including details of your complaint) in order to respond effectively and to communicate with you as part of our complaints process.|
|Fundraising – donor files||Personal information in our donor files is required to communicate with donors for the purposes of fundraising, and to process and receipt donations. Sometimes we may publish the names of donors (for example, in our Annual Report), but not without seeking and obtaining your consent.
Your information may be shared with third party suppliers with whom we have confidentiality agreements for the purposes of fundraising activity and communications.
|Fundraising – credit card and bank account details||Credit card and bank account details are used to process donations and membership payments. Credit card account details are then encrypted or destroyed and are not stored by Wellways.||
We collect payment details directly from you by phone, in person, via our secure webpage or on a hard-copy payment form.
|These files may hold sensitive information in addition to the types of personal information listed above. For the reasons why we collect information for these file types, refer to the corresponding file type under ‘Sensitive information – collection’ below.||See ‘Sensitive information – collection’ below.|
Sensitive information – collection
The types of sensitive information that we may collect must relate specifically to the function or activity for which it is collected, and we collect this information only when it is necessary for this function or activity.
If Wellways needs to collect sensitive information from you, we will ask you to provide us with your express consent to the collection. Express consent differs from implied consent, and usually involves documentation such as a signed agreement or record of a verbal statement. We will also make sure your consent is informed consent, by way of explaining how your information will be used and disclosed. Consent must also be given voluntarily by an individual with the capacity to communicate such consent at the time it is given.
The kinds of sensitive information that we may collect (alongside the above-mentioned types of personal information) are listed below, relative to the function-related or activity-related file types to which they apply.
Employee, volunteer and applicant files
If required, the following types of personal and/or sensitive information are collected directly from an applicant to allow us to assess the suitability of individuals for particular roles with Wellways and to manage an effective employment or volunteer arrangement:
- employment or volunteer applications including resumes, statements addressing the criteria and referee reports;
- written tasks undertaken by an employee during the selection process;
- notes from the selection committee during the selection process;
- employment contracts or volunteer agreements and other records relating to the terms and conditions of employment or volunteering;
- details of financial and other personal interests supplied by some employees and their immediate family members for the purpose of managing perceived or potential conflicts of interest;
- proof of Australian citizenship or residency;
- certified copies of academic qualifications;
- records relating to employee salary, benefits and leave;
- medical certificates or health related information supplied by an employee or their medical practitioner;
- details of emergency contacts;
- taxation and superannuation details;
- information relating to an employee or volunteer’s training and development;
- police check/criminal record details/working with children checks.
The types of sensitive information below are collected from participants in accordance with the:
- Health Records Act 2001 (VIC),
- Health Records (Privacy and Access) Act 1997 (ACT),
- Privacy Act 1988
- Privacy and Data Protection Act 2014 (Victoria)
- Health Records and Information Privacy Act 2002 (NSW),
- Privacy and Personal Information Protection Act 1998 (NSW)
- Personal Information Protection Act 2004 (Tasmania)
- Information Privacy Act 2009 (Queensland)
and when it is relevant and necessary, so as to enable Wellways to provide a participant with a service or to ensure an appropriate referral. This may include:
- health information;
- information relating to program participation (for example, attendance notes, assessment records), and;
- other personal information that is relevant and necessary for us to provide appropriate supports and services.
Please contact us for further information on the handling of personal information in participant files.
We collect personal information from membership applicants and current members for us to communicate directly to members, engage participation in membership activities, deliver member benefits, process membership payments and for the purposes of fundraising.
Members may also choose to provide us with sensitive information, which may be recorded in communication records where it is relevant to the member relationship, such as:
- a member’s personal connection with mental illness (for example, as a carer, consumer, health professional);
- health information;
- membership of a professional association;
- political opinion.
We collect personal information from financial supporters for the purposes of donation processing and receipting, but also for the purposes of relationship building, advocacy and fundraising.
Donors may also choose to provide us with sensitive information, which may be recorded in communication records where it is relevant to the donor relationship, such as:
- specific interests in relation to our programs and services;
- interest in attending events, becoming a member, supporting our advocacy efforts and other opportunities for engagement;
- communication preferences;
- a donor’s personal connection with mental illness (for example, as a carer, consumer, health professional).
Collecting information through our website
Personal information that you provide via our website (for example, when you submit an online form or subscribe to our e-newsletter) is collected by Wellways via servers that are located in Australia and other locations.
Credit card details submitted via our online donation or membership forms are immediately encrypted via Australia Post’s SecurePay facility for secure online transaction processing, which means that Wellways does not store your credit card and debit card information.
When you visit our website, you can choose to provide location based information in order to personalise your experience. If you choose to provide this information we will not share your location with other users or partners.
Other data collected through our website include website traffic information and visitor behaviour, including the IP address of your computer or device. However, this is not considered personal information, because you are not reasonably identifiable to Wellways through this type of data. We use Google Analytics for collecting such data, which are stored by Google on servers in the United States, Belgium and Finland. You can opt out of the collection of information via Google Analytics by downloading the Google Analytics Opt-out browser add-on.
How we use your personal information
We only use personal information for the purposes for which it is given to us, or for purposes which are directly related to one of our functions or activities. (Refer to Table 1.1 above.)
With strict adherence to the Privacy Act and relevant state legislation, personal information is only disclosed for the purposes for which you gave it to us, or for directly related purposes that you would reasonably expect or if you agree.
We may need to share employee information with data hosting providers or other service providers who assist us to administer our organisation and to implement and support our systems (including human resources, payroll and financial operations noted above) or to deliver our services. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing data protection provisions. We will take reasonable steps to ensure that our contracts with third party service providers include data protection provisions that require them to comply with the protection, use and disclosure requirements of or equivalent to, the Privacy Act.
As specified in the Privacy Act, exceptions refer to situations where a disclosure is required or authorised by law or if a disclosure can lessen or prevent a serious threat to life, health or safety.
Examples of disclosure of personal information
Disclosure of personal information may occur when:
- a member of staff contacts a referee or former employer, or conducts a police check, for the purposes of assessing an application for employment or volunteering role;
- as an employee, when your personal information is entered and stored into our third party hosting or service provider’s systems for administration purposes related to your employment;
- a key worker provides information to a participant’s carer, or to a health care professional involved in the care of the participant, in the course of delivering a service to that participant;
- a fundraising administrator receives a request from a donor to receive no further contact from Wellways and passes on the details to our third party suppliers to ensure their wishes are respected.
Disclosure of personal information overseas
It is not the practice of Wellways to disclose personal information to overseas parties except where we are using data hosting or other third party service providers for administrative support who may store information in other jurisdictions or may need to have access to personal information from locations overseas when providing support or other services.
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
Storage and security of your personal information
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include:
- information technology (IT) security measures;
- password protection for accessing our electronic IT systems;
- password access for electronic files is limited to authorised personnel in relevant roles for undertaking the Wellways function or activity;
- securing paper files in locked cabinets;
- physical access restrictions;
- staff training in file-handling procedures.
When no longer required, Wellways destroys paper records that contain personal information and deletes or digitally archives personal information in electronic files, in a secure manner and in accordance with relevant legislative requirements.
There are inherent risks in transmitting information across the internet and we do not have the ability to control the security of information collected and stored on third party platforms. In relation to our own servers, we take all reasonable steps to manage data stored on our servers to ensure data security.
Access and correction of your personal information
You have the right to request access to the personal information we hold about you and to request that we correct that personal information. To make such a request, you can contact Wellways and ask to see your personal details. (See ‘How to contact us’ below) Participants of Wellways programs can also request access to their file via a key worker or allocated staff member.
We may need to verify your identity if you request access or corrections to your personal information, both as a privacy measure, and to ensure the quality of the personal information that we hold. Under the Privacy Act, there are limited circumstances in which some or all access to a record may be denied (for example, where it may violate the privacy of another individual). In such circumstances, we will provide an explanation in response to the request.
You may also contact us to request removal from a mailing list, alter or cancel automated donations or if you are on one of our automated email lists, you may opt out of further contact from us by clicking the 'unsubscribe' link at the bottom of the email.
Please be aware that donors who request to be removed from our mailing list or records are archived but not deleted. This ensures that we have a record of their wishes and do not approach them as prospective donors in the future. Without your written permission, we will not allow anyone other than you to access or alter your donor record or automated donation unless they provide written proof of Power of Attorney.
Notifiable Data Breach Scheme
On February 22nd 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) came into force to establish the Notifiable Data Breaches (NDB).
Under the NDB scheme, Wellways has an obligation to make a notification if:
- a data breach is believed to have occurred, and;
- it is likely to result in serious harm to the individual(s) whose personal information is involved in the breach, and
- remedial action has not been able prevent the risk of serious harm.
The NDB scheme requires Wellways to assess the breach and make a notification to the particular individual(s) affected and the Australian Information Commissioner (the OAIC).
The following definitions have been put together to assist in application of the RDB scheme.
|A data breach||A data breach occurs when personal information held by Wellways is lost or subjected to unauthorised access or disclosure.|
The likelihood of serious harm
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
The concept of ‘serious harm’ must be assessed from the perspective of a ‘reasonable person’ rather than the individual whose personal information was part of the data breach (or any other person).
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
|Remedial action||Under the NDB scheme Wellways has the opportunity to take positive steps to address a data breach in a timely manner, and therefore avoid the need to notify.|
The OAIC has developed a range of RDB scheme resources to assist with identifying, assessing, managing and reporting data breaches.
How to make a complaint
If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.
If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.
We will contact you to acknowledge that we have received your complaint within three business days. We will then contact you with a response, or a progress report on the actions being undertaken, within 30 days. This may not be possible with anonymous complaints.
If you are not satisfied with the outcome of your complaint, you can take your complaint to the Australian Information Commissioner (OAIC). The OAIC has the power to investigate Australian organisations and agencies that are bound by the Privacy Act, with respect to possible breaches of the Australian Privacy Principles.
|Personal information||Personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’ (s 6(1)).|
How to contact us
You can contact us by:
firstname.lastname@example.org (for privacy related enquiries or complaints)
email@example.com (for fundraising related enquiries or complaints)
firstname.lastname@example.org (for all other general enquiries)
|Phone||1300 111 400|
|Post||PO Box 359 Clifton Hill, Victoria 3068|
|Facsimile||61 03 84 864265|