This policy document also describes how you can:
The Privacy Act defines personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’.
Under the Privacy Act, more stringent obligations apply to the handling of sensitive information, which is classed as a subset of personal information and is defined as:
Wellways collects and uses personal information to carry out functions or activities under the Privacy Act 1988 (Privacy Act) and a range of other state and territory privacy laws.
These functions and activities include:
The nature and extent of the kinds of personal information and, where applicable, sensitive information, collected by Wellways vary depending on the relationship with the participant involved.
Where practicable, participants may choose to interact with Wellways anonymously, or use a pseudonym. In some circumstances, however, this may mean that we have limited capacity to provide you with information, a service or effective communication in response to your request, complaint, donation or application.
Types of personal information (that is not sensitive information) that Wellways collects can include:
Wellways will only record information that is necessary for the particular function or activity for which it was collected. The purpose of the collection and use of the types of personal information outlined above relates directly to Wellways’ functions and activities, as illustrated below.
We may need your basic contact details so we can respond appropriately to your enquiry (for example, to provide you with information or refer you to another service).
When you register with us to attend an event, the details you provide allow us to manage RSVPs, to facilitate coordination of the event and to communicate with you about the event.
We collect your email address (and other contact details if you provide them) when you subscribe to an email list, such as our e-newsletter. We only use this information for the purpose of sending you publications or information to which you have subscribed, and to administer the lists.
Personal information in our donor files is required to communicate with donors for the purposes of fundraising, and to process and receipt donations. Sometimes we may publish the names of donors (for example, in our Annual Report), but not without seeking and obtaining your consent.
Your information may be shared with third party suppliers with whom we have confidentiality agreements for the purposes of fundraising activity and communications.
Details that you provide when you register for a course delivered by Wellways’ Registered Training Organisation (RTO) allow us to be able to deliver the training and communicate with you.
Wellways seeks feedback to help us develop and deliver better services. For complaints, we would usually require personal information from you (including details of your complaint) in order to respond effectively and to communicate with you as part of our complaints process.
Credit card and bank account details are used to process donations and membership payments. Credit card account details are then encrypted or destroyed and are not stored by Wellways.
These files may hold sensitive information in addition to the types of personal information listed above. For the reasons why we collect information for these file types, refer to the corresponding file type under ‘Sensitive information – collection’ below.
Usually we collect personal information when you give it to us over the phone, in person, via email or by submitting an online or hard-copy form to us.
We collect payment details directly from you by phone, in person, via our secure webpage or on a hard-copy payment form.
Sometimes we collect personal information from a third party or a publicly available source, but only if it is reasonable to expect that we would collect your personal information in this way, or when you have provided us with your consent.
Examples of a third party include: a referee, your authorised representative (if you have one), a family member.
The types of sensitive information that we may collect must relate specifically to the function or activity for which it is collected, and we collect this information only when it is necessary for this function or activity.
If Wellways needs to collect sensitive information from you, we will ask you to provide us with your express consent to the collection. Express consent differs from implied consent, and usually involves documentation such as a signed agreement or record of a verbal statement. We will also make sure your consent is informed consent, by way of explaining how your information will be used and disclosed. Consent must also be given voluntarily by an individual with the capacity to communicate such consent at the time it is given.
The kinds of sensitive information that we may collect (alongside the above-mentioned types of personal information) are listed below, relative to the function-related or activity-related file types to which they apply.
If required, the following types of personal and/or sensitive information are collected directly from an applicant to allow us to assess the suitability of individuals for particular roles with Wellways and to manage an effective employment or volunteer arrangement:
The types of sensitive information below are collected from participants in accordance with the:
and when it is relevant and necessary, so as to enable Wellways to provide a participant with a service or to ensure an appropriate referral. This may include:
Please contact us for further information on the handling of personal information in participant files.
We collect personal information from membership applicants and current members for us to communicate directly to members, engage participation in membership activities, deliver member benefits, process membership payments and for the purposes of fundraising.
Members may also choose to provide us with sensitive information, which may be recorded in communication records where it is relevant to the member relationship, such as:
We collect personal information from financial supporters for the purposes of donation processing and receipting, but also for the purposes of relationship building, advocacy and fundraising.
Donors may also choose to provide us with sensitive information, which may be recorded in communication records where it is relevant to the donor relationship, such as:
Personal information that you provide via our website (for example, when you submit an online form or subscribe to our e-newsletter) is collected by Wellways via servers that are located in Australia and other locations.
Credit card details submitted via our online donation or membership forms are immediately encrypted via Australia Post’s SecurePay facility for secure online transaction processing, which means that Wellways does not store your credit card and debit card information.
When you visit our website, you can choose to provide location based information in order to personalise your experience. If you choose to provide this information we will not share your location with other users or partners.
Other data collected through our website include website traffic information and visitor behaviour, including the IP address of your computer or device. However, this is not considered personal information, because you are not reasonably identifiable to Wellways through this type of data. We use Google Analytics for collecting such data, which are stored by Google on servers in the United States, Belgium and Finland. You can opt out of the collection of information via Google Analytics by downloading the Google Analytics Opt-out browser add-on.
We only use personal information for the purposes for which it is given to us, or for purposes which are directly related to one of our functions or activities. (Refer to Table 1.1 above.)
With strict adherence to the Privacy Act and relevant state legislation, personal information is only disclosed for the purposes for which you gave it to us, or for directly related purposes that you would reasonably expect or if you agree.
We may need to share employee information with data hosting providers or other service providers who assist us to administer our organisation and to implement and support our systems (including human resources, payroll and financial operations noted above) or to deliver our services. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing data protection provisions. We will take reasonable steps to ensure that our contracts with third party service providers include data protection provisions that require them to comply with the protection, use and disclosure requirements of or equivalent to, the Privacy Act.
As specified in the Privacy Act, exceptions refer to situations where a disclosure is required or authorised by law or if a disclosure can lessen or prevent a serious threat to life, health or safety.
Disclosure of personal information may occur when:
It is not the practice of Wellways to disclose personal information to overseas parties except where we are using data hosting or other third party service providers for administrative support who may store information in other jurisdictions or may need to have access to personal information from locations overseas when providing support or other services.
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include:
When no longer required, Wellways destroys paper records that contain personal information and deletes or digitally archives personal information in electronic files, in a secure manner and in accordance with relevant legislative requirements.
There are inherent risks in transmitting information across the internet and we do not have the ability to control the security of information collected and stored on third party platforms. In relation to our own servers, we take all reasonable steps to manage data stored on our servers to ensure data security.
You have the right to request access to the personal information we hold about you and to request that we correct that personal information. To make such a request, you can contact Wellways and ask to see your personal details. (See ‘How to contact us’ below.) Participants of Wellways programs can also request access to their file via a key worker or allocated staff member.
We may need to verify your identity if you request access or corrections to your personal information, both as a privacy measure, and to ensure the quality of the personal information that we hold. Under the Privacy Act, there are limited circumstances in which some or all access to a record may be denied (for example, where it may violate the privacy of another individual). In such circumstances, we will provide an explanation in response to the request.
You may also contact us to request removal from a mailing list or to alter or cancel automated donations. If you are on one of our automated email lists, you may opt out of further contact from us by clicking the 'unsubscribe' link at the bottom of the email.
Please be aware that donors who request to be removed from our mailing list or records are archived but not deleted. This ensures that we have a record of their wishes and do not approach them as prospective donors in the future. Without your written permission, we will not allow anyone other than you to access or alter your donor record or automated donation unless they provide written proof of Power of Attorney.
On February 22nd 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) came into force to establish the Notifiable Data Breaches (NDB) scheme.
Under the NDB scheme, Wellways has an obligation to make a notification if:
The NDB scheme requires Wellways to assess the breach and make a notification to the particular individual(s) affected and the Australian Information Commissioner (the OAIC).
The following definitions have been put together to assist in the application of the NDB scheme.
A data breach
A data breach occurs when personal information held by Wellways is lost or subjected to unauthorised access or disclosure.
The likelihood of serious harm
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
The concept of ‘serious harm’ must be assessed from the perspective of a ‘reasonable person’ rather than the individual whose personal information was part of the data breach (or any other person).
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
Under the NDB scheme Wellways has the opportunity to take positive steps to address a data breach in a timely manner, and therefore avoid the need to notify.
The OAIC has developed a range of NDB scheme resources to assist with identifying, assessing, managing and reporting data breaches.
If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.
If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.
We will contact you to acknowledge that we have received your complaint within three business days. We will then contact you with a response, or a progress report on the actions being undertaken, within 30 days. This may not be possible with anonymous complaints.
If you are not satisfied with the outcome of your complaint, you can take your complaint to the Australian Information Commissioner (OAIC). The OAIC has the power to investigate Australian organisations and agencies that are bound by the Privacy Act, with respect to possible breaches of the Australian Privacy Principles.
Personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’ (s 6(1)).
Phone: 1300 111 400
Post: PO Box 359 Clifton Hill, Victoria 3068
Facsimile: 61 03 84 864265
Last updated January 2021