MBDAC Privacy Policy
Background
Privacy and confidentiality of the personal information of the clients, staff and community members who support Marnin Bowa Dumbara Aboriginal Corporation are required both by law and by our values, and are especially important given the community in which we operate.
The Privacy Act 1988 (Cth) sets out how organisations, including Marnin Bowa Dumbara (MBD) Aboriginal Corporation, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Privacy Act 1988 contains thirteen Australian Privacy Principles (APPs), which underpin this policy:
- APP 1: Open and transparent management of personal information.
- APP 2: Anonymity and pseudonymity.
- APP 3: Collection of solicited personal information.
- APP 4: Dealing with unsolicited personal information.
- APP 5: Notification of the collection of personal information.
- APP 6: Use or disclosure of personal information.
- APP 7: Direct marketing.
- APP 8: Cross-border disclosure of personal information.
- APP 9: Adoption, use or disclosure of government related identifiers.
- APP 10: Quality of personal information.
- APP 11: Security of personal information.
- APP 12: Access to personal information.
- APP 13: Correction of personal information.
We are committed to delivering supportive and confidential services and to safeguarding the privacy and security of your personal information. This document outlines our practices regarding the collection, use, sharing and protection of your personal information in connection with our Family Healing Centre. By engaging with us or using our services, you agree to the terms outlined in this policy.
Aim
To fulfil our mission, MBD Aboriginal Corporation sometimes needs to collect and use information about individuals. These individuals may include clients, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
The purpose of this Privacy Policy and its associated Procedures is to set out the standards we maintain, and the steps we take, to protect the privacy and confidentiality of any information entrusted to us by clients, staff or community members, to meet our data protection standards and to comply with relevant legislation.
This privacy policy and procedures ensures that MBD Aboriginal Corporation:
- complies with data protection law and follows good practice
- protects the rights of staff, clients and partners
- is clear about how it stores and processes individuals’ data
- protects itself from the risks of a data breach.
Policy statement
The MBD Aboriginal Corporation Family Healing Centre privacy policy is built on the following principles:
- Information Collection and Use:
- We may collect personal information from you when you engage with us, use our services, or visit our website. This information may include but is not limited to:
- Contact details (name, email address, phone number, address),
- Information on your relationships (family, dependents, support providers, etc.),
- Financial information (relating to payments you may have made to us),
- Other information voluntarily provided by you.
- We use this information to provide our services, communicate with you, and improve our services. We do not sell or rent your personal information to third parties.
- Information Sharing:
- We share your personal information with third parties only in the following circumstances:
- With your explicit consent,
- To fulfil our contractual obligations and provide the services you have requested,
- With trusted service providers who assist us in delivering our services (e.g. IT support, accounting software providers),
- For marketing purposes, where you have authorised us to identify you personally, or
- When required by law or legal process, or to protect our rights and the safety of others.
- Data Security:
- We implement technical and organisational measures to protect your personal information from unauthorised access, loss, misuse or alteration. However, no method of data transmission or storage can be guaranteed to be 100% secure; while we strive to protect your personal information, we cannot guarantee its absolute security.
- Data Retention:
- We retain your personal information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When your personal information is no longer necessary for those purposes, we will securely delete or anonymise it.
- Your Rights:
- You have the right to access, correct or update your personal information, or to request its deletion. You also have the right to object to certain processing activities and to restrict the use of your information. To exercise these rights, please contact us at execadminassist@mbdfhc.org.au. We will acknowledge your request and respond within a reasonable timeframe (see Managing Access and Correction below).
- Cookies and Tracking:
- Our website may use cookies and similar technologies to enhance your browsing experience. You can set your browser to refuse cookies or alert you when cookies are being sent. However, please note that some features of our website may not function properly without cookies.
- Changes to this Policy:
- We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes through our website or other appropriate means.
Scope
Scope of Policy & Procedure
This privacy policy and procedures covers the following areas:
- Ensuring MBD Aboriginal Corporation complies with data protection law and follows good practice.
- Protecting the rights of staff, clients and partners.
- How we store and process individuals’ data.
- Ensuring we protect ourselves from the risks of a data breach.
This policy aligns with the following organisational Value:
- Integrity: By ensuring we are accountable for our actions.
- Teamwork: This policy ensures we take responsibility for privacy and perform our roles positively, effectively, and professionally.
Scope of Responsibilities
The Board of Management is responsible for:
- Ensuring the Family Healing Centre has an effective privacy policy, and procedures to enforce the policy, in compliance with legislation.
- Reviewing the Privacy Policy and Procedures on a regular basis, and whenever legislation or legislative instruments change.
- Ensuring the Family Healing Centre is resourced to maintain compliance with privacy legislation, including with ICT equipment and systems.
The Chief Executive Officer is responsible for:
- Acting as the Privacy Officer for MBD Aboriginal Corporation
- Implementing this Privacy Policy and Procedures.
- Ensuring documentation used to collect personal information from clients acknowledges privacy practices and is set up to collect appropriate authorisations from clients where required.
- Ensuring all systems, services and equipment used for storing and accessing data meet acceptable security standards.
- Monitoring the performance of the contracted ICT provider to ensure compliance with this policy and procedures.
- Ensuring staff are trained in privacy and confidentiality legislation and organisational practices to ensure protection of privacy.
- Monitoring and reporting any data breaches.
- Handling, or delegating the handling of, a privacy complaint or data breach.
Operations Staff are responsible for:
- Following the requirements of this policy and procedures.
- Taking reasonable precautions to protect the privacy and confidentiality of clients’ personal information, including:
- Holding conversations in private, to ensure personal information disclosed by a client is not overheard by a third party.
- Keeping client documents filed away and out of sight of other clients when not in use, and reasonably protected when in use.
- Locking computer screens when away from the computer.
- Reporting any potential data breaches to the CEO or their delegate.
All staff are responsible for:
- Only accessing client data as it relates to their job role.
- Maintaining the privacy and confidentiality of any personal information or data for clients or staff. Data and information should not be shared informally.
- Using strong passwords and two-factor authentication where required, and not sharing their login credentials.
- Not disclosing information or data about clients in the community.
- Regularly reviewing client or staff information under their control, to ensure it is maintained securely and only as long as is necessary or in accordance with the laws or regulations.
Definitions
In this policy the following terms have the meaning given:
- “Personal Information” refers to any information about an identified individual, or one who is reasonably identifiable, whether recorded in a material form or not. This includes names, addresses, dates of birth, email addresses, phone numbers, and any other identifiable data.
- “Sensitive information” is a subset of personal information such as racial or ethnic origin, political opinions, membership in a political association, religious beliefs or affiliations, philosophical beliefs, membership in a professional or trade association, membership in a trade union, sexual orientation or practices, criminal record, and health information.
- “Health information” is a type of sensitive information that includes information or an opinion about the health or a disability (at any time) of an individual, an individual’s expressed wishes about the future provision of health services to them, or a health service provided, or to be provided, to an individual.
- “Collection” refers to the act of gathering, acquiring, or obtaining personal information from any source and by any means, including information that is unsolicited.
- “Use” is the handling or management of personal information within the organisation. This includes processing, sharing internally, or making decisions based on personal information.
- “Disclosure” is making personal information available to others outside the organisation. This includes transferring data to third parties or making it accessible to external individuals or entities.
- “Consent” is informed, voluntary, and current permission from an individual for the collection, use, or disclosure of their personal information. Consent can be express or implied depending on the circumstances.
- “Data Breach” is unauthorised access to, or disclosure of, personal information, or a loss of personal information that the organisation holds. This can result in serious harm to individuals and trigger mandatory notification requirements.
- An “eligible data breach” is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates, and where remedial action has not been able to prevent the likely risk of serious harm. It must be reported to the Office of the Australian Information Commissioner (OAIC), and the affected individuals notified, under the Notifiable Data Breaches scheme.
- “Unauthorised Access” occurs when personal information is accessed by someone who does not have permission to do so. This can include both internal and external parties.
- “Unauthorised Disclosure” occurs when personal information is made available or visible to others outside the organisation without consent.
- “Loss” refers to the accidental or inadvertent loss of personal information in circumstances that are likely to result in unauthorised access or disclosure. This can include losing devices such as laptops or USB drives containing personal information.
- “Serious Harm” is assessed based on the sensitivity of the information, the potential for harm, and the circumstances of the breach. Factors that may affect the likelihood of serious harm include the nature of the information, who may have access to it, and the types of harm that could result.
Procedure
Communication of this policy and procedures
- This policy and procedures should be made available to Board members and staff, whether in printed form, or via a website or intranet, or via email.
- Specific sections of this policy and procedures should be extracted, presented in a client-friendly format and published on the MBD Family Healing Centre website. The sections are as follows:
- Background
- Aim
- Policy Statement
- Definitions
- Explanations on:
- How to request access to own data
- How to request update of inaccurate data
- How to lodge a complaint about the collection, use and retention or disposal of your personal information.
- How to provide feedback on organisational privacy practices.
Implementing Privacy Practices
- Collect Personal Information Lawfully:
- Collect only the personal information necessary for the corporation’s functions or activities.
- Obtain consent from individuals before collecting their information and inform them about how their information will be used and disclosed.
- Use and Disclosure:
- Use personal information only for the purposes for which it was collected, or for related purposes the individual would reasonably expect.
- Obtain consent for any secondary use or disclosure of personal information, for example, for marketing or advertising purposes.
- Data Quality and Security:
- Take reasonable steps to ensure that personal information collected is accurate, complete, and up-to-date.
- Implement security measures to protect personal information from unauthorised access, modification or disclosure.
- Anonymity and Pseudonymity:
- Allow individuals to interact anonymously or using a pseudonym where it is practical and lawful.
Managing Access and Correction
A client of the Family Healing Centre has the right to request access to and/or update of information held by MBD Aboriginal Corporation. The process for handling this request is as follows:
- Receive the request
- The request may be submitted in a range of forms – via email, letter, an online request form, or in person.
- Acknowledge receipt
- Respond in writing to acknowledge receipt of the request and provide an estimated timeframe for a response.
- The acknowledgement must be sent within 3 working days.
- Verify the identity of the requester
- Verify the identity of the individual making the request to ensure that personal information is not disclosed to an unauthorised person.
- Request appropriate identification documents if necessary, while ensuring the process is respectful of the individual's privacy.
- Assess the request
- Determine Scope:
- Clarify the scope of the request, including the specific personal information being sought, to ensure a comprehensive response.
- Contact the individual for clarification if the request is unclear or too broad.
- Consider Exceptions:
- Assess whether any exceptions apply under APP 12. Exceptions may include:
- The request is frivolous or vexatious.
- Providing access would have an unreasonable impact on the privacy of others.
- The information relates to existing or anticipated legal proceedings.
- Providing access would be unlawful or poses a serious threat to life or health.
- If an exception applies, document the rationale for refusing access.
- Provide access if reasonable and necessary to do so
- Format of Access:
- Provide access in the manner requested by the individual, where reasonable and practicable. Options may include providing a copy of the information, allowing the individual to inspect the information, or providing a summary.
- Timely Response:
- Respond to access requests within a reasonable timeframe, typically within 30 calendar days.
- Cost of Access:
- A reasonable fee may be charged for providing access, covering costs such as photocopying or postage. Ensure the fee is not excessive and is communicated upfront.
- Refuse access if necessary
- Communicate Reasons for Refusal:
- If access is refused, inform the individual in writing of the reasons for refusal and the applicable exceptions.
- Provide Alternatives:
- Where possible, provide alternative means of access or offer to explain the content of the records verbally.
- Inform of Review Options:
- Advise the individual of their right to complain to the Office of the Australian Information Commissioner (OAIC) if they are dissatisfied with the decision.
- Update information if necessary
- Where a request was to update information or where an access request leads to a request to update information, the following applies:
- Request correct information if not already provided.
- Check the information on record against the information supplied by the client.
- Update the record to the correct information supplied by the client.
- Advise the client of the successful update of information.
- Maintain records
- Keep a record of all access requests, including the nature of the request, how it was handled, and the outcome.
Managing Data Breaches
The response to a data breach will depend on the nature of the breach and how the data was accessed. In general, the following steps need to be taken:
- Contain the breach and assess its nature and extent, e.g. has an ICT system been compromised? Has an email containing personal information been sent in error to the wrong recipient? Has a document or device been lost?
- Attempt to recover the data. For example, if an email was sent in error, attempt to recall it (noting that recall is not guaranteed to work) and notify the recipient that it was sent in error, asking them to confirm it has been deleted and not accessed; make a phone call to the recipient if necessary. If a document was left behind, retrieve it as soon as possible.
- If the data cannot be recovered and remedial action cannot prevent a likely risk of serious harm, notify the affected client(s) of the data breach, and notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable in accordance with the Notifiable Data Breaches scheme. The assessment of whether a suspected breach is an eligible data breach must be completed within 30 days of becoming aware of it.
- Document the breach and the response, review the incident to identify any weaknesses in data handling practices, and implement measures to prevent future breaches.
Reviewing and Improving Privacy Practices
- Conduct regular audits of privacy practices and procedures to ensure ongoing compliance with the Privacy Act and APPs.
- Regularly review access request handling procedures to identify areas for improvement and ensure compliance with legislative requirements.
- Regularly update privacy policies and procedures to reflect changes in legislation, organisational practices, or technological advancements.
Managing Feedback and Complaints
Feedback and complaints about Privacy can be handled according to the Feedback policy and procedures.
Training for Staff and Organisational Awareness
- Employee Training:
- Provide regular privacy training to all employees, ensuring they understand their responsibilities under the Privacy Act and the APPs.
- Awareness Programs:
- Develop programs to raise awareness of privacy issues and best practices within the organisation.
Related documents
Policy and procedures:
- Feedback policy and procedures
Forms, record keeping documents or other organisational documents:
- Information access and/or correction request form
Standards
Relevant Standard(s) or Rule Book requirements:
- Australian Privacy Principles
Relevant Legislation and Regulations covering the operation of the service:
- Australian Charities and Not-for-profits Commission Act 2012 (Cth)
- Associations Incorporation Act 2015 (WA)
- Privacy Act 1988 (Cth)
- Corporations (Aboriginal and Torres Strait Islander) Act 2006
- CATSI Regulations
- Corporations Act 2001
- Work Health and Safety Act 2020
- Financial Management and Accountability Act 1997
- Commonwealth Independent Contractors Act 2006
- Australian Consumer Law (ACL)
- Children and Community Services Act 2004
References
Australian Government. 2024. “Privacy Act 1988”. Federal Register of Legislation. Accessed May 22, 2024, from https://www.legislation.gov.au/C2004A03712/latest/text.
Office of the Australian Information Commissioner. 2023. “Australian Privacy Principles”. Commonwealth of Australia. Accessed from https://www.oaic.gov.au/privacy/australian-privacy-principles.