Privacy Policy

Responsibilities

Donor Conceived Australia’s (DCA) Board is responsible for developing, adopting and reviewing this policy. DCA’s National Director is responsible for the implementation of this policy, for monitoring changes in Privacy legislation, and for advising on the need to review or revise this policy as and when the need arises.

Policy

DCA collects and administers a range of personal information for purposes including but not limited to:

• Service provision

• Referrals

• Advocacy and consultation

• Human resource management

• Research and evaluation

• Supervision

DCA is committed to protecting the privacy of personal information it collects, holds, and administers. DCA recognises the essential right of service users, staff, and volunteers to privacy and to have their information administered in ways that they would reasonably expect – protected on one hand and made accessible to them on the other. This Privacy and Confidentiality Policy is compliant with the Privacy Act 1988 (Cth).

DCA is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles as minimum standards in relation to handling personal information.

DCA will:

• Collect only information which the organisation requires for its primary function;

• Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered;

• Use and disclose personal information only for our primary functions or a directly related purpose, or for another purpose with the person’s consent;

• Store personal information securely, protecting it from unauthorised access;

• Provide stakeholders with access to their own information, and the right to seek its correction.

This Privacy Policy applies to all staff members (i.e. full-time, part-time, contract, casual, temporary and voluntary) of DCA.

Procedures

Collection

DCA will:

• Only collect information that is necessary for the performance and primary function of DCA;

• Collect personal information only by lawful and fair means and not in an unreasonably intrusive way;

• Notify stakeholders about why we collect the information and how it is administered;

• Notify stakeholders that this information is accessible to them;

• Collect personal information from the person themselves wherever possible;

• Collect personal information with the informed consent of the person to whom the information relates;

• If collecting personal information from a third party, be able to advise the person whom the information concerns, from whom their personal information has been collected;

• Collect sensitive information only with the person’s consent or if required by law (sensitive information includes health information and information about religious beliefs, race, gender and others);

• At or before the time of collecting the information, DCA will inform the individual whom the information concerns that it will not disclose the information without the individual’s consent with exceptions to confidentiality expressly outlined; and,

• Determine, where unsolicited information is received, whether DCA could have collected the personal information in the usual way; if it could have, the information will be treated normally. (If it could not have been, it must be destroyed, and the person whose personal information has been destroyed will be notified about the receipt and destruction of their personal information).

Use and disclosure

DCA will:

• Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose;

• For other uses, DCA will obtain consent from the person to whom the information relates;

• In relation to a secondary purpose, use or disclose the personal information only where:

  ◦ a secondary purpose is related to the primary purpose and the individual would reasonably have expected us to use it for such purposes; or,

  ◦ the person has consented; or,

  ◦ certain other legal reasons exist, or disclosure is required to prevent serious and imminent threat to life, health or safety;

• Non-identifying information of service users may be shared with external third parties for the purpose of advocacy, consultation, research, and evaluation;

• The personal information of individuals may be shared internally amongst relevant staff and volunteers during service provision and supervision;

• In relation to personal information which has been collected from a person, use the personal information for direct marketing only where that person would reasonably expect it to be used for this purpose, DCA has provided an opt-out, and the opt-out has not been taken up.

• In relation to personal information which has been collected other than from the person themselves, only use the personal information for direct marketing if the person whose personal information has been collected has consented (and they have not taken up the opt-out).

• In each direct marketing communication with the individual, DCA draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications.

• DCA uses data management and IT services that may require personal information to be sent overseas (e.g. IT services provided by Microsoft). In such cases, DCA will ensure that any overseas providers of services are as compliant with privacy as DCA is required to be. Such disclosures will only be made if:

  ◦ the overseas recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or,

  ◦ the individual consents to the transfer; or,

  ◦ the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or,

  ◦ the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or,

  ◦ the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles;

• In relation to the overseas transfer of personal information, if it is impractical for DCA to receive the person’s consent to that transfer, DCA must have sufficient reasons to believe that the person would likely give consent could they be contacted.

• Provide all individuals access to personal information except where it is a threat to life or health or it is authorised by law to refuse and, if a person is able to establish that the personal information is not accurate, then DCA must take steps to correct it. DCA may allow a person to attach a statement to their information if DCA disagrees that it is inaccurate.

• Where for a legal or other reason we are not required to provide a person with access to the information, consider whether a mutually agreed intermediary would allow sufficient access to meet the needs of both parties.

• Make no charge for making a request for personal information, correcting the information or associating a statement regarding accuracy with the personal information.

• Each written direct marketing communication with the individual must set out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically.

Exceptions to confidentiality

DCA has an obligation (with or without consent) to report personal information held by the organisation where:

• There is a concern that a person is a threat to themselves or others – DCA must notify the person in danger or notify someone who can respond to keep the person or others safe (e.g. emergency contact, police, and/or ambulance);

• If DCA has sufficient reasons to believe that an unlawful activity has been, is being or may be engaged in, and the disclosure of personal information becomes a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, the organisation may make such disclosures;

• DCA may further disclose personal information if its disclosure is mandated by an enforcement body or is required for the following:

  ◦ the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

  ◦ the enforcement of laws relating to the confiscation of the proceeds of crime;

  ◦ the protection of the public revenue;

  ◦ the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

  ◦ the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

• To provide a response to a request under freedom of information legislation.

Storage

DCA will:

• Implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorised access, interference, unauthorised modification or disclosure;

• Before DCA discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, establish that they are privacy compliant. DCA will have systems which provide sufficient security; and,

• Ensure that DCA’s data is up to date, accurate and complete.

Destruction and de-identification

DCA will:

• Destroy personal information once it is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones; and,

• Change information to a pseudonym or treat it anonymously if required by the person whose information DCA holds and will not use any government related identifiers unless they are reasonably necessary for our functions.

Data quality

DCA will:

• Take reasonable steps to ensure the information DCA collects is accurate, complete, up to date, and relevant to the functions we perform.

Data security and retention

• DCA will only destroy records in accordance with the organisation’s Records Management Policy;

• DCA staff and volunteer access to personal records will be withdrawn immediately upon that staff member or volunteer ceasing work with DCA.

Openness

DCA will:

• Ensure stakeholders are aware of DCA’s Privacy Policy and its purposes;

• Make this information freely available in relevant publications and on the organisation’s website.

On request by a person, DCA must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Access and correction

• DCA will ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date;

• If the individual and DCA disagree about whether the information is accurate, complete and up to date, and the individual asks DCA to associate with the information a statement claiming that the information is not accurate, complete or up to date, DCA will take reasonable steps to do so;

• DCA will provide to the individual its reasons for denial of access or a refusal to correct personal information;

• DCA can withhold the access of an individual to his/her information if:

  ◦ providing access would pose a serious and imminent threat to the life or health of any individual;

  ◦ providing access would have an unreasonable impact upon the privacy of other individuals; or,

  ◦ the request for access is frivolous or vexatious; or,

  ◦ the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or,

  ◦ providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or,

  ◦ providing access would be unlawful; or,

  ◦ providing access would be likely to prejudice an investigation of possible unlawful activity; or,

  ◦ an enforcement body performing a lawful security function asks DCA not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

• Where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, DCA may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

• If DCA decides not to provide the individual with access to the information on the basis of the above-mentioned reasons, DCA will consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

• DCA may charge for providing access to personal information. However, the charges will be nominal and will not apply to lodging a request for access.

Identifiers

DCA will not adopt as its own identifier of an individual an identifier that has been assigned by any third party. It may however adopt a prescribed identifier by a prescribed organisation in prescribed circumstances; and,

• DCA will not use or disclose the identifier assigned to an individual by a third party unless:

  ◦ the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or,

  ◦ the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Anonymity

DCA will:

• Allow people from whom the personal information is being collected to not identify themselves or use a pseudonym unless it is impracticable to deal with them on this basis.

Making information available to other organisations

DCA can:

• Release information to third parties where it is requested by the person concerned.