1.1. Early Links is committed to protecting personal information in accordance with our obligations under the Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012.
1.2. The purpose of this document is to outline how Early Links will comply with these legislative requirements.
1.3. The supporting systems and procedures will ensure that there are some guidelines and consistency on the following:
- What kind of personal and sensitive information Early Links collects and holds.
- How Early Links will collect and hold personal and sensitive information.
- The purposes for which Early Links collects, holds, uses and discloses personal and sensitive information.
- How people can access their personal and sensitive information held by Early Links and seek the correction of such information.
- How people can make a complaint about the way Early Links collects, holds, uses or discloses personal and sensitive information, and how Early Links will deal with Privacy related complaints.
- Whether Early Links is likely to disclose personal or sensitive information to overseas recipients, and where those recipients might be located.
This policy applies to all Early Links stakeholders, including children, families/carers and all workers for Early Links (employees, volunteers, students, contractors, and third parties/partners), community members, donors and sponsors.
3.1. What is Personal Information
3.1.1. Personal information will only be collected if it is reasonably necessary for Early Links service activities and functions (Australian Privacy Principle 3). Examples of personal information Early Links would collect include a person’s name, address, a photograph, details of education qualifications or an email address. We will collect relevant information depending on your relationship with Early Links:
i. Employee Records – personal information in relation to the employment of an individual. This may include any of the following information:
- Recruitment, training, disciplining or resignation
- Termination of employment
- Terms and conditions of employment
- Personal and emergency contact details
- Performance or conduct documents
- Hours of employment
- Detail of salary or wages
- Membership of a professional or trade association
- Trade union membership details
- Leave records – annual, long service, personal/carers, parental or other leave;
- Taxation, banking or superannuation details
- Working with children check
- Criminal Record Check.
ii. Client Files – personal information collected from children and their families to assist us in providing safe, relevant and effective advice and support in relation to early intervention strategies for children living with a disability.
iii. Donor/Sponsor details – personal information collected from community members, workers and/or clients who provide financial or in-kind support to the work of Early Links.
3.2. What is Sensitive Information
3.2.1. Sensitive information can only be collected with the individual’s consent, and where it is reasonably necessary for Early Links service activities and functions (Australian Privacy Principle 3).
3.2.2. Sensitive information may include any of the following information or opinion about an individual:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual orientation or practices
- criminal record
- health information about an individual.
3.3. Collection of personal information
3.3.1. Where possible, Early Links will collect personal information directly from the individual it relates to (or their legal guardian). In some instances, Early Links may need to obtain personal information from third parties, such as in the employment of an individual, where Early Links may obtain work history information from a referee. Where reasonable, Early Links will notify the individual that this personal information has been collected. Early Links will only collect personal information by lawful means (Australian Privacy Principle 3).
3.4. Unsolicited personal information
3.4.1. Should Early Links receive personal information that they did not request and determine that they could not have obtained this information using the lawful means identified in section 3.3, Early Links will destroy this information (Australian Privacy Principle 4).
3.5. Use and disclosure
3.5.1. Personal information which is collected for the primary purpose of Early Links service delivery, activities and functions will not be disclosed for secondary purposes unless the individual consents to the disclosure of the information; or the secondary purpose is directly related to the primary purpose; or the disclosure of information is required under Australian law (Australian Privacy Principle 6).
3.5.2. Early Links will not disclose personal information, including sensitive information, for the purpose of direct marketing or fundraising without the consent of the individual (Australian Privacy Principle 7).
3.5.3. Early Links will not disclose personal information to an overseas recipient unless required by Australian law (Australian Privacy Principle 8).
3.5.4. Early Links will not adopt a government related identifier (such as a Medicare number) as a unique identifier, nor will we disclose any identifiers we store (Australian Privacy Principle 9).
3.6. Data Collected through Social Platforms
3.6.1. Website: Early Links uses Google Analytics and other services to record anonymous information when visitors access the Early Links website such as:
- Server address
- Date and time of visit
- Pages visited
- Geographic location
- Device used
- Demographic and interests
3.6.2. Remarketing: Early Links may use services such as Google and Facebook for the purpose of remarketing. This involves reconnecting with people who have visited the Early Links website on other online platforms for the purpose of advertising. Google details policy requirements for Google Analytics Advertising Features here – https://support.google.com/analytics/answer/2700409?hl=en
3.6.4. Email: Early Links will be building a database of email addresses for the purpose of issuing email campaigns such as newsletters. Visitors to the website will be able to subscribe by completing a form on the website. The emails we issue will include an option to unsubscribe and comply with the Spam Act 2003.
3.7. Data Quality and Correction
3.7.1. Early Links will take reasonable steps to ensure that all personal information collected from stakeholders is accurate, complete and up to date. Parents/carers will be required to update their details annually, or whenever they experience a change in circumstances. Computer records will be updated as soon as new information is provided. In the event that Early Links discloses personal information we will reasonably ensure it is accurate and relevant as per our commitment to data quality (Australian Privacy Principle 10).
3.7.2. Similarly, should Early Links believe that personal information stored is out of date, or an individual requests to update personal information, they will take reasonable steps to correct the information and will update computer records (Australian Privacy Principle 13).
3.8. Data Security
3.8.1. Early Links is committed to securely storing the personal information we collect and will take all reasonable steps to prevent the unauthorised access, misuse, loss or disclosure of such information. In the event that Early Links no longer needs, or is no longer required under Australian law to store personal information, we will de-identify and/or destroy the information (Australian Privacy Principle 11).
3.8.2. If the personal information of a person supported by Early Links or their parent/carer were to be lost, damaged or the security of their personal information were to be compromised, Early Links would notify the parent/carer within 48 hours of becoming aware of this situation. Early Links would also notify the Privacy Commissioner and any other external agencies required and take all reasonable steps to minimise the impact of the data breach and remediate the situation. If personal or sensitive information is used for the purpose of evaluation, case studies or research, including in Assessment tasks completed by Student Placements, we will ensure that any documents provided are de-identified.
3.9. Data Breaches (Privacy Amendment (Notifiable Data Breaches) Act 2017)
3.9.1. A data breach occurs when personal information held by Early Links is subject to unauthorised access or disclosure or is lost. A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples include loss or theft of physical laptops and storage devices or paper records, unauthorised access by an employee, or inadvertent disclosure of personal information due to ‘human error’ (e.g., email sent to the wrong person).
3.9.2. Management of data breaches: Early Links has a Data Breach Response Plan covering how data breaches are assessed and managed; staff roles and responsibilities; how data breaches are recorded and reviewed; how to improve information security because of a breach; and, notifying data breaches.
3.9.3. Eligible (notifiable) data breaches: Early Links may notify certain data breaches to the OAIC and to individuals about whom the personal information relates. ‘Eligible data breaches’ occur when all three of the following criteria are met:
i. There is unauthorised access to or disclosure of personal information held by Early Links (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
ii. This is likely to result in serious harm to any of the individuals to whom the information relates.
iii. Early Links has been unable to prevent the likely risk of serious harm with remedial action.
3.9.4. Notifying data breaches: The method Early Links will use to notify individuals will depend on the type of data breach and who it affects. We may notify each individual to whom the relevant information relates, notify only individuals at risk of serious harm, or publish a notification (e.g. on the Early Links website). Any notification will not identify specific individuals who accessed information unless it is relevant to the steps Early Links recommends individuals might take in response.
3.10. Access and Correction
3.10.1. Where reasonable, Early Links will allow individuals access to their personal information in a prompt and convenient manner. Parents/carers wishing to access their personal information must make written application to the CEO, who will arrange an appropriate time for this to occur. The CEO will protect the security of the information by checking the identity of the applicant, and ensuring someone is with them while they access the information to ensure the information is not changed or removed without the CEO’s knowledge.
3.10.2. In the event that Early Links believes that access to personal information: poses a risk to health and safety; unreasonably impacts the privacy of others; or relates to anticipated legal proceedings between Early Links and the individual, Early Links may reasonably refuse access and will outline the decision in writing.
3.11. Anonymity and pseudonymity
3.11.1. Individuals have the right to not identify themselves in relation to a particular matter, unless it is impractical to do so, or where it is required by law or court/tribunal order (Australian Privacy Principle 2).
3.12.2. The CEO will deal with privacy complaints promptly and in a consistent manner, following the Early Links Complaints and Feedback procedures. Where the aggrieved person is dissatisfied after going through the complaints process, they should refer to the Office of the Australian Information Commissioner website oaic.gov.au and submit a Privacy Complaint Form. Alternatively, they should phone the hotline on 1300 363 992.
3.13. Advocacy/legal advice/independent support
3.13.1. Early Links welcomes the inclusion of support for families which is external to the organisation, to assist families in their interactions with Early Links. Assistance may be provided by a friend, family member, staff member, translator, community visitor, advocate or anyone else who is acceptable to the family / person. Where necessary, Early Links will offer assistance to a family by making a referral to an advocacy service with the consent of the family.
NDIS Practice Standards and Quality Indicators Core Module
1. Rights and Responsibilities
Privacy and Dignity
Outcome: Each client accesses supports that respect and protect their dignity and right to privacy.
2. Provider Governance and Operational Management
Outcome: Management of each client’s information ensures that it is identifiable, accurately recorded, current and confidential. Each client’s information is easily accessible to the client and appropriately utilised by relevant workers.
Feedback and Complaints Management
Outcome: Each client has knowledge of and access to the provider’s complaints management and resolution system. Complaints and other feedback made by all parties are welcomed, acknowledged, respected and well-managed.
Human Resource Management
Outcome: Each client’s support needs are met by workers who are competent in relation to their role, hold relevant qualifications, and who have relevant expertise and experience to provide person-centred support.
4. Support Provision Environment
Outcome: Each client accesses supports in a safe environment that is appropriate to their needs.
The National Disability Insurance Scheme Act 2013 (NDIS Act)
National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018
National Disability Insurance Scheme (Quality Indicators) Guidelines 2018
Privacy Act 1988
Australian Privacy Principles
Privacy Amendment (Notifiable Data Breaches) Act 2017
Privacy Amendment (Enhancing Privacy Protection) Act 2012
United Nations Convention of the Rights of a Child
Freedom of Information Act 1989
Child Protection Act 1998
NSW Children and Young Person’s (Care and Protection) Act (1998)
5. Persons Responsible
All staff are responsible for:
- Implementing this policy.
- Recording documentation in an accurate and strengths-based way.
- Maintaining Privacy and Confidentiality responsibilities as outlined in their employment contract.
- Ensuring that changes to enrolment and other relevant information about children and parents/carers are updated in the service records.
The CEO is responsible for:
- Responding to requests from parents/carers and workers to see information held about themselves.
- Organising for Confidentiality Forms to be signed by volunteers/students.
Management Committee is responsible for:
- Approval of this policy document and/or amendment as necessary.
Early Links – all Early Links offices, services and programs
Manager – refers to the CEO who is responsible for supervising staff members
Staff – refers to employees and volunteers of the organisation
Client – any person for whom Early Links provides a service
Family – refers to the parents/caregivers of the children that are clients of the organisation
Visitor – any person who is visiting an Early Links service who is not a staff member, client or family
APP entities – refers to the organisations and Australian Government agencies that these principles apply to, including Early Links.
Anonymity – means that an individual dealing with Early Links cannot be identified and Early Links does not collect personal information or identifiers.
Management Committee – the governing body of Early Links, comprised of elected or appointed members who jointly oversee the activities and legal responsibilities of the organisation.
Worker – anyone who is carrying out work, in any capacity, for Early Links. This includes employees, contractors/subcontractors and their employees, labour hire employees engaged to work in the organisation, outworkers, apprentices, trainees, students on work experience and volunteers.
Data breach – may be one or more of the following:
- Unauthorised access: when personal information held by Early Links is accessed by someone who is not permitted to have access, including an employee, independent contractor, or an external third party (such as by hacking). Examples of unauthorised access include: an employee browsing sensitive customer records without any legitimate purpose, and a computer network being compromised by an external attacker.
- Unauthorised disclosure: when Early Links, whether intentionally or unintentionally, makes personal information accessible or visible to others outside Early Links and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee, for example, accidentally publishing a confidential data file containing personal information of one or more individuals on the internet.
- Loss: accidental or inadvertent loss of personal information held by Early Links, in circumstances where it is likely to result in unauthorised access or disclosure, for example, where an employee leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) in a public location, or electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.
OAIC – Office of the Australian Information Commissioner – a regulatory body with responsibilities and powers under the Privacy Act 1988, the Freedom of Information Act 1982 (FOI Act) and other related legislation. Its functions cover privacy, freedom of information (FOI), and government information management.
Primary Purpose – the specific function or activity for which Early Links collects personal information
Pseudonym/pseudonymity – A pseudonym is a name, term or descriptor that is different to an individual’s actual name.
Secondary Purpose – is any purpose other than the primary purpose for which Early Links collects the personal information
Serious harm – in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. For example, financial fraud including unauthorised credit card transactions or credit fraud; identity theft causing financial loss or emotional and psychological harm; family violence; and physical harm.
Disclose (information/records/data) – where Early Links makes personal and sensitive information accessible to others outside Early Links and releases the subsequent handling of the information from the effective control of Early Links. The release may be a proactive release or publication, a release in response to a specific request, an accidental release, or an unauthorised release by an employee.