Olympus respects the privacy of all individuals. All personal information, including sensitive information, collected by Olympus is collected in accordance with the Privacy Act 1988 and the Australian Privacy Principles (Privacy Amendment (Enhancing Privacy Protection) Act 2012). This policy also ensures compliance with the National Disability Service Standards and Article 22 of the United Nations Convention of the Rights of Persons with Disabilities.
The organisation takes reasonable steps to protect any personal information received from clients, families, employees, volunteers or other service providers. These steps apply to the way the organisation collects, stores, uses or discloses personal information. Personal information will not be disclosed to any unauthorised third party without the consent of the individual.
The type of information we collect, and the way we use this will depend on the individual’s relationship with Olympus (e.g. as a client, family member/carer, employee, volunteer or other service provider). Personal information may be used to:
- provide a service
- respond to feedback or complaints
- answer queries
- report to government or other funding bodies how funding is used
- process donations and provide receipts
- send information on events and copies of our newsletters.
- the kinds of personal information collected by the organisation
- how the organisation keeps personal information secure
- the ways the organisation collects personal information
- the purposes for which personal information is collected, held, used and disclosed
- how individuals can access, update or correct their personal information
- how an individual can make a complaint if they feel Olympus has breached the Australian Privacy Principles.
Australian Privacy Principles (APP):
- legally binding principles which are the cornerstone of the privacy protection framework in the Privacy Act,
- set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information,
- apply to most Australian Government agencies and some private sector organisations — collectively referred to as APP entities.
The APPs are grouped into five parts to reflect the personal information lifecycle:
- Part 1 — Consideration of personal information privacy (APPs 1 and 2)
- Part 2 — Collection of personal information (APPs 3, 4 and 5)
- Part 3 — Dealing with personal information (APPs 6, 7, 8 and 9)
- Part 4 — Integrity of personal information (APPs 10 and 11)
- Part 5 — Access to, and correction of, personal information (APPs 12 and 13).
Personal information – is any information or an opinion about an identified individual, or an individual who is reasonably identifiable. Personal information collected by Olympus may include: an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and/or employment details.
Personal information that has been de-identified will no longer be personal information.
De-identified information – personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’. Generally, de-identification includes:
- removing personal identifiers, such as an individual’s name, address, date of birth or other identifying information,
- removing or altering other information that may allow an individual to be identified, for example, a unique characteristic of the individual.
De-identification may not altogether remove the risk that an individual can be re-identified.
Sensitive information – is part of the personal information about an individual. Sensitive information collected by Olympus may include: racial or ethnic origin, religious beliefs, health information or criminal record.
Sensitive information is generally afforded a higher level of privacy protection than other personal information. Inappropriate handling of sensitive information can have adverse consequences for an individual; it may cause humiliation, embarrassment or undermine an individual’s dignity.
Reasonable Steps – it is the responsibility of Olympus to be able to justify that reasonable steps were taken.
Government identifier – an identifier is a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
Application of Australian Privacy Principles within Olympus
Part 1 — Consideration of personal information privacy (APPs 1 and 2)
Open and Transparent Management of Information
a. our policy statement is available on the Olympus website
- Olympus has procedures for dealing with privacy related inquiries and complaints.
a. Olympus has practices, procedures and systems to ensure the organisation complies with the APPs and any binding registered APP code.
Anonymity and Pseudonymity
- Where it is not unlawful or impracticable, individuals have the option of remaining anonymous or using a pseudonym when dealing with Olympus.
a. Olympus is not required to provide those options where:
i. the organisation is required or authorised by law or a court or tribunal order to deal with identified individuals, or
ii. it is impracticable for the organisation to deal with individuals who have not identified themselves.
Part 2 — Collection of personal information (APPs 3, 4 and 5)
- Olympus may only collect personal information that is reasonably necessary for, or directly related to, one or more of Olympus’ functions or activities.
- Olympus must solicit and collect personal information:
a. by lawful and fair means
b. directly from the individual, unless:
i. the individual consents to the collection of the information from someone other than the individual; or
ii. Olympus is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or
iii. it is unreasonable or impracticable to do so.
- Olympus may only collect sensitive information where:
a. the individual has consented to the collection of that information and the information is reasonably necessary for Olympus to carry out one or more of its functions or activities, or
b. the collection of information is required or authorised by or under Australian law or a court/tribunal order,
c. Olympus reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
- Where it receives unsolicited personal information, Olympus must decide within a reasonable period of time whether that personal information about an individual could have been lawfully collected by Olympus itself, and:
b. If not, and the information is not contained within a Commonwealth record, Olympus will, as soon as practicable, but only if lawful and reasonable to do so, destroy the information or ensure the information is de-identified.
Notification of Collection
- At or before the time Olympus collects personal information from an individual, or as soon as practicable after that, the organisation will take reasonable steps to ensure the individual is aware:
a. Olympus is the collector of the personal information
b. of contact details, telephone number and email address (firstname.lastname@example.org), for the person responsible for handling enquiries and requests relating to the Privacy Act
c. how, when and from where the personal information was collected
d. whether the collection is required or authorised by law
e. the purposes for which the information has been collected
f. the consequences if all or part of the personal information is not collected by Olympus
g. the organisations (or the types of organisations) to which Olympus usually discloses personal information of the kind being collected
h. they can access their personal information and seek correction of this, if required
i. whether the personal information will be transferred overseas, and if practicable or known, to which the countries
- If an individual is concerned about how Olympus handles their personal information, or that Olympus has breached the APP, they can make a complaint:
a. directly to Olympus through the Olympus website or our internal complaints mechanism
i. the organisation manages all complaints in line with our Complaints Procedure, a copy of which is available on request
ii. the Company Secretary is responsible for handling enquiries, requests and complaints relating to the Privacy Act (email@example.com)
b. to the Office of the Australian Information Commissioner (OAIC). Further information is available on their website: http://www.oaic.gov.au/privacy/privacy-complaints
Part 3 – Dealing with personal information (APPs 6, 7, 8 and 9)
Use and Disclosure
- Olympus can only use or disclose personal information for a purpose for which it was collected (the ‘primary purpose’).
- Where the information is sensitive information, Olympus may only use that information for a primary purpose or a directly related purpose the individual has consented to.
- Olympus may sometimes use or disclose personal information about an individual for a ‘secondary purpose’. However, Olympus will only use or disclose personal information about an individual for a secondary purpose in limited circumstances. Olympus will, wherever reasonably possible, seek consent from individuals before using their personal information for a secondary purpose.
- Olympus may use personal information about an individual for a secondary purpose if:
a. the individual has consented to a secondary use or disclosure
b. the individual would reasonably expect Olympus to use or disclose the information for the secondary purpose, and that secondary purpose is:
i. if the information is personal information, it is related to the primary purpose of collection, or,
ii. in the case of sensitive information, it is directly related to the primary purpose
iii. the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
- Some special situations set out in the Law allow the use or disclosure of personal information without consent. In each case, if it does this, Olympus will comply with the relevant Australian Privacy Principle or Rules made by the Privacy Commissioner. Some of these special situations are:
a. where Olympus reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety;
b. Olympus has reason to suspect an individual may have done something unlawful or engaged in serious misconduct that relates to Olympus functions or activities, and Olympus needs to disclose the information so that it can take appropriate action; or
c. Olympus reasonably believes that the use or disclosure is reasonably necessary to assist another person to locate a person reported as missing, or
d. Olympus reasonably believes that the use or disclosure of the information is reasonably necessary for an enforcement body’s enforcement related activities
i. Olympus will make a written note that Olympus has used the information for that purpose.
e. A complete list of these special situations is contained in law.
- Whether or not an individual has consented to the use or disclosure, in the case of any obligation Olympus has under a Commonwealth contract, Olympus is entitled to comply with a requirement under that Commonwealth contract to disclose personal or sensitive information to the Commonwealth agency funding the activity.
- Olympus may only use personal information about an individual for direct marketing where an exception applies under the Law. In every situation where Olympus is permitted to use or disclose personal information for direct marketing, Olympus will allow the individual to ‘opt out’ and will act on the individual’s request to ‘opt out’.
- Olympus may use personal information (other than sensitive information) about an individual for direct marketing if:
a. Olympus collected the information from the individual:
i. and the individual would reasonably expect Olympus to use or disclose the information for direct marketing; and
ii. Olympus has provided a simple means so the individual can easily request not to receive direct marketing communications from Olympus; and
iii. the individual has not made a prior request to Olympus to not receive direct marketing communications from Olympus.
b. Olympus collected the information from someone other than the individual and:
i. either the individual has consented to the use or disclosure for the purpose, or it is impracticable to obtain the individual’s consent; and
ii. in each direct marketing communication with the individual, Olympus includes a prominent statement that the individual can ask not to receive further direct marketing communications from Olympus; or
iii. Olympus otherwise draws the individual’s attention in some other way to the fact that the individual may make that request; and
iv. the individual has not made a request asking Olympus to stop sending direct marketing communications.
- If Olympus uses or discloses personal information about an individual for:
a. direct marketing, an individual may ask Olympus to stop sending direct marketing communications from Olympus and Olympus must do that within 14 days after receiving the request unless exceptional circumstances apply; or
b. where the personal information is used for the purpose of facilitating direct marketing by other organisations on behalf of Olympus, an individual may request Olympus not to use or disclose the individual’s information for direct marketing by other organisations and Olympus must act on that request within 14 days after receiving the request (unless exceptional circumstances apply).
- The individual may request Olympus to provide details of where his or her personal information came from (e.g. which other organisation) and Olympus must do so within 14 days after receiving the request (except in exceptional circumstances) unless it is impractical or unreasonable to do so.
- Olympus will not charge any individual for the making of, or to give effect to, these requests.
Cross border disclosure
- Occasionally, Olympus may be required to transfer personal information to an organisation (other than Olympus or the individual concerned) that is in a foreign country, or Olympus may store some personal information on databases that are in the cloud. In most cases, where Olympus transfers information, the information will be de-identified.
- Olympus will only send information overseas if it has taken reasonable steps to ensure the transferred information will be held, used or disclosed by the recipient organisation consistent with the APP. Further details on these steps can be found in the Law.
Adoption, use or disclosure of Government Identifiers
- Olympus will not adopt a government related identifier of an individual as its own identifier of the individual unless the adoption of the government related identifier is required or authorised by law or a court/tribunal order.
- Olympus will not use or disclose a government related identifier of an individual unless:
a. the use or disclosure of the identifier is reasonably necessary for Olympus to verify the identity of the individual for the purposes of Olympus’ activities or functions; or
b. the use or disclosure of the identifier is reasonably necessary for Olympus to fulfil its obligations to an agency or a State or Territory authority; or
c. the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
d. some of the ‘special situations’ under the Law allow the use or disclosure. In each case, if it does this, Olympus will comply with the relevant APP or Rules made by the Privacy Commissioner. Some of these ‘special situations’ are:
i. where Olympus reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety;
ii. Olympus has reason to suspect an individual may have done something unlawful or engaged in serious misconduct that relates to Olympus functions or activities, and Olympus needs to disclose the information so that it can take appropriate action; or
iii. Olympus reasonably believes that the use or disclosure is reasonably necessary to assist another person to locate a person reported as missing; or
iv. Olympus reasonably believes that the use or disclosure of the information is reasonably necessary for an enforcement body’s enforcement related activities (and Olympus will make a written note that Olympus has used the information for that purpose).
- The complete list of these special situations is contained in the Law.
Part 4 — Integrity of personal information (APPs 10 and 11)
Quality of Personal Information
- Olympus will take all reasonable steps to ensure that the personal information it collects is accurate, complete, up-to-date and relevant, having regard to the purposes of the use or disclosure of the personal information that is collected.
Security of Personal Information
- Olympus will take all reasonable steps to protect the personal information it holds from misuse, interference (which may include measures to protect against computer attacks), loss and unauthorised access, modification or disclosure.
- Olympus data handling practices are regularly reviewed. All sensitive information is separately stored and shared among employees on a need to know basis only.
- Olympus will take all reasonable steps to destroy or permanently de-identify personal information about an individual that it holds, if the information is no longer needed for any purpose for which it is able to be used or disclosed, and where there is no law or Court/tribunal or Commonwealth contract that requires Olympus to keep the information.
- Client records on the CMS are not able to be deleted or removed. Where a client leaves the program/service or is deceased, their records can be de-activated.
Part 5 – Access to, and correction of, personal information (APPs 12 and 13).
Access to personal information
- If Olympus holds personal information about an individual, and the individual wants access to that information, Olympus will provide the individual with access to that information.
- This principle lists ten grounds on which Olympus can refuse to give access to personal information. Olympus need not rely on any such ground and may provide access upon request, unless disclosure is prohibited. Before relying on any of these grounds, Olympus should consider whether redacting some information would enable access to be provided (for example, redacting personal information about another person).
- The ten grounds are:
a. Olympus reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
b. giving access would have an unreasonable impact upon the privacy of other individuals; or
c. the request for access is frivolous or vexatious; or
d. the information relates to existing or anticipated legal proceedings between Olympus and the individual, and the information would not be provided by the process of discovery in those proceedings; or
e. providing access would reveal the intentions of Olympus in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
f. providing access would be unlawful; or
g. denying access is required or authorised by or under an Australian law or a court/tribunal order; or
h. Both of the following apply:
i. Olympus has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Olympus functions or activities has been or is being or may be engaged in; and
ii. giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
i. providing access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
j. giving access would reveal evaluative information generated within Olympus in connection with a commercially sensitive decision-making process.
- Olympus will respond to an access request within a reasonable period after the request is made and will give access to the personal information in the manner requested by the individual, if it is reasonable and practicable to do so. Olympus may, in appropriate circumstances, charge the individual an appropriate (and not excessive) fee for giving access to the personal information.
- If Olympus refuses to give access to personal information in the manner requested by the individual or because one or more of the exceptions referred to in paragraph 35 of this policy apply, Olympus will give the individual a written notice about the refusal that complies with the regulations to the Law and includes information about how a person can complain about the refusal.
Correction of personal information
- Olympus will take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading. This requirement applies where:
a. Olympus is satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held, or
b. the individual requests Olympus to correct the personal information.
- APP 13 sets out the following minimum procedural requirements in relation to correcting personal information:
a. take reasonable steps to notify other APP entities of a correction to an individual’s personal information
b. respond to a request for correction or to associate a statement, and
c. not charge an individual for making a request, correcting personal information or associating a statement.
- If Olympus refuses to correct the personal information when requested to do so by an individual:
a. Olympus will give the individual a written notice about the refusal that complies with the regulations to the Law and includes information about how a person can complain about the refusal.
b. An individual can request Olympus to attach a statement to information saying that the information is inaccurate, out of date, incomplete, irrelevant or misleading. Olympus will answer that request within a reasonable period after it is made and will take reasonable steps to ensure the statement is able to be seen by the users of the information.
- Special considerations apply to Commonwealth records, which can only be destroyed or altered in accordance with the Archives Act 1983 (Archives Act).
Notifiable Data Breaches
A notifiable data breach (NDB) scheme commenced in Australia on 22 February 2018 and applies to eligible data breaches that occur on, or after, that date. The NDB scheme requires us to notify individuals and the Office of the Australian Information Commissioner if there is a data breach that is likely to result in serious harm to any individual to whom the information relates and occurs when personal information is lost or subjected to unauthorised access or disclosure. Exceptions to the NDB scheme apply for some data breaches.
If you require any further information please email firstname.lastname@example.org