POLICY
This procedure must be read with the Hope Valley Plus Privacy Policy.
The Privacy Policy must include a ‘last updated’ date wherever it is displayed.
APPLICATION
This procedure applies to all staff and contractors Hope Valley Plus. Staff and contractors must understand what personal information is, and how to use or disclose that information in accordance with the law and our Privacy Policy.
The Privacy Policy and these procedures apply to all personal information collected by Hope Valley Plus whether through the company’s website/s or any other method.
Where a Privacy Officer has not been appointed, the most senior person working in the business will be deemed to be the Privacy Officer, responsible for managing the Privacy Policy and this Procedure.
UNDERSTANDING WHAT IS PERSONAL INFORMATION
All staff are responsible for understanding what is personal information.
Personal information is only information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Examples of personal information are:
• name and address
• bank account details and credit card information
• credit worthiness information
• information about a person’s preferences
• photos
• tax file numbers
Some personal information is considered sensitive and requires greater protection. All staff must monitor the collection of personal information to ensure that we DO NOT collect this kind of information.
• criminal record
• genetic information
• health or medical information
• membership of a political association, professional or trade association or trade union
• political opinion
• racial or ethnic origin
• religious beliefs or affiliations
• sexual preferences or practices
WHAT IS NOT PERSONAL INFORMATION
Confidential Information
Information exchanged between people in a relationship that has inherent requirements of confidentiality, eg. doctor and patient or lawyer and client, may be confidential. This does not apply to this company.
Parties may also enter into an agreement to keep information private and confidential. That is a contractual agreement and does not affect the privacy of personal information. Information that is exchanged pursuant to a deed of confidentiality may not be personal information.
Freedom of Information (FOI) or Right to Information (RTI)
Only government agencies have to answer requests made under FOI or RTI requests. FOI or RTI requests do not apply to this company.
HOW WE COLLECT PERSONAL INFORMATION
All staff are responsible for monitoring how we collect information, consistent with the following:
– through sign in and contact forms on our website/s
– by collecting business cards
– Including demographic information collect via website browser cookies if used
SECURE STORAGE OF PERSONAL INFORMATION
Management must ensure that business information systems and local recordkeeping systems have access-control protocols and procedures that so that:
– records are stored with an appropriate level of security (eg. records containing personal information must be kept locked or password protected).
– records can only be accessed by staff for legitimate work purposes.
– record and archival integrity is maintained.
– staff who access records are aware of their responsibilities for protecting privacy and confidentiality where relevant.
– the business understands the data storage laws of the country Australia where the data is hosted.
Information that is collected electronically must only be stored in the Customer Relationship Management system.
Information that is collected in hard copy, we transfer the collected data into our electronic Customer Relationship Management system and the securely destroy the hard copy.
WHY WE COLLECT PERSONAL INFORMATION
Management is responsible for monitoring the collection of personal information to ensure that it is not collected for any purpose not stated in this procedure.
We collect personal information for the purposes of:
– marketing our products and services to customers and prospective customers
– marketing related products and services to our customers
– building business relationships
USE AND DISCLOSURE OF PERSONAL INFORMATION
All staff are responsible for monitoring how we use the personal information we collect in ways that support the purpose for collection. We do not make collated personal information available to others, unless they are providing a service that supports what we do, for example, mail delivery companies or telemarketers employed by us.
ANTI-SPAM
Spam is electronic junk mail sent via email or mobile phone. Management is responsible for monitoring the transmission of messages so that that we do not send ‘junk’ and we do not send electronic mail unless:
1. We have consent from the person we are sending it to, either express or implied
2. We identify our business and how we can be contacted
3. We provide people with the opportunity to ‘unsubscribe’ to allow recipients to opt out of receiving our messages.
DISCLOSURE TO GOVERNMENT AGENCIES
Only the company Privacy Officer is authorised to respond to requests from government agencies. Please forward all requests to info@hopevalleyplus.com.au.
Information requested by government agencies must:
– be in writing on appropriate letterhead
– state the relevant law authorising the request for information
– provide specific detail of the information requested
– sufficient information to assist staff to determine whether or not the request is reasonably necessary
MANAGING REQUESTS FOR ACCESS TO PERSONAL INFORMATION
If a person requests a copy of the personal information held about them, the request must be referred to the Privacy Officer info@hopevalleyplus.com.au. Receipt of requests must be acknowledged to the applicant within 2 business days of receipt.
A request for access to information must be made in writing. The purpose of the request is not relevant. There can be no charge for making the request.
The Privacy Officer may ask for more detail regarding the information requested.
The Privacy Officer may choose to provide access to the information in the following ways:
– via inspection in person by the applicant
– via hard copy delivered by ordinary post
– via electronic copy delivered to the confirmed personal email address of the applicant
A reasonable charge may be levied for provision of information to cover the administrative costs incurred in providing that information.
The response to a request for access should be delivered to the applicant within 30 days of the request being received.
INTEGRITY OF PERSONAL INFORMATION
Where staff are aware that personal information is incorrect, they must rectify that information as soon as possible.
If a person advises that their personal information is incorrect, and the Privacy Officer does not agree with their assertion, any request that person makes to amend their personal information must be stored with the personal information already held.
RECORDS MANAGEMENT PROCEDURES
All personal information should be securely destroyed after it is no longer required.
Personal information will be retained for a period of 7 years after last use for the purpose of meeting legal, accounting and auditing requirements, unless a longer period of retention is legally required.
MANAGING COMPLAINTS
Any complaint of breach of the Privacy Policy must be referred to the Privacy Officer as soon as possible. The Privacy Officer must:
– acknowledge receipt of the complaint as soon as possible
– decide whether or not there has been a breach of the privacy policy
– obtain evidence relevant to the breach
– investigate the breach
– make sure that there are no further breaches regarding the person in question, or the type of information disclosed
– assess the cause (eg. as lack of training or awareness of privacy requirements)
– assess the potential harm from the breach (harm to the individual whose personal information has been disclosed and harm to the company)
– implement any actions necessary to reduce potential harm or prevent it happening again
– decide what to tell the affected person (whether or not there was a breach; if so, how it happened; what has been done to control or reduce potential harm; what has been done/ will be done to prevent it happening again)
– decide whether anyone else needs to be notified eg. Privacy Commissioner (depends on the level of perceived harm – for example if credit card details have been disclosed) and
– keep a record of the complaint, the investigation and the response to the complainant.
Payment of financial compensation is not a remedy for breach of the Privacy Policy.
The complainant must be notified of the ability to make a complaint to the state or federal office of the Privacy Commissioner if they are not satisfied with the way the complaint was handled.
Last Updated: 10_09_2014
