GOV02 Privacy and handling of protected information policy
Document History
| Version | Board approval date | Author | Change history | Review date |
|---|---|---|---|---|
| 1.0 | 18 March 2019 | S Lim | New policy for Board Approval | 12 months |
| 1.1 | 12 May 2020 | S Lim | Annual review – update template | 12 months |
| 1.2 | May 2021 | S Lim | Annual review – update contact details | 12 months |
| 2.0 | May 2022 | S Lim | Revised to include data breach response plan and link to records management | 12 months |
| 2.1 | May 2023 | S Lim | Revised to include cyber security incident BCP | 12 months |
| 2.1 | May 2024 | S Lim | No changes | 12 months |
1.0 Company’s Purpose
1.1 The Company’s purpose is to be the national body of The Uniting Church in Australia (the Uniting Church) to respond to and provide support for children and vulnerable persons who have suffered abuse at the hands of the Uniting Church or participating institutions, including by participation in a nationally consistent equitable redress scheme.
2.0 Policy Purpose
2.1 Under the Company’s constitution, Clause 30.4 states:
- The directors may make regulations and policies consistent with this constitution for the proper control, management and administration of the company and amend or rescind those documents.
The purpose of this policy is to set out the Company’s approach to the proper handling of personal and protected information.
3.0 Application
3.1 This policy applies to the directors and employees of UCA Redress Limited. All persons who deal with requests for information from the National Redress Scheme are required to operate under the principles of this policy.
4.0 Policy statement
4.1 The Company is committed to protecting information about people who make contact with the Company, through application to the National Redress Scheme or in any other manner.
4.2 The Company will adhere to the Privacy Act 1988 (Cth) (the Privacy Act) and to the proper handling of protected information under the National Redress Scheme for Child Sexual Abuse Act 2018 (Cth) (the National Redress Act). The Company will publish this policy on its website.
4.3 In some cases, UCA Redress Ltd or other Uniting Church entities will be required by law to report information about possible misconduct or criminal conduct in accordance with reportable conduct schemes or to report to police or other authorities.
5.0 Privacy policy
5.1 This document is our privacy policy and it tells you how we collect and manage personal information collected both from the website and by the officers of UCA Redress Ltd. We respect your rights to privacy under the Privacy Act and we will comply with all of the Privacy Act’s requirements in respect of the collection, management and disclosure of your personal information.
Synods and institutions of the UCA that participate in the National Redress Scheme through UCA Redress Ltd are responsible for producing their own privacy policy in accordance with the Privacy Act.
- What is your personal information?
When used in this privacy policy, the term “personal information” has the meaning given to it in the Privacy Act. In general terms, it is any information that can be used to personally identify you. This may include your name, address, telephone number, email address and profession or occupation. If the information we collect personally identifies you, or you are reasonably identifiable from it, the information will be considered personal information.
- What personal information do we collect and hold?
We may collect the following types of personal information:
- name
- mailing or street address
- email address
- telephone number
- facsimile number
- age or birth date
- profession, occupation or job title
- details of the services that we have provided to you or which you have enquired about, together with any additional information necessary to deliver those services and respond to your enquiries
- any additional information relating to you that you provide to us directly through our websites or indirectly through use of our websites or online presence, through our representatives or otherwise
- information you provide to us through our activities and services, surveys or visits by our representatives from time to time
- information contained in your application to the National Redress Scheme.
We may also collect some information that is not personal information because it does not identify you or anyone else. For example, we may collect anonymous answers to surveys or aggregated information about how users use our website.
We may also collect health information with your consent and where it is reasonably necessary for one or more of our functions or activities.
- How do we collect your personal information?
We collect your personal information directly from you unless it is unreasonable or impracticable to do so. When collecting personal information from you, we may collect it in a variety of ways including:
- through your access and use of our website
- during conversations and via correspondence between you and our representatives
- when you complete an application or purchase order
- when you register for mailing lists or updates
- when you complete our forms for the provision of services
- when you complete a survey or make a donation.
We may also collect personal information from third parties including from third party companies such as credit reporting agencies, law enforcement agencies and other government entities and specialist agencies that assist us in achieving our objectives. This collection of information from third parties would occur in circumstances such as during recruitment when conducting a criminal record check or when verifying a Working with Children Check.
- Anonymity
We will generally provide individuals with the option of not identifying themselves when contacting us or participating in activities or obtaining services or assistance from us unless we are authorised by law not to do so or it is impracticable for us to deal with individuals who have not identified themselves or have used a pseudonym (in such circumstances we will only obtain as much personal information as is necessary to provide you with the service or assistance you require). If we do not have your personal information then we may be limited in our ability to provide you with the services or assistance or advise you of information relating to our operations and the activities we carry out.
- Cookies
In some cases we may also collect your personal information through the use of cookies. When you access our website, we may send a ‘cookie’ (which is a small summary text file containing a unique ID number) to your computer. This enables us to recognise your computer and greet you each time you visit our website without bothering you with a request to register. It also enables us to keep track of services and products you view so that, if you consent, we can send you news about those services and products.
In some cases we may use Google Analytics to measure traffic patterns to determine which areas of our website have been visited and to measure transaction patterns in the aggregate. We use this to research our users’ habits so that we can improve our online presence, information and services. Our cookies do not collect personal information. If you do not wish to receive cookies, you can set your browser so that your computer does not accept them. Our use of Google Analytics will not involve the collection of personal information.
We may log IP addresses (that is, the electronic addresses of computers connected to the internet) to analyse trends, administer our website, track users’ movements, gather broad demographic information and for security reasons. Logged IP addresses are not used for identifying users.
- What happens if we can’t collect your personal information?
If you do not provide us with the personal information described above, some or all of the following may happen:
- we may not be able to provide the requested activities or services to you, either to the same standard or at all
- we may not be able to provide you with information about activities and services that you may want
- we may be unable to tailor the content of our websites to your preferences and your experience of our websites may not be as enjoyable or useful
- we may not be able to contact you in relation to the various activities we undertake and services we provide.
- For what purposes do we collect, hold, use and disclose your personal information?
We collect personal information about you so that we can perform our activities and functions and provide the best possible quality of service.
We collect, hold, use and disclose your personal information for the following purposes:
- to provide services to you and to send communications requested by you
- to arrange the various activities of UCA Redress Ltd
- to answer enquiries and provide information or advice about existing and new services
- to provide you with access to protected areas of our website
- to assess the performance of our website and to improve the operation of our website
- to conduct service processing functions, which may include providing personal information to our various organisations, contractors, service providers or other third parties
- for the administrative, marketing (including direct marketing), planning, product or service development, quality control and research purposes of UCA Redress Ltd, its various organisations, contractors or service providers
- to update your personal information held by our related bodies, contractors or service providers
- to update our records and keep your contact details up to date
- to establish and maintain your involvement with UCA Redress Ltd
- to answer your enquiries
- to register you for events, conferences and activities
- for direct promotion of services and to keep you informed of new developments we believe may be of interest to you. If we contact you in this way without obtaining your prior consent, we will provide you with the opportunity to decline any further promotional communications
- to third parties where we have retained those third parties to assist us to provide the services you have requested, such as religious education instructors, catering and event coordinators, promotions companies, transport providers, health care providers, website hosts and IT consultants, and our professional advisers such as consultants, lawyers and accountants. In some circumstances we may need to disclose sensitive information about you to third parties as part of the services you have requested to different parts of the Church to enable the development and promotion of other activities and services and to improve our general ability to assist Church attendees and the wider community
- to process and respond to any complaint made by you
- to track clients’ use of any services we offer
- to comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority of any country (or political sub-division of a country).
Your personal information will not be shared, sold, rented or disclosed other than as described in this Privacy Policy.
- To whom may we disclose your information?
We may disclose your personal information to:
- our employees, the various Uniting Church entities, contractors or service providers for the purposes of operation of our website or our operations, fulfilling requests by you, and to otherwise provide services to you including, without limitation, web hosting providers, IT systems administrators, mailing houses, couriers, payment processors, data entry service providers, electronic network administrators, debt collectors, and professional advisors such as accountants, solicitors, business advisors and consultants
- suppliers and other third parties with whom we have commercial relationships, for operations, and related purposes
- any organisation for any authorised purpose with your express consent
We may combine or share any information that we collect from you with information collected by any of our various member organisations (within Australia).
- Direct marketing materials
We may send you direct marketing communications and information about our activities and services that we consider may be of interest to you. These communications may be sent in various forms, including mail, SMS, fax and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so. In addition, at any time you may opt-out of receiving marketing communications from us by contacting us (see the details below) or by using opt-out facilities provided in the marketing communications and we will then endeavour to ensure that your name is removed from our mailing list.
We do not provide your personal information to other organisations for the purposes of direct marketing.
- Use of Commonwealth Government identifiers
We will not use Commonwealth government identifiers, such as Medicare numbers or driver’s licence numbers, as our own identifiers of individuals. We will only use or disclose such identifiers in the circumstances permitted by the Privacy Act or under the National Redress Scheme.
- How can you access and correct your personal information?
You may request access to any personal information we hold about you at any time by contacting us (see the details below). Where we hold information that you are entitled to access, we will try to provide you with suitable means of accessing it (for example, by mailing or emailing it to you). We may charge you a fee to cover our administrative and other reasonable costs (e.g. photocopying, faxing, etc.) in providing the information to you and, if so, we may charge a reasonable fee for providing access. An administrative fee may be applied for pages scanned or photocopied where the total number of pages requested is above 10 pages. Currently the charge will be $0.20 per page photocopied or scanned. We will not charge for simply making the request and will not charge for making any corrections to your personal information. Depending on the nature of the request, we may ask you to verify your identity or to put your request in writing.
There may be instances where we cannot grant you access to the personal information we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.
If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it by contacting us via the contact details below. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment then we will add a note to the personal information stating that you disagree with it.
- What is the process for complaining about a breach of privacy?
If you believe that your privacy has been breached or you are not happy with the way your personal information has been handled by us, please contact our Privacy Officer using the contact information below and provide details of the incident (preferably in writing) so that we can investigate it.
We will attempt to confirm as appropriate with you your understanding of the conduct relevant to the complaint and what you expect as an outcome. We will inform you whether we will conduct an investigation, the name, title, and contact details of the investigating officer and the estimated completion date for the investigation process.
After we have completed our enquiries, we will contact you, usually in writing, to advise the outcome and invite a response to our conclusions about the complaint. If we receive a response from you, we will assess it and advise if we have changed our view. If you are unsatisfied with the outcome, we will advise you about further options including, if appropriate, review by the Privacy Commissioner within the Office of the Australian Information Commissioner.
- Do we disclose your personal information to anyone outside Australia?
We do not disclose personal information to overseas recipients, except with your consent.
- Security
We take reasonable steps to ensure your personal information is protected from misuse and loss and from unauthorised access, modification or disclosure. We may hold your information in either electronic or hard copy form. Personal information is destroyed or de-identified when no longer needed.
As our website is linked to the internet, and the internet is inherently insecure, we cannot provide any assurance regarding the security of transmission of information you communicate to us online. We also cannot guarantee that the information you supply will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information which you transmit to us online is transmitted at your own risk.
- Links
Our website may contain links to other websites operated by third parties. We make no representations or warranties in relation to the privacy practices of any third party website and we are not responsible for the privacy policies or the content of any third party website. Third party websites are responsible for informing you about their own privacy practices.
- Contacting us
If you have any questions about this privacy policy, any concerns or a complaint regarding the treatment of your privacy or a possible breach of your privacy, please use the contact link on our website or contact our Privacy Officer using the details set out below.
We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to discuss your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.
Please contact our Privacy Officer at:
Privacy Officer
UCA Redress Ltd
Email: info@redress.uca.org.au
By mail: UCA Redress Ltd, GPO Box A2266 Sydney South NSW 1235.
- Changes to our privacy policy
We may change this privacy policy from time to time. Any updated versions of this privacy policy will be posted on our website.
6.0 Information under the National Redress Scheme
6.1 This section outlines how we collect and manage information obtained under the National Redress Scheme.
6.2 Under the National Redress Scheme, UCA Redress Ltd will receive requests for information from the Commonwealth. In doing so, UCA Redress Ltd will be provided with “protected information” under the National Redress Act.
6.3 As the central contact point for the Uniting Church in relation to the National Redress Scheme, UCA Redress Ltd will send protected information to, and receive it from, other Uniting Church entities for the purposes of the Scheme, in accordance with section 98 of the National Redress Act, including:
- to respond to requests for information
- for the purposes of providing a direct personal response
- for facilitating a claim under an insurance policy
- for the purpose of the participating institution undertaking internal investigation and disciplinary procedures.
6.4 Information will be stored securely and only shared with those individuals who have a need to know for the above purposes. In sharing protected information for the purposes of the Scheme, individuals will be reminded of their confidentiality obligations under the National Redress Act.
7.0 Data breach
7.1 Any possible data breaches will be dealt with under GOV02-01 Data breach response plan.
7.2 Any cyber security incidents will be dealt with under GOV07-01 Cyber security incident business continuity plan.
7.3 Where a cyber security incident involves a possible data breach, both of these plans may be in operation.
8.0 Related documents
GOV04 Complaints and feedback policy
GOV08 Records management policy
GOV07 Business continuity planning policy and framework