Services Privacy Statement
This services privacy statement explains how we manage your personal information.
At Worn Gundidj Aboriginal Co-operative Ltd (‘Worn Gundidj’) we are committed to protecting your privacy and your personal information and we are bound by the Privacy Act 1988 (Cth) (‘Privacy Act’) and will protect your personal information in accordance with the Australian Privacy Principles. These principles govern how we can collect, use, hold and disclose your personal information, as well as ensuring the quality and security of your personal information.
- Australian Privacy Principles in the Privacy Act 1988
- the Information Privacy Principles in the Information Privacy Act 2000 (Vic)
- Privacy and Data Protection Act 2014 (Vic)
- Health Records Act 2001 (Vic)
- Children, Youth and Families Act 2005 (Vic)
What is personal information?
Personal information is any information which identifies an individual and information from which an individual’s identity can be reasonably ascertained. It includes information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not. For example, your name, date-of-birth, nationality or heritage, home address and telephone number are personal information.
Personal information includes “sensitive information”, which means information or an opinion about an individual’s racial origin, membership of a political association or trade union, gender identity, religious beliefs, sexual identity or criminal record.
Personal information also includes “health information”, which means information or an opinion about the health or a disability of an individual, or an individual’s wishes about the provision of health services.
What kinds of personal information do we collect and hold?
Worn Gundidj collects personal information directly from individuals, in writing, by telephone, email or via our website. We collect and manage a range of personal information for the purposes of carrying out our services and activities. The types of personal information we collect may include:
- names
- mailing and street addresses
- email addresses, telephone numbers, social media and other telecommunications identifiers
- age and birth date
- health information
- lifestyle factors such as cultural background and individual life goals and plans
- images and video content
- sensitive information
- banking and financial details where relevant
- profession, occupation, or job title
- engagement with our website through the submission of electronic forms, surveys or providing any messages or comments on our website
- engagement with social media platforms
- other family members’ details including children, partners, carers, dependents, and other authorised representatives.
Worn Gundidj will usually collect personal information directly from you and with your consent. We may also receive personal information from a variety of other sources, including:
- information about individuals which is given to us by government or non-government agencies acting on behalf of those individuals
- information about personal attributes of officers, employees and other representatives of other organisations including information about their roles and means of communications, collected incidentally in the course of dealings
- publicly available sources of information, such as public registers
- other organisations, who jointly with us, provide services
- your previous employer
- if required to do so in accordance with legislation.
Personal information collected will be stored confidentially unless disclosure is required by law.
For what purpose do we collect, hold, use and disclose personal information?
All personal information collected by Worn Gundidj will be used only for the primary purpose intended:
- to facilitate the provision of services and activities
- for the employment of staff, volunteers, and carers
- recording and processing of donations
Worn Gundidj may not be able to provide some or all services to an individual, unless the organisation is provided with the personal information requested.
Worn Gundidj may collect and use personal information to comply with legislative, regulatory and funding reporting requirements.
Worn Gundidj may also disclose your personal information if:
- required or authorised by law or where there is a public duty to do so, in the case of suspected or actual child abuse or other matters of a serious or criminal nature as outlined in related
- Information Sharing Entity (ISE) and Risk Assessment Entity (RAE) under the Family Violence Sharing Scheme (FVIS) and Child Information Sharing Scheme (CISS)
- an individual has expressly consented to the disclosure, or the consent may be reasonably inferred from the circumstances
- an individual has applied for a position with the organisation, and we are required to exchange some or all of your personal information with your referees, police, Centrelink and recruitment consultants for purposes relating to considering your application
- where the organisation is otherwise permitted to disclose the information under the Privacy Act
- there is reasonable belief a child or young person is at risk of harm.
Worn Gundidj may find it necessary to share some of your personal information with our volunteers, with agencies who jointly with us provide services to clients, or with contractors or third-party providers where tasks are outsourced.
Worn Gundidj may seek your consent in writing to capture the moments, achievements, and creations associated with the service and activities we provide for media purposes.
How do we hold personal information?
Much of the personal information Worn Gundidj holds will be stored electronically in secure databases and/or data centres. Some personal information may also be stored in paper files.
Worn Gundidj takes measures to ensure your personal information is accurate, up-to-date, complete and relevant, and is protected from unauthorised access, loss, misuse, disclosure or alteration. Worn Gundidj uses a variety of physical, electronic and procedural security measures to protect the security of personal information held. For example:
- Physically securing the areas in which the personal information is stored
- Building security systems
- Using an accredited document storage provider for archived files
- IT security systems, e.g. password protection, virus protection and firewalls, internet and email filters, electronic audit trails on databases, server security policies, vulnerability scans and data encrypted at rest and in transit (where possible)
- Two-factor authentication is required to be used by all staff when accessing our systems
- IT access hierarchy and permission controls (where possible)
- All computer and mobile devices have content erased when they are decommissioned
- All employees are required to complete induction and training about information security and are required to sign a code-of-conduct as part of their contract of employment
- Access to information systems is controlled through identity and access management
- Employees are bound by internal information security procedures and are required to keep information secure
- Worn Gundidj regularly monitors and reviews our compliance with internal policies and industry best practice.
Personal information Worn Gundidj holds is stored electronically in secure databases and servers which are located within Australia. However, where our software or service providers are located, or store data, outside of Australia, we will ensure these providers have privacy protections in place which are substantially similar to Australian privacy laws.
Paper-based records are archived following the last point of contact in accordance with the Public Records Act 1973 (Vic), other relevant legislation and Worn Gundidj’s archiving procedures.
With the exception of what is contained in this Privacy Statement, we do not sell or otherwise disclose your personal information to other organisations.
We also take reasonable measures to remove, destroy or de-identify your personal information in a timely manner when it is no longer required for the purpose for which it was collected.
How do we deal with unsolicited personal information?
If we receive personal information about you that we have not requested, and we determine that we could not have lawfully collected that information under the Australian Privacy Principles had we asked for it, we will destroy or de-identify the information if it is lawful and reasonable to do so.
Who do we disclose your personal information to, and why?
Worn Gundidj may find it necessary to share some of your personal information. Generally, the organisation discloses personal information to other organisations that help with our work, to facilitate the provision of services and to protect the safety of our clients. This information is disclosed with the understanding that all parties comply with the Privacy Act and are obliged to use the personal information disclosed for the specific purpose we ask them to perform.
Organisations that may receive personal information from Worn Gundidj in accordance with the Privacy Act, include:
- contractors or external service providers (including mailing houses or technology service providers)
- health care providers
- non-government agencies or organisations, who jointly with us, provide services to our clients
- client representatives (including legal advisors, guardians, carers or trustees)
- regulatory bodies and government agencies and law enforcement bodies in jurisdictions in which Worn Gundidj operates.
Worn Gundidj may also disclose your personal information if:
- required or authorised by law or where there is a public duty to do so, in the case of suspected or actual child abuse or other matters of a serious or criminal nature as outlined in the Family Law Act 1975
- an individual has expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances
- your health is at risk
- an individual has applied for a position with the organisation and we are required to exchange some or all of your personal information with your referees, police, Centrelink and recruitment consultants for purposes relating to considering your application, or
- where the organisation is otherwise permitted to disclose the information under the Privacy Act or relevant state legislation.
Do we disclose information interstate or overseas?
Worn Gundidj provides services to children, young people and families in Victoria. Worn Gundidj does not transfer information outside Victoria unless satisfied that the recipient organisation is subject to a binding legal obligation to protect privacy that is equivalent to the obligations that apply to us.
Reasons for disclosing information may include:
- recruitment of an employee, volunteer or carer from another Australian state or overseas
- a request is made from a government agency or law enforcement body from another jurisdiction
- a request is made from a former client now living in another jurisdiction or overseas.
Do we use or disclose personal information for marketing?
Worn Gundidj may use personal information only if we have received express consent to do so. If you no longer wish to receive marketing material, please advise us.
Do we collect personal information electronically?
Worn Gundidj will collect information from individuals electronically, for instance through internet browsing, mobile or tablet applications.
Worn Gundidj does not collect personal information through our website, unless provided by an individual.
Our website may record non-identifiable information about an individual for statistical reporting, administration and maintenance purposes. Information collected may include:
- date and time of visit(s)
- pages viewed
- users’ navigation through the site and interaction with pages (including fields completed in forms, information downloaded and applications completed)
- location information about users
- information about the device used to visit our website, and
- IP address.
Worn Gundidj takes care to ensure that information provided on our website is protected.
Worn Gundidj uses remarketing to advertise online. This is conducted through third-party vendors, including Google, who show ads on sites across the Internet. These third-party vendors use cookies to serve ads based on someone’s past visits to our website. Cookies are small pieces of information stored on your hard drive or memory. They can record information about your visit to the site, allowing it to remember you the next time you visit and provide a more meaningful experience.
One of the reasons for using cookies is to offer you increased security. The cookies we send to your computer cannot read your hard drive, obtain any information from your browser or command your computer to perform any action. They are designed so they cannot be sent to another site, or be retrieved by any non-Worn Gundidj site. Visitors can opt out of Google’s use of cookies by visiting Google’s Ads Settings.
No warranty
Worn Gundidj cannot ensure or warrant the security of any information sent to us or received online or via email. Worn Gundidj takes all reasonable steps to protect personal information once it has been received.
Access to and correction of personal information
Worn Gundidj takes all reasonable steps to ensure that personal information held is accurate and as up-to-date as is possible.
Individuals can request access to the personal information we hold about them and can ask for corrections to be made. Worn Gundidj will always provide access to any personal information we hold about an individual. Individuals are able to contact Worn Gundidj at any time and ask for corrections if it is felt the information held is inaccurate, incomplete or out-of-date.
There are some circumstances in which Worn Gundidj is not required to give access to an individual’s personal information, for example:
- the request does not relate to the personal information of the person making the request
- providing access would pose a serious threat to the life, health or safety of the person making the request
- providing the information would have an unreasonable impact on the privacy of other individuals
- the request for access is frivolous or vexatious
- the information relates to existing or anticipated legal proceedings
- providing access would prejudice negotiations with the individual making the request
- providing access would be unlawful
- denying access is required or authorised by law
- providing access would be likely to prejudice:
  - law enforcement activities
  - an action relating to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of Worn Gundidj
- access discloses a commercially sensitive decision-making process or information; or
- any other reason that is provided for under the privacy legislation.
If Worn Gundidj refuses to provide access, individuals will be provided with an explanation of the reasons, except where it is unreasonable to do so. If Worn Gundidj refuses a request, an individual has the right to request that a statement be associated with their personal information noting that they disagree with its accuracy. The organisation will also provide information on how you can complain about the refusal.
Before Worn Gundidj provides access to personal information, proof of identity is required. This is to protect the confidentiality of personal information.
Resolving your privacy concerns and complaints – your rights
If you have any questions or are concerned about how personal information is being handled or have a complaint about a breach by us of the Australian Privacy Principles, please contact the Privacy Officer on (03) 5561 5315. You may also make a complaint to the relevant external body (see contact details below under ‘For more information on privacy’).
Changes to our Privacy Statement
Worn Gundidj’s Privacy Statement will be updated to reflect any changes made to the Australian Privacy Act or Victoria’s Privacy and Data Protection Act. Worn Gundidj may change the way we handle personal information from time to time. In these instances, our Privacy Statement will be amended. This website will reflect the most up-to-date version.
Further information
If you wish to gain access to your personal information or have a complaint about a breach of privacy or any other query about our collection, use or handling of personal information, you can contact (03) 5561 5315 and ask for the Privacy Officer.