Preamble
The National Privacy Principles will affect the Clinical Oncological Society of Australia (COSA) from December 21 2001. Accordingly, we are obliged to have a policy for dealing with matters related to privacy, which conforms to the Privacy Act of 1988.
This Privacy Policy will be updated as required and will be filed at all times with the relevant Act and Regulation.
What is personal information?
From the Privacy Act 1988:
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Sensitive information means:
(a) Information or an opinion about an individual's:
1. racial or ethnic origins; or
2. political opinions; or
3. membership of a political association; or
4. religious beliefs; or
5. philosophical beliefs; or
6. membership of a professional or trade association; or
7. membership of a trade union; or
8. sexual preferences or practices; or
9. criminal record;
that is also personal information; or
(b) Health information about an individual.
A record means:
a. a document;
b. a database (however kept); or
c. a photograph or other pictorial representation of a person;
But does not include:
d. a generally available publication
e. anything kept in a library, art gallery or museum for the purpose of reference, study or exhibition;
f. Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purpose of that Act;
g. Documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or
h. Letters or other articles in the course of transmission by post.
Non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.
Enforcement agency/body means:
(a) Australian Federal Police; or
(b) The National Crime Authority; or
(c) The Australian Customs Service; or
(d) The Australian Prudential Regulation Authority; or
(e) The Australian Securities and Investments Commission; or
(f) Police Force/Service of a state or territory; or
(g) NSW Crime Commission; or
(h) Independent Commission Against Corruption of NSW; or
(i) Police Integrity Commission of NSW; or
(j) The Criminal Justice Commission of Queensland;
And other agencies listed on page 154 of the Privacy Act 1988.
COSA and the National Privacy Principles
COSA commits itself to meeting the National Privacy Principles (NPPs). From here on "we" or "us" refers to COSA and how we will meet the guidelines of the National Privacy Principles.
1. Collection
1.1 We will not collect personal information unless the information is necessary for one or more of our activities or functions.
1.2 We will collect personal information in a fair, unobtrusive and lawful manner.
1.3 We will take reasonable steps at or before the time personal information is collected to ensure that the individual is aware of:
(a) our company name and how to contact us;
(b) the fact that they (the individual) are able to gain access to the information we hold on them;
(c) the purpose for the collected information;
(d) the names and /or types of organisations to which we disclose information of that nature (if any);
(e) any law that requires a particular piece of information to be collected; and
(f) the main consequences for the individual (if any) if they do not provide all or part of the information.
1.4 We will endeavour to collect information about an individual from the individual concerned.
2. Use and Disclosure of Personal Information
Note: These provisions are not all likely to apply to our collected information.
2.1 We will not disclose personal information for any purpose other than the primary purpose of collection unless:
(a) The secondary purpose is related to the primary purpose of collection and the individual concerned would reasonably expect us to use or disclose the information for the secondary purpose.
(b) The individual has given their consent to use or disclose the information
(c) It is not sensitive information and the information is for direct marketing:
(i) It is impracticable for us to seek the individual's consent prior to use; and
(ii) We will not charge the individual if they inform us that they do not want to receive direct marketing communications; and
(iii) The individual has not made a request to not receive direct marketing communications; and
(iv) We will prominently draw the individual's attention to, or prominently display a notice in each direct marketing communication that they can express a wish not to receive further direct marketing communications; and
(v) In each direct marketing communication we will include our business name, address and telephone number. If communication is by facsimile or other electronic means we will include a number or address that individuals can use to contact us electronically.
(d) If it is health information necessary for research, compiling statistics, relevant to public health or public safety:
(i) It is impracticable for us to seek the individual's consent before the use or disclosure;
(ii) We use or disclose the information in accordance with section 95 of the Privacy Act;
(iii) We believe that in disclosing the information the recipient of the health information will not disclose the health or personal information.
(e) We reasonably believe that using or disclosing an individual's information is necessary to prevent or lessen a serious threat to public health or safety and/or a serious and imminent threat to an individual's life, health or safety.
(f) We are using personal information to investigate or report concerns to relevant persons or authorities if we suspect involvement in unlawful activity.
(g) We are required to use or disclose personal information under law.
(h) We reasonably believe that using or disclosing the information is necessary for one or more of the following by or on behalf of an enforcement body:
1. The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
2. The enforcement of laws relating to the confiscation of the proceeds of crime;
3. The protection of the public revenue;
4. The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
5. The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
2.2 We will keep written documentation of any use or disclosure of personal information under paragraph 2.1(h).
3. Data Quality
3.1 We will take reasonable steps to ensure that the personal information we collect, use and disclose is complete, accurate and up-to-date.
4. Data Security
4.1 We will protect personal information we hold from misuse or loss and from unauthorised access, modification or disclosure.
4.2 We will take all necessary steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose (including the use of information under National Privacy Principle 2). This will involve shredding of paper documents (which must be done in-house) and reformatting or destroying floppy disks.
5. Openness
5.1 We will make available to all individuals a document of policies on the management of personal information.
5.2 On request, we will take all reasonable steps to let an individual know what personal information we hold, how we collect, hold, use and disclose the information.
6. Access and Correction
6.1 If we hold personal information about an individual we will provide access to that information on request from the individual unless:
(a) Providing access to that information would compromise the privacy of other individuals;
(b) The request for access is frivolous or vexatious;
(c) The information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings;
(d) Providing access would reveal our intentions in relation to negotiations with the individual and would prejudice those negotiations;
(e) Providing access would be unlawful;
(f) Denying access is required or authorised by or under law;
(g) Providing access would be likely to prejudice an investigation of unlawful activity;
(h) Providing access would be likely to prejudice actions being undertaken by an enforcement body (See NPP 6 for further details).
6.2 If direct access to the records would divulge commercially sensitive decision-making processes, we may instead give the individual an explanation for our decision rather than divulging the sensitive decision-making information.
6.3 If we charge for providing access to personal information, the charges will not be excessive and they must not apply to lodging a request for access.
6.4 If the information held on file is found to be out-of-date by the individual concerned, we must correct the information.
6.5 We must provide reasons to deny access or to refuse to correct personal information.
7. Identifiers
7.1 We must identify an individual by our own unique identifier. We cannot use a Commonwealth Government issued identifier eg. Medicare number or Tax File Number. An individual's name or ABN is not considered a Commonwealth Government identifier.
8. Anonymity
8.1 We accept the right for individuals to deal with us anonymously if it is lawful and practicable to do so.
9. Transborder data flows
9.1 We may transfer personal information in a foreign country only if:
(a) We believe the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are similar to the National Privacy Principles; or
(b) The individual consents to the transfer; or
(c) The transfer is necessary for the performance of a contract;
(d) All of the following:
- It benefits the individual;
- It is impracticable to obtain the individual's consent to the transfer;
- If it was practicable to obtain consent, the individual would be likely to give it.
10. Sensitive information
10.1 We must not collect sensitive information unless:
a) We have consent of the individual;
b) We are required by law to collect the information;
c) It is necessary to collect the information to lessen a serious and imminent threat to the life or health of any individual;
d) The individual is physically or legally incapable of giving consent;
e) The individual cannot physically communicate consent.
Especially for non-profit organisations:
10.2 The information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;
10.3 At or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual's consent.
Applications of the Privacy Policy for COSA
Examples of personal information held by COSA:
- Mailing lists
- Committee lists
- Membership lists
- ASM registration lists
- Staff lists
- Contact lists of individuals eg. colleagues, researchers, anyone external to this office.
If we hold or collect personal information we must be able to demonstrate:
- the purpose for collecting the information
- justification for collecting the personal information
- that we are collecting the information lawfully
When we collect personal information we will inform the individual:
- how the information will be used
- the name and address of the person collecting the information (eg. Sally Smith from COSA, Level 1, 120 Chalmers Street, Surry Hills NSW 2010)
- who will have access to the information
- of any legal requirements to provide specific information and the opportunity to decline giving information if there is no legal obligation to do so
- that they (the individual) have a right to access the information and to correct the information at any time.
Any forms that collect personal information must include information relating to the above points. If the information is given over the phone we will either recite a standard verbal message or send a notice of use of personal information following the telephone call.
Communication methods
Facsimile
We will not send personal information via fax machines except in cases of extreme urgency.
All faxes are to have a standard privacy warning on the cover sheet.
Warning: The information contained in this fax may be privileged and confidential. If you have received it in error, please telephone the sender on +61(02) 8063 4100 and destroy all copies.
E mail
We will not send personal information via email.
All email signatures are to include the following privacy statement.
The information contained in this message is intended for the named addressee only, and is confidential to the sender and intended recipient. Please do not forward, copy, distribute, take action on or disclose anything in this e-mail message to any other person or organisation. If you have received this message in error please notify us immediately.
Telephone
We will only transmit personal information via telephone when we are certain as to the recipient of the information and they can give proof of identity. No personal information is to be left on voice mail.
Computer Disk
When sending personal information on computer disk it should have a label on the disk containing the following privacy information:
The data on this disk has been released by COSA to (recipient's name) for the purpose of (purpose). The information is only to be used for the agreed purpose and the disk must be reformatted or destroyed at the completion of the agreed purpose or by (a maximum date of twelve [12] months from the disk's production).
Printing and photocopying
We will not copy paper records of personal information unless it is essential to do so, and then only produce as many copies as required. When photocopying or printing personal information, the person responsible for the printing will remove the documents from the printer and, in the case of photocopying, remain at the photocopier for the duration of the copy.
Paper records
All paper records containing personal information are to be marked 'confidential' and for use by the appropriate staff only.
All paper records will be stored in filing cabinets in the office and out of public view.
Computer screens
Computer screens will be placed to limit visibility from all but the user to protect personal information on the screen. If the computer is left unattended the personal information must be removed from the screen. Screen savers with passwords should be used to protect highly confidential personal information.
Identification for accessing personal information
Two forms of identification will be required to ensure we know who is seeking access to their personal information. One form of identification must be photo ID (eg. driver's licence) and the second form of identification must include the individual's place of residence (eg. health care card, recent rate notice, bank statement, telephone bill etc.).
Grievance procedure relating to the Privacy Act
1. Complaint registered by an individual. This must be in writing.
2. Complaint given to Privacy Officer for assessment and investigation in consultation with the EO (Margaret McJannett).
3. Written response sent to the individual within seven (7) days of the complaint being received.
4. If our response is found to be unacceptable to the individual we could suggest arbitration on the matter.
5. If the individual makes a formal complaint to the Privacy Commissioner the President (David Goldstein) is to be the respondent on behalf of COSA.
1 October 2007