Privacy

Privacy and confidentiality policy

Introduction

This policy explains how Children and Young People with Disability Australia (CYDA) handles personal information.
CYDA is the National Disability Representative Organisation for children and young people (aged 0-25) with disability.

CYDA has the mandate to advocate for children and young people with disability living in Australia and provides a link between the direct experiences of children and young people with disability and their families to federal government and other key stakeholders. To learn more about CYDA visit www.cyda.org.au

CYDA is committed to protecting the privacy and confidentiality of all personal information which the organisation collects, holds and administers. CYDA respects everyone’s rights to privacy and any personal information collected by CYDA is managed in accordance with the privacy principles contained in the Australian Privacy Act (1988).

What is personal information?

Personal information is almost any information that can be used to personally identify a person such as name, address, phone number, email address, occupation or photographs etc. Some personal information is considered sensitive, such as ethnic origin, sexual orientation or criminal record. It may also include health information which is information that relates to an identifiable living or deceased person and concerns their health, disability or genetic make-up.

What personal information does CYDA collect?

CYDA collects a range of personal information from members, staff, volunteers and the general public that is necessary and required for its primary functions and activities and for legal requirements only.

CYDA may collect the following types of personal information:

  • name
  • mailing or street address
  • email address
  • telephone number
  • age or birth date
  • profession, occupation or job title
  • details of any calls or enquiries made to CYDA as well as any additional information that was necessary to respond to those calls or enquiries
  • information obtained through surveys and consultations with CYDA members, stakeholders and the general public
  • any additional information relating to a person that is provided to us directly through our websites or indirectly through use of our websites or online presence, or otherwise

CYDA may also collect some information that is not personal information because it does not identify any individual. For example, CYDA may collect anonymous answers to surveys or aggregated information about visitors to the CYDA website.

How does CYDA use personal information?

The main ways CYDA uses personal information are to:

  • help advocate for people with disability and any related issues
  • inform submissions and/or publications on disability related matters
  • answer enquiries and resolve complaints
  • provide updates on our publications and services
  • recruit and manage staff
  • meet our workplace safety obligations.

CYDA also uses this information, after removing identifying details, to meet its reporting obligations.

When does CYDA disclose personal information?

CYDA will generally only disclose information for the primary purpose for which it was collected or a directly related secondary purpose where the individual would reasonably have expected us to use it for those purposes.

For other uses CYDA will obtain consent from the affected person, unless the disclosure is required by law or the need for the disclosure (e.g. health & safety of individuals) outweighs the need for privacy

How does CYDA ensure the quality of personal and health information recorded?

CYDA takes all reasonable steps to ensure the information collected about individuals is accurate, up-to-date and relevant to the functions and activities of the organisation. CYDA will ask people to tell us when their personal information changes so we can update our records. Where possible, CYDA checks the accuracy of information before it is used.

How does CYDA keep personal and health information safe?

Personal information held by CYDA may be in either hard copy or electronic form. CYDA does its best to protect information from loss, misuse, unauthorised access, modification and disclosure. To do this CYDA uses procedural, physical and software safeguards.

The CYDA website and social media pages are linked to the internet which can be insecure. CYDA cannot provide any assurance regarding the security of transmission of information sent to us online. CYDA also cannot guarantee that information supplied will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information transmitted to CYDA online is transmitted at a person’s own risk.

CYDA requires staff to handle personal information with care and access only what they need to do their job.

CYDA destroys personal information when it is no longer required.

Anonymity of personal information

In the course of its advocacy work CYDA frequently uses personal experiences and stories in its communications and publications. Members or individuals who have provided this information will not be identified unless they have specifically consented to be identified. CYDA will also adhere to any requests from members or individuals to not use their personal experiences.

CYDA can change information to a pseudonym or treat it anonymously if required by the person whose information CYDA holds. CYDA will not use any government related identifiers unless they are reasonably necessary.

CYDA also provides members and Stakeholders the option of not identifying themselves when completing evaluation forms or opinion surveys.

CYDA may collect sensitive information

CYDA does sometimes ask for sensitive information (as defined in the Privacy Act 1988). Such information is only ever collected with the person’s consent or if required by law.

Personal information and social media

CYDA social media pages including Facebook and Twitter are public pages on the internet. Any personal information posted on these sites are provided at a person’s own risk as CYDA cannot guarantee the privacy of the information. CYDA uses information provided on these social media sites, such as experiences and stories to inform our advocacy work.

Links

The CYDA website may contain links to other websites operated by third parties. CYDA make no representations or warranties in relation to the privacy practices of any third party website and are not responsible for the privacy policies or the content of any third party website. Third party websites are responsible for informing individuals about their own privacy practices.

Accessing and updating personal information

CYDA will, on request by an individual, give the individual access to their personal information except where it is a threat to life or health, it could interfere with the privacy of others or if it is authorised by law to refuse. If CYDA are unable to provide access to personal information the person will be informed in writing of the reasons.

If a person is able to establish that their personal information is not accurate, then CYDA will take steps to correct it.

CYDA will make no charge to individuals for making a request for personal information, correcting the information or associating a statement regarding accuracy with the personal information.

Complaints and privacy and confidentiality

Any individual who has a complaint about how CYDA has handled their personal information should contact CYDA as soon as possible (see www.cyda.org.au for contact information). CYDA aims to resolve complaints quickly and fairly.

If however CYDA cannot resolve the complaint directly a complaint can be lodged to the Office of the Australian Information Commissioner. www.oaic.gov.au

Responsibility

The Board of CYDA is responsible for adopting the Privacy & Confidentiality Policy

CYDA’s Board, Chief Executive Officer and all staff members, contractors and volunteers are responsible for the implementation of the Privacy & Confidentiality Policy and Procedures.

The Chief Executive Officer is responsible for monitoring changes in Privacy legislation and for advising the board of the need to review the Privacy & Confidentiality Policy.

Privacy and confidentiality procedures

CYDA is committed to protecting the privacy and confidentiality of all personal information that the organisation collects, holds and administers. Personal information collected by CYDA is managed in accordance with the privacy principles contained in the Australian Privacy Act (1998).

Personal information is almost any information, including numbers or images that relates to an identifiable person. Some personal information is considered sensitive, such as ethnic origin, sexual orientation or criminal record. Sensitive information may also include health information which is information that relates to an identifiable living or deceased person and concerns their health, disability or genetic make-up.

Procedures

Collection of Personal Information

CYDA collects a range of personal information from members and broader constituency, staff and volunteers that is necessary and required for its primary functions and activities and for legal requirements

CYDA will:

  • Only collect information that is necessary for the performance of its primary function and activities. This includes but is not limited to:
    • information obtained from calls and enquiries to CYDA from members and members of the public about issues, direct experience, complaints and/or personal circumstances related to disability.
    • Information obtained through surveys and consultations with CYDA members, stakeholders and the general public
    • education and employment history from people who work for CYDA, or apply to work for CYDA
    • contact details of members, stakeholders, staff, contractors and members of the public
  • Notify stakeholders about why we collect the information and how it is administered.
  • Notify stakeholders that this information is accessible to them.
  • Collect personal information from the person themselves wherever possible.
  • If collecting personal information from a third party, ensure that the person whom the information concerns is aware of who has provided their personal information and provides consent.
  • Collect sensitive information only with the person’s consent. (Sensitive information includes health information and information about religious beliefs, race, gender and other areas).
  • Determine, where unsolicited information is received, whether the personal information could have been collected in the usual way, and then if it could have, it will be treated normally. If it could not have been, it must be destroyed, and the person whose personal information has been destroyed will be notified about the receipt and destruction of their personal information.

Use and Disclosure of Personal Information

The main ways CYDA uses personal information are to:

  • advocate for people with disability
  • inform submissions and/or publications on disability related matters
  • answer enquiries and resolve complaints
  • provide updates on our publications and services
  • recruit and manage staff
  • meet our workplace safety obligations.
  • to meet its reporting obligations (de-identified data).

CYDA will:

  • Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose.
  • For other uses CYDA will obtain consent from the affected person (unless the disclosure is required by law; or the need for the disclosure (e.g. health & safety of individuals) outweighs the need for privacy.
  • Only release personal information where the person concerned has consented for it to be released in writing.
  • Ensure all staff and volunteers are explicitly made aware of their responsibilities in relation to confidentiality as part of their induction to the organisation; and sign an agreement accordingly.
  • Ensure that in the unlikely event where personal information is required to be sent overseas that the overseas agency or organisation complies with acceptable privacy procedures and regulations.
  • Provide all individuals, upon request, with access to their personal information except where it is a threat to life or health or it is authorized by law to refuse. If a person is able to establish that their personal information is not accurate, then CYDA will take steps to correct it.
  • Make no charge to an individual for making a request for their personal information or correcting the information.

Data Security and Retention

CYDA will:

  • Safeguard the information collected and store against misuse, loss, unauthorised access and modification.
  • Implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorized access, interference, unauthorized modification or disclosure.
  • Ensure any personal information that is retained on a system that can potentially be accessed overseas, such as from an IT service providing servers or cloud services, is protected by sufficient security.
  • Ensure that all CYDA’s data is up to date, accurate and complete.

Destruction, de-identification and anonymity

CYDA frequently collects information about personal experiences and stories in its communications and publications. Members or individuals who have provided this information will not be identified unless they have specifically consented to be identified.

CYDA will:

  • not identify individuals who have provided information for any of its communications or publications without their prior consent.
  • destroy personal information once is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones.
  • change information to a pseudonym or treat it anonymously if required by the person whose information CYDA holds,
  • will not use any government related identifiers unless they are reasonably necessary for our functions.
  • provide members stakeholders and the option of not identifying themselves when completing evaluation forms or opinion surveys
  • respect any request not to use or refer to specific examples of direct experience shared with CYDA when undertaking advocacy

Data Quality

CYDA takes all reasonable steps to ensure the information collected about individuals is accurate, up-to-date and relevant to the functions and activities of the organisation.

CYDA, through membership emails, social media etc ask people to inform us when their personal information changes so we can update our records. Where possible or necessary, CYDA will check the accuracy of information before it is used.

Data Security and Retention

CYDA has the following procedures in place to protect personal information from loss, misuse, unauthorised access, modification and disclosure.

  • CYDA limits access to its buildings and systems and only uses external information storage partners (including IT services providing server storage or cloud services) when confident they will protect the information.
  • CYDA staff and volunteers must handle personal information with care and access only what they need to do their job.
  • CYDA destroys personal information when it is no longer required. This includes information stored on decommissioned organisation laptops and mobile phones.

Personal Information and Social Media

CYDA social media pages including Facebook and Twitter are public pages on the internet. Any personal information posted on these sites are provided at a person’s own risk as CYDA cannot guarantee the privacy of the information. CYDA uses information provided on these social media sites, such as experiences and stories to inform our advocacy work.

Complaints about Privacy and Confidentiality Procedure

Any individual who has a complaint about how CYDA has handled their personal information should be referred to the Chief Executive Officer (CEO).

If the CEO is unable to resolve the complaint directly then the complainant should be referred to the Office of the Australian Information Commissioner. www.oaic.gov.au

Responsibility

The Board of CYDA is responsible for adopting the Privacy & Confidentiality Policy

CYDA’s Board, CEO and all staff members, contractors and volunteers are responsible for the implementation of the Privacy & Confidentiality Policy and Procedures.

The CEO is responsible for monitoring changes in Privacy legislation and for advising the board of the need to review the Privacy & Confidentiality policy.