Language Disorder Australia values privacy and takes seriously its obligations to collect, store and manage data in such a way that protects the privacy of its employees, students, clients, parents, and others with whom we work.
- 1.1. Language Disorder Australia is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988 (the Act). The purpose of this policy is to detail how we protect the privacy of our clients, students and employees and how we comply with the requirements of the Act and the 13 Australian Privacy Principles. The Policy also describes:
- 1.1.1. the types of personal information collected and held by us;
- 1.1.2. who we collected information from;
- 1.1.3. how this information is collected and held;
- 1.1.4. the purposes for which personal information is collected, held, used and disclosed;
- 1.1.5. how clients and employees can gain access to their personal information and seek its correction;
- 1.1.6. how a complaint or inquiry can be made about our collection, handling, use or disclosure of personal information and how that complaint or inquiry will be handled; and
- 1.1.7. whether we are likely to disclose personal information to overseas recipients.
- 1.2. This policy applies to all personal information held by Language Disorder Australia.
- 2.1. This Policy applies to all employees, members, parents/carers, students, contractors, volunteers, Board members and agents of Language Disorder Australia, as well as those persons undertaking work experience or vocational placements.
- 4.1. What kind of personal information does Language Disorder Australia collect? The kind of personal information Language Disorder Australia collects is largely dependent upon whose information is being collected and why it is being collected. At all times we try to collect only the personal information required to carry out our functions or activities. In general terms, the organisation may collect:
- 4.1.1. Personal Information including names, addresses and other contact details; dates of birth; next of kin details; financial information; photographic images; audio recordings; video recordings; employee records; and attendance records.
- 4.1.2. Sensitive Information (particularly in relation to client records) including health and medical information; religious beliefs; government identifiers; nationality; country of birth; languages spoken at home; professional memberships; family court orders; and criminal records.
- 4.1.3. Any other information that is relevant to providing someone with the services they, or someone else they know, is seeking.
- 4.2. Who does Language Disorder Australia collect information from? Language Disorder Australia collects personal information directly from parents, prospective parents, job applicants, volunteers and others including past students, contractors, visitors and others that come into contact with the organisation.It is noted that employee records are not covered by the Australian Privacy Principles where they relate to current or former employment relations between the organisation and the employee.
- 4.3. How does Language Disorder Australia collect personal information? How personal information is collected will largely depend on whose information is being collected. If it is reasonable and practical to do so, Language Disorder Australia will collect personal information directly from the individual to whom the information relates to, or a person authorised to act on the individual’s behalf (e.g. parent or guardian of a minor).Where possible, the organisation has attempted to standardise the collection of personal information by using specifically designed forms (e.g. enrolment forms, referral forms), and/or through specific permission (e.g. research activities). However, given the nature of Language Disorder Australia’s operations, personal information may also be received by email, letters, notes, over the telephone, in face to face meetings, and through financial transactions. Language Disorder Australia may also collect personal information from other people (e.g. a personal reference) or independent sources (e.g. LinkedIn), however will only do so where it is not reasonable or practical to collect the information directly from the individual the information relates to. We will usually notify the individual about these instances in advance, or where that is not possible, as soon as reasonably practicable after the information has been collected.Sometimes Language Disorder Australia may be provided with personal information without having sought it through the normal means of collection. This is referred to as “unsolicited information”. Where Language Disorder Australia has collected unsolicited information, it will only be held, used and/or disclosed if Language Disorder Australia could have collected the information by normal means. If the unsolicited information could not have been collected by normal means, then it will be destroyed, permanently deleted or de-identified as appropriate.
- 4.4. How does Language Disorder Australia use personal information? Generally, the personal information that we collect and hold about someone, depends on their interaction with us. Language Disorder Australia will only use personal information about an individual that is reasonably necessary for one or more of its functions or activities (the primary purpose) or for a related secondary purpose that would be reasonably expected by the individual the information relates to, or where consent has been granted. Generally, we collect, use and hold personal information for the purposes of:
- 4.4.1. providing education, pastoral care, and extra-curricular services;
- 4.4.2. providing health services;
- 4.4.3. keeping parents informed about matters related to their child’s schooling and/or health care, which may include the distribution of newsletters and magazines, as well as other forms of correspondence;
- 4.4.4. satisfying our internal business operations, including the fulfilment of legal obligations, and duty of care and child protection obligations;
- 4.4.5. providing information about other services that we offer that may be of interest;
- 4.4.6. marketing, promotional and fundraising activities;
- 4.4.7. the organisation’s administration, including for insurance purposes;
- 4.4.8. the employment of employees;
- 4.4.9. the engagement of volunteers;
- 4.4.10. continuous improvement of day-to-day operations, including employee training, systems development, developing new programs and services, and undertaking planning, research and statistical analysis.
- 4.5. How does Language Disorder Australia treat sensitive information? Sensitive information is a subset of personal information and includes information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or preferences or criminal record and health information about an individual. Language Disorder Australia will only collect sensitive information that is reasonably necessary for one or more of its functions or activities, if consent has been given by the individual to whom the sensitive information relates, or if consent is provided by a person acting on the individual’s behalf (e.g. parent or guardian of a minor). Language Disorder Australia may also collect sensitive information as permitted under the Australian Privacy Principles or otherwise permitted by law, or if the collection is necessary to lessen or prevent a serious threat to life, health or safety, or another permitted general situation (such as locating a missing person) or permitted health situation (such as the collection of health information to provide a health service) exists. Language Disorder Australia will only use or disclose sensitive information for a secondary purpose if the individual would reasonably expect Language Disorder Australia to use or disclose the information and the secondary purpose is directly related to the primary purpose.
- 4.6. Exchange of information between services There may be occasions in which personal and/or sensitive information is exchanged between Language Disorder Australia’s service providers Such information will only be exchanged where it is reasonably necessary for the organisation to fulfil its legal or service obligations, and/or the individual to whom the information relates would reasonably expect the exchange, or where consent has been granted.
- 4.7. Storage and security of personal information Language Disorder Australia stores personal information in a variety of formats, including in databases, in hard copy files, and on personal devices such as laptop computers, mobile phones, cameras and other recording devices.The security of personal information is important and Language Disorder Australia takes all reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, interference, modification or disclosure. These steps include:
- 4.7.1. restricting access to information on the organisation’s databases on a need to know basis with different levels of security being allocated to employees based on their roles and responsibilities and security profile.
- 4.7.2. Ensuring all employees are aware that they are not to reveal or share personal passwords.
- 4.7.3. Ensuring where sensitive information is stored in hard copy files that these files are stored in lockable filing cabinets in lockable rooms. Access to these records is restricted to employees on a need-to-know basis.
- 4.7.4. Implementing physical security measures around the organisation’s buildings and grounds to prevent break-ins.
- 4.7.5. Implementing ICT security systems, policies and procedures, designed to protect personal information storage on computer networks.
- 4.7.6. Implementing human resources policies and procedures, such as email and internet usage, confidentiality and document security policies, designed to ensure that employees follow correct protocols when handling personal information.
- 4.7.7. Providing adequate training to employees about privacy and the handling of personal information.
- 4.7.8. Undertaking due diligence with respect to third party service providers who may have access to personal information, including cloud service providers, to ensure as far as practicable that they are compliant with the Australian Privacy Principles or a similar privacy regime.
Personal information held by Language Disorder Australia that is no longer needed is destroyed in a secure manner, deleted, or de-identified as appropriate.
- 4.8. Failure to provide information If the personal information provided to Language Disorder Australia is incomplete or inaccurate, Language Disorder Australia may be unable to provide the services sought.
- 4.10. Disclosure of personal information Language Disorder Australia will only use personal information for the purposes for which it was collected, or for purposes which are related (or directly related in the case of sensitive information) to one or more of its functions or activities. When compelled to, Language Disorder Australia may disclose personal information to:
- 4.11. Personal information of a minor The Act does not differentiate between adults and children and does not specify an age after which individuals can make their own decisions with respect to their personal information. At Language Disorder Australia, a common-sense approach is taken to dealing with a minor’s personal information and generally requests for personal information will be referred to the individual’s parents/carers. Language Disorder Australia will treat notices provided to parents/carers as notices provided to the client/student, and will treat consents provided by parents/carers as consents provided by the client/student. Language Disorder Australia is however cognisant of the fact that children do have rights under the Act, and that in certain circumstances (especially when dealing with older clients/students and especially when dealing with sensitive information), it will be appropriate to seek and obtain consent directly from the client/student. Language Disorder Australia also acknowledges that there may be occasions where a client/student may give or withhold consent with respect to the use of their personal information independently from their parents/carers.There may also be occasions where parents/carers are denied access to information with respect to their child(ren), because to provide such information would have an unreasonable impact on the privacy of others, or result in a breach of the organisation’s duty of care to the client/student.
- 4.12. Disclosure of personal information to overseas recipients Language Disorder Australia is not likely to disclose personal information overseas. Language Disorder Australia will take all reasonable steps not to disclose an individual’s personal information to overseas recipients unless Language Disorder Australia:
- 4.12.1. has the individual’s consent (which may be implied); or
- 4.12.2. is satisfied that the overseas recipient is compliant with the Australian Privacy Principles, or a similar privacy regime; or
- 4.12.3. forms the opinion that the disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety; or
- 4.12.4. is taking appropriate action in relation to suspected unlawful activity or serious misconduct.
- 4.13. Ensuring the quality of personal information Language Disorder Australia takes all reasonable steps to ensure the personal information it holds, uses, and discloses is accurate, complete and up to date at the time of collection and when using or disclosing the personal information. Language Disorder Australia maintains and updates personal information on an ongoing basis, as and when individuals advise of changes or when Language Disorder Australia becomes aware through other means that the personal information being held has changed. Language Disorder Australia expects the individual, or their parent/carer (if applicable), to contact the organisation if any of the details provided change. Language Disorder Australia should also be contacted if the individual believes the information held by the organisation is inaccurate, incomplete or not up to date.
- 4.14. Data Breaches It will be deemed that an ‘eligible data breach’ has occurred if:
- 4.14.1. there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals)
- 4.14.2. a reasonable person would conclude there is a likelihood of serious harm to any affected individuals as a result
- 4.14.3. the information is lost in circumstances where:
- 18.104.22.168. unauthorised access to, or unauthorised disclosure of, the information is likely to occur
- 22.214.171.124. assuming unauthorised access to, or unauthorised disclosure of, the information was to occur, a reasonable person would conclude that it would be more likely to result in serious harm to the affected individuals.Serious harm may include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.
If Language Disorder Australia suspects that an eligible data breach has occurred, it will carry out a reasonable and expedient assessment/investigation within thirty (30) days. If such an assessment/investigation indicates there are reasonable grounds to believe an eligible data breach has occurred, then Language Disorder Australia will be required to lodge a statement to the Privacy Commissioner. Where practicable to do so, the organisation will also notify the affected individuals. If it is not practicable to notify the affected individuals, Language Disorder Australia will publish a copy of the statement on its website, or publicise it in another manner. An exception to the requirement to notify will exist if there is a data breach and immediate remedial action is taken, and as a result of that action:
- 4.14.4. there is no unauthorised access to, or unauthorised disclosure of, the information
- 4.14.5. there is no serious harm to affected individuals, and as a result of the remedial action, a reasonable person would conclude the breach is not likely to result in serious harm.
- 4.15. Access to and correction of personal information An individual may request access to the personal information Language Disorder Australia holds about them, or request that their personal information be changed, by contacting Language Disorder Australia, or its applicable service provider in writing. Should Language Disorder Australia not agree to provide an individual with access to their personal information, or to change the information as requested, Language Disorder Australia will notify the individual, and provide reasons for the refusal (unless it would be unreasonable to provide those reasons) and provide the individual with a statement regarding the mechanisms available to make a complaint. If the rejection relates to a request to change personal information, the individual may make a statement about the requested change, which will be attached to the individual’s record. Language Disorder Australia may require an individual to verify their identity and specify what information they require. Language Disorder Australia may charge a fee to cover the cost of verifying, locating, retrieving, reviewing and providing access to any material requested (but not for making the request for access). If the information sought is extensive, Language Disorder Australia will advise the likely cost in advance.
- 4.16. Privacy complaints A complaint about a breach by Language Disorder Australia of the Australian Privacy Principles may be made in writing and can be submitted by email, letter, or by personal delivery to the organisation’s Privacy Officer as noted below. A complaint may also be made verbally. Language Disorder Australia will respond to a complaint within a reasonable time (usually no longer than 30 days) and may seek further information from the complainant in order to provide a full and complete response.Complaints may also be taken to the Office of the Australian Information Commissioner.
- 4.17. How to contact Language Disorder Australia An individual can contact Language Disorder Australia about this Policy or their personal information by:
If practical, an individual can contact Language Disorder Australia anonymously (i.e. without identifying themselves) or by using a pseudonym. However, if an individual chooses not to identify themselves, Language Disorder Australia may not be able to provide the requested information, or the assistance they might otherwise be able to provide.
- 5.1. This policy is due to be reviewed annually or as appropriate, to take account of new laws and technology, changes to the organisation’s operations and practices and to make sure it remains appropriate to the changing environment.
Last updated: February 2022, v1.00