Privacy and Policy

1.    Policy Statement
1.1    The Y NSW is committed to the responsible collection, handling, storage, disclosure, and destruction of personal information, as specified in the Privacy Act 1988 (Cth) (Privacy Act). 
1.2    The Y NSW respects the privacy of all staff, customers, partners, and the wider community. 
1.3    The Y NSW commits that:
1.3.1    any personal information collected is professionally managed in accordance with the Privacy Act, the Australian Privacy Principles (APPs) and all relevant state legislation. 
1.3.2    all staff use appropriate processes and procedures in their day-to-day duties to protect the privacy of individuals and keep it confidential; and 
1.3.3    a data breach is managed according to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

2.    Purpose
This policy clearly outlines the requirements for the Y NSW to fulfil our commitment to privacy and confidentiality. Y NSW will ensure full compliance to the APPs, as detailed in section 14 of the Privacy Act. 

3.    Scope and Implications
3.1    This policy applies to the Y NSW staff who may collect, store and/or have access to confidential information.
3.2    This policy may be accessed via the Y NSW website by any person who has dealings with the Y NSW, including staff, customers, partners, and the wider community. 
3.3    Any breach of this policy is considered serious and may lead to disciplinary action, up to and including termination of employment or the cessation of the volunteer’s engagement.
4.    Definitions

5.    Policy Principles 
5.1    At the Y NSW we collect: 
5.1.1    Personal information of our staff and customers, including participants in our programs, parents and visitors to our facilities. When we receive personal information about you, we will handle it in accordance with the Privacy Act 1988 and the APPs. We only collect personal information if it is reasonably necessary for one or more of our functions or activities.
5.1.2    The minimum personal information that is necessary to provide you with a service that you have requested, or to ensure that we comply with legislative requirements. If you do not wish to provide us with your personal information, we may not be able to provide you with a service that you have requested.
5.1.3    sensitive information when we are authorised to do so for the purposes of preventing or lessening a serious threat to life, health or safety, human resource management, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other bodies. 
5.2    We will give you the option of remaining anonymous or using a pseudonym in your dealings with us, provided that it is lawful or practical to do so.

6.    Collection of Information
6.1    Collection of Personal Information
6.1.1    The personal information that we may collect, and hold includes:
a.    Name, gender, contact details and address.
b.    date and place of birth
c.    bank account and credit card details
d.    emergency contact details
e.    occupation
f.    driver's licence number
g.    Centrelink reference number
h.    custody order information
i.    details of the Y NSW services used
j.    research data (such as surveys and testimonials)
6.2    Collection of Sensitive Information
6.2.1 In performing our functions and activities we may collect sensitive information about our staff and customers, including:
a.    Ethnic and cultural background
b.    Religion
c.    Health information (including medical practitioner details and Medicare or health fund details)
d.    Criminal records
e.    The APPs require that we only collect sensitive information from you if:
i.    you provide your consent.
ii.    the information is reasonably necessary for one or more of our services or programs.
6.3    Collection of Personal Information About Children and Young People
6.3.1    We collect personal information about children and young people under the age of 18 to deliver services and programs.
6.3.2    We collect personal information about children and young people only with the written consent of a parent or guardian or another authorised person.
6.4    How We Collect and Hold Personal Information
6.4.1    We collect personal information by fair and lawful means. We use forms, online portals, and other electronic and paper correspondence to collect personal information. We may also collect your personal information if you:
a.    communicate with us by telephone, mail, email or fax.
b.    attend one of our facilities in person.
c.    attend an event we are running or participating in.
d.    interact with us on our social media.
6.4.2    As far as practical we collect personal information directly from you. We collect personal information from third parties only where it is unreasonable or impracticable to collect the information directly from you. Personal information may be collected from third parties including councils, health services, government agencies, authorised representatives, partners and legal advisers. We may also collect personal information from publicly available sources of information.
6.4.3    We hold personal information in a range of paper-based and electronic records, including in cloud computing. Personal information is stored securely, and we conduct regular audits and reviews of our record keeping systems. We store personal information in Australia, except as specified in subclause 10.1 of this policy.
6.5    Security and Storage of Personal Information
6.5.1    Your personal information will be stored in a manner as a priority, and the Y NSW will take reasonable steps to protect all information from misuse and loss and from unauthorised access, modification, or disclosure.
6.5.2    When your personal information is no longer needed for the purpose for which it was obtained, the Y NSW will take reasonable steps to destroy or permanently delete your personal information. 
6.5.3    Most of the personal information will be stored in customers files securely in electronic and/or hard copy format and will be kept by for a minimum of 7years.
6.6    Quality of Personal Information
6.6.1    We take all reasonable steps to ensure that the personal information we collect, use and disclose is accurate, complete, up-to-date and relevant. However, the accuracy of that information depends on the information you provide to us.
6.6.2    We recommend that you:
a.    inform us if there are any errors in your personal information; and
b.    keep us up to date with changes to your personal information such as contact details, billing information or medical information.
6.6.3    We require staff and customers in some of our programs to update their details on a regular basis, or whenever they experience a change in circumstances. We will advise you if these requirements apply to you.
6.7    Consent
By signing or submitting paper documents or agreeing to the terms and conditions for the use of our electronic documents, you are consenting to the collection of any personal information you provide to us. By acquiring or using our services, products or facilities, you consent to the reasonable collection, use and disclosure of personal information.

7.    Data Breaches
7.1    A data breach occurs when personal information, in any format, held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference. The primary cause of a data breach is not limited to malicious or criminal attack, such as theft or hacking, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure.
7.2    The Notifiable Data Breaches (NDB) scheme where required by the Privacy Act establishes requirements for entities in responding to data breaches. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Privacy Act from 22 February 2018, including Y NSW.
7.3    The NDB scheme requires agencies and organisations to notify particular individuals and the Office of the Australian Information Commissioner (OAIC) if an ‘eligible data breach’ occurs. A data breach is eligible if it’s likely to result in serious harm (psychological, emotional, physical, reputational or other forms of harm) to any of the individuals to whom the information relates. The eligible data breach provision applies to the information outlined in clause 6 (sub 1 and 2) of this policy:
7.3.1    A breach may be exempt from being defined as eligible if the entity takes remedial actions prior to any serious harm occurring. In this circumstance the legislation provides that there never was a breach, and as such, the breach is not eligible.
7.3.2    In the event of a data breach occurring whether by malicious interference or human error, the Y NSW will control the process of responding to the breach in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

8.    Purposes for Which We Collect, Hold, Use and Disclose Personal Information
8.1    To the extent practicable, we will take reasonable steps to notify you of the purpose for which we are collecting personal information at the time when we collect it. We collect personal information for the following purposes:
8.1.1    Administering and managing the services we provide
8.1.2    Human resources management for staff and partners
8.1.3    Ensuring the range and quality of services we provide
8.1.4    Establishing eligibility for our services, and prioritising individuals for those services
8.1.5    Assessing your needs and developing personalised plans (such as Individual Care Plans, Positive Behaviour Support Plans, and Fitness, Aquatic and Recreation plans)
8.1.6    Researching and developing Y NSW services
8.1.7    Providing information to funding bodies and government agencies (in accordance with the law)

9.    Marketing and Promotion of Our Services
9.1    Personal information that you provide to us may be placed on our internal database. You will usually receive the option to opt in to enable us to advise you of the various products, services and events that we provide. If you do not wish to be contacted regarding our other services, you can opt out of receiving those types of communications by instructing us using the contact details at clauses 14 & 15 of this policy.
9.2    It is your responsibility to notify us if you no longer wish to receive our communications either by following the instructions at the unsubscribe link contained in our communications or via emails to communications.nsw@ymcansw.org.au.
9.3    We may seek feedback, testimonials, photographs and/or video footage for marketing and promotional use.  We will seek your express permission prior to use of your personal information and/or visual content containing you and your likeness by asking you to complete and sign a Talent Consent form. 

10.    Our Website
If you visit our website and read or download materials, we will receive information types detailed in subclauses below, which will not be used to identify you personally.
10.1    Device Information
To enable communication between your device and the server hosting our website, it is necessary for your web browser to provide your device's network address. This allows our web server to reply to the correct device. We will not use this type of information to personally identify you.
10.2    Navigation and Click-Stream Data
When you browse our website, you generate a 'footprint' or trail of the pages you have visited, the amount of data transferred and the time and duration of access. This information is recorded against the network address supplied by your web browser. We will not use this type of information to personally identify you.
10.3    Cookies
A cookie is a very small text file placed on to your device when you visit a website. Cookies are used to enhance the online experience. The cookie is not used to collect or store information about you, only to allocate a temporary identifier to the search session. Most web browsers recognise when a cookie has been offered or placed on your device and enables you to decide whether you wish to reject or accept the cookie. Check with your software supplier if you are not sure. If cookies are disabled, you may find that our website provides reduced functionality and speed. We do not use cookies to identify you personally, to connect your personal identity with your device address or to track the navigational or browsing habits of identified visitors.
10.4    Information logs
The information we collect about the use of our website is recorded in logs; logs are retained and used to manage our website.  We use statistics drawn from these logs to help us to improve our website and to make it more interesting and relevant to browsers. The statistics also help us to determine market preferences for the services we offer. We may use statistics about the use of our website to promote our goods and services or to research market preferences and trends. No statistical information collected about the use of our website will be linked to your name, address or other identifier.

11.    Disclosure of Personal Information
11.1    Third-Party Organisations and Individuals
11.1.1    We hold, use and disclose personal information for the primary purpose for which it was collected as per clauses 5 & 6  of this policy. We may disclose personal information to the following kinds of third-party organisations and individuals:
a.    Our professional advisers, including auditors and lawyers.
b.    A person to whom we are legally required to disclose the information (for example, to a person who has subpoenaed records from us under a court process)
c.    Emergency services personnel (in the event of an emergency)
d.    Other Australian YMCA bodies. 
e.    Service providers which assist us to perform certain functions of our business.
f.    Government, regulatory and other organisations, as required or authorised by law (for example, the NSW Department of Communities and Justice, NSW Police Force and NSW Children’s Guardian)
g.    Contract managers and funding sources for reporting purposes
11.2    Under the Age of 18
11.2.1    We do not disclose personal information about anyone under the age of 18 unless we have the prior written consent of a parent, carer or guardian, or we are legally permitted or required to do so.
11.2.2    We will only use or disclose your personal information for secondary purposes where we are permitted to do so in accordance with the Privacy Act 1988. This may include where:
a.    you have consented to this secondary purpose.
b.    the secondary purpose is related (or if the information is sensitive information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for the secondary purpose.
c.    it is required or authorised by law.
d.    a permitted general situation exists such as to prevent or lessen a serious threat to life, health or safety.
11.3    Overseas Disclosures of Personal Information
We may store your personal information in facilities supplied by our contractors that may be located outside of Australia, including our data hosting and cloud-based information technology service providers in Australia and overseas, for some of the purposes listed in clauses 5 & 6 of this policy. Those contractors do not disclose, share or on-sell your personal information. We take reasonable steps to ensure that our overseas contractors do not breach privacy and confidentiality obligations relating to your personal information.

12.    Accessing, Correcting and Deleting of Personal Information
12.1    You have a right under the Privacy Act to access personal information we hold about you. You may also request corrections to, or deletion of any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
12.2    To access or seek correction or request deletion of personal information we hold about you, please contact us using the contact details set out in clauses 14 & 15of this policy. If you request access to or correction of your personal information, we will respond to you within a reasonable period (usually 30 days).
12.3    The APPs outline circumstances in which we may refuse to give you access or decline to correct your personal information. If we refuse to give you access or make corrections to, or delete your personal information, we will provide you with written notice that lists our reasons for refusing your request.
13.    Roles and Responsibilities

14.    Complaints
14.1    If you think we may have breached your privacy you may contact us to make a complaint. Contact details are set out at clause 15 of this policy. Complaints should be made to us in writing.
14.2    We are committed to prompt and fair resolution of complaints and will ensure that your complaint is taken seriously and investigated. We will keep you informed throughout the investigation of your complaint and will provide you with a written response. We will usually provide you with a response within 30 days of receiving your written complaint.
14.3    If you are not satisfied with the way we have handled your complaint, you may contact the Office of the Australian Information Commissioner (OAIC) to refer your complaint for further investigation. The Information Commissioner may not investigate if you have not first brought your complaint to our attention.
14.4    Office of the Australian Information Commissioner:
Telephone:     1300 363 992
Email:            enquiries@oaic.gov.au
Post:             GPO Box 5218, Sydney NSW 2001

15.    Contact us
15.1    If you would like to:
a.    ask a question about this Privacy Policy.
b.    request a copy of this Policy in another format (such as a paper copy);
c.    opt out of receiving marketing and promotional emails from us.
d.    request access to your personal information.
e.    seek correction of your personal information; or
15.2    Contact our nominated Privacy Officer using the details below:
Telephone:   02 9687 6233
Email:          safetyrisk&procurement@ymcansw.org.au or Safety@ymcansw.org.au
Post:            Privacy Officer, Executive Leader – Risk and Safety, Y NSW, PO Box 1433, Parramatta NSW 2124

16.    Related Documents
Policies and Procedures
•    Photography Policy
•    Records Management Policy
•    Records Management Procedure
•    Safe Behaviours Policy
•    Social Media Policy
•    Speak Up Policy
•    Standards of Conduct
•    Y NSW Safeguarding Children, Young People and Vulnerable Adults Policy

Legislation
•    Children (Education and Care Services National Law Application) Act 2010 (NSW)
•    Children and Young Persons (Care and Protection) Act 1998 No 157
•    Disability Inclusion Act 2014 (NSW)
•    Freedom of Information Act 1982 (Cth)
•    Health Records and Information Privacy Act 2002 No (NSW)
•    Health Records (Privacy and Access) Act 1997 (ACT)
•    Information Privacy Act 2014 (ACT)
•    Privacy Act 1988 (Cth)
•    Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
•    Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
•    Privacy and Personal Information Protection Act 1998 (NSW)

Other References
•    Education and Care Services National Regulations (NSW)
•    NSW Disability Services Standards (NSW)
•    Office of the Australian Information Commissioner, Privacy Fact Sheet 17: Australian Privacy Principles
•    Privacy Regulation 2013 (Cth)
•    Talent Consent form

17.    Document control
Policy owner:              Michael Noakes Executive Leader Risk and Safety 
Policy sponsor:           Michael Noakes Executive Leader Risk and Safety
Policy date:                18 July 2023
Policy approver:         Susannah Le Bron, Chief Executive Officer
Version number:        4
Date due for review:  17 July 2026