At Elwood St Kilda Neighbourhood Learning Centre (ESNLC) we are committed to protecting the privacy of personal information we collect, store, use and manage. Personal information is information which directly or indirectly identifies a person. This policy outlines how ESNLC handles personal and sensitive information including:
- collection & safeguarding of personal and sensitive information
- use and disclosure of personal and sensitive information
- an individual’s rights to access personal and sensitive information
- data breach response plan
This policy applies to all organisational areas and is binding of all employees, contractors, Committee of Management (CoM), volunteers and clients. This policy requires employees, contractors, CoM and volunteers to be consistent and careful in the way they manage what is written and said about individuals and how we decide who can see or hear this information.
Our participants have legislated rights to privacy. It is essential that we protect and uphold these rights, and that we act correctly in those circumstances where the right to privacy may be overridden by other considerations.
To uphold the rights of participants to privacy, authorised volunteers and each employee, contractor and CoM member needs an appropriate level of understanding about how we meet our legal obligations.
ESNLC collects and administers a range of personal information for the purposes of many of the services it provides including enrolment into programs and courses, collection of fees, and reporting of data to funding bodies such as Neighbourhood Houses Victoria, City of Port Phillip, ACFE and many more. Personal information collected includes names, addresses, contact details and information specific to the service being delivered. ESNLC is committed to protecting the privacy of personal information it collects, holds and administers.
ESNLC is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles contained as minimum standards in relation to handling personal information.
- Only collect and store information which ESNLC requires for its primary function and reporting;
- Use fair and lawful ways to collect personal and sensitive information;
- Ensure that stakeholders are informed as to why we collect the information, how we administer the information gathered and their right to access their personal and sensitive information;
- Collect personal information only by consent from an individual;
- Collect sensitive information only when necessary and when the individual has given consent;
- Make every effort to collect personal information directly from the individual. Where this is not possible, such as when an individual is referred by a third party the third party is expected (under government funding arrangements) to maintain privacy policies in compliance with the relevant privacy acts;
- Use and disclose personal and sensitive information only for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual’s consent, for a law enforcement purpose, or to protect the safety of an individual or the public;
- Make every effort to ensure that the personal and sensitive information we receive, and hold is up to date and complete;
- Store personal and sensitive information securely, taking all reasonable steps to protect it from unauthorised access, modification, disclosure, misuse or loss;
- Provide stakeholders with access to their own information, and the right to seek its correction;
- Restrict access to personal and sensitive information to the relevant, authorised employees, contractors, volunteers and CoM members;
- Destroy or deidentify personal and sensitive information deemed inaccurate, irrelevant, or no longer needed and/or after legal requirements for retaining documents have expired;
- Provide an individual with access to their personal and sensitive information upon request at no cost. Where an individual can show that information held about them is not accurate, current or complete ESNLC will take reasonable steps to correct that information;
- Conduct the following data breach response plan if a data breach (loss of, unauthorised access to, or unauthorised disclosure of personal and sensitive information) occurs or is suspected:
- Notify the Manager within 24 hours of the data breach, or suspected data breach.
- Contain the data breach to prevent any further compromise of personal information.
- Assess severity of breach, evaluate the risks, and take action to remediate any risk or harm.
- Notify individuals and Commissioner if required.
- Review the incident and consider what actions can be taken to prevent future breaches.
ENSLC employees, contractors, volunteers and CoM are responsible for the management of personal and sensitive information to which they have access. The Manager is responsible for the implementation of this policy, for monitoring changes in Privacy Legislation and for advising on the need to review or revise this policy as and when the need arises.
ESNLC CoM is responsible for developing, adopting and reviewing this policy.
For further information on this policy or to request access to personal and sensitive information, or to make a privacy complaint please contact the Manager on 03 95311954 or by email [email protected] or by post at the below address.
Elwood St Kilda Neighbourhood Learning Centre
87 Tennyson Street, Elwood, 3184
Version 2 – December 2022