Rise Above is exempt from the application of the Privacy Act 1988 (Cth). However, given the nature of the personal information it handles, it seeks to handle such information in a manner consistent with the Australian Privacy Principles.
Rise Above considers the privacy of personal information we hold in respect of the patients to whom we provide charitable support, particularly their health information, to be of the greatest importance.
Chairman of the Board
21 August 2018
| Drafted by | Andrew Heath | Approved by CEO on | 21 August 2018 |
| Responsible person | CEO | Scheduled review date | 21 August 2021 |
The CEO is the Privacy Officer for Rise Above.
It is the responsibility of the CEO to ensure that:
- employees and members are aware of this policy; and
- any breaches of this policy coming to the attention of the CEO are dealt with appropriately.
It is the responsibility of all employees and members to ensure that their usage of personal information held by Rise Above conforms to this policy, and that any breaches coming to their attention are brought to the attention of the CEO.
What is personal information?
Personal information means information or an opinion about an identified person, or a person who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
The types of personal information Rise Above collects may include name, date of birth, gender, contact information, credit/debit card information, health information, other information about a person’s history with, or relationship to, cancer, and other information about a person’s interactions with Rise Above.
Whose personal information is collected?
Rise Above collects personal information from people who are connected to our operations and activities – including employees, donors, members, recipients of charitable support, health professionals, suppliers, service providers, governments and participants in advocacy campaigns or health promotion projects.
How is personal information collected?
Where possible, Rise Above collects personal information directly from the person concerned. This may be in person, in written form, on the telephone, or online.
Rise Above may also obtain personal information from third parties such as contractors (including fundraising service providers), list vendors, health professionals, social and community workers. If Rise Above collects personal information about a person from a third party and it is unclear that they have consented to the disclosure of their personal information to Rise Above, reasonable steps will be taken to contact the person and ensure that they are aware of the circumstances surrounding the collection and purposes for which their personal information has been collected.
Why is personal information collected?
Rise Above may collect personal information for a number of purposes, including:
- Support services: to provide charitable support and information, and to evaluate and report on these
- Marketing: to communicate about donations, events, products, services, campaigns, and causes
- Volunteering and other support: to enable people to assist us with volunteering, community fundraising, advocacy and other activities where we seek the community’s assistance
- Health promotion: to provide information about cancer risk factors, such as sun, tobacco and obesity, and to seek support for campaigns
- Other issues: communicating in relation to Rise Above operations, activities and objectives, to verify a person’s identity, to improve and evaluate Rise Above programs and services and to comply with relevant laws
Where Rise Above collects personal information for a specific purpose not outlined above, it will provide the person concerned with a collection notice which explains the primary purpose and any related secondary purposes for which it is collecting their personal information.
Health information and other sensitive information
As part of administering charitable support, Rise Above may collect health information and other sensitive information. For example, it may collect medical history information if a person is seeking charitable support. Sensitive information also includes the following types of information: personal financial information; marital/relationship status and family details. Rise Above will limit the collection of sensitive information to the minimum amount required to provide its charitable support.
What happens if all this information is not provided?
If a person does not provide some or all of the personal information requested, Rise Above may not be able to offer them services or provide them with information about Rise Above activities, causes, events, programs and projects.
Website usage information and cookies
A cookie does not identify individuals personally, but it does identify computers. The user can set their browser to notify them when they receive a cookie and this will provide them with an opportunity to either accept or reject it in each instance. Rise Above may gather the user’s IP address as part of its business activities and to assist with any operational difficulties or support issues with its services. This information does not identify the user personally.
Rise Above may use a web analytics service, such as Google Analytics, to monitor web traffic. A web analytics service informs how visitors use the Rise Above website based on their browsing habits, so that improvements can be made to the website to make it easier for visitors to find the information they are seeking. External providers of web analytics services, such as Google, may also receive this information as a visitor browses the website. If a visitor would like to opt out of being tracked, they can do so by using Ad Settings or the Google Analytics Opt-out Browser Add-on (so that they are not tracked by Google Analytics).
Opting out of direct marketing communications
Where Rise Above uses personal information to send marketing and promotional information by post, email or telephone, it will provide recipients with an opportunity to opt out of receiving such information. If a recipient elects not to opt out, Rise Above assumes it has their implied consent to receive similar information and communications in the future. Rise Above will always ensure that opt-out notices are clear, conspicuous and easy to take up.
If a person does not wish to receive direct marketing communications from Rise Above, they should contact Rise Above, PO Box 1351, Queanbeyan NSW 2620, Tel: 02 6297 1261 and email: email@example.com.
To whom does Rise Above disclose personal information?
Rise Above may disclose personal information to its employees, members and members of the Board.
Health information and other sensitive information is handled with a higher degree of confidentiality, and is disclosed to employees and members on a ‘need to know’ basis (at the discretion of the Chief Executive Officer of Rise Above). That is, the information is disclosed to assist the recipient of the information to undertake activities which will directly or indirectly enable the provision of charitable support by Rise Above to the person who is the subject of the information. Rise Above will not disclose health information and other sensitive information to a third party (other than a member or third party providing data hosting facilities and/or services) without the prior consent of the person concerned.
Rise Above may need to disclose personal information to others in order to carry out its activities. This may include:
- Contractors and service providers who perform services on behalf of Rise Above, such as mailing houses, printers, information technology services providers (including offshore cloud computing service providers), database contractors and telemarketing agencies.
- Third parties for marketing purposes: Rise Above may provide a person’s contact details to other like-minded organisations to contact the person with information that may be of interest to them. From time to time, Rise Above may participate in data collectives where it shares a person’s personal information (other than health and sensitive information) with other organisations.
- External support services: to health care professionals, lawyers, accountants, other professionals, counsellors, funders, financiers, co-ordinators, members, service providers, agencies and not-for-profits that provide support services.
- The governments of New South Wales and the Australian Capital Territory, also the Queanbeyan-Palerang Regional Council, and any other local government authority which Rise Above has dealings with.
Wherever Rise Above proposes to disclose personal information to a third party not outlined above, it will provide the person concerned with a collection notice which explains the circumstances in which it might disclose their personal information.
Cross-border disclosures of personal information
Rise Above may use data hosting facilities and third party service providers to assist it with providing goods and services. As a result, personal information may be transferred to, and stored at, a destination outside Australia, including but not limited to New Zealand, the Netherlands, China, Singapore, Hong Kong, Ireland, Canada, the United States of America and the United Kingdom.
Personal information may also be processed by staff or by other third parties operating outside Australia who work for Rise Above or for one of its suppliers, agents, or partners. Rise Above takes such steps as are necessary in the circumstances to ensure that any overseas third party service providers it engages do not breach the Australian Privacy Principles, including through contractual arrangements.
Where is personal information stored?
Rise Above takes all reasonable steps to protect all of the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Personal information will be stored on a password protected electronic database, which may be on a database maintained by Rise Above, a database maintained by a cloud hosting service provider or other third party database storage or server provider. Backups of electronic information are written to drives which are stored offsite.
Hard copy information is generally stored in offices of Rise Above, which are secured to prevent entry by unauthorised people. Any personal information not actively being used is archived, usually for 7 years, and may be held with a third-party provider of secure archiving services.
Where personal information is stored with a third party, Rise Above has arrangements which require those third parties to maintain the security of the information. Rise Above takes reasonable steps to protect the privacy and security of that information, but is not liable for any unauthorised access or use of that information. Personal information will stay on the database indefinitely until advice is received that a person would like it removed, unless it is de-identified or destroyed earlier in accordance with privacy law requirements.
Direct debit or credit cards
Access to personal information
Rise Above will, upon request, and subject to applicable privacy laws, provide a person with access to their personal information that is held by it. However, Rise Above requests that the requester identify, as clearly as possible, the type(s) of information requested. Rise Above will deal with the request to provide access to personal information within 30 days and the requester agrees Rise Above may charge them reasonable costs incurred in supplying them with access to this information.
Rights to access personal information are not absolute, and privacy laws dictate that Rise Above is not required to grant access in certain circumstances, such as where:
- access would pose a serious threat to the life, safety or health of any individual or to public health or public safety
- access would have an unreasonable impact on the privacy of other individuals
- the request is frivolous or vexatious
- denying access is required or authorised by a law or a court or tribunal order
- access would be unlawful, or
- access may prejudice commercial negotiations, legal proceedings, enforcement activities or appropriate action being taken in respect of a suspected unlawful activity or serious misconduct.
If Rise Above refuses to grant a person access to their personal information, it will provide them with reasons for that decision (unless it is unreasonable to do so) and the avenues available for them to complain about the refusal.
Updating personal information
A person may ask Rise Above to update or correct the personal information held about them at any time. Rise Above will take reasonable steps to verify the person’s identity before granting access or making any corrections to their information. Rise Above also has obligations to take reasonable steps to correct personal information it holds when it is satisfied that it is inaccurate, out-of-date, incomplete, irrelevant or misleading for the purpose for which it is held.
If a person requires access to, or wishes to update, their personal information, they should contact Rise Above, PO Box 1351, Queanbeyan NSW 2620, Tel: +61 2 6297 1261 and email: firstname.lastname@example.org.
The Chief Executive Officer is responsible for the management of data breaches. All significant data breaches are reported to the Board of Rise Above.
Rise Above will notify individuals when there is a data breach (that is, when there is unauthorised access or disclosure) that involves their personal information, and a reasonable person would conclude that the breach would be likely to result in serious harm to the individuals to whom the information relates. Rise Above will not notify individuals that a data breach has occurred where, as a result of remedial action taken by Rise Above in relation to the breach (before it results in serious harm to any individual to whom the information relates), a reasonable person would conclude that the unauthorised access or disclosure of the information would not be likely to result in serious harm to any of those individuals.
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations. As such, Rise Above does not have a single way of responding to a data breach. Each breach will be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
Data breaches will be managed in accordance with the following framework:
- Contain the breach, do a preliminary assessment and determine who needs to be notified immediately
- Evaluate the risks associated with the breach, considering:
  - the type of personal information involved
  - the context of the affected information and the breach
  - establish the cause and extent of the breach
  - assess the risk of harm to the affected individuals
  - assess the risk of other harms
- Notification, considering the who, what, when, why and how in terms of notifying affected individuals
- Prevent future breaches, taking the time to investigate the cause and consider whether to review the existing data breach prevention plan or, if there is no plan in place in a specific instance, developing one.