Rise Above Privacy Policy

Privacy Policy

 

Policy Statement

The ACT Eden Monaro Cancer Support Group (ABN 68 997 342 984), trading as “Rise Above – Capital Region Cancer Relief” (Rise Above) is committed to transparency, accountability and good governance, and endeavours to handle personal information in accordance with this Privacy Policy (the Policy) and the Australian Privacy Principles.

Purpose

This Policy describes how Rise Above handles personal information it collects.

Policy

Rise Above is categorised as a small business operator, and, given the nature of the personal information it collects, it seeks to handle such information in a manner consistent with this Policy and the Australian Privacy Principles.

Rise Above considers the privacy of personal information it holds in respect of the patients to whom the charity provides charitable services, particularly health information, to be of the greatest importance.

Rise Above may revise this Policy from time to time by updating the relevant section of its website. The revised Policy will take effect when it is posted on the website.

Authorisation

 

Kim Stonham

Acting Chair of the Board 21 March 2023

 

 

Procedure number: 003

Version: 4

Reviewed by: Board

Approved on: 21 August 2018

Reviewed on: 21 March 2023

Responsible person: CEO

Scheduled review date: 21 March 2025

Responsibilities

The CEO is the Privacy Officer for Rise Above. It is the responsibility of the CEO to ensure that:

  • employees, members and volunteers are aware of this policy, and
  • any breaches of this policy coming to the attention of the CEO are dealt with

It is the responsibility of all employees, members and volunteers to ensure that their usage of personal information held by Rise Above conforms to this policy, and that any breaches coming to their attention are brought to the attention of the CEO at the earliest possible moment.

 

 

Definitions

“Personal information” has the same meaning given to that term in clause 6 of the Privacy Act 1999 (Cth).

“Sensitive information” has the same meaning given to that term in clause 6 of the Privacy Act 1999 (Cth).

“Small business operator” has the same meaning given to that term in clause 6D of the Privacy Act 1999 (Cth).

 

Processes

What is “personal information”?

In this Policy, “personal information” includes information or an opinion about an identified person, or a person who is reasonably identifiable:

  • whether the information or opinion is true or not, and
  • whether the information or opinion is recorded in a material form or

Personal information includes ‘sensitive information’, which Rise Above may handle from time to time, including in the circumstances described by this Policy.

 

What kinds of personal information does Rise Above handle?

The types of personal information Rise Above will collect and maintain will depend on how you interact with us, but will generally include name, date of birth, gender, contact information (including address, telephone numbers and email address), credit/debit card information, health information, other information about a person’s history with, or relationship to cancer and other information about the nature of a person’s interactions with Rise Above.

Rise Above may collect other personal information from time to time, in accordance with this Policy and the Australian Privacy Principles.

Whose personal information is collected?

Rise Above collects personal information from people who are connected to its operations and activities – including employees, contractors, donors, members, volunteers, sponsors, recipients of charitable services, health professionals, suppliers, service providers, governments and participants in advocacy campaigns or health promotion projects.

How is personal information collected?

Most often, Rise Above collects personal information directly from the person concerned. This may be in person, in written form, on the telephone, or online.

Rise Above may also obtain personal information from third parties such as contractors (including fundraising service providers), vendors, health professionals, social and community workers. If Rise Above collects personal information about a person from a third party and it is unclear that the person has consented to the disclosure of their personal information to Rise Above, reasonable steps will be taken to contact the person and ensure that they are aware of the circumstances surrounding the collection and purposes for which their personal information has been collected.

Why is personal information collected?

Rise Above may collect, hold, use and disclose personal information for a number of purposes, including:

  • support services: to provide charitable services and information, and to evaluate and report on these,
  • administrative services: maintaining membership and volunteer records,
  • marketing and promotion: to communicate about donations, events, products, services, campaigns, and causes,
  • volunteering and other support: to enable people to assist Rise Above with volunteering, community fundraising, advocacy and other activities where we seek the community’s assistance,
  • health promotion: to provide information about cancer risk factors (such as sun, tobacco and obesity), and to seek support for campaigns, and
  • other issues: communicating in relation to Rise Above operations, activities and objectives, to verify a person’s identity, to improve and evaluate Rise Above programs and services and to comply with relevant laws.

Where Rise Above collects personal information for a specific purpose not outlined above, it will provide the person concerned with a collection notice which explains the primary purpose and any related secondary purposes for which it is collecting their personal information.

Health information and other sensitive information

As part of administering charitable services, Rise Above may collect:

  • health information (for example, current and historical medical information of a person seeking charitable services from Rise Above) and,
  • other sensitive information (for example marital/relationship status which may indicate sexual orientation).

Rise Above will limit the collection of sensitive information to the minimum amount required to provide its charitable services.

What happens if personal information is not provided?

If a person does not provide some or all of the personal information requested, Rise Above may not be able to offer them services or provide them with information about Rise Above activities, causes, events, programs and projects.

Website usage information and cookies

When a person accesses the Rise Above website (https://riseabovecbr.org.au/), software embedded in the website (such as JavaScript) may be in use. Rise Above may place small data files (or cookies) on the user’s computer or other device to collect information about which pages they view and how they reach Rise Above, what they do when they visit a page, the length of time they remain on the page, and how Rise Above performs in providing content to them.

A cookie does not identify individuals personally, but it does identify computers. The user can set their browser to notify them when they receive a cookie, and this will provide them with an opportunity to either accept or reject it in each instance. Rise Above may gather the user’s IP address as part of its business activities and to assist with any operational difficulties or support issues with its services. This information does not identify the user personally.

Rise Above may use a web analytics service, such as Google Analytics, to monitor web traffic. A web analytics service informs how visitors use the Rise Above website based on their browsing habits, so that improvements can be made to the website to make it easier for visitors to find the information they are seeking. External providers of web analytics services, such as Google, may also receive this information as a visitor browses the website. If a visitor would like to opt out of being tracked, they can do so by using Ad Settings or by using the Google Analytics Opt-out Browser Add-on (so they are not tracked by Google Analytics).

This Policy applies to Rise Above’s website only, and does not apply to any third party websites that may be linked from Rise Above’s website or social media pages. If a person navigates to a third party’s website from Rise Above’s website, that person will be subject to the third party’s privacy policy, and will not be covered by this Policy.

Opting out of direct marketing communications

Where Rise Above uses personal information to send marketing and promotional information by post, email or telephone, it will provide recipients with an opportunity to opt out of receiving such information. Where a recipient elects not to opt out, Rise Above assumes it has their implied consent to receive similar information and communications in the future. Rise Above will always ensure that opt-out notices are clear, conspicuous and easy to take up.

If a person does not wish to receive direct marketing communications from Rise Above, they should contact Rise Above, PO Box 1351, Queanbeyan NSW 2620, Tel: 02 6297 1261 or email: admin@riseabovecbr.org.au.

To whom does Rise Above disclose personal information?

Rise Above may disclose personal information to its employees, members and volunteers and members of the Board in their Board capacity.

Health information and other sensitive information is handled with a higher degree of confidentiality, and is disclosed to employees, members or volunteers on a ‘need to know’ basis (at the discretion of the Chief Executive Officer of Rise Above). That is, the information is disclosed to assist the recipient of the information to undertake activities which will directly or indirectly enable the provision of charitable services by Rise Above to the person who is the subject of the information. Rise Above will not disclose health information and other sensitive information to a third party (other than a member, volunteer or third-party providing data hosting facilities and/or services) without the prior consent of the person concerned.

Rise Above may need to disclose personal information to others in order to carry out its activities. This may include:

  • Contractors and service providers who perform services on behalf of Rise Above, such as mailing houses, printers, information technology services providers (including offshore cloud computing service providers), database contractors and telemarketing agencies.
  • Third parties for marketing purposes: Rise Above may provide a person’s contact details to other like-minded organisations to contact the person with information that may be of interest to them.
  • External support services: to health care professionals, lawyers, accountants, other professionals, counsellors, funders, financiers, coordinators, members, volunteers, service providers, agencies and not-for-profits that provide support services.
  • The governments of New South Wales and the Australian Capital Territory, also the Queanbeyan-Palerang Regional Council, and any other local government authority which Rise Above has dealings with.
  • Where Rise Above is compelled to disclose the information by law, or where Rise Above has reason to suspect that unlawful activity, or serious misconduct that relates to Rise Above’s functions or services has been, is being or may be engaged in.
  • Where a person(s) has provided his/her/their consent to the

Wherever Rise Above proposes to disclose personal information to a third party not outlined above, it will provide the person concerned with a collection notice which explains the circumstances in which it might disclose their personal information.

Cross-border disclosures of personal information

Rise Above may use data hosting facilities and third-party service providers to assist it with providing goods and services. As a result, personal information may be transferred to, and stored at, a destination outside Australia, including but not limited to New Zealand, Netherlands, China, Singapore, Hong Kong, Ireland, Canada, United States of America and the United Kingdom.

Personal information may also be processed by staff or by other third parties operating outside Australia who work for Rise Above or for one of its suppliers, agents, or partners. Rise Above takes such steps as are necessary in the circumstances to ensure that any overseas third-party service providers deal with personal information in a manner consistent with the Australian Privacy Principles, including through contractual arrangements.

If a person’s personal information is collected using a collection notice that references this Policy, they are taken to consent to the disclosure, transfer, storing or processing of their personal information outside of Australia. They also acknowledge and understand that by providing such consent that Rise Above will not be required to take such steps as are reasonable in the circumstances to ensure such third parties comply with the Australian Privacy Principles.

Where is personal information stored?

Rise Above takes all reasonable steps to protect all of the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Personal information will be stored on a password protected electronic database, which may be on a database maintained by Rise Above, a database maintained by a cloud hosting service provider or other third-party database storage or server provider. Backups of electronic information are written to drives which are stored offsite.

Hard copy information is generally stored in offices of Rise Above, which are secured to prevent entry by unauthorised people. Any personal information not actively being used is archived, usually for 7 years, and may be held with a third-party provider of secure archiving services.

Where personal information is stored with a third party, Rise Above has arrangements which require those third parties to maintain the security of the information. Rise Above takes reasonable steps to protect the privacy and security of that information but is not liable for any unauthorised access or use of that information. Personal information will stay on the database indefinitely until advice is received that a person would like it removed, unless it is de-identified or destroyed earlier in accordance with privacy law requirements.

Direct debit or credit cards

Rise Above uses Stripe as an online portal for all financial transactions involving donations and registrations. The Rise Above website does not take financial details from anyone.

Please contact Stripe (stripe.com) for its privacy policy when submitting an online transaction for donations and registrations with Rise Above.

Access to personal information

Rise Above will, upon request, and subject to applicable privacy laws, provide a person with access to their personal information that is held by it. However, Rise Above requests that the requester identify, as clearly as possible, the type(s) of information requested. Rise Above will deal with the request to provide access to personal information within 30 days and the requester agrees Rise Above may charge them reasonable costs incurred in supplying them with access to this information.

Rights to access personal information are not absolute and privacy laws dictate that Rise Above is not required to grant access in certain circumstances such as where:

  • access would pose a serious threat to the life, safety or health of any individual or to public health or public safety,
  • access would have an unreasonable impact on the privacy of other individuals,
  • the request is frivolous or vexatious,
  • denying access is required or authorised by a law or a court or tribunal order,
  • access would be unlawful, or
  • access may prejudice commercial negotiations, legal proceedings, enforcement activities or appropriate action being taken in respect of a suspected unlawful activity or serious misconduct.

If Rise Above refuses to grant a person access to their personal information, it will provide them with reasons for that decision (unless it is unreasonable to do so) and the avenues available for them to complain about the refusal.

Updating personal information

A person may ask Rise Above to update or correct the personal information held about them at any time. Rise Above will take reasonable steps to verify the person’s identity before granting access or making any corrections to their information. Rise Above also has obligations to take reasonable steps to correct personal information it holds when it is satisfied that it is inaccurate, out-of-date, incomplete, irrelevant or misleading for the purpose for which it is held.

If a person requires access to, or wishes to update, their personal information, please contact Rise Above, PO Box 1351, Queanbeyan NSW 2620, Tel: +61 2 6297 1261 or email: admin@riseabovecbr.org.au.

Complaints

If a person has any queries or would like to make a complaint relating to this Policy or the manner in which personal information has been handled, please contact Rise Above’s Privacy Officer on 02 6297 1261 or email ceo@riseabovecbr.org.au. The Privacy Officer endeavours to respond to complaints and queries within fourteen calendar days of their receipt. If a person is dissatisfied with the response of Rise Above, they may refer the matter to the Australian Information Commissioner (see www.oaic.gov.au).

Data breaches

The Chief Executive Officer is responsible for the management of data breaches. All significant data breaches are reported to the Board of Rise Above.

Rise Above will notify individuals when there is a data breach (that is, when there is unauthorised access or disclosure) that involves their personal information, and a reasonable person would conclude that the breach would be likely to result in serious harm to the individuals to whom the information relates. Rise Above will not notify individuals that a data breach has occurred where, as a result of remedial action taken by Rise Above in relation to the breach (before it results in serious harm to any individual to whom the information relates), a reasonable person would conclude that the unauthorised access or disclosure of the information would not be likely to result in serious harm to any of those individuals.

Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations. As such, Rise Above does not have a single way of responding to a data breach. Each breach will be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.

Data breaches will be managed in accordance with the following framework:

  1. Contain the breach, undertake a preliminary assessment and determine who needs to be notified immediately,
  2. Evaluate the risks associated with the breach, considering:
    1. the type of personal information involved,
    2. the context of the affected information and the breach,
    3. establish the cause and extent of the breach,
    4. assess the risk of harm to the affected individuals,
    5. assess the risk of other harms,
  3. Notification, considering the who, what, when, why and how in terms of notifying affected individuals, and
  4. Prevent future breaches, taking the time to investigate the cause and consider whether to review the existing data breach prevention plan or, if there is no plan in place in a specific instance, developing one.