This Policy sets out how Open Dialogue Centre (ODC) complies with our obligations under Australian privacy law. ODC is bound by the Australian Privacy Principles (APPs) and other laws which regulate how organisations collect, use, disclose, store or otherwise treat personal information as well as how individuals, including our clients, access or correct personal information about them.
This policy applies to all Open Dialogue Centre staff and services.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable. This applies whether or not the information or opinion is true, and regardless of how, or whether, the information or opinion is recorded. It includes information such as your name, address, date of birth, contact details and emergency contacts, and photos and videos which may lead to the identification of a person or location/address.
Sensitive personal information is a specific type of personal information, or opinion about that information, that risks adverse consequences for the individual if not strictly managed. This is information regarding a person’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association or trade union; sexual orientation or practices; or criminal record. Sensitive personal information also includes all health information, genetic information, and biometric information.
Data Breach means personal information is accessed or disclosed without authorisation or is lost.
Open Dialogue Centre is committed to protecting the privacy and the rights of individuals regarding the personal information the organisation collects, holds, and administers. Open Dialogue Centre will ensure individuals have the opportunity to access their information and request correction of any errors where applicable. Open Dialogue Centre welcomes feedback and will address any complaints about the way the organisation manages personal information.
Open Dialogue Centre is committed to its obligations under the Commonwealth Privacy Act 1988 (‘the Act’) and Australian Privacy Principles contained therein. The organisation will:
- collect only the information required for the running of the business
- inform stakeholders (our clients, employees, customers, and prospective staff) of why we collect, and how we administer, the information
- use and disclose (where necessary) personal information only for its primary business function, or a directly related purpose, or for other reasons with the person’s consent
- securely store personal information and protect it from unauthorised access
- provide stakeholders with access to their information and correct the information where it is in error.
Open Dialogue Centre is required to collect personal information of individuals with whom we do business, both within and outside the organisation. This is necessary for the effective operation of the organisation in order to carry out its internal business functions and provide programs and services to members of the public. The organisation is committed to its responsibility to use such information only for the intended purpose.
All individuals working, volunteering, on student placement, or otherwise engaged by Open Dialogue Centre and its associated programs and businesses (hereafter referred to as ‘staff’) must comply with this policy and associated processes when collecting, accessing, disclosing, and managing personal information.
1. Personal information the organisation may collect
The term ‘personal information’ used throughout this policy has the meaning given to it in the Act and includes private and sensitive information. In general terms, it is any information that can be used to personally identify a person and includes opinions about the person.
Examples of personal information the organisation collects for relevant business purposes include a person’s:
- name, age, date of birth
- contact, and emergency contact details such as email, phone, fax number, street address
- profession, occupation, or job title
- financial details such as bank details, credit card number, tax file number
- photo of the person or photo ID such as driver licence or passport details
- health information of any kind whether or not it is current
- details used when assessing an application to volunteer, to receive services, or to become an employee. This may also include sensitive information such as relates to disability, aboriginality, nationality, gender, or criminal record
- Centrelink Customer Reference Number.
Where practical, individuals can choose to interact with Open Dialogue Centre anonymously or by using a pseudonym, such as when making general enquiries about services. However, for most business functions Open Dialogue Centre will generally need enough personal information to allow the organisation to manage the enquiry, application, request, or complaint fairly and efficiently.
3. Collection, use, and disclosure of personal information
Open Dialogue Centre will advise individuals whenever the organisation is collecting, or is about to collect, personal or sensitive information as described in this policy. Personal information is collected directly from the individual unless it is unreasonable or impractical to do so, or if the person has nominated an authorised representative. The organisation may collect personal information from third parties including referees of applicants for employment and volunteering.
The organisation may also collect information from individuals when signing up to mailing lists, providing feedback on services, registering for events, or participating in surveys.
Open Dialogue Centre collects, uses, and may disclose personal information for a range of business purposes, specifically:
- to assess a person’s needs as a customer and to provide services to the person
- for the purposes of recruitment, employment, volunteering, and student placement
- to comply with reporting obligations to government and other funding bodies
- for financial recordkeeping purposes such as taxation, expenses, and donations
- for the organisation’s administrative, planning, service development, and quality control purposes
- to communicate with individuals to inform them about the organisation’s work, objectives, programs, and activities
- to update the organisation’s records and keep the person’s contact details up to date
- to process and respond to complaints and access requests and
- to comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority.
3.1 Unsolicited personal information
Personal information provided to Open Dialogue Centre that the organisation has not requested, and is not likely to request, will be de-identified or destroyed as soon as practicable.
Open Dialogue Centre does not provide personal information to other organisations for direct marketing purposes.
Open Dialogue Centre may choose to use personal information for its own direct marketing purposes, where the individual has consented to the use of their information for that purpose. The organisation may send information regarding its services and products in forms such as newsletters or email updates but will endeavour to use the person’s preferred method where possible.
Open Dialogue Centre marketing material will contain opt-out information. Where a person chooses to opt out, their name will be removed from the relevant mailing list. To unsubscribe from any of our communications at any time, please contact firstname.lastname@example.org or click “unsubscribe” if the option is available.
5. Information Security
Open Dialogue Centre uses physical, technical, and administrative safeguards to protect the privacy of information the organisation collects and holds. Information security is tested and updated on an ongoing basis.
The organisation reinforces with its employees their responsibilities to maintain confidentiality and protect the privacy and security of information. Access to personal information is limited to staff who need the information for operational business purposes or to provide business services. Information is de-identified and/or securely destroyed when no longer needed or when obsolete.
5.1 Unsolicited personal information
As the Open Dialogue Centre website is linked to the internet the organisation cannot provide any assurance concerning the security of information that is sent or received online. There is no guarantee that information sent or received via the internet will not be intercepted during transmission. As such, individuals who send personal information to the organisation via online or other electronic methods do so at their own risk.
Open Dialogue Centre uses interfaces with social media sites including Twitter, Facebook, Instagram, LinkedIn and others, and users are advised to read their privacy policies if choosing to ‘like’, ‘share’, or enter information relating to Open Dialogue Centre through these sites. Engaging with these sites provides Open Dialogue Centre with the individual’s username and access to their public profile.
6. Data Breaches
Any suspected or actual data breaches should be immediately reported as an Incident in RMSS with the category ‘Data Breach’ selected and your line manager notified as soon as practicable. Staff are required to follow the Notifiable Data Breach Procedure for guidance on the process.
Open Dialogue Centre will quickly respond in the event of a suspected or actual data breach. All incidents will be managed on a case-by-case basis and the appropriate course of action taken in response. Open Dialogue Centre will work to contain the breach, evaluate the associated risks, and assess the level of possible harm. Open Dialogue Centre will always endeavour to take appropriate remedial action in a timely manner to prevent a data breach from resulting in serious harm (see section 6.1 below).
6.1 Eligible breaches
Some breaches of data are considered so significant as to be eligible to be notified to the Office of the Australian Information Commissioner (OAIC) and any individual whose personal data has been breached. An eligible data breach occurs when all the following criteria are met:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that the organisation holds
- this is likely to result in serious harm to one or more individuals, and
- the organisation has not been able to prevent the likely risk of serious harm with remedial action.
Serious harm regarding a data breach includes serious physical, psychological, emotional, financial, or reputational harm. When assessing the risk of serious harm to individuals whose personal information is part of a data breach, Open Dialogue Centre will consider the likelihood of the harm eventuating and the likely consequences of the harm.
Upon becoming aware of a suspected data breach, Open Dialogue Centre will quickly act to assess whether the breach constitutes an eligible data breach. If during the assessment there are reasonable grounds to believe that there has been an eligible data breach, or it becomes clear that an eligible breach has occurred, the organisation’s Privacy Officer will notify the OAIC as soon as practicable after becoming aware of the breach or suspected breach.
Where practicable the organisation will also notify each individual directly affected by the breach, unless remedial action has already occurred to prevent serious harm. Where it is not practicable to notify each individual (for example where all clients or staff are affected) the organisation will publicise the statement made to the OAIC on the Open Dialogue Centre website. Open Dialogue Centre will include the following information about the eligible data breach:
- the organisation’s name and contact details
- a description of the eligible data breach (e.g. the date/date range of the breach, date the breach was detected, circumstances of the breach, who has/is likely to have access to the information, action taken to contain the breach)
- the kind or kinds of information involved in the eligible data breach
- steps the organisation recommends the individuals take in response to the eligible data breach
After the breach has been addressed and notification has occurred Open Dialogue Centre will thoroughly review the matter to reduce the likelihood of recurrence. The organisation will review and where necessary update its policies and processes, conduct additional training, enhance cyber security measures, and/or other action as appropriate.
7. Requests and Complaints
Individuals may request access to any personal information the organisation holds about them at any time by emailing email@example.com or by writing to:
Privacy at Open Dialogue Centre
PO Box 371
North Ryde BC
The organisation will endeavour to provide access to the information by the most suitable means such as by mail, email, or arranging for the individual to view the information at an Open Dialogue Centre office. Open Dialogue Centre will require the person to provide evidence of their identity before access is granted or amendments are made.
The organisation may refuse access to all or part of a person’s record if it would interfere with the privacy of others, or if it would reveal confidential business information, or for any other applicable reasons described in Australian Privacy Principle 12.3. Individuals will be notified in writing of the reasons for any such refusal.
7.1 Request to amend personal information
Individuals may request that their personal information be amended if they believe that information is incomplete, inaccurate, or not up to date.
All requests to amend personal information will be assessed before being actioned. Where this assessment determines there are no grounds for amending the information, the organisation will add a note to the personal information stating that the individual disagrees with the content of the record.
7.2 Making a complaint about a breach of the Australian Privacy Principles
Individuals may make a complaint about the way the organisation handles their information by emailing their concerns to firstname.lastname@example.org. An authorised representative of the organisation will respond to the complaint within a reasonable period, generally within 10 business days. If it appears the complaint will take longer to resolve, the representative will notify the individual of the expected resolution date.
This policy and associated documents will be reviewed every three (3) years.
Relevant External Documents
APS Code of Ethics
Data Breach Preparation and Response Guide
Relevant Open Dialogue Centre Documents
Notifiable Data Breach Procedure
Privacy Impact Assessment (PIA) Tool
Privacy Information Brochure
Brand Marketing and Communications Policy
Customer Service Policy
Incident Management Procedure
Quality Management Framework
Release of Client Information Procedure
Privacy and Confidentiality Forms
Release of Client Information Template Letters