PRIVACY POLICY
1.0 PURPOSE
The procedures outlined in this policy aim to ensure the safe and appropriate management of all data used, collected and stored throughout the process of standard business operations.
2.0 SCOPE
This policy and procedure applies to all Directors, Managers, Employees and Independent Contractors of Productivity Matters. It does not form part of any employee’s contract of employment.
3.0 RESPONSBILITIES
This document allocates responsibilities for:
- Board of Directors
- CEO
- Senior Leadership Team
- Productivity Matters Staff
- Productivity Matters Contractors
4.0 POLICY STATEMENT
Productivity Matters is committed to providing quality services to all stakeholders and this policy outlines the company’s ongoing obligations in respect to the management of Personal Information.
Productivity Matter’s has adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The APPs govern the way in which Personal Information is collected, used, disclosed, stored, secured and disposed of.
A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at www.aoic.gov.au
5.0 POLICY
Protecting the privacy and the confidentiality of personal and business information is vital. Employees should never disclose private information that they have access as a result of their employment or responsibilities. This also includes personal information relating to their peers.
The duty to protect the privacy of personal information continues even after the end of an assignment or relationship between Productivity Matters and the client, including if the employee leaves the Productivity Matters team.
5.1 Collection
1.1 Productivity Matters will not collect personal information unless the information is necessary for one or more of its functions or activities.
1.2 Productivity Matters will collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) Productivity Matters collects personal information about an individual from the individual, Productivity Matters will take reasonable steps to ensure that the individual is aware of:
(a) the identity of Productivity Matters and how to contact them; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which Productivity Matters usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, Productivity Matters will collect personal information about an individual only from that individual.
1.5 When Productivity Matters collects personal information about an individual from someone else, it will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in sub clause 1.3, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
5.2 Use and Disclosure
2.1 Productivity Matters will not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect Productivity Matters to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for Productivity Matters to seek the individual’s consent before that particular use;
(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:
(i) it is impracticable for Productivity Matters to seek the individual’s consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A of the Privacy Act 1988 for the purposes of this subparagraph; and
(iii) in the case of disclosure – Productivity Matters reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or
(e) Productivity Matters reasonably believes that the use or disclosure is necessary to lessen or prevent:
(i) a serious and imminent threat to an individual’s life, health or safety; or
(ii) a serious threat to public health or public safety; or
(f) Productivity Matters has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is required or authorised by or under law; or
(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
Note 1: It is not intended to deter organisations from lawfully co‑operating with agencies performing law enforcement functions in the performance of their functions.
Note 2: Sub clause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in Sub clause 2.1 requires Productivity Matters to disclose personal information; Productivity Matters is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
Note 3: Productivity Matters is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.
2.2 When Productivity Matters uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.
2.3 When Productivity Matters provides services to an individual, we may disclose health information about the individual to a person who is responsible for the individual if:
(a) The individual:
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) Physically cannot communicate consent to the disclosure; and
(b) A natural person (the carer) providing the health service for the organisation is satisfied that either:
(i) The disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) The disclosure is made for compassionate reasons; and
(c) The disclosure is not contrary to any wish:
(i) Expressed by the individual before the individual became unable to give or communicate consent; and
(ii) Of which the carer is aware, or of which the carer could reasonably be expected to be aware; and
(d) The disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).
2.4 For the purposes of Sub clause 2.4, a person is responsible for an individual if the person is:
(a) A parent of the individual; or
(b) A child or sibling of the individual and at least 18 years old; or
(c) A spouse or de facto spouse of the individual; or
(d) A relative of the individual, at least 18 years old and a member of the individual’s household; or
(e) A guardian of the individual; or
(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or
(g) A person who has an intimate personal relationship with the individual; or
(h) A person nominated by the individual to be contacted in case of emergency.
2.5 In Subclause 2.5:
Child of an individual includes an adopted child, a stepchild and a foster child, of the individual.
Parent of an individual includes a stepparent, adoptive parent and a foster parent, of the individual.
Relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.
Sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step brother, step sister, foster brother and foster sister, of the individual.
5.3 Data Quality
Productivity Matters will take reasonable steps to make sure that the personal information it collects uses or discloses is accurate, complete and up to date.
5.4 Data Security
4.1 Productivity Matters will work with its IT provider to ensure that the personal information it holds is secure and protected from misuse and loss, unauthorised access, modification or disclosure.
4.2 Productivity Matters will take reasonable steps to destroy or permanently de‑identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed.
5.5 Access to Personal Information
5.1 On request, Productivity Matters will notify individuals of the type of personal information it holds about them, the purposes for which it is used, and how it collects, holds, uses and discloses that information.
5.6 Access and Correction
6.1 When Productivity Matters holds personal information about an individual, it will provide the individual with access to the information on request by the individual, except to the extent that:
(a) providing access would pose a serious and imminent threat to the life or health of any individual;
(b) Providing access would have an unreasonable impact upon the privacy of other individuals; or
(c) The request for access is frivolous or vexatious; or
(d) The information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
(e) Providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(f) Providing access would be unlawful; or
(g) Denying access is required or authorised by or under law; or
(h) Providing access would be likely to prejudice an investigation of possible unlawful activity; or
(j) Providing access would be likely to prejudice:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
By or on behalf of an enforcement body; or
(k) An enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, Productivity Matters may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
6.3 If Productivity Matters is not required to provide an individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), Productivity Matters will, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 Productivity Matters may charge for providing access to personal information, but those charges:
(a) Will not be excessive; and
(b) Will not apply to lodging a request for access.
6.5 When Productivity Matters holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, Productivity Matters will take reasonable steps to correct the information so that it is accurate, complete and up to date.
6.6 If the individual and Productivity Matters disagree about whether the information is accurate, complete and up to date, and the individual asks Productivity Matters to associate with the information a statement claiming that the information is not accurate, complete or up to date, Productivity Matters will take reasonable steps to do so.
6.7 Productivity Matters will provide reasons for denial of access or a refusal to correct personal information.
5.7 Identifiers
7.1 Productivity Matters will not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:
(a) An agency; or
(b) An agent of an agency acting in its capacity as agent; or
(c) A contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.
7.1A However, Sub clause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).
7.2 Productivity Matters will not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in Sub clause 7.1, unless:
(a) The use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or
(b) One or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or
(c) The use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.
7.3 In this clause:
Identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.
5.8 Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with Productivity Matters.
5.9 Transborder Data Flows
Productivity Matters may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:
(a) Productivity Matters reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles (NPPs); or
(b) The individual consents to the transfer; or
(c) The transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre‑contractual measures taken in response to the individual’s request; or
(d) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between Productivity Matters and a third party; or
(e) All of the following apply:
(i) The transfer is for the benefit of the individual;
(ii) It is impracticable to obtain the consent of the individual to that transfer;
(iii) If it were practicable to obtain such consent, the individual would be likely to give it; or
(f) Productivity Matters has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the NPPs.
5.10 Sensitive Information
10.1 Productivity Matters will not collect sensitive information about an individual unless:
(a) The individual has consented; or
(b) The collection is required by law; or
(c) The collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
(i) Is physically or legally incapable of giving consent to the collection; or
(ii) Physically cannot communicate consent to the collection; or
10.2 Despite Sub clause 10.1, Productivity Matters may collect health information about an individual if:
(a) The information is necessary to provide services to the individual; and
(b) The information is collected:
(i) As required by law (other than this Act); or
(ii) In accordance with rules established by competent health and medical bodies that deal with obligations of professional confidentiality which bind the organisation.
10.3 Despite Sub clause 10.1, Productivity Matters may collect health information about an individual if:
(a) the collection is necessary for any of the following purposes:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(b) That purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and
(c) It is impracticable for the organisation to seek the individual’s consent to the collection; and
(d) The information is collected:
(i) As required by law (other than this Act); or
(ii) In accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation;
(iii) In accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.
10.4 If Productivity Matters collects health information about an individual in accordance with Sub clause 10.3, Productivity Matters will take reasonable steps to permanently deidentify the information before the organisation discloses it.
10.5 In this clause:
Non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade unions aims.
6.0 ACCOUNTABILITIES
The maintenance of privacy through the appropriate handling of data is the responsibility of everyone involved in data use, collection and storage.
The Productivity Matters Directors and Managers have the ultimate responsibility for the development and effective implementation of appropriate privacy handling procedures at Productivity Matters.
