Legal
CLC.PO.07 Privacy Policy Purpose and Principles

Settlement Services International Limited and its subsidiary entities (SSI Group) is a group of community-based humanitarian organisations that work with a range of stakeholders in undertaking a broad scope of humanitarian activities. In assisting its clients, SSI Group is often required to obtain personal information about the individual, which may include health records, and/or sensitive information about the individual’s racial or ethnic origins, religious beliefs and government identifiers for the purpose of providing the relevant services.

SSI Group recognises the importance of protecting the privacy of individuals and their rights in relation to their personal information. This includes only collecting such information as is reasonably necessary for the relevant services being provided, only using the information for that purpose, and only disclosing it for that purpose unless a specific exemption exists, such as in emergency situations.

This privacy policy explains how SSI Group collects, holds, uses and discloses individuals’ personal information, including sensitive information. This privacy policy demonstrates how SSI Group complies with privacy laws applicable to it, namely the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs), which can be found on the Office of the Australian Information Commissioner (OAIC) website at www.oaic.gov.au.

SSI Group strives to ensure that its stakeholders also comply with the privacy laws in relation to the collection, use and disclosure of personal information collected by them in the course of conducting their activities for and on behalf of SSI Group.

Scope

This policy applies to all SSI Group Board directors, staff, volunteers, contractors and subcontractors who are engaged by SSI Group to assist in its activities.

It is the responsibility of every person within this scope to ensure that they comply with this policy.

SSI Group’s NSW Privacy Management Plan sits alongside this Privacy Policy, and specifically addresses the requirements under NSW privacy legislation, namely, the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) (which SSI is required to comply with as if it were a public sector agency under various NSW funding contracts), and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) (which applies to all health information held by SSI, in addition to the Privacy Act 1988 (Cth)).

Specific programs within SSI Group may impose additional privacy obligations that exceed or are alternate to the SSI Group Privacy Policy. In general, all staff members are required to be aware of any privacy requirements and obligations that pertain to their particular program. Each program is responsible for documenting their specific procedures relating to privacy (in concert with SSI Group’s Privacy Officer), and ensuring that applicable staff are made aware and follow them.

Policy

  1. Open and transparent management of information

    • 1.1 This privacy policy is available on SSI Group’s website at www.ssi.org.au and SSI Group will take reasonable steps to provide a printed copy of this policy to anyone who asks for it. A copy of the policy may be requested by contacting SSI Group’s Privacy Officer on the contact details in 8.1 below.
    • 1.2 SSI Group personnel assisting clients will seek to explain this policy as relevant as part of the provision of the services SSI Group provides.
    • 1.3 SSI Group also has a detailed Privacy Management Plan, which outlines how SSI Group complies with NSW privacy laws, which also apply to certain personal information and health information collected, used and disclosed by SSI Group.
  2. Option to remain anonymous

    • 2.1 Where it is not unlawful or impracticable, individuals will be given the option of not identifying themselves (i.e. remaining anonymous), or of using a pseudonym (i.e. a replacement name or nickname), when dealing with SSI Group.
  3. Collection of personal information
    • 3.1 SSI Group has a broad range of operations implementing its role as a community-based humanitarian organisation. As such, SSI Group collects personal and sensitive information, sometimes including health information, from individuals for many different purposes under this broad umbrella, and in different ways, some examples of which are identified below.

    The purposes for which SSI Group collects, holds, uses and discloses personal information

    • 3.2 SSI Group will only collect personal information when the information is reasonably necessary for, or directly related to, one or more of SSI Group’s functions or activities (which will be the ‘primary purpose’).
    • 3.3 Some examples of the primary purposes for which SSI Group collects personal information include (but are not limited to):
      • 3.3.1 Ascertaining suitability of SSI Group’s programs for individuals, and their eligibility to receive services
      • 3.3.2 Providing program services to individuals, including providing disability support services
      • 3.3.3 Connecting with our organisation and other members and supporters, and sending communications requested by individuals
      • 3.3.4 Assessing, placing and engaging staff and volunteers, and
      • 3.3.5 Conducting assessments and reference checks such as police checks.
    The kinds of personal information that SSI Group collects and holds

    • 3.4 Examples of the types of personal information that may be collected by SSI Group include (but are not limited to):

      • 3.4.1 Contact details such as name, address, telephone number, and email address; and other personal details such as age or date of birth, and profession, occupation or job title;
      • 3.4.2 Any information provided to SSI Group directly through SSI Group’s websites, or indirectly through use of our websites or online presence, through SSI Group’s representatives or otherwise;
      • 3.4.3 For clients: information relating to clients’ personal circumstances and history, relevant to the services being provided to them, which may include visa status, and health information; and
      • 3.4.4 For staff members and prospective staff members (including unpaid staff): qualifications, employment history, skills and hobbies, background checks (including police checks and Working with Children Checks), banking and financial details, identity documents, and photographs.
    How SSI Group collects personal information

    • 3.5 SSI Group collects personal information by various means, including (but not limited to) when:

      • 3.5.1 Clients and prospective clients make direct contact with SSI Group in relation to program services, and during ongoing case management between SSI Group and the client;
      • 3.5.2 Staff and prospective staff (including volunteers) apply for positions with SSI Group, and during any ongoing engagement;
      • 3.5.3 Individuals attend events and training workshops held by SSI Group;
      • 3.5.4 Clients provide information relating to other family members or other individuals as relevant to the services they receive from SSI Group; and
      • 3.5.5 Individuals access and use SSI Group’s website, or subscribe to SSI Group’s newsletter.
    • 3.6 SSI Group will only collect personal information by lawful and fair means.
    • 3.7 Where it is reasonable and practicable to do so, SSI Group will only collect personal information from the individual to which it relates.
    • 3.8 If SSI Group receives information about an individual from a third party, SSI Group will take reasonable steps to ensure that the individual is or has been made aware that the information has been collected, how it was collected, and from whom, and will comply with the requirements in 3.13 below.
    • 3.9 SSI Group may, in some circumstances, collect personal information (excluding sensitive information) from its subsidiary entities but only in order to deliver services to SSI Group clients.

    Collection of sensitive information

    • 3.10 SSI Group will not collect sensitive information about an individual unless:
      • 3.10.1 The individual has consented to the collection of that information and the information is reasonably necessary for SSI Group to carry out one or more of its functions or activities; or
      • 3.10.2 The information relates to individuals that have regular contact with SSI Group (for example, clients), and relates to SSI Group’s core purpose activities; or
      • 3.10.3 The collection of the information is required or authorised by an Australian law or court/tribunal order; or
      • 3.10.4 A general exception applies.
    • 3.11 SSI Group will also comply with any applicable state health privacy legislation with respect to the collection of health information.

    Unsolicited information

    • 3.12 If SSI Group receives unsolicited personal information that it could not lawfully have collected, and it is not contained in a Commonwealth record, SSI Group will as soon as practicable, but only if lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

    Notification of the collection

    • 3.13 At the time of collecting personal information from an individual, unless an exemption applies, SSI Group will advise them of matters specifically related to the personal information being collected, and will take reasonable steps to ensure that the individual is aware of the following (for example this may often be through a privacy statement, or contained in a consent form, or similar):
      • 3.13.1 That SSI Group is the collector, and how to contact SSI Group;
      • 3.13.2 The nature of the collection, including whether the information is being collected over the phone, by software applications such as cookies, or from a third party;
      • 3.13.3 The purposes for which the information is collected, including the primary purpose, as well as (where appropriate and known), secondary and/or related purposes;
      • 3.13.4 Details of any Australian law or court/tribunal order that requires or authorises the information to be collected;
      • 3.13.5 The main consequences for the individual if any of the information is not provided to SSI Group (for example, reduced ability or inability of SSI Group to provide services to the individual);
      • 3.13.6 Organisations or other parties to which SSI Group usually discloses information of the kind being collected;
      • 3.13.7 That the individual is able to access the information being collected and able to correct the information (with reference to this privacy policy);
      • 3.13.8 That this privacy policy contains information about how the individual can make a complaint about a breach of the APPs, and how SSI Group will deal with such a complaint; and
      • 3.13.9 Whether or not the individual’s personal information is likely to be disclosed or transferred overseas (which may include information stored in the cloud overseas), and where possible, the respective countries.
  4. Use and disclosure of personal information

    Primary purpose

    • 4.1 SSI Group may use or disclose the personal information collected about an individual for the primary purpose for which it was collected (see 3.2 to 3.3 above), which will be notified to the individual at the time of collection.
    • 4.2 If SSI Group has collected personal information (excluding sensitive information) from one of its subsidiary entities (see 3.9 above), SSI Group may use or disclose it for the primary purpose for which it was originally collected by the subsidiary.

    Secondary purposes

    • 4.3 SSI Group may use or disclose personal information about an individual (except for government-related identifiers) for a secondary purpose. This will only be done in limited situations, and, where reasonably possible, SSI Group will seek consent from individuals before using any personal information for a secondary purpose. Instances where SSI Group may use or disclose personal information for other purposes include:
      • 4.3.1 If the individual has specifically consented to a secondary purpose; or
      • 4.3.2 If the individual would reasonably expect SSI Group to use or disclose it for a secondary purpose that is related to the primary purpose (it must be directly related for sensitive information); or
      • 4.3.3 If the use or disclosure is required or authorised by an Australian law or court/tribunal order; or
      • 4.3.4 If a general exception applies; or
      • 4.3.5 If SSI Group reasonably believes that the further use or disclosure is reasonably necessary for law enforcement activities (in this case, a file note must be made about the disclosure).
    • 4.4 Where personal or sensitive information has been collected by SSI Group in relation to a Commonwealth contract, it may become part of a Commonwealth record, and SSI may therefore be required to disclose that information to the relevant Commonwealth department or agency funding the activity, even if the individual has not specifically consented to that disclosure.

    Direct marketing purposes (including fundraising)

    • 4.5 SSI Group may also use or disclose personal information it holds about an individual for direct marketing purposes (including for fundraising), for example, sending newsletters or invitations within the following parameters:
      • 4.5.1 SSI Group will seek to obtain the individual’s consent to this use or disclosure, unless the individual would reasonably expect SSI Group to use or disclose their personal information for direct marketing purposes;
      • 4.5.2 SSI Group will not use or disclose any sensitive information about an individual for direct marketing purposes unless the individual has specifically consented to that purpose;
      • 4.5.3 SSI Group will ensure that individuals can, at any time, clearly and easily opt out of receiving marketing materials; and, where done, SSI Group will:
        • a. action the request within a reasonable time and without any charge; and
        • b. continue to send the individual any essential information relating to the services provided to them by SSI Group.
    • 4.6 SSI Group may also use or disclose personal information it holds about an individual for direct marketing purposes if it is obliged to do so under a Commonwealth contract.

    General disclosures

    • 4.7 In addition to any expected disclosures of personal information to other organisations or third parties that are notified to individuals at the time of collection, SSI Group may also disclose some relevant personal information with its staff, subsidiaries, and contractors as appropriate and required for the primary purpose of collection set out in this policy. This includes disclosure to third party service providers, such as web hosting providers, insurers, archiving service providers, and professional advisors such as auditors, lawyers, and business consultants.

    Disclosures to overseas recipients (including cloud storage)

    • 4.8 Subject to 4.9 below, SSI Group generally does not transfer any personal information intentionally outside of Australia, without seeking specific consent from the relevant individual.
    • 4.9 SSI Group may store personal information on databases that are in the cloud, in line with the following considerations:

      • 4.9.1 Wherever possible, SSI Group seeks to ensure that personal information stored in the cloud is held on cloud servers that are located within Australia.
      • 4.9.2 Where that is not possible or practicable, and where information is stored in cloud servers located outside Australia, SSI Group will take reasonable steps to ensure that personal information is held, stored and dealt with consistently with the APPs.
      • 4.9.3 Some of SSI Group’s funding contracts with the government may require information collected for the purposes of the relevant program only be stored within Australia. Where this is the case, SSI Group will comply with its contractual requirements.
    • 4.10 SSI Group may also disclose personal information to overseas recipients in the following situations:
      • 4.10.1 Where SSI Group reasonably believes the overseas recipient is subject to a law providing substantially similar and enforceable protections for personal information as the APPs; or
      • 4.10.2 Where the disclosure is authorised or required by law (including in relation to certain general exceptions).
  5. How SSI Group holds and stores personal information (data security)

    • 5.1 SSI Group may hold personal information in hard copy and electronic form, including on secure networks and cloud-based servers.
    • 5.2 SSI Group will take all reasonable steps to protect the personal information it holds from misuse, interference, loss, and from unauthorised access, modification or disclosure.
    • 5.3 SSI Group’s personal information handling practices are regularly reviewed. All sensitive information is securely stored and shared only among employees on a need to know basis.
    • 5.4 Client management records that include any personal, sensitive and health information are stored on separate databases and are accessible only to those who require the information to undertake the relevant services, for example a case manager.
    • 5.5 SSI Group will take reasonable steps to destroy or permanently de-identify personal information about an individual that it holds if it is no longer required to be held by SSI Group (unless it is part of a Commonwealth record or otherwise required to be retained by an Australian law or court/tribunal order).
    • 5.6 The security of the SSI Group website and electronic systems is maintained at all times; however, no data transmission over the internet is 100% risk-free. SSI Group does not accept responsibility for the security of information sent to us by clients, or received from us over the internet.
  6. Access to and correction of personal information

    Access

    • 6.1 If SSI Group holds personal information about an individual, the individual can request access to that information by contacting SSI Group’s Privacy Officer, on the contact details in 8.1 below.
    • 6.2 Upon such a request, SSI Group will provide the individual with access to that information, within a reasonable period of time after the request is made, unless:
      • 6.2.1 SSI Group reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
      • 6.2.2 giving access would have an unreasonable impact on the privacy of other individuals;
      • 6.2.3 the request for access is frivolous or vexatious;
      • 6.2.4 the information relates to existing or anticipated legal proceedings between SSI Group and the individual, and the information would not be provided in the process of discovery in those proceedings;
      • 6.2.5 giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations;
      • 6.2.6 providing access would be unlawful;
      • 6.2.7 denying access is required or authorised by an Australian law or a court/tribunal order;
      • 6.2.8 giving access would be likely to prejudice the taking of appropriate action in relation to reasonably suspected unlawful activity, or misconduct of a serious nature, relating to SSI Group’s functions or activities;
      • 6.2.9 giving access would be likely to prejudice law enforcement activities; or
      • 6.2.10 giving access would reveal evaluative information generated within SSI Group in connection with a commercially sensitive decision-making process.
    • 6.3 Unless it is prohibited from doing so as a contracted service provider to Commonwealth, State and Territory government departments, SSI Group may charge a fee to cover its administrative and other reasonable costs in providing an individual with access to their personal information.
    • 6.4 If SSI Group refuses to provide an individual with access to some or all of their personal information held by SSI Group, or does not provide it in the manner requested by them, SSI Group will:
      • 6.4.1 take any reasonable steps available to give access in a way that meets the needs of SSI Group and the individual; and
      • 6.4.2 give the individual a written notice setting out the reasons for the refusal (unless it is unreasonable to do so), and how they can make a complaint about it.

    Correction

    • 6.5 An individual can request that SSI Group correct personal information held by SSI Group (and update any third parties to whom SSI Group has provided the information), and SSI Group will respond to the request within a reasonable period of time, free of charge.
    • 6.6 SSI Group will take reasonable steps to correct personal information about an individual to ensure that it is accurate, up-to-date, complete, relevant for the purpose for which it is held, and not misleading.
    • 6.7 If SSI Group decides not to correct the personal information when requested to do so by an individual, SSI Group will:
      • 6.7.1 give the individual a written notice with reasons for the refusal and information about how they can complain about the refusal; and
      • 6.7.2 if the individual requests, include a statement about the requested correction that is visible to anyone using the information.
  7. Government related identifiers

    • 7.1 SSI Group will not adopt a government related identifier of an individual as its own identifier of the individual unless doing so is required or authorised by Australian law.
    • 7.2 SSI Group will not use or disclose a government related identifier of an individual unless:
      • 7.2.1 Doing so is reasonably necessary for SSI Group to verify the identity of the individual for the purposes of SSI Group activities or functions;
      • 7.2.2 Doing so is reasonably necessary for SSI Group to fulfil its obligations to an Australian government agency or authority;
      • 7.2.3 Doing so is required or authorised by an Australian law or court/tribunal order; or
      • 7.2.4 One of the first three general exceptions applies; or
      • 7.2.5 SSI Group reasonably believes the use or disclosure is reasonably necessary for a law enforcement activity.
  8. Contact and complaints

    • 8.1 Questions or concerns about this Privacy Policy, and complaints regarding the treatment of privacy by SSI Group or a possible breach of privacy, can be raised by contacting SSI Group’s Privacy Officer on the below details:

      Privacy Officer
      Settlement Services International Limited
      Level 2, 158 Liverpool Road
      Ashfield NSW 2131
      Tel: (02) 8799-6700
      Email: privacy@ssi.org.au

    • 8.2 SSI Group will treat all requests or complaints confidentially, and will respond within a reasonable time after receipt of a request or complaint.
    • 8.3 Where a complaint is received, SSI Group will:
      • 8.3.1 Attempt to confirm as appropriate and necessary the complainant’s understanding of the conduct relevant to the complaint, and the expected outcome,
      • 8.3.2 Assess whether there may have been a notifiable data breach, and if so, follow SSI Group’s relevant policy and procedures,
      • 8.3.3 Inform the complainant whether an investigation will be conducted, and if so, the name, title, and contact details of the investigating officer and the estimated completion date for the investigation process,
      • 8.3.4 After enquiries have been completed, contact the complainant, usually in writing, to advise the outcome and invite a response,
      • 8.3.5 Assess any response received, and advise the complainant if SSI Group’s views have changed, and
      • 8.3.6 Aim to ensure that complaints are resolved in a timely and appropriate manner.
  9. Review and changes to this privacy policy

    • 9.1 This privacy policy will be reviewed every two years in accordance with SSI Group’s Document Management Procedure (CQA.PR.01), when there are any changes to the Law, or updated as required. Pending any updates or review, the previous version remains effective.

Definitions

Term Definition
Commonwealth contract for the purposes of this policy, means any funding agreement between a Commonwealth department or agency and SSI Group that requires SSI Group to disclose personal and/or sensitive information about individuals to that department or agency.
Commonwealth Record means a record that is the property of the Commonwealth, which may include personal or sensitive information collected by SSI Group in
General exceptions means those general situations where the collection, use, or disclosure of personal information by SSI Group is acceptable and appropriate due to the specific circumstances, being those classified in the Privacy Act as “permitted general situations”, in which:

  • a. SSI Group reasonably believes that the collection, use or disclosure of personal information is necessary to:
    • 1. lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent;
    • 2. take appropriate action in relation to suspected unlawful activity, or misconduct of a serious nature, relating to SSI Group’s functions or activities; or
    • 3. assist in locating a missing person (within legal parameters); or
  • b. the collection, use or disclosure is reasonably necessary to establish or defend a legal or equitable claim, or for a confidential alternative dispute resolution process.

Government related identifier means an identifier of an individual that has been assigned by a government agency or authority, or by a contracted service provider under a government contract. For example, Medicare number, passport number, drivers licence number, etc. Client identifiers assigned by SSI Group for clients of its government-funded programs may also be government related identifiers.
Health information is a special category of personal information and sensitive information, which includes information or opinion about a person’s physical and mental health, disabilities, and use of health services and preferences (among other things). Health information may be collected by SSI Group in its client intake procedures and during the provision of its services, such as information regarding their physical and mental health and impairments, medical and psychological reports, or where an individual may express an opinion in relation to the future provision of health services or a health service provided. SSI Group’s collection and handling of health information may also be regulated by the applicable state laws.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or untrue. Personal information can be written, verbal, or in photographic form. Personal information collected by SSI Group includes contact details, personal history and personal financial information, and may also include health information or other sensitive information. More detail is included in paragraph 3.4.
Sensitive information is a particular subset of personal information and includes information SSI Group may collect such as racial or ethnic origin, religious beliefs, criminal record or health information. The Law provides greater protections for sensitive information as set out below.
SSI Group refers to Settlement Services International Limited and its subsidiary entities: Access Community Services Limited, Access Community Enterprises Limited, Brisbane Multicultural Arts Centre Limited, Multicultural Centre for Mental Health & Well Being Limited.

Related Policies/Procedures

Document code Document title
CLC.PO.07 NSW Privacy Management Plan
CPAC.PR.16 Clean Desk Procedure
CPAC.PO.01 Code of Conduct Policy
CIT.PO.01 Information Technology & Communications Procedure
CIT.PR.05 Data Breach Procedure

Related References

Description
Privacy Act 1988 (Cth), including the Australian Privacy Principles
Health Records and Information Privacy Act 2002 (NSW)
Health Records Act 2001 (VIC)
National Disability Insurance Scheme Act 2013 (Cth)
Information Technology & Communications Procedure

Version History

Version Created Author Description
1 25 November 2014 Project Manager, Policies and Procedures New procedure approved for implementation
2 22 October 2014 Legal Officer Procedure information migrated to a policy document. External law firm provided guidance.
2.1 12 August 2016 Project Manager, Policies and Procedures Minor updates. References to “you” changed to staff
2.2 20 September 2016 Legal Counsel Minor updates to contact information
3.1 9 January 2019 Legal Counsel Contact information updated
4 1 August 2020 Legal Counsel Major review and updates throughout
4.1 30 June 2022 Legal Counsel QMS review with minor updates