1 Purpose
The purpose of this Policy is to —
- protect the Thriving Community from the misuse of Personal Information and Sensitive Information;
- provide alignment with the Australian Privacy Principles; and
- contribute to upholding the rights of members of the Thriving Community to fair treatment.
The scope of this Policy applies to the entire organisation and all Employees when collecting, holding, accessing, utilising and correcting Personal Information and Sensitive Information on behalf of Thriving. Contractors, consultants and agents of Thriving may also be required under the terms of their agreement with Thriving to comply with this Policy, and/or the terms of the Australian Privacy Principles in collecting, holding, using or disclosing Personal Information on behalf of Thriving.
2 Personal Information
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
Sensitive Information means information or an opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, association memberships, sexual orientation, criminal record or health, genetic or biometric information that is also Personal Information.
Thriving will collect and hold different types of Personal Information and Sensitive Information depending on the circumstance and relationship between Thriving and an individual.
3 Collection and Use of Personal Information
Thriving will collect and use Personal Information where that information is reasonably necessary for the performance of one or more functions and/or activities as an employer and provider of training/education, and in performing Thriving Activities and/or Thriving Business. Thriving will collect and use Personal Information by lawful, fair and transparent means and, where possible, directly from the individual. Thriving will collect Personal Information that is adequate, relevant and limited to what is required for Thriving purposes. Thriving may collect Personal Information in a number of ways, including but not limited to —
- enrolment, registration or subscription process;
- direct contact in the course of providing services or administration of Thriving Activity and/or Thriving Business;
- forms that are submitted by individuals (including via online portals);
- from cookies set from web browsers visiting Thriving’s website;
- from public health databases where the relevant consent processes described in the national research and ethics codes are followed;
- from an individual’s usage of Thriving’s IT Assets;
- from third parties with which Thriving collaborates; and
- when undertaking research.
Thriving will not collect Sensitive Information unless —
- it has obtained the individual’s consent;
- an exemption exists under, or it is required or authorised by Australian law or court/tribunal order.
Thriving will only collect and use an individual’s Personal Information or Sensitive Information —
- for the purpose for which it was collected (the primary purpose);
- for a secondary purpose that is related to the primary purpose (if the information is sensitive information, it will only be used or disclosed for a secondary purpose which is directly related to the primary purpose) and that the individual would reasonably expect his or her information to be used or disclosed for this secondary purpose;
- with the individual’s consent; or
- as otherwise allowed, required or authorised by law.
Thriving may amalgamate, consolidate and aggregate Personal Information with other Thriving Information and will, where appropriate, ensure such information is anonymised.
4 Disclosure of Personal Information
Thriving may disclose Personal Information to the following types of recipients —
- internal functions within Thriving beyond that in which the information was collected, and where this is in accordance with section 3 of this Policy;
- collaborating parties, to the extent that such personal information is required for the collaborative activity to be undertaken (e.g. collaborative research; jointly delivered courses or programs);
- external service providers, which may be located interstate or overseas, to the extent that the information is required to provide services to Thriving (e.g. software-as-a-service, cloud providers, website hosts);
- government departments and funding agencies to satisfy reporting requirements;
- a nominated emergency contact, emergency services or other person necessary to respond in the case of an emergency; and
- law enforcement agencies, to provide information for law enforcement purposes where required or authorised by law.
5 Management of Personal Information
Thriving will manage Personal Information by appropriate and reasonable means, ensuring a proactive approach to protecting such information from invasive events, embedding privacy into the design of processes and systems, and establishing accountabilities and responsibilities for Personal Information.
5.1 Responsibilities
- Employees must ensure reasonable steps are taken regarding Thriving Information, whether electronic or physical, to comply with this Policy.
- Managers will be responsible for implementing and monitoring all reasonable steps that Thriving may take to manage Thriving Information in accordance with this Policy.
- All members of the Thriving Community must ensure their collection, use, disclosure and correction of Personal Information is in accordance with this Policy.
6 Access and Correction of Personal Information
Thriving must, upon request by an individual, provide access to, or correction of, Personal Information it holds about that individual, unless providing that individual with access would have an unreasonable impact on the privacy of others or would contravene Thriving’s other legislative obligations. Thriving must take all reasonable measures to amend or remove Personal Information if it can be proved that, having regard to the purpose for which the information is held, the information is inaccurate, out of date, incomplete or misleading.
7 Privacy Collection Notice
Thriving will, where it collects Personal Information, provide a privacy collection notice or reference to where the notice can be accessed, to inform the individual of the intended use of their Personal Information. A privacy collection notice is a practical summary of the personal data being collected, its purpose, how it may be used or disclosed and the individual rights relating to the data.
8 Website Privacy
Thriving collects logs relating to activity on its websites which record limited information relating to visitors’ details and activities. These logs will be managed in accordance with this Policy and Thriving’s record keeping obligations. Thriving’s websites also utilise digital cookies, which may be used to provide personalised experiences.
9 General Data Protection Regulation (GDPR)
Thriving must, in addition to all other sections of this Policy, ensure that, in limited circumstances, an individual is permitted, in respect of personal information it holds, to —
- withdraw their consent at any time in accordance with this Policy; and
- exercise the right to erasure, data portability and the right to object.
10 Personal Information Requests and Complaints
An individual may contact Thriving to lodge a Privacy Request or complaint using the contact details set out in the Privacy Collection Notice where they —
- seek to access or correct their Personal Information; or
- seek to exercise their rights under the GDPR; or
- believe that Thriving has breached this Policy in its collection, use or management of personal information; or
- suspect there has been a data breach.
11 Breach of Policy
Thriving will investigate all suspected breaches of this Policy. Thriving will, where such an investigation indicates the potential or actual unauthorised access to, disclosure of, or loss of personal information, assess —
- whether the breach is an eligible data breach; and
- the types of notifications required.
An eligible data breach is any unauthorised access, disclosure of or loss of personal data which requires mandatory data breach notification under an applicable law. Where the breach is categorised as an eligible data breach, Thriving will notify —
- the Office of the Australian Information Commissioner or other statutory authority; and/or
- an affected individual.
Failure to comply with this Policy may result in disciplinary action.
12 Definitions
Employee means an individual employed by Thriving under a common law employment agreement.
IT Asset means any tangible or intangible thing, belonging to, or contracted to Thriving or members of the Thriving Community, which is worth protecting and used to access, process, store or transmit data.
Manager is defined in the Policy Definitions.
Personal Information is defined in section 2.
Policy is defined in the Policy Definitions.
Sensitive Information is defined in section 2.
Thriving Activity is defined in the Policy Definitions.
Thriving Business is defined in the Policy Definitions.
Thriving Community is defined in the Policy Definitions.
Thriving Information is defined in the Policy Definitions.
Thriving Property is defined in the Policy Definitions.