1300 436 569
Credit Fix Solutions

Privacy Management Plan

1. Introduction

This Privacy Management Plan (the Plan) details the plan of Chelsea Planning & Consulting Pty Ltd, trading as Credit Fix Solutions (referred to as CFS throughout the remainder of this document), for handling the personal information of staff, clients and the general public in their dealings with CFS, in accordance with the principles set out in the Privacy and Information Access Policy.

This Plan supports CFS’s compliance with its obligations under the Privacy and Personal Information Protection Act (PPIPA) and the Health Records and Information Protection Act (HRIPA) by:

1.1  Informing individuals of how their personal information will be handled by CFS and their rights under the legislation;

1.2  Creating a culture of privacy awareness across CFS so that staff of CFS are aware of their responsibilities under the legislation;

1.3  Considering the Information Protection Principles and Health Privacy Principles, where relevant, in the design and/or review of processes, systems and projects undertaken or implemented by CFS.

CFS policies and practices that support this Plan are listed in Schedule One.

2. Audience

2.1  This Plan applies to all staff, contractors, conjoints, volunteers and other representatives of CFS.

2.2  Controlled entities:

2.2.1       CFS requires controlled entities to manage personal and health information in accordance with this Plan.

2.2.2       Controlled entities may also have other requirements under the Australian Protection Principles and/or other legislation.

2.2.3       If a complaint or internal review is received by CFS about the conduct of a controlled entity, CFS may conduct a review if deemed necessary.

2.3      A copy of this Plan is provided to the Privacy Commissioner, in line with Section 33(5) of the PPIPA.

3. Review

This Plan will be reviewed at least every three years. The supporting schedules will be reviewed to confirm currency and to reflect any improvements made to practice. An issues register is maintained by CFS to support the review process, and issues or feedback may be e-mailed to info@creditfixsolutions.com.au.

4. Information about Public Registers

4.1  CFS publishes records of clients in our CRM, Ontraport, including the name of the client and the work completed.

5. Protection/Privacy Principles

5.1  Under the PPIPA there are 12 Information Protection Principles (IPPs). These are contained in Sections 8 to 19 of the PPIPA. In this Plan the IPPs are described in accordance with information produced by the NSW Privacy Commissioner.

5.2  Under the HRIPA there are 15 Health Privacy Principles (HPPs) that apply to CFS. In this Plan, the HPPs are described in accordance with information produced by the NSW Privacy Commissioner.

5.3  The first 12 Principles are substantially similar across both Acts and are therefore discussed together and used interchangeably as appropriate within this Plan.

5.4  CFS is primarily governed by NSW privacy legislation. Certain information (such as Tax File Numbers) is expressly governed by the Commonwealth Privacy Act 1998 (Commonwealth Act). For particular functions, or for Commonwealth-funded research projects, CFS may also have obligations under the Australian Privacy Principles (APPs), which are outlined in that Act. The APPs are not outlined in full in this Plan; however, reference is made to relevant APPs for guidance. The APPs are detailed in Schedule One of the Commonwealth Act.

5.5  This Plan does not cover the responsibilities of any controlled entities under the Commonwealth Act, and questions regarding those responsibilities should be directed to the entity.


6. Collection

6.1  IPP 1 and HPP 1 and 2 require that CFS only collect personal or health information for:

6.1.1       a lawful purpose that is directly related to a CFS function or activity; and

6.1.2       if the information is reasonably necessary for that purpose.

6.2  The objects and functions of CFS are outlined in CFS’s Privacy Policy and include viewing a credit report and advocating on a client’s behalf to amend information on the credit report.

6.3  Examples of why personal or health information may be collected and used by CFS include:

6.3.1       provision of credit repair;

6.3.2       research;

6.3.3       fundraising;

6.3.4       promotion of events;

6.3.5   surveys and competitions;

6.3.6   news and updates;

6.3.7   providing support services such as advocacy services;

6.3.8   managing complaints or disputes.

6.4  Schedule Two provides further examples of CFS functions for which CFS may collect personal or health information.

6.5  IPP 2 and HPP 3 require that when collecting personal or health information, CFS collect the information directly from the individual to whom the information relates, unless:

6.5.1       the individual has authorised collection of the personal information from someone else;

6.5.2       the personal information is provided by a parent or guardian of a person who is under the age of 16 years; or,

6.5.3       for health information, if it is unreasonable or impracticable to do so.

6.6  In cases where CFS collects personal or health information from another individual, agency or party, consent needs to be documented by way of the individual:

6.6.1       accepting terms & conditions;

6.6.2       entering into a contract; or

6.6.3       providing valid and express consent.

6.7  In certain cases, provision of personal or health information will be authorised and the consent managed by another party, prior to the information being provided to CFS. An example may be where a client authorises information to be provided by another organisation, or medical practitioner.

6.8  IPP 4 and HPP 4 require that, when collecting personal or health information, the individual from whom CFS is collecting the information must be informed (at the time of collection, or as soon afterwards as possible) about:

6.8.1       why CFS is collecting it;

6.8.2       what CFS will do with it;

6.8.3       who else might see it;

6.8.4       how they can view and correct their personal information;

6.8.5       whether the information is required by law or is voluntary; and

6.8.6       any consequences if they decide not to provide the information.

6.9  In cases where CFS collects personal or health information, CFS should provide this information in line with IPP 3 and HPP 3. This may be by way of:

6.9.1       terms & conditions;

6.9.2       a collection notice on a form or agreement;

6.9.3       a published privacy notice;

6.9.4       correspondence (for example, e-mail communication or a contemporaneous file note).

6.10  IPP 4 and HPP 4 require that CFS ensure that personal and health information is relevant, accurate, complete, up-to-date, not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.

6.11  Staff should take steps to ensure that:

6.11.1       information is not collected or duplicated unnecessarily;

6.11.2       databases and systems are maintained and reviewed to ensure information is accurate;

6.11.3       processes are in place and are easily identifiable for individuals to update or amend their information (see IPP 8 and HPP 8); and

6.11.4       only information required is sought (this will depend on the purpose for which the information is collected).

6.12  Staff, clients and other members of CFS’s community are asked to update their personal details as they change and ensure information is accurate.

7. Storage

7.1  IPP 5 and HPP 5 require that CFS:

7.1.1       store personal or health information securely;

7.1.2       keep it for no longer than is necessary;

7.1.3       dispose of it appropriately; and

7.1.4       protect it from unauthorised access, use, modification or disclosure.

7.2  Staff should take steps to protect information by:

7.2.1       identifying and classifying records and handling them accordingly;

7.2.2       storing records in CFS or CFS’s approved systems (appropriate privacy and security measures must be incorporated into any agreements with external system providers or contractors);

7.2.3       ensuring access to systems or databases containing personal information is only granted on a need to know basis and that these systems are password protected;

7.2.4       ensuring that, wherever available, systems established to collect information are used effectively;

7.2.5       ensuring information within systems is only accessed or viewed as required for a CFS function;

7.2.6       ensuring information is only transferred between parties when it is necessary to fulfil a CFS function and that steps are taken to prevent accidental disclosure;

7.2.7       storing paper records securely, for example, in locked offices or cabinets, as appropriate;

7.2.8       ensuring information is destroyed securely, that is, paper records are shredded or placed in a confidential bin, and electronic systems are erased;

7.2.9       ensuring information is not kept for longer than is necessary (staff must observe the relevant retention and disposal authorities issued by the State Records Authority NSW, in line with the State Records Act NSW 1998).

7.3  A list of examples used by CFS to manage or hold personal information is included in Schedule Three.

8. Access and Accuracy

8.1  IPP 6 and HPP 6 require that CFS explain to an individual:

8.1.1       what personal or health information about them is being stored;

8.1.2       why it is being used; and

8.1.3       any rights they have to access it.

8.2  CFS will generally inform individuals of the above factors at the point of collection, via CFS systems, and upon request as appropriate.

8.3  IPP 7 and HPP 7 and 8 require that CFS allow individuals to:

8.3.1       access their personal or health information without excessive delay or expense; and

8.3.2       update, correct or amend their personal or health information where necessary.

8.4  Personal or health information will generally be provided informally, via an existing process or on request. In some cases an administrative fee may be required (for example, customer notes and documents are available for purchase).

8.5  Staff and clients may generally correct or amend their personal or health information automatically or routinely by emailing us at info@creditfixsolutions.com.au.

8.6  In cases where personal or health information cannot be provided, corrected or amended electronically or by contacting the officer involved, assistance may be sought from:

8.6.1       Human Resource Services support staff, for requests from staff; or

8.6.2       the CEO, Victoria Coster.

8.7  In response to a request, CFS may amend an individual’s personal or health information or make an annotation on the document to detail the request.

8.8  If CFS considers that the personal or health information held is correct and does not require amendment, information will be provided advising the reasons for this decision.

8.9  Requests for correction or amendment of personal or health information may also be referred or made to the Complaints Compliance and Policy Officer for advice or action as appropriate.

8.10  In certain cases, requests may be referred for action under the Government Information (Public Access) Act NSW 2009 (GIPA Act) application process. Examples of such cases include where the information:

8.10.1       contains personal or health information about another individual;

8.10.2       may require further consideration and advice; or

8.10.3       is held across several different units.

9. Use

9.1  IPP 9 and HPP 9 require that CFS ensures that the personal or health information is relevant, accurate, up-to-date and complete before using it.

9.2  Steps should be taken to verify personal or health information and follow any relevant processes relating to evidence required before using information, especially where the use of the information could lead to negative consequences for the individual.

9.3  IPP 10 and HPP 10 require that CFS only use personal or health information for the purpose it was collected for:

9.3.1        unless the individual has given their consent; or

9.3.2       the purpose of use is directly related to the purpose for which it was collected; or

9.3.3       the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another individual.

9.4  The use of personal or health information primarily refers to its use within CFS.

9.5  Where personal or health information is to be used for a directly related purpose that is not the original purpose, staff should take steps to identify and document as appropriate why they have considered that use to be directly related to the original purpose.

9.6  In considering whether a purpose is directly related to the original purpose, staff may consider what the reasonable expectations of an individual (who values their privacy) may be.

9.7  Where personal or health information is used for direct marketing, steps may be taken to comply with APP 7.

9.8      IPP 11 and HPP 11 require that CFS only disclose personal or health information:

9.8.1        with an individual’s consent or if the individual was told at the time that it would be disclosed;

9.8.2       if disclosure is directly related to the purpose for which the information was collected and there is no reason to believe the individual would object;

9.8.3       the individual has been made aware that information of that kind is usually disclosed; or

9.8.4       CFS believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another individual.

9.9      Disclosure primarily refers to the sharing of information held by CFS with another agency or individual outside of CFS.

9.10  Staff should take steps to ensure that personal or health information is not disclosed, either routinely or on a single occasion, without the knowledge of the individual, unless an exemption applies.

9.11  Individuals would likely be considered to have knowledge of a disclosure if:

9.11.1       there is documentation to indicate the individual provided valid consent;

9.11.2       they were made aware that the information may be disclosed on collection; or

9.11.3       there is a clear policy or process indicating that information of that type is usually disclosed.

9.12      Steps should be taken to accord with APP 8 when considering disclosure of information to an overseas party.

10. Disclosure

10.1      IPP 12 requires that CFS not disclose sensitive personal information without an individual’s consent, for example: information about ethnic or racial origin; political opinions; religious or philosophical beliefs; sexual activities or trade union membership. CFS can only disclose sensitive information without consent in order to deal with a serious and imminent threat to any individual’s health or safety.

10.2      Staff should take steps to ensure that any sensitive information provided is not disclosed to a third party, or in certain cases a discrete unit within CFS, without the explicit consent of the individual. This may involve the removal of detail before sharing a record.

11. Health Information

11.1       HPP 12 requires that CFS only identify individuals by using unique identifiers if it is reasonably necessary to carry out CFS functions efficiently.

11.2      HPP 13 requires that CFS give an individual the option of receiving services anonymously, where lawful or practicable.

11.3      CFS will generally require information about an individual’s identity in order to deliver a service. However, in line with the above principle, anonymity should be allowed wherever possible.

11.4      Staff should consider the application of this Principle for general personal information as well as health information in line with APP 2.

11.5      HPP 14 requires that CFS only transfer health information outside of New South Wales in accordance with specific requirements set out below, that is if:

11.5.1   the recipient is subject to principles that are substantially similar;

11.5.2   the individual consents to the transfer;

11.5.3   the transfer is necessary for the performance of a contract (either between the individual and CFS or in the interests of the individual if the contract is between CFS and a third party);

11.5.4   the information is required to prevent or lessen a serious or imminent threat; or

11.5.5   the use is authorised or required by another law.

11.6     HPP 15 requires that CFS only use health records linkage systems if the individual has provided their express consent.

11.7      Statutory guidelines expand upon the HPPs within the HRIPA. Their purpose is to guide organisations in their handling of health information (including for research and training) and to provide more detailed information regarding the scope of the principles.

11.8      Where CFS seeks to use or disclose health information without the individual’s consent, CFS must comply with the relevant guideline in order to rely on the research exemptions set out in HPP 10(1)(f) or 11(1)(f) of the HRIPA.

12. Investigative functions of CFS

12.1      The NSW Privacy Commissioner has issued a public interest direction, in accordance with Section 41 of the PPIPA, to allow agencies to conduct investigations and handle complaints.

12.2       CFS need not comply with IPPs 2, 3, 6, 7, 8, 9, 10, or 11(1) if non-compliance is reasonably necessary for the proper exercise of its investigative functions or its conduct of any lawful investigations.

13. Law Enforcement Agencies

13.1      CFS will require law enforcement agencies to present a warrant, notice to produce or subpoena where they require CFS to disclose personal information. All warrants, notices to produce and subpoenas must be served on CFS’s CEO, Victoria Coster.

13.2       CFS may exercise discretion and provide personal or health information to a law enforcement agency if it is permitted to do so under the legislation in the particular circumstances.

13.3      This discretion may be exercised by:

13.3.1   the CEO Victoria Coster, where the information relates to a staff member or former staff member.

14. System Design and Review

14.1      Staff should consider the requirements of the IPPs and HPPs when implementing or reviewing a project, process or system to identify issues and implement strategies to address those issues.

15. Training and Awareness

15.1      Information on CFS’s Training and Awareness programs is included in Schedule Five.

16. Complaints or Review

16.1      Individuals may raise concerns and complaints about the way in which CFS has handled their personal or health information.

16.2      A privacy complaint will be considered under CFS’s complaint handling principles.

16.3       An individual may also request that CFS undertake an internal review under Section 53 of the PPIPA or Section 21 of the HRIPA, which can be initiated by completing the internal review form.

16.4      Individuals may lodge a complaint with the NSW Privacy Commissioner or seek an external review with the NSW Civil and Administrative Tribunal, whose details are set out below.

NSW Privacy Commissioner
GPO Box 7011, SYDNEY NSW 2001
Level 11, 1 Castlereagh Street, SYDNEY NSW 2000

NSW Civil and Administrative Tribunal
Level 9 John Maddison Tower
86-90 Goulburn Street
SYDNEY NSW 2000

16.5      Further information on privacy complaints and the Internal Review process is set out in Schedule Four.

17. Breach of a Principle

17.1      Where CFS becomes aware of a breach, appropriate steps will be taken to address the situation.

17.2      Breaches or potential breaches are to be reported to the CEO Victoria Coster.

18. Appendices

18.1  Schedule One: Policy and process to support compliance with this Plan

18.2  Schedule Two: Examples of purposes for which information may be collected, used or disclosed

18.3  Schedule Three: Examples of systems used by CFS to hold or manage personal information

18.4  Schedule Four: Complaints and Internal Review

18.5  Schedule Five: Training and Awareness

19. Supporting information

19.1   Legislation

Privacy and Personal Information Protection Act 1998 NSW

Health Records and Information Protection Act 2002 NSW

Relevant legislative guidelines

19.2   Policy

Privacy Form

19.3   Other documents

N/A

FURTHER INFORMATION

For further information, please contact:

Position: Complaints, Compliance and Policy Officer
Contact details: info@creditfixsolutions.com.au

Approval Authority

Approved by: CEO
Policy owner: Victoria Coster

Approval – This Revision

Amendments: Complete review conducted by Victoria Coster
Approved by: Victoria Coster
Date approved: 4/1/2016
Date for review: 4/1/2019

Review History

No.  Effective Date  Approved by      Amendment
1    4/1/2016        Victoria Coster  First version


Schedule One – Policy and process to support compliance with this Plan

CFS has a number of policies, procedures and processes that refer to or affect how personal and health information are managed by CFS. This schedule will be reviewed and updated as necessary to support staff to comply with the Principles outlined in this Plan.

Communication

The following documents support compliance with the principles outlined in this Plan:

·        CFS Code of Conduct

·        Electronic Mail Policy

·        CFS Computing and Communications Facilities Conditions of Use Policy

·        Social Media Communication Policy

Systems and Security

The following documents support compliance with the principles outlined in this Plan:

·        Network Security Policy

·        CFS Computing and Communications Facilities Conditions of Use Policy

·        Records Management Policy

·        CCTV Policy and Procedure

Client Information

The following documents support compliance with the principles outlined in this Plan:

·        Applications and processing of credit repair

·        Client information

Staff Information

The following documents support compliance with the principles outlined in this Plan:

·        Respectful and Collaborative Workplace Policy

·        Work Health and Safety Procedure

Access to Information

The following documents support compliance with the principles outlined in this Plan:

·        Agency Information Guide

Complaints and Investigations

The following documents support compliance with the principles outlined in this Plan:

·        Complaints Policy

·        Ethical and Accountable Conduct – Public Interest Disclosures Policy

Research

The following documents support compliance with the principles outlined in this Plan:

·        Ethics approval process and procedures


Schedule Two – Examples of purposes for which information may be collected, used or disclosed.

This information provides an overview of functions of CFS for which personal information may be collected, used or disclosed. It does not replace privacy statements or collection notices.

This schedule will be reviewed by the Privacy Officer and updated as necessary to support staff to comply with the Principles outlined in the Plan.

General function: Client information and administration

Specific function/purpose: Information collected and used for the purpose of client administration may include addresses and telephone numbers, personal details, sensitive information and/or health information.

·        Provision of information to prospective clients

·        Applications

·        Set up of accounts and systems (i.e. email account)

·        Communication with clients (including via email)

·        Credit Repair administration

·        Delivery of credit repair services

·        Teaching and assessment of staff

·        Career development of staff

·        Financial administration

·        Special/adverse circumstances information

·        Disability services information

·        Client advocacy

·        Support services

·        Complaints or investigations

·        Misconduct information

·        Incident/emergency information

·        Mandatory reporting or notification, for example to a government agency

·        Surveys and statistical reporting

General function: Staff Administration

Specific function/purpose: Information collected for employee administration may include biographical detail, sensitive personal information and/or health personal information.

·        Recruitment, appointment and termination

·        Absence management

·        Administration of salary

·        Administration of leave

·        Promotion and/or professional development

·        Performance review

·        Disputes or complaints

·        Work, Health & Safety

·        Equity and Diversity

·        Statistical purposes for reporting

·        Mandatory reporting or notification, for example to a government agency

·        Surveys and statistical reporting

General function: Research

Specific function/purpose: Information collected for research purposes may include biographical detail, sensitive personal information and/or health personal information.

·        Collation and assessment of data (i.e. surveys)

General function: Office and Community

Specific function/purpose: Information collected for office and community purposes may include biographical detail, sensitive personal information and/or health personal information.

·        Gifts and Donations

·        Maintaining database

·        Communication about CFS, CFS events or news

·        Requests for information

·        Requests for or use of a service

·        Community programs and events

·        Recording and promotion of activities and events

·        Administration of volunteers

·        Security and Safety

·        CCTV

General function: Assurance, Reporting and Marketing

Specific function/purpose: Personal information may be collected or used for the purpose of assurance, reporting and/or marketing.

·        Surveys

·        As part of a request for service or support


Schedule Three – Examples of systems used by CFS to hold or manage personal information.

This schedule will be reviewed by the Privacy Officer and updated as necessary to support staff to comply with the Principles outlined in the Plan.

Category / System / Other

Primary Systems

Human Resources: Ontraport (CRM)

Finance: MYOB

Research Information: Ontraport (CRM); Mailchimp; Google Analytics & Google Adwords

Student Administration: Ontraport (CRM); Excel; Mailchimp; Google Sites

Records Management: Ontraport (CRM); Google Sites

Communication: Microsoft Outlook email system (other: externally hosted by Netregistry)

Other Systems

Management: Ontraport; Excel spreadsheets; Mailchimp; Google Drive; Google Sites


Schedule Four – Complaints and Internal Review

Where an individual is aggrieved by the way CFS has managed their personal or health information, they have a right to make a complaint or seek a review of the conduct they are concerned about.

Guidance for raising concerns is outlined below:

Step 1: Individuals should first inform CFS of their concerns, so that any available steps may be taken to remedy a privacy issue. Where CFS is made aware of a breach, appropriate steps will be taken to address the situation.

Step 2: Individuals may raise a complaint about privacy through the CFS’s complaint handling processes, by contacting the CEO Victoria Coster.

Step 3: Individuals may also seek an Internal Review of the conduct under Section 53 of the PPIPA or Section 21 of the HRIPA by completing the form.

Internal Reviews

Internal reviews are conducted in accordance with the requirements of Part 5 of the PPIPA and with regard to guidance produced by the NSW Privacy Commissioner (the Commissioner).

Role of the Commissioner

The Commissioner will be advised:

  • that an Internal Review has been received;
  • of the progress of the review;
  • of the draft findings;
  • of the final determination.

The Commissioner may wish to make a submission on the subject matter of the review and CFS must consider any submissions received in making the final determination.

Who will undertake the review?

A staff member who has no conflict of interest or involvement in the conduct concerned will undertake the review. When their application is formally acknowledged, the applicant will be notified of the name and contact details of the reviewing officer.

How the applicant is advised of the findings

The applicant will be advised of:

  • the findings of the Internal Review and the reasons for those findings;
  • the action proposed and the reasons for these actions; and
  • their right to seek a review of CFS’s decision.

Possible actions arising from an internal review include:

  • taking no further action;
  • making a formal apology;
  • taking appropriate remedial action;
  • providing an undertaking that the conduct will not occur again; and/or
  • the implementation of administrative measures to ensure the conduct is not repeated.

External Review

An applicant may seek an external review by the NSW Civil and Administrative Tribunal if:

  • the Internal Review is not finalised within the required period;
  • the applicant is not satisfied with the findings; or
  • the applicant is not satisfied with the actions proposed.

Reporting

CFS is required to report internally as per the CEO’s direction.

 

Further Information

 

Schedule Five – Training and Awareness

This schedule will be updated as necessary to advise of changes and developments to the program and to record any awareness sessions run in addition to the normal program.

Training: Privacy Sessions for new and continuing staff are available on the company’s Google Sites. This session is an induction requirement. Privacy Sessions, both general and tailored to a specific area, are available on request of the Complaints, Compliance and Policy Officer.

Awareness: CFS participates in Privacy Awareness Week.

Please send any suggestions for training or awareness campaigns, or requests for training, to info@creditfixsolutions.com.au.