Privacy and Confidentiality
Speech and Language Development Australia values privacy and takes seriously its obligations to collect, store and manage data in such a way that protects the privacy of its employees, students, clients, parents, and others with whom we work.
- 1.1. Speech & Language Development Australia (SALDA) is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988 (the Act). The purpose of this policy is to detail how we protect the privacy of our clients, students and employees and how we comply with the requirements of the Act and the 13 Australian Privacy Principles. The Policy also describes:
- 1.1.1. the types of personal information collected and held by us;
- 1.1.2. who we collected information from;
- 1.1.3. how this information is collected and held;
- 1.1.4. the purposes for which personal information is collected, held, used and disclosed;
- 1.1.5. how clients and employees can gain access to their personal information and seek its correction;
- 1.1.6. how a complaint or inquiry can be made about our collection, handling, use or disclosure of personal information and how that complaint or inquiry will be handled; and
- 1.1.7. whether we are likely to disclose personal information to overseas recipients.
- 1.2. This policy applies to all personal information held by SALDA.
- 2.1. This Policy applies to all employees, members, parents/carers, students, contractors, volunteers, Board members and agents of SALDA, as well as those persons undertaking work experience or vocational placements.
- 3.1. Privacy Act 1988
- 3.2. Privacy Amendment (Enhancing Privacy Protection) Act 2012
- 3.3. Australian Privacy Principles
- 4.1. What kind of personal information does SALDA collect?The kind of personal information SALDA collects is largely dependent upon whose information is being collected and why it is being collected. At all times we try to collect only the personal information required to carry out our functions or activities. In general terms, the organisation may collect:
- 4.1.1. Personal Information including names, addresses and other contact details; dates of birth; next of kin details; financial information; photographic images; audio recordings; video recordings; employee records; and attendance records.
- 4.1.2. Sensitive Information (particularly in relation to client records) including health and medical information; religious beliefs; government identifiers; nationality; country of birth; languages spoken at home; professional memberships; family court orders; and criminal records.
- 4.1.3. Any other information that is relevant to providing someone with the services they, or someone else they know, is seeking.
- 4.2. Who does SALDA collect information from?
SALDA collects personal information directly from parents, prospective parents, job applicants, volunteers and others including past students, contractors, visitors and others that come into contact with the organisation.It is noted that employee records are not covered by the Australian Privacy Principles where they relate to current or former employment relations between the organisation and the employee.
- 4.3. How does SALDA collect personal information?
How personal information is collected will largely depend on whose information is being collected. If it is reasonable and practical to do so, SALDA will collect personal information directly from the individual to whom the information relates to, or a person authorised to act on the individual’s behalf (e.g. parent or guardian of a minor).Where possible, the organisation has attempted to standardise the collection of personal information by using specifically designed forms (e.g. enrolment forms, referral forms), and/or through specific permission (e.g. research activities). However, given the nature of SALDA’s operations, personal information may also be received by email, letters, notes, over the telephone, in face to face meetings, and through financial transactions.SALDA may also collect personal information from other people (e.g. a personal reference) or independent sources (e.g. LinkedIn), however will only do so where it is not reasonable or practical to collect the information directly from the individual the information relates to. We will usually notify the individual about these instances in advance, or where that is not possible, as soon as reasonably practicable after the information has been collected.Sometimes SALDA may be provided with personal information without having sought it through the normal means of collection. This is referred to as “unsolicited information”. Where SALDA has collected unsolicited information, it will only be held, used and/or disclosed if SALDA could have collected the information by normal means. If the unsolicited information could not have been collected by normal means, then it will be destroyed, permanently deleted or de-identified as appropriate.
- 4.4. How does SALDA use personal information?Generally, the personal information that we collect and hold about someone, depends on their interaction with us. SALDA will only use personal information about an individual that is reasonably necessary for one or more of its functions or activities (the primary purpose) or for a related secondary purpose that would be reasonably expected by the individual the information relates to, or where consent has been granted. Generally, we collect, use and hold personal information for the purposes of:
- 4.4.1. providing education, pastoral care, and extra-curricular services;
- 4.4.2. providing health services;
- 4.4.3. keeping parents informed about matters related to their child’s schooling and/or health care, which may include the distribution of newsletters and magazines, as well as other forms of correspondence;
- 4.4.4. satisfying our internal business operations, including the fulfilment of legal obligations, and duty of care and child protection obligations;
- 4.4.5. providing information about other services that we offer that may be of interest;
- 4.4.6. marketing, promotional and fundraising activities;
- 4.4.7. the organisation’s administration, including for insurance purposes;
- 4.4.8. the employment of employees;
- 4.4.9. the engagement of volunteers;
- 4.4.10. continuous improvement of day-to-day operations, including employee training, systems development, developing new programs and services, and undertaking planning, research and statistical analysis.
- 4.5. How does SALDA treat sensitive information?
Sensitive information is a subset of personal information and includes information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or preferences or criminal record and health information about an individual.SALDA will only collect sensitive information that is reasonably necessary for one or more of its functions or activities, if consent has been given by the individual to whom the sensitive information relates, or if consent is provided by a person acting on the individual’s behalf (e.g. parent or guardian of a minor).SALDA may also collect sensitive information as permitted under the Australian Privacy Principles or otherwise permitted by law, or if the collection is necessary to lessen or prevent a serious threat to life, health or safety, or another permitted general situation (such as locating a missing person) or permitted health situation (such as the collection of health information to provide a health service) exists.SALDA will only use or disclose sensitive information for a secondary purpose if the individual would reasonably expect SALDA to use or disclose the information and the secondary purpose is directly related to the primary purpose.
- 4.6. Exchange of information between services
There may be occasions in which personal and/or sensitive information is exchanged between SALDA’s service providers Such information will only be exchanged where it is reasonably necessary for the organisation to fulfil its legal or service obligations, and/or the individual to whom the information relates would reasonably expect the exchange, or where consent has been granted.
- 4.7. Storage and security of personal informationSALDA stores personal information in a variety of formats, including in databases, in hard copy files, and on personal devices such as laptop computers, mobile phones, cameras and other recording devices.The security of personal information is important and SALDA takes all reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, interference, modification or disclosure. These steps include:
- 4.7.1. restricting access to information on the organisation’s databases on a need to know basis with different levels of security being allocated to employees based on their roles and responsibilities and security profile.
- 4.7.2. Ensuring all employees are aware that they are not to reveal or share personal passwords.
- 4.7.3. Ensuring where sensitive information is stored in hard copy files that these files are stored in lockable filing cabinets in lockable rooms. Access to these records is restricted to employees on a need-to-know basis.
- 4.7.4. Implementing physical security measures around the organisation’s buildings and grounds to prevent break-ins.
- 4.7.5. Implementing ICT security systems, policies and procedures, designed to protect personal information storage on computer networks.
- 4.7.6. Implementing human resources policies and procedures, such as email and internet usage, confidentiality and document security policies, designed to ensure that employees follow correct protocols when handling personal information.
- 4.7.7. Providing adequate training to employees about privacy and the handling of personal information.
- 4.7.8. Undertaking due diligence with respect to third party service providers who may have access to personal information, including cloud service providers, to ensure as far as practicable that they are compliant with the Australian Privacy Principles or a similar privacy regime.
Personal information held by SALDA that is no longer needed is destroyed in a secure manner, deleted, or de-identified as appropriate.
- 4.8. Failure to provide information
If the personal information provided to SALDA is incomplete or inaccurate, SALDA may be unable to provide the services sought.
- 4.9. Internet users
- 4.10. Disclosure of personal informationSALDA will only use personal information for the purposes for which it was collected, or for purposes which are related (or directly related in the case of sensitive information) to one or more of its functions or activities. When compelled to, SALDA may disclose personal information to:
- 4.10.1. government agencies;
- 4.10.3. recipients of SALDA publications;
- 4.10.4. other parents, schools, visiting teachers, counsellors and coaches, service providers, agents, contractors, business partners and other recipients from time to time, only if one or more of the following apply:
- 22.214.171.124. consent to disclose the information has been granted;
- 126.96.36.199. the individual to whom the information relates would reasonably expect SALDA to use or disclose their personal information in this way;
- 188.8.131.52. SALDA is authorised or required to do so by law;
- 184.108.40.206.disclosure will lessen or prevent a serious threat to life, health or safety of an individual or to public safety;
- 220.127.116.11. where another permitted general situation or permitted health situation exception applies;
- 18.104.22.168. disclosure is reasonably necessary for a law enforcement related activity.
In some circumstances, the law may permit or require SALDA to use or disclose personal information for other purposes (for instance where reasonably expected and the purpose is related to the purpose of the collection).
- 4.11. Personal information of a minor
The Act does not differentiate between adults and children and does not specify an age after which individuals can make their own decisions with respect to their personal information.At SALDA, a common-sense approach is taken to dealing with a minor’s personal information and generally requests for personal information will be referred to the individual’s parents/carers. SALDA will treat notices provided to parents/carers as notices provided to the client/student, and will treat consents provided by parents/carers as consents provided by the client/student.SALDA is however cognisant of the fact that children do have rights under the Act, and that in certain circumstances (especially when dealing with older clients/students and especially when dealing with sensitive information), it will be appropriate to seek and obtain consent directly from the client/student. SALDA also acknowledges that there may be occasions where a client/student may give or withhold consent with respect to the use of their personal information independently from their parents/carers.There may also be occasions where parents/carers are denied access to information with respect to their child(ren), because to provide such information would have an unreasonable impact on the privacy of others, or result in a breach of the organisation’s duty of care to the client/student.
- 4.12. Disclosure of personal information to overseas recipientsSALDA is not likely to disclose personal information overseas.SALDA will take all reasonable steps not to disclose an individual’s personal information to overseas recipients unless SALDA:
- 4.12.1. has the individual’s consent (which may be implied); or
- 4.12.2. is satisfied that the overseas recipient is compliant with the Australian Privacy Principles, or a similar privacy regime; or
- 4.12.3. forms the opinion that the disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety; or
- 4.12.4. is taking appropriate action in relation to suspected unlawful activity or serious misconduct.
- 4.13. Ensuring the quality of personal information
SALDA takes all reasonable steps to ensure the personal information it holds, uses, and discloses is accurate, complete and up to date at the time of collection and when using or disclosing the personal information. SALDA maintains and updates personal information on an ongoing basis, as and when individuals advise of changes or when SALDA becomes aware through other means that the personal information being held has changed.SALDA expects the individual, or their parent/carer (if applicable), to contact the organisation if any of the details provided change. SALDA should also be contacted if the individual believes the information held by the organisation is inaccurate, incomplete or not up to date.
- 4.14. Data BreachesIt will be deemed that an ‘eligible data breach’ has occurred if:
- 4.14.1. there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals)
- 4.14.2. a reasonable person would conclude there is a likelihood of serious harm to any affected individuals as a result
- 4.14.3. the information is lost in circumstances where:
- 22.214.171.124. unauthorised access to, or unauthorised disclosure of, the information is likely to occur
- 126.96.36.199. assuming unauthorised access to, or unauthorised disclosure of, the information was to occur, a reasonable person would conclude that it would be more likely to result in serious harm to the affected individuals.Serious harm may include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.
If SALDA suspects that an eligible data breach has occurred, it will carry out a reasonable and expedient assessment/investigation within thirty (30) days.
If such an assessment/investigation indicates there are reasonable grounds to believe an eligible data breach has occurred, then SALDA will be required to lodge a statement to the Privacy Commissioner. Where practicable to do so, the organisation will also notify the affected individuals. If it is not practicable to notify the affected individuals, SALDA will publish a copy of the statement on its website, or publicise it in another manner.
An exception to the requirement to notify will exist if there is a data breach and immediate remedial action is taken, and as a result of that action:
- 4.14.4. there is no unauthorised access to, or unauthorised disclosure of, the information
- 4.14.5. there is no serious harm to affected individuals, and as a result of the remedial action, a reasonable person would conclude the breach is not likely to result in serious harm.
- 4.15. Access to and correction of personal information
An individual may request access to the personal information SALDA holds about them, or request that their personal information be changed, by contacting SALDA, or its applicable service provider in writing.Should SALDA not agree to provide an individual with access to their personal information, or to change the information as requested, SALDA will notify the individual, and provide reasons for the refusal (unless it would be unreasonable to provide those reasons) and provide the individual with a statement regarding the mechanisms available to make a complaint. If the rejection relates to a request to change personal information, the individual may make a statement about the requested change, which will be attached to the individual’s record.SALDA may require an individual to verify their identity and specify what information they require. SALDA may charge a fee to cover the cost of verifying, locating, retrieving, reviewing and providing access to any material requested (but not for making the request for access). If the information sought is extensive, SALDA will advise the likely cost in advance.
- 4.16. Privacy complaints
A complaint about a breach by SALDA of the Australian Privacy Principles may be made in writing and can be submitted by email, letter, or by personal delivery to the organisation’s Privacy Officer as noted below. A complaint may also be made verbally.SALDA will respond to a complaint within a reasonable time (usually no longer than 30 days) and may seek further information from the complainant in order to provide a full and complete response.Complaints may also be taken to the Office of the Australian Information Commissioner.
- 4.17. How to contact SALDAAn individual can contact SALDA about this Policy or their personal information by:
- 4.17.1. Emailing firstname.lastname@example.org
- 4.17.2. Calling 1300 881 763
- 4.17.3. Writing to the Privacy Officer at:
Speech & Language Development Australia
33 Cubberla Street
FIG TREE POCKET QLD 4069
If practical, an individual can contact SALDA anonymously (i.e. without identifying themselves) or by using a pseudonym. However, if an individual chooses not to identify themselves, SALDA may not be able to provide the requested information, or the assistance they might otherwise be able to provide.
- 5.1. This policy is due to be reviewed annually or as appropriate, to take account of new laws and technology, changes to the organisation’s operations and practices and to make sure it remains appropriate to the changing environment.
Last updated: December 2020, v3.00