Yooralla is committed to providing quality services. We respect and protect clients’ right to privacy and confidentiality in all aspects of their contact with us. We recognise our ongoing obligations to clients and comply with the requirements of the Privacy Act 1988 (Cth), National Disability Insurance Scheme Act 2013 (Cth), Disability Act 2006 (Vic), Equal Opportunity Act 2010 (Vic), Privacy and Data Protection Act 2014 (Vic) and Health Records Act 2001 (Vic) in the collection, management and disclosure of personal information, health information and sensitive information as a necessary part of our business functions to deliver services. All Yooralla employees undertake training on privacy, data security and data quality requirements and learn how the Information and Health Privacy Principles apply to their day-to-day work.
Personal information is information or an opinion that identifies an individual such as a person’s name, address, email address, phone number, date of birth, gender, NDIS number, relevant payment or billing information and details of guardians and nominees, including their names, addresses and contact details. Personal Information includes sensitive information about an individual’s physical or mental health or disability. We collect and hold personal information that is necessary for us to undertake and provide our services and activities, so we do collect and use sensitive information, including health conditions as they relate to disability services and supports, in the normal course of business. We collect personal information from clients directly or from people who are authorised to represent them. In the case of child, we liaise with their parents or legal guardians rather than with them directly. We sometimes collect personal information from a third party if the person has consented, been told of this practice, or would reasonably expect us to collect the information in this way. We only collect personal information and sensitive information in a lawful and fair way and will not be unreasonably intrusive.
We will only disclose certain information if the disclosure is required or authorised by law or the disclosure is necessary for the business of Yooralla. Personal information will be disclosed to fulfil mandatory reporting obligations to Victorian and/or Commonwealth departments and agencies such as the National Disability Insurance Agency, the National Disability Insurance Scheme (NDIS) Quality and Safeguards Commission, the Department of Families, Fairness and Housing, the Department of Education and Training, the Commission for Children and Young People, the Coroners Court of Victoria, Victoria Police, the Office of the Public Advocate, the Community Visitors Board and the Disability Services Commissioner and the Commonwealth Department of Social Services.
We have systems and procedures in place to ensure that personal information is protected from misuse and loss and from unauthorised access, modification or disclosure. We may hold information in either electronic or hard copy form. When personal and sensitive information is no longer needed for the purpose for which it was obtained, it is destroyed in a secure manner, or archived or deleted in accordance with our legal obligations.
Individuals may request access to any personal information we hold about them by contacting Yooralla’s Privacy Officer.
Anyone who believes that their privacy has been breached or who has a concern or complaint about the way we have collected, used, stored, disclosed or otherwise handled their personal, health or sensitive information should contact Yooralla’s Privacy Officer and provide details of the incident so we can investigate it
2. Scope of Policy
This policy relates to all employees, contractors, volunteers and students on placement responsible for collecting, storing, using or disclosing individuals’ information on behalf of Yooralla.
Failure to appropriately collect, store, use and disclose information can leave Yooralla without key information to support clients efficiently and effectively and it also exposes clients to risk. This policy assists employees to:
- understand their obligations in relation to privacy and information security
- become familiar with the relevant legislative and compliance frameworks, including how Yooralla will be monitored in relation to privacy and information security
- develop a privacy aware culture through best practice information management
- know where to get further information and resources.
4. Policy Statement
What personal information does Yooralla collect?
The kind of personal information that Yooralla collects about individuals depends on the type of dealings they have with Yooralla. For example, if a person:
is someone Yooralla supports or is connected to a person Yooralla supports (e.g. a family member, carer, advocate or nominated representative), Yooralla may collect their:
- name, address, telephone and email contact details
- gender, date of birth and marital status, information about their disability and support needs
- health and medical information
- Medicare number and other identifiers used by Government Agencies or other organisations to identify individuals
- financial information and billing details including information about the services individuals are funded to receive, whether under the National Disability Insurance Scheme or otherwise
- records of interactions with individuals such as system notes and records of conversations individuals have had with Yooralla’s employees
- information about the services Yooralla provides to individuals and the way in which Yooralla will deliver those to individuals
becomes a member of Yooralla, Yooralla may collect their name, organisation, contact details and hold records relating to their membership including renewal and billing information
registers for a subscription to a Yooralla publication, Yooralla may collect their name, organisation and contact details and details about the information individuals access in Yooralla’s publications
makes a donation, Yooralla may collect their name, organisation, contact details, the amount and frequency of their donation and payment details from individuals directly or from another fundraising entity that allows Yooralla to contact their supporters and provides Yooralla with their contact details
attends a Yooralla event, Yooralla may collect their name, organisation, contact details, payment details (if applicable) and any dietary and accessibility requirements
participates in Yooralla’s surveys, Yooralla may collect their name, organisation contact details and their survey responses
sends Yooralla an enquiry, Yooralla may collect their name, contact details and details of their query
visits Yooralla’s website, Yooralla will use ‘cookies’ and may use tools to track visits to the Yooralla website including how individuals arrive at the website and which pages they use. Yooralla may also collect data to enable Yooralla to personalise a webpage or pre-fill a form with their details
makes a complaint, Yooralla may collect their name, contact details, the details of their complaint, information collected in any investigation of the matter and details of the resolution of the complaint
applies for a job or volunteer role at Yooralla, Yooralla may collect the information individuals included in their application, including their cover letter, resume, contact details and referee reports, their tax file number and other identifiers used by Government Agencies or other organisations to identify individuals, information from police checks, working with children checks (or similar), and information about their right to work in Australia
Yooralla employees must only collect sensitive information where it is reasonably necessary for Yooralla’s functions or activities and either:
- the individual has consented or
- Yooralla is required or authorised by or under law (including applicable privacy legislation) to do so. Yooralla will use tools that protect client privacy when disclosing sensitive information such as multi factor authentication and/or password protection.
Yooralla is obliged to dispose of sensitive information when it is no longer required. For example, to provide Yooralla’s services to a client or to respond to a potential client’s inquiries about services, Yooralla may be required to collect and hold their sensitive information including health and medical information and information relating to their disability and support requirements.
What if a client doesn't provide Yooralla with their personal information?
The nature of the business carried on by Yooralla means that, generally, it is not possible for Yooralla to provide services to clients or otherwise deal with individuals in an anonymous way.
However, in some circumstances Yooralla allows individuals the option of not identifying themselves, or of using a pseudonym, when dealing with Yooralla (for example, when viewing Yooralla’s website or making general phone queries). Donations may also be made anonymously, but in this case Yooralla may not be able to issue a tax-deductible receipt.
How does Yooralla collect personal information?
Yooralla employees must only collect personal information by lawful and fair means as required by the Privacy Act. Yooralla employees must also only collect personal information directly from clients or their representatives where this is reasonable and practicable.
Yooralla collects personal information in a number of ways, including:
- through Yooralla’s websites (for example, if individuals choose to donate to Yooralla online through the secure payment gateway)
- when individuals correspond with Yooralla (for example by letter, fax, email or telephone)
- on hard copy forms
- in person
- from referring third parties (for example, the National Disability Insurance Scheme or a support coordinator)
- at events and forums
- from third party funding and Government Agencies such as the NDIA or NDIS Quality and Safeguards Commission
- from third party fundraising entities and fundraising service providers who permit access to their donors lists for fundraising purposes.
Where Yooralla collects personal information about individuals, Yooralla employees must take reasonable steps to notify them of certain matters. Employees must do this at or before the time of collection, or as soon as practicable afterwards.
Why does Yooralla collect personal information?
Yooralla provides a wide range of support services for children and adults with disability, their families and carers. This range of essential, quality services includes: accommodation services, respite, in-home support, therapy, personalised support, specialised equipment, employment assistance, recreation, information and training, and practical skills for everyday living. Yooralla also addresses disability related issues through policy work and education, using evidence from case work and the stories of Yooralla’s clients to promote Yooralla’s work and bring about change.
The main purposes for which Yooralla collects, holds, uses and discloses personal information are set out below.
Provision of support services:
- Providing individuals with information about Yooralla’s services and supports
- Answering their inquiries and deliver service to clients
- Administering Yooralla’s services and supports and process payments
- Conducting quality assurance activities including conducting surveys, research and analysis and resolving complaints
- Complying with laws and regulations and to report to funding and Government Agencies.
- Carrying out law reform and policy work (for example, National Disability Insurance Scheme policy work on safeguarding people’s rights)
- Promoting Yooralla and its activities, including through events and forums
- Conducting research and statistical analysis relevant to Yooralla's activities (including inviting individuals to participate in research projects and activities)
- Preparing case studies of clients for use in advocacy work and in publications (individually identifying case studies will only be used with consent).
Education and information
- Providing disability related information or resources
- Running professional development / community training programs (for example, educating Public Transport Victoria’s employees on the challenges people with a disability experience when using public transport.
- Seeking funding and donations
- Organising fundraising events
- Reporting to funding providers.
- Recruiting employees, contractors and volunteers
- Processing payments
- Answering queries and resolving complaints
- Evaluating Yooralla’s work and reporting externally
- Carrying out internal functions including administration, training, accounting, audit and information technology.
Yooralla may also collect, hold, use and disclose personal information for other purposes which are explained at the time of collection, purposes which are required or authorised by or under law (including, without limitation, privacy legislation) or purposes for which an individual has provided their consent.
Information collected about individuals that does not identify individuals may be used for research, evaluation of services, quality assurance activities, and education. If individuals do not wish for their de-identified data to be used this way, they should contact Yooralla.
Yooralla may use individuals’ personal information to keep them informed and up to date about Yooralla’s work, for example, changes to the National Disability Insurance Scheme or information about disability supports, either where Yooralla has their express or implied consent, or where Yooralla is otherwise permitted by law to do so. Yooralla may send this information in a variety of ways, including by mail, email, SMS, telephone, or social media.
Where individuals have consented to receiving marketing communications from Yooralla, that consent will remain current until they advise Yooralla otherwise. However, individuals can opt out at any time, as explained below.
Individuals can opt out of receiving marketing communications from Yooralla by:
- advising they have received a marketing call and that they no longer wish to receive these calls;
- using the unsubscribe facility that Yooralla includes in its commercial electronic messages (such as emails and SMS’s) to opt out of receiving those messages; or
- contacting Yooralla by email at email@example.com, by phone on
03 9666 4500 or by sending a letter to Marketing, Yooralla, PO Box 238 Collins Street West, Melbourne, VIC 8007.
Yooralla website cookies
Yooralla uses tools that tell Yooralla when a computer or device has visited or accessed Yooralla’s content. This allows Yooralla to tailor advertising, both on Yooralla’s website and through advertising networks on other websites, based on their visits or behaviour through cookies on their device. Individuals can control how cookies are used and for what through the settings on their chosen browser.
The Yooralla site also uses a Marketo tracking cookie, which allows Yooralla to collect information about how individuals use Yooralla’s site after they have received a marketing email from us. The cookie tracks data linked to their email address and includes data such as how individuals arrived at the site, how often they visited, and which pages they have viewed.
Client Privacy Statement
Through Yooralla’s Customer Privacy Statement clients and relevant others are also informed about how their personal information will be used and disclosed, including how their personal information is protected from misuse, loss, unauthorised access, modification and disclosure.
What third parties does Yooralla disclose personal information to?
Yooralla may disclose personal information to third parties where appropriate for the purposes set out above, including disclosure to:
- Yooralla’s funding providers;
- Government and regulatory bodies, including the National Disability Insurance Agency, Medicare, the Department of Social Services, the Department of Families, Fairness and Housing, and the Australian Taxation Office;
- NDIS Quality and Safeguards Commission
- people acting on their behalf including their nominated representatives, legal guardians, executors, trustees and legal representatives;
- the police, or to the Disability Services Commissioner, or to comply with compulsory notices from courts of law, tribunals or Government Agencies;
- financial institutions for payment processing;
- referees whose details are provided to Yooralla by job applicants; and
- Yooralla's contracted service providers, including:
- information technology service providers
- invoice processing service providers
- conference, function and training organisers
- marketing and communications service providers including call centres
- research agencies
- freight and courier services
- printers and distributors of direct marketing material including mail houses
- external business advisers (such as recruitment advisors, auditors and lawyers).
In the case of these contracted service providers, Yooralla may disclose personal information to the service provider and the service provider may in turn provide Yooralla with personal information collected from individuals in the course of providing the relevant products or services.
Cross border disclosure of personal information
Yooralla utilises technology infrastructure that makes use of cloud infrastructure or servers that are located interstate or located out of Australia. Other than this, Yooralla does not typically transfer personal information interstate or overseas. By providing their personal information to Yooralla or using Yooralla’s services and supports, individuals are taken to have consented to this transfer.
If Yooralla transfers information overseas for other purposes, it will only do so with their consent or otherwise in accordance with Australian law. Yooralla will require that the recipient of the information complies with privacy obligations to maintain the security of the information.
Data quality and security
Yooralla holds personal information in a number of ways, including in hard copy documents, electronic databases, email contact lists, and in paper files held in drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.
Yooralla employees must take reasonable steps to:
- make sure that the personal information that Yooralla collects, uses and discloses is accurate, up to date and complete and (in the case of use and disclosure) relevant;
- protect the personal information that Yooralla holds from misuse, interference and loss and from unauthorised access, modification or disclosure; and
- destroy or permanently de-identify personal information that is no longer needed for any purpose that is permitted by the APPs, subject to other legal obligations and retention requirements applicable to Yooralla.
Unfortunately, there are inherent risks in the management of personal information and Yooralla cannot and does not guarantee that unauthorised access to individuals’ personal information will not occur.
The steps Yooralla takes to secure the personal information Yooralla holds include website protection measures (such as multi factor authentication, encryption, firewalls and anti-virus software), security restrictions on access to Yooralla’s computer systems (such as login and password protection), controlled access to Yooralla’s premises, policies on document storage and security, personnel security (including restricting the use of personal information by Yooralla employees) and training and workplace policies.
Online credit card payment security
Yooralla processes donations and other online credit card payments using a secure payment gateway. The donor’s complete credit card number cannot be viewed by Yooralla and all transactions are secured using 128-bit SSL encryption.
While Yooralla strives to protect the personal information and privacy of users of Yooralla’s website, Yooralla cannot guarantee the security of any information that individuals disclose online and individuals disclose that information at their own risk. If individuals are concerned about sending their information over the internet, individuals can contact Yooralla by telephone or post (details under heading 5.13 below).
Individuals can also help to protect the privacy of their personal information by letting Yooralla know as soon as possible if individuals become aware of any security breach.
Third party websites
How Yooralla handles personal information
All Yooralla employees must complete the e-learning training about privacy, data security and data quality requirements and learn how the Information and Health Privacy Principles apply to their day-to-day work.
Handling personal information
Yooralla employees must only access and use personal information for a valid work purpose. When handling personal information, employees should:
- confirm recipient details before sending faxes or emails
- always store any hard copies of confidential information that is not being used in a secure cabinet or room
- be aware of the surroundings and people nearby
- limit taking hard copy information away from secure sites
- secure information when travelling e.g. in briefcase, folder etc.
- dispose unneeded copies of information securely
- ensure the information is available to people who need to access it
Sharing personal information
Yooralla employees may only share personal information as set out under this policy and in circumstances permitted under law. To minimise the risk of unauthorised disclosure, employees should:
- check with a manager before sharing confidential information if the basis for sharing is not clear
- not use Internet-based file sharing software to share confidential information (e.g. BitTorrent, Dropbox).
When sharing information with authorised persons via email, employees should:
- ensure all confidential information is attached to the email in a password protected zip folder
- enable encryption where available
- not include confidential information in the subject line or body of the email
- not send information to or from free web-based email accounts such as Gmail, Hotmail or Yahoo!
- not share or discuss confidential information on social networking applications such as Instagram, Facebook and/or Twitter
User IDs and passwords for access to computer services are for the sole use of the person to whom they are allocated. Yooralla employees should:
- make passwords difficult to guess
- keep all passwords secret and not provide them to another person
- change passwords regularly
Downloading software and applications
Software and applications downloaded from the Internet can contain viruses that threaten the security of information stored on users’ computers. Employees should:
- not download unauthorised software from the Internet onto a computer
- lodge a formal request with a manager if software needs to be installed in order to complete work activities
Unsolicited and suspicious emails
Unsolicited emails can contain viruses that threaten the security of information stored on users’ computers. If an employee receives an email from an unknown sender and it looks suspicious, an employee should:
- not open the email or click on links contained in its subject line or body
- report the email to a manager and delete the email immediately.
Free web-based email accounts and file sharing software
Free web-based accounts and file sharing software are often owned by international companies in foreign jurisdictions. Information is stored on systems outside of Australia with differing legislation applied to the information. Examples of free web-based email accounts include:
Examples of file sharing programs include:
- Google Drive
Once information has been sent to web-based email accounts or uploaded onto file sharing programs it can no longer be controlled. Personal information should not be sent:
- to or from a free web-based email account
- via internet-based file sharing software.
Clear desks and screens
Work environments should be clear of personal information when unattended. This means employees should:
- not leave documents containing confidential information unattended on photocopiers, fax machines or printers
- lock a computer’s screen when leaving it unattended
- only print documents when absolutely necessary
- store portable storage devices and hard copies of confidential information in a secure drawer or cabinet, not on a desk.
Employees should ensure record retention requirements have been met prior to the disposal of any personal information.
When disposing of personal information, employees should:
- Place unneeded working documents or copies of information in secure bins or adequate shredders.
- Ensure any electronic media including computers, hard drives, USB keys etc. are sanitised when no longer required.
To help minimise the risks to the security of personal information, employees should:
- ensure all visitors are registered and accompanied at all times
- be aware of unaccompanied people who are not known
- notify a manager if an unauthorised person is present on premises.
Portable storage devices
Portable storage devices are usually small and capable of storing large amounts of information, and in some cases can be used to copy, transmit or share information. Examples of portable storage devices include:
- removable media (e.g. external hard drives, DVDs, USB drives)
- laptops, tablet computers and slates (e.g. iPads)
- mobile phones.
Using portable storage devices to access, store or transport personal information involves considerable risk because:
- they can be easily lost or stolen, and then accessed by unauthorised people
- using portable storage devices in public or non-work premises increases the chance of accidentally disclosing personal information to unauthorised people.
To minimise the information security risks associated with using portable storage devices, employees should:
- only use encrypted portable storage devices to store personal information
- avoid storing personal information on portable storage devices, where possible
- secure portable storage devices when unattended e.g. lock in a drawer
- be careful of what is said and what information is viewed in public
- report lost or stolen portable storage devices immediately to a manager.
Privacy incidents may result from unauthorised people accessing, changing or destroying personal information. Examples of situations from which incidents may arise include:
- accidental download of a virus onto an agency computer
- discussing or sharing of personal information on a social networking website such as Facebook
- loss or theft of a portable storage device containing personal information
- non-secure disposal of hard copies of personal information (i.e. placing readable paper in recycle bin or hard waste bin)
- documents sent to the wrong fax number or email address
- documents sent to a free web-based email account such as Yahoo!, Gmail or Hotmail.
Privacy incidents can:
- occur due to accidental or deliberate actions
- result from human error or technical failures
- apply to information in any form, whether electronic or hard copy.
It is vital all privacy incidents are reported as soon as possible so that their impact may be minimised. Employees should be aware of:
- how to identify potential privacy incidents
- the reason for reporting incidents is so their impact can be minimised - not to punish individuals
- the need to report all incidents to their manager as soon as they become aware of them.
A breach of client privacy may have a major impact, a non-major impact, or be a near miss or an incident with no apparent impact on a client. In each case, the incident has to be reported as a client incident on RiskMan. Depending on the severity of the privacy breach, Yooralla must report a client related privacy incident to the Office of the Australian Information Commissioner.
Access and Correction
Individuals have a legal right to request access or correction of their personal information held by us.
Yooralla may ask individuals to verify their identity before processing any access or correction requests, to ensure that the personal information Yooralla holds is properly protected.
Requests for information are generally managed under the Freedom of Information Act 1982 – (Vic). However some requests for personal information may be dealt with informally (outside the Freedom of Information Act 1982). Individuals can contact their Yooralla contact or Yooralla’s Privacy Officer (details below) to discuss their requirements.
Freedom of Information requests need to be in writing stating as precisely as possible what information is required or needs correction. Yooralla has a Freedom of Information request form which is available on request or individuals may wish to use the Victorian Information Commissioner’s form.
Any Freedom of Information requests should be addressed to:
Freedom of Information Officer
PO Box 238
Collins Street West VIC 8007
Phone: 03 9666 4500
Individuals need to include the relevant application fee or give evidence of hardship if they are asking for a waiver. Any fees charged for copies of documents released will be in accordance with Freedom of Information (Access Charges) Regulations 2014 (Vic).
If individuals have a complaint about how Yooralla has collected or handled their personal information, please contact Yooralla’s Privacy Officer (details below).
Yooralla will ask individuals to explain the circumstances of the matter that they are complaining about, how they believe their privacy has been interfered with and how they believe their complaint should be resolved.
Yooralla will complete a review of their complaint in accordance with its Customer Feedback and Complaints Policy. This may include, for example, gathering the relevant facts, locating and reviewing relevant documents and speaking to relevant individuals.
Yooralla will try to resolve their complaint in a fair and reasonable way. In most cases, Yooralla expects that complaints will be investigated and a response provided within 21 days of receipt of the complaint. If the matter is more complex and the investigation may take longer, Yooralla will write and let the complainant know, and tell them when Yooralla expects to provide a response.
If the person is unhappy with Yooralla’s response, they can refer their complaint to the NDIS Quality and Safeguards Commission, the Office of the Australian Information Commissioner or, in some instances, other regulatory bodies, such as the Victorian Information Commissioner or the Victorian Health Complaints Commissioner.
- Yooralla’s contact details
Clients and relevant others for whom Yooralla holds information can contact Yooralla if they have any queries about the personal information that Yooralla hold about them or the way Yooralla handles that personal information. Yooralla’s contact details for privacy queries are set out below.
Yooralla's Privacy Officer
PO Box 238,
Collins Street West, VIC 8007
Phone:03 9666 4500
Changes to this Policy
The Chief Practitioner is responsible for fulfilling the role of Privacy Officer and for compliance with this policy.
Employee Training and Development
NDIS Quality, Safety and You
Privacy Awareness for Australian Government Agencies
Cybersecurity – General Awareness