Privacy policy

This policy relates to all employees, contractors, volunteers and students on placement responsible for collecting, storing, using or disclosing individuals’ information on behalf of Yooralla.

Yooralla is generally exempt from the Privacy Act when it collects and handles employee records and this privacy policy does not apply to that information. However, the Privacy Act still applies to personal information about job applicants, contractors and volunteers, and the Health Privacy Principles still require Yooralla to protect the privacy of employee health information. This privacy policy will apply in those circumstances.

Yooralla (ABN 14 005 304 432) is committed to protecting privacy in accordance with applicable privacy legislation. This privacy policy explains how Yooralla collects, uses, discloses and otherwise handles personal information.

Failure to appropriately collect, store, use and disclose information can leave Yooralla without key information to support clients efficiently and effectively and it also exposes clients to risk. This policy assists employees to:

• understand their obligations in relation to privacy and information security
• become familiar with the relevant legislative and compliance frameworks, including how Yooralla will be monitored in relation to privacy and information security
• develop a privacy aware culture through best practice information management
• know where to get further information and resources.

What personal information does Yooralla collect?

The kind of personal information that Yooralla collects about individuals depends on the type of dealings they have with Yooralla. For example, if a person:

is someone Yooralla supports or is connected to a person Yooralla supports (e.g. a family member, carer, advocate or nominated representative), Yooralla may collect their:

• name, address, telephone and email contact details
• gender, date of birth and marital status, information about their disability and support needs
• health and medical information
• Medicare number and other identifiers used by Government Agencies or other organisations to identify individuals
• financial information and billing details including information about the services individuals are funded to receive, whether under the National Disability Insurance Scheme or otherwise
• records of interactions with individuals such as system notes and records of conversations individuals have had with Yooralla’s employees
• information about the services Yooralla provides to individuals and the way in which Yooralla will deliver those to individuals

becomes a member of Yooralla, Yooralla may collect their name, organisation, contact details and hold records relating to their membership including renewal and billing information

registers for a subscription to a Yooralla publication, Yooralla may collect their name, organisation and contact details and details about the information individuals access in Yooralla’s publications

makes a donation, Yooralla may collect their name, organisation, contact details, the amount and frequency of their donation and payment details from individuals directly or from another fundraising entity that allows Yooralla to contact their supporters and provides Yooralla with their contact details

attends a Yooralla event, Yooralla may collect their name, organisation, contact details, payment details (if applicable) and any dietary and accessibility requirements

participates in Yooralla’s surveys, Yooralla may collect their name, organisation contact details and their survey responses

sends Yooralla an enquiry, Yooralla may collect their name, contact details and details of their query

visits Yooralla’s website, Yooralla will use ‘cookies’ and may use tools to track visits to the Yooralla website including how individuals arrive at the website and which pages they use. Yooralla may also collect data to enable Yooralla to personalise a webpage or pre-fill a form with their details

makes a complaint, Yooralla may collect their name, contact details, the details of their complaint, information collected in any investigation of the matter and details of the resolution of the complaint

applies for a job or volunteer role at Yooralla, Yooralla may collect the information individuals included in their application, including their cover letter, resume, contact details and referee reports, their tax file number and other identifiers used by Government Agencies or other organisations to identify individuals, information from police checks, working with children checks (or similar), and information about their right to work in Australia

Sensitive information

Yooralla employees must only collect sensitive information where it is reasonably necessary for Yooralla’s functions or activities and either:

• the individual has consented or
• Yooralla is required or authorised by or under law (including applicable privacy legislation) to do so. Yooralla will use tools that protect client privacy when disclosing sensitive information such as multi factor authentication and/or password protection.

Yooralla is obliged to dispose of sensitive information when it is no longer required. For example, to provide Yooralla’s services to a client or to respond to a potential client’s inquiries about services, Yooralla may be required to collect and hold their sensitive information including health and medical information and information relating to their disability and support requirements.

What if a client doesn't provide Yooralla with their personal information?

The nature of the business carried on by Yooralla means that, generally, it is not possible for Yooralla to provide services to clients or otherwise deal with individuals in an anonymous way.

However, in some circumstances Yooralla allows individuals the option of not identifying themselves, or of using a pseudonym, when dealing with Yooralla (for example, when viewing Yooralla’s website or making general phone queries). Donations may also be made anonymously, but in this case Yooralla may not be able to issue a tax-deductible receipt.

How does Yooralla collect personal information?

Yooralla employees must only collect personal information by lawful and fair means as required by the Privacy Act. Yooralla employees must also only collect personal information directly from clients or their representatives where this is reasonable and practicable.

Yooralla collects personal information in a number of ways, including:

• through Yooralla’s websites (for example, if individuals choose to donate to Yooralla online through the secure payment gateway)
• when individuals correspond with Yooralla (for example by letter, fax, email or telephone)
• on hard copy forms
• in person
• from referring third parties (for example, the National Disability Insurance Scheme or a support coordinator)
• at events and forums
• from third party funding and Government Agencies such as the NDIA or NDIS Quality and Safeguards Commission
• from third party fundraising entities and fundraising service providers who permit access to their donors lists for fundraising purposes.

Collection notices

Where Yooralla collects personal information about individuals, Yooralla employees must take reasonable steps to notify them of certain matters. Employees must do this at or before the time of collection, or as soon as practicable afterwards.

Why does Yooralla collect personal information?

Yooralla provides a wide range of support services for children and adults with disability, their families and carers. This range of essential, quality services includes: accommodation services, respite, in-home support, therapy, personalised support, specialised equipment, employment assistance, recreation, information and training, and practical skills for everyday living. Yooralla also addresses disability related issues through policy work and education, using evidence from case work and the stories of Yooralla’s clients to promote Yooralla’s work and bring about change.

The main purposes for which Yooralla collects, holds, uses and discloses personal information are set out below.

Provision of support services:

• Providing individuals with information about Yooralla’s services and supports
• Answering their inquiries and deliver service to clients
• Administering Yooralla’s services and supports and process payments
• Conducting quality assurance activities including conducting surveys, research and analysis and resolving complaints
• Complying with laws and regulations and to report to funding and Government Agencies.

Advocacy

• Carrying out law reform and policy work (for example, National Disability Insurance Scheme policy work on safeguarding people’s rights)
• Promoting Yooralla and its activities, including through events and forums
• Conducting research and statistical analysis relevant to Yooralla's activities (including inviting individuals to participate in research projects and activities)
• Preparing case studies of clients for use in advocacy work and in publications (individually identifying case studies will only be used with consent).

Education and information

• Providing disability related information or resources
• Running professional development / community training programs (for example, educating Public Transport Victoria’s employees on the challenges people with a disability experience when using public transport.

Fundraising

• Seeking funding and donations
• Organising fundraising events
• Reporting to funding providers.

General administration

• Recruiting employees, contractors and volunteers
• Processing payments
• Answering queries and resolving complaints
• Evaluating Yooralla’s work and reporting externally
• Carrying out internal functions including administration, training, accounting, audit and information technology.

Other purposes

Yooralla may also collect, hold, use and disclose personal information for other purposes which are explained at the time of collection, purposes which are required or authorised by or under law (including, without limitation, privacy legislation) or purposes for which an individual has provided their consent.

Information collected about individuals that does not identify individuals may be used for research, evaluation of services, quality assurance activities, and education. If individuals do not wish for their de-identified data to be used this way, they should contact Yooralla.

Direct marketing

Yooralla may use individuals’ personal information to keep them informed and up to date about Yooralla’s work, for example, changes to the National Disability Insurance Scheme or information about disability supports, either where Yooralla has their express or implied consent, or where Yooralla is otherwise permitted by law to do so. Yooralla may send this information in a variety of ways, including by mail, email, SMS, telephone, or social media.

Where individuals have consented to receiving marketing communications from Yooralla, that consent will remain current until they advise Yooralla otherwise. However, individuals can opt out at any time, as explained below.

Opting out

Individuals can opt out of receiving marketing communications from Yooralla by:

• advising they have received a marketing call and that they no longer wish to receive these calls;
• using the unsubscribe facility that Yooralla includes in its commercial electronic messages (such as emails and SMS’s) to opt out of receiving those messages; or
• contacting Yooralla by email at marcoms@yooralla.com.au, by phone on
  03 9666 4500 or by sending a letter to Marketing, Yooralla, PO Box 238 Collins Street West, Melbourne, VIC 8007.

Yooralla website cookies

Yooralla uses ‘cookies’ to manage and improve users’ experience on the Yooralla website. A cookie is a small text file that Yooralla’s site may place on their computer as a tool to remember their preferences. Individuals may refuse the use of cookies by selecting the appropriate settings on their browser.

Yooralla uses tools that tell Yooralla when a computer or device has visited or accessed Yooralla’s content. This allows Yooralla to tailor advertising, both on Yooralla’s website and through advertising networks on other websites, based on their visits or behaviour through cookies on their device. Individuals can control how cookies are used and for what through the settings on their chosen browser.

Yooralla also uses Google Analytics to track visits to the Yooralla website, using this information to track the effectiveness of the website. While this data is mostly anonymous, sometimes Yooralla will connect it to individuals, for instance in personalising a webpage, or pre-filling a form with their details. For more information on Yooralla’s analytics tools, read Google’s privacy policy.

The Yooralla site also uses a Marketo tracking cookie, which allows Yooralla to collect information about how individuals use Yooralla’s site after they have received a marketing email from us. The cookie tracks data linked to their email address and includes data such as how individuals arrived at the site, how often they visited, and which pages they have viewed.

Client Privacy Statement

Through Yooralla’s Customer Privacy Statement clients and relevant others are also informed about how their personal information will be used and disclosed, including how their personal information is protected from misuse, loss, unauthorised access, modification and disclosure.

What third parties does Yooralla disclose personal information to?

Yooralla may disclose personal information to third parties where appropriate for the purposes set out above, including disclosure to:

• Yooralla’s funding providers;
• Government and regulatory bodies, including the National Disability Insurance Agency, Medicare, the Department of Social Services, the Department of Families, Fairness and Housing, and the Australian Taxation Office;
• NDIS Quality and Safeguards Commission
• people acting on their behalf including their nominated representatives, legal guardians, executors, trustees and legal representatives;
• the police, or to the Disability Services Commissioner, or to comply with compulsory notices from courts of law, tribunals or Government Agencies;
• financial institutions for payment processing;
• referees whose details are provided to Yooralla by job applicants; and
• Yooralla's contracted service providers, including:

• information technology service providers

• invoice processing service providers

• conference, function and training organisers

• marketing and communications service providers including call centres

• research agencies

• freight and courier services

• printers and distributors of direct marketing material including mail houses

• external business advisers (such as recruitment advisors, auditors and lawyers).

In the case of these contracted service providers, Yooralla may disclose personal information to the service provider and the service provider may in turn provide Yooralla with personal information collected from individuals in the course of providing the relevant products or services.

Cross border disclosure of personal information

Yooralla utilises technology infrastructure that makes use of cloud infrastructure or servers that are located interstate or located out of Australia. Other than this, Yooralla does not typically transfer personal information interstate or overseas. By providing their personal information to Yooralla or using Yooralla’s services and supports, individuals are taken to have consented to this transfer.

If Yooralla transfers information overseas for other purposes, it will only do so with their consent or otherwise in accordance with Australian law. Yooralla will require that the recipient of the information complies with privacy obligations to maintain the security of the information.

Data quality and security

Yooralla holds personal information in a number of ways, including in hard copy documents, electronic databases, email contact lists, and in paper files held in drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.

Yooralla employees must take reasonable steps to:

• make sure that the personal information that Yooralla collects, uses and discloses is accurate, up to date and complete and (in the case of use and disclosure) relevant;
• protect the personal information that Yooralla holds from misuse, interference and loss and from unauthorised access, modification or disclosure; and
• destroy or permanently de-identify personal information that is no longer needed for any purpose that is permitted by the APPs, subject to other legal obligations and retention requirements applicable to Yooralla.

Unfortunately, there are inherent risks in the management of personal information and Yooralla cannot and does not guarantee that unauthorised access to individuals’ personal information will not occur.

Security

The steps Yooralla takes to secure the personal information Yooralla holds include website protection measures (such as multi factor authentication, encryption, firewalls and anti-virus software), security restrictions on access to Yooralla’s computer systems (such as login and password protection), controlled access to Yooralla’s premises, policies on document storage and security, personnel security (including restricting the use of personal information by Yooralla employees) and training and workplace policies.

Online credit card payment security

Yooralla processes donations and other online credit card payments using a secure payment gateway. The donor’s complete credit card number cannot be viewed by Yooralla and all transactions are secured using 128-bit SSL encryption.

Website security

While Yooralla strives to protect the personal information and privacy of users of Yooralla’s website, Yooralla cannot guarantee the security of any information that individuals disclose online and individuals disclose that information at their own risk. If individuals are concerned about sending their information over the internet, individuals can contact Yooralla by telephone or post (details under heading 5.13 below).

Individuals can also help to protect the privacy of their personal information by letting Yooralla know as soon as possible if individuals become aware of any security breach.

Third party websites

Links to third party websites that are not operated or controlled by Yooralla are provided for users’ convenience. Yooralla is not responsible for the privacy or security practices of those websites, which are not covered by this privacy policy. Third party websites should have their own privacy and security policies, which Yooralla encourages individuals to read before supplying any personal information to them.

How Yooralla handles personal information

Employee Training

All Yooralla employees must complete the e-learning training about privacy, data security and data quality requirements and learn how the Information and Health Privacy Principles apply to their day-to-day work.

Handling personal information

Yooralla employees must only access and use personal information for a valid work purpose. When handling personal information, employees should:

• confirm recipient details before sending faxes or emails
• always store any hard copies of confidential information that is not being used in a secure cabinet or room
• be aware of the surroundings and people nearby
• limit taking hard copy information away from secure sites
• secure information when travelling e.g. in briefcase, folder etc.
• dispose unneeded copies of information securely
• ensure the information is available to people who need to access it

Sharing personal information

Yooralla employees may only share personal information as set out under this policy and in circumstances permitted under law. To minimise the risk of unauthorised disclosure, employees should:

• check with a manager before sharing confidential information if the basis for sharing is not clear
• not use Internet-based file sharing software to share confidential information (e.g. BitTorrent, Dropbox).

When sharing information with authorised persons via email, employees should:

• ensure all confidential information is attached to the email in a password protected zip folder
• enable encryption where available
• not include confidential information in the subject line or body of the email
• not send information to or from free web-based email accounts such as Gmail, Hotmail or Yahoo!
• not share or discuss confidential information on social networking applications such as Instagram, Facebook and/or Twitter

Passwords

User IDs and passwords for access to computer services are for the sole use of the person to whom they are allocated. Yooralla employees should:

• make passwords difficult to guess
• keep all passwords secret and not provide them to another person
• change passwords regularly

Downloading software and applications

Software and applications downloaded from the Internet can contain viruses that threaten the security of information stored on users’ computers. Employees should:

• not download unauthorised software from the Internet onto a computer
• lodge a formal request with a manager if software needs to be installed in order to complete work activities

Unsolicited and suspicious emails

Unsolicited emails can contain viruses that threaten the security of information stored on users’ computers. If an employee receives an email from an unknown sender and it looks suspicious, an employee should:

• not open the email or click on links contained in its subject line or body
• report the email to a manager and delete the email immediately.

Free web-based email accounts and file sharing software

Free web-based accounts and file sharing software are often owned by international companies in foreign jurisdictions. Information is stored on systems outside of Australia with differing legislation applied to the information. Examples of free web-based email accounts include:

• Gmail
• Hotmail
• Yahoo!

Examples of file sharing programs include:

• Dropbox
• OneDrive
• Google Drive

Once information has been sent to web-based email accounts or uploaded onto file sharing programs it can no longer be controlled. Personal information should not be sent:

• to or from a free web-based email account
• via internet-based file sharing software.

Clear desks and screens

Work environments should be clear of personal information when unattended. This means employees should:

• not leave documents containing confidential information unattended on photocopiers, fax machines or printers
• lock a computer’s screen when leaving it unattended
• only print documents when absolutely necessary
• store portable storage devices and hard copies of confidential information in a secure drawer or cabinet, not on a desk.

Information disposal

Employees should ensure record retention requirements have been met prior to the disposal of any personal information.

When disposing of personal information, employees should:

• Place unneeded working documents or copies of information in secure bins or adequate shredders.
• Ensure any electronic media including computers, hard drives, USB keys etc. are sanitised when no longer required.

Visitors

To help minimise the risks to the security of personal information, employees should:

• ensure all visitors are registered and accompanied at all times
• be aware of unaccompanied people who are not known
• notify a manager if an unauthorised person is present on premises.

Portable storage devices

Portable storage devices are usually small and capable of storing large amounts of information, and in some cases can be used to copy, transmit or share information. Examples of portable storage devices include:

• removable media (e.g. external hard drives, DVDs, USB drives)
• laptops, tablet computers and slates (e.g. iPads)
• smartphones
• mobile phones.

Using portable storage devices to access, store or transport personal information involves considerable risk because:

• they can be easily lost or stolen, and then accessed by unauthorised people
• using portable storage devices in public or non-work premises increases the chance of accidentally disclosing personal information to unauthorised people.

To minimise the information security risks associated with using portable storage devices, employees should:

• only use encrypted portable storage devices to store personal information
• avoid storing personal information on portable storage devices, where possible
• secure portable storage devices when unattended e.g. lock in a drawer
• be careful of what is said and what information is viewed in public
• report lost or stolen portable storage devices immediately to a manager.

Privacy incidents

Privacy incidents may result from unauthorised people accessing, changing or destroying personal information. Examples of situations from which incidents may arise include:

• accidental download of a virus onto an agency computer
• discussing or sharing of personal information on a social networking website such as Facebook
• loss or theft of a portable storage device containing personal information
• non-secure disposal of hard copies of personal information (i.e. placing readable paper in recycle bin or hard waste bin)
• documents sent to the wrong fax number or email address
• documents sent to a free web-based email account such as Yahoo!, Gmail or Hotmail.

Privacy incidents can:

• occur due to accidental or deliberate actions
• result from human error or technical failures
• apply to information in any form, whether electronic or hard copy.

Incident reporting

It is vital all privacy incidents are reported as soon as possible so that their impact may be minimised. Employees should be aware of:

• how to identify potential privacy incidents
• the reason for reporting incidents is so their impact can be minimised - not to punish individuals
• the need to report all incidents to their manager as soon as they become aware of them.

A breach of client privacy may have a major impact, a non-major impact, or be a near miss or an incident with no apparent impact on a client. In each case, the incident has to be reported as a client incident on RiskMan. Depending on the severity of the privacy breach, Yooralla must report a client related privacy incident to the Office of the Australian Information Commissioner.

Access and Correction

Individuals have a legal right to request access or correction of their personal information held by us.

Yooralla may ask individuals to verify their identity before processing any access or correction requests, to ensure that the personal information Yooralla holds is properly protected.

Requests for information are generally managed under the Freedom of Information Act 1982 – (Vic). However some requests for personal information may be dealt with informally (outside the Freedom of Information Act 1982). Individuals can contact their Yooralla contact or Yooralla’s Privacy Officer (details below) to discuss their requirements.

Freedom of Information requests need to be in writing stating as precisely as possible what information is required or needs correction. Yooralla has a Freedom of Information request form which is available on request or individuals may wish to use the Victorian Information Commissioner’s form.

Any Freedom of Information requests should be addressed to:

Freedom of Information Officer
PO Box 238
Collins Street West VIC 8007
Phone: 03 9666 4500
Email: foi@yooralla.com.au

Individuals need to include the relevant application fee or give evidence of hardship if they are asking for a waiver. Any fees charged for copies of documents released will be in accordance with Freedom of Information (Access Charges) Regulations 2014 (Vic).

Complaints

If individuals have a complaint about how Yooralla has collected or handled their personal information, please contact Yooralla’s Privacy Officer (details below).

Yooralla will ask individuals to explain the circumstances of the matter that they are complaining about, how they believe their privacy has been interfered with and how they believe their complaint should be resolved.

Yooralla will complete a review of their complaint in accordance with its Customer Feedback and Complaints Policy. This may include, for example, gathering the relevant facts, locating and reviewing relevant documents and speaking to relevant individuals.

Yooralla will try to resolve their complaint in a fair and reasonable way. In most cases, Yooralla expects that complaints will be investigated and a response provided within 21 days of receipt of the complaint. If the matter is more complex and the investigation may take longer, Yooralla will write and let the complainant know, and tell them when Yooralla expects to provide a response.

If the person is unhappy with Yooralla’s response, they can refer their complaint to the NDIS Quality and Safeguards Commission, the Office of the Australian Information Commissioner or, in some instances, other regulatory bodies, such as the Victorian Information Commissioner or the Victorian Health Complaints Commissioner.

1. Yooralla’s contact details

Clients and relevant others for whom Yooralla holds information can contact Yooralla if they have any queries about the personal information that Yooralla hold about them or the way Yooralla handles that personal information. Yooralla’s contact details for privacy queries are set out below.

Yooralla's Privacy Officer
Mail:

PO Box 238,

Collins Street West, VIC 8007
Phone:03 9666 4500
Email: privacy@yooralla.com.au

Changes to this Policy

Yooralla may amend this Privacy Policy from time to time. The current version will be posted on Yooralla’s website and a copy may be obtained from Yooralla’s Privacy Officer.

Responsibilities

All managers and employees are responsible for compliance with this Privacy Policy when collecting, managing, releasing and storing personal or health information relating to any client, family member, donor, employee, volunteer, contractor or student on placement.

The Chief Practitioner is responsible for fulfilling the role of Privacy Officer and for compliance with this policy.

Employee Training and Development

NDIS Quality, Safety and You

Privacy Awareness for Australian Government Agencies

Cybersecurity – General Awareness