Privacy Policy

We will protect your information fiercely. We will not sell your data to anyone. We will, however, use it in order to contact you if you asked us to.

In order to provide services, support and to conduct our business activities, we may need to collect personal information about you. This may include your name, home and email addresses and your telephone numbers. If this information is not provided, we may not be able to supply you with the services you request.

We take reasonable steps to ensure the personal information we collect about you is accurate, complete, up-to-date, relevant, secure and that it is not accessed or disclosed to anyone without authority. We will only disclose your information to people within our organisation who may need to know that information to provide you with the best services. We can only do this in ways that comply with the Australian Privacy Principles.

We use Google Analytics to track visits to our website, and use this information to track the effectiveness of our website, like visits, length of visit, viewed pages and the technical capabilities of our visitors. For more information on our analytics tools, read Google’s Privacy Policy.

1.1 This policy sets out how ChangePath Incorporated, ABN 97 700 781 885, (ChangePath) fulfils its obligations under the Privacy Act 1988 (Cth) (the Privacy Act), including the Australian Privacy Principles (APPs).

1.2 The APPs require ChangePath to have clearly expressed policies about the management of personal information.

1.3 This policy outlines the type of personal information ChangePath may hold and how it manages that information.

2.1 People will understand their rights under the Privacy Act. This includes:

• knowing what information ChangePath holds about them;
• information regarding the collection, use, disclosure and storage of the information; and
• to correct that information if it is out of date or inaccurate.

2.2 ChangePath will have in place practices, policies and procedures to make sure that the APPs are complied with, and to deal with questions and complaints about the APPs (APP1).

2.3 ChangePath will have a clear, up to date and easy to access policy about its management of personal information (APP1). This policy is available through the ChangePath website.

3.1 This policy applies to all of ChangePath’s services, activities and operations.

3.2 The policy affects anyone whose personal information is held by ChangePath, including officers, employees, contractors, volunteers, and donors.

4.1 “Personal Information” (as defined in the Privacy Act) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether or not the information is documented.

4.2 “Sensitive information” means personal information about a person’s:

• racial or ethnic origin;
• political opinion or membership of a political association;
• trade union or professional association membership;
• religious beliefs or affiliations or philosophical beliefs;
• sexual orientation or practices;
• criminal record;
• health information;
• genetic information; or
• biometric information or templates.

5.1 All officers, employees, contractors and volunteers of ChangePath have a responsibility to make sure personal information is handled in a way that complies with this policy.

5.2 Chief Privacy Officer: ChangePath has a Chief Privacy Officer. The role of the Chief Privacy Officer is to:

• accept and answer any concerns, complaints or alleged breaches about privacy issues;
• receive and answer any requests for access to or correction of personal information; and
• be the contact for the Australian Information Commissioner in relation to any privacy issues.

1.1 The personal information that ChangePath may request from a person will depend on the type of relationship the person has with ChangePath, for example, whether the person is an officer, employee, volunteer or donor.

1.2 It is ChangePath’s usual practice to collect personal information directly from the person.

1.3 Where a person is not able to provide the information, ChangePath may collect the information from another person who has legal responsibility for the person.

1.4 ChangePath allows people to have the opportunity to remain anonymous or to use a false name, except where it is not practical to do so (APP2).

1.6 ChangePath only collects personal information for purposes directly related to our activities (APP3), such as:

• communications;
• fundraising;
• responding to enquiries about our services; and
• administrative activities.

1.7 ChangePath may also collect personal information in its normal communications, including when a person:

• emails officers or employees;
• phones ChangePath as we may store their phone number on our telephone system;
• provides us with their business card.

1.8 ChangePath will endeavour to store personal information securely. Backups of electronic information may be kept with a third party storage provider.

1.9 There are some circumstances where ChangePath may receive personal information that it has not asked for. When this happens, ChangePath will decide whether or not we could have collected the information from that person, if we had asked. ChangePath may use or disclose that information to help us make that decision (APP4).

1.10 If allowed to, ChangePath will destroy or de-identify the information (APP4) if:

• ChangePath decides that we could not have collected the personal information if we had asked the person; and
• the personal information is not found in a Commonwealth record.

1.11 ChangePath does not sell, loan or give away any information that we collect.

1.12 Before, at the time of, or as soon as possible after ChangePath collects personal information, it takes steps to tell or make sure that the person whom it is about, is aware of the following:

• who ChangePath is and how to contact us;
• the fact that ChangePath has collected the information, if it was collected from someone else and how it was collected;
• whether the collection of the information is allowed under an Australian law or a court/tribunal order;
• the reasons why ChangePath collected the information;
• what will happen if the information is not collected;
• whether there is anyone else that ChangePath usually discloses personal information to including whether ChangePath is likely to disclose the personal information to anyone overseas; and, if yes, the countries in which those people are located (APP5);
• that ChangePath’s privacy policy is available and contains details regarding access and correction of the information;
• that ChangePath’s privacy policy contains information about how the person may complain about a breach of the APPs, and how it will deal with any complaint.

2.1 ChangePath only holds personal information for the primary purpose it was given to us. It is not to be used or disclosed to anyone else for a secondary purpose unless one of the following applies:

• the person has agreed;
• the person would expect ChangePath to use or disclose the personal information for the secondary purpose as it relates to the primary purpose;
• it is required or authorised by law;
• a permitted general situation exists (see s.16A of the Privacy Act);
• a permitted health situation exists (see s.16B of the Privacy Act), in which case, steps must be taken to de-identify the information before it is disclosed.

2.2 ChangePath believes that the use or disclosure of the information is necessary for an enforcement related activity (e.g.: Federal Police, Immigration, ATO) (APP6).

3.1 ChangePath will not use or disclose personal information for use in direct marketing.

3.2 Exceptions include where a person has agreed to, or would expect ChangePath to use or disclose the information for direct marketing.

3.3 ChangePath will provide an easy way for the person to request not to receive direct marketing and will include a prominent statement that the person may make such a request.

3.4 A person may ask how ChangePath got their information. ChangePath will give them that information at no charge and within a reasonable timeframe.

4.1 Before ChangePath discloses personal information about a person to someone who is not in Australia, it will make sure that the person overseas does not breach the APPs in relation to the information.

4.2 Exceptions include:

• if ChangePath believes that the overseas person is subject to a law that can protect the information in a way that is similar to the APPs;
• if the person agrees to the disclosure, after being told about this APP;
• the disclosure of the information is required by law;
• a permitted general situation exists (see s.16A of the Privacy Act);
• the disclosure of the information is required under an inter-Australian agreement; or
• ChangePath believes that the disclosure of the information is necessary for enforcement related activities.

4.3 ChangePath may disclose personal information about a person to officers resident in the United Kingdom or the United States of America, if required for the uses outlined in this policy.

5.1 ChangePath will not adopt a government related identifier of a person (e.g.: Medicare or Driver’s Licence number) as its own identifier of that person unless it is allowed to do so.

5.2 ChangePath will not use or disclose a government related identifier of a person unless:

• it is necessary for ChangePath to verify the identity of the person;
• it is necessary for ChangePath to fulfil its obligations to an agency or a State or Territory authority;
• it is required by law or a court/tribunal order;
• a permitted general situation exists (see s.16A of the Privacy Act); or
• ChangePath believes it is necessary for an enforcement related activity.

6.1 ChangePath takes reasonable steps to make sure that the personal information it collects is accurate, up to date and complete.

6.2 ChangePath takes reasonable steps to make sure that the personal information that it uses or discloses is, considering the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

6.3 These steps include maintaining and updating personal information when we are advised by a person that their personal information has changed.

7.1 ChangePath takes steps to protect the personal information it holds against misuse, interference, loss, unauthorised access, modification or disclosure. These steps include password protection for electronic files, securing paper files in locked cabinets and physical access restrictions.

7.2 When it is no longer required, personal information is destroyed, deleted or deidentified in a secure manner, unless ChangePath is required by law to keep the information (APP12).

7.3 If a person asks for access to their personal information held by ChangePath, we will allow access unless there is a reason under the Privacy Act or any other law not to give access to the information. These reasons include:

• a serious threat to the life, health or safety of any individual, or to public health/safety;
• it would impact on the privacy of other individuals;
• the request is frivolous or vexatious;
• the information relates to existing or anticipated legal proceedings;
• it would prejudice negotiations with the individual;
• it would be unlawful;
• denying access is authorised by law;
• unlawful activity, or serious misconduct relating to ChangePath’s functions may be engaged in and giving access would prejudice the taking of appropriate action;
• enforcement related activities may be prejudiced; or
• evaluative information generated within ChangePath in connection with a commercially sensitive decision-making process may be revealed.

7.4 ChangePath will respond to the request for access to the personal information within a reasonable time and will give access in the way requested by the person, if it is able to do so.

7.5 If ChangePath refuses to give access to the information or to give access in the way requested by the person, it will take steps to give access in a way that meets both its needs and those of the person, including through the use of a mutually agreed intermediary.

7.6 If ChangePath does not agree to provide access to personal information, we will advise the person in writing of the reasons why and how to complain about the refusal.

7.7 There is no fee for making a request to access personal information and any fee charged by ChangePath will not be excessive (e.g.: copying charges).

7.8 Further information about how to request access to the information we hold about a person can be obtained by contacting the Chief Privacy Officer. Further, anyone may seek advice from the Australian Information Commissioner by calling 1300 363 992 or by email: enquiries@oaic.gov.au

8.1 ChangePath will take reasonable steps to correct personal information that it holds if:

• it is satisfied that, considering the purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
• the person requests that ChangePath correct the information.

8.2 If ChangePath corrects personal information that it previously disclosed to someone else, if requested, it will take reasonable steps to notify the other person of the correction.

8.3 If ChangePath refuses a request to correct the personal information, it will give the person a written notice that sets out the reasons for the refusal and how they may complain about the refusal.

8.4 Where ChangePath refuses a request to correct the personal information, the person may request that it associate or attach a statement that the information is inaccurate, out-of date, incomplete, irrelevant or misleading. ChangePath will take reasonable steps to associate or attach the statement so that it can be seen by anyone using the information.

8.5 If ChangePath is asked to correct personal information, it will respond within a reasonable time and will not charge the person for making the request, for making the correction or for associating the statement with the information.

9.1 Officers, employees, contractors and volunteers who may have access to personal and sensitive information in the course of their duties are bound by their commitment to confidentiality.

9.2 Breaches of confidentiality by officers, employees, contractors and volunteers will be dealt with in accordance with the conditions of appointment of those individuals and ChangePath’s policy.

10.1 The request should be made in writing and directed to:

Chief Privacy Officer

ChangePath Incorporated

privacy@changepath.com.au

10.2 You should expect a response within 7 days of the request being received. You will be advised of the time it may take to provide the information, or if there is any reason why the information cannot be provided or changed in accordance with your request. If you have requested access to information, you will also be advised of how you may need to access the information.

10.3 Generally the information will be available free of charge, unless substantial copying is required, in which case, ChangePath may request a reasonable fee to cover the cost of copying.

11.1 If you have a complaint in relation to privacy, it should be made in writing, directed to:

Chief Privacy Officer

ChangePath Incorporated

privacy@changepath.com.au

11.2 You should expect an acknowledgement within 7 days of the complaint or concern being received. You will be advised of how your complaint or concern will be dealt with.

11.3 Your complaint or concern will be investigated by the Chief Privacy Officer in consultation with the Chief Executive.

11.4 You will receive written advice of the response to your concern or complaint, or advice of further processes required, within 28 days.

11.5 If ChangePath’s response is not acceptable to you, we may suggest conciliation or arbitration on the matter. You may also make a formal complaint to the Australian Information Commissioner by calling 1300 363 992 or by email: enquiries@oaic.gov.au