The Privacy Act 1988 requires entities bound by the Australian Privacy Principles to have a privacy policy. This privacy policy outlines the personal information handling practices of the ASHA Global Foundation.
This policy is written in simple language. The specific legal obligations of the OAIC when collecting and handling your personal information are outlined in the Privacy Act 1988 and in particular in the Australian Privacy Principles found in that Act. We will update this privacy policy when our information handling practices change. Updates will be publicized on our website and through our email lists.
These functions and activities include:
At all times we try to only collect the information we need for the particular function or activity we are carrying out.
The main way we collect personal information about you is when you give it to us. For example, we collect personal information such as contact details and complaint, review, request, data breach notification or report details when you:
We may also collect information from you when we investigate or review a privacy or FOI matter. If we open a file about your matter, it will often include our opinion on your matter.
We may also collect contact details and some other personal information if you are on our committees or participating in a meeting or consultation with us.
Sometimes we may need to collect sensitive information about you, for example, to handle a complaint. This might include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.
In the course of handling and resolving a complaint, data breach notification, review or an investigation, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties such as:
We also collect personal information from publicly available sources to enable us to contact stakeholders who may be interested in our work or in participating in our consultations.
Where possible, we will allow you to interact with us anonymously or using a pseudonym. For example, if you contact our Enquiries line with a general question we will not ask for your name unless we need it to adequately handle your question.
However, for most of our functions and activities we usually need your name and contact information and enough information about the particular matter to enable us to fairly and efficiently handle your inquiry, request, complaint or application, or to act on your report.
Our public website, www.ashaglobalfoundation.org.au, is hosted in Australia. There are a number of ways in which we collect information though our website.
We use Godaddy to collect data about your interaction with our website. The sole purpose of collecting your data in this way is to improve your experience when using our site. The types of data we collect with these tools include:
Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to enhance functionality on the website.
Most browsers allow you to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing our website.
The cookies from our website are generally created by godaddy and start with _pk_ref, _pk_ses or _pk_id.
Embedded videos on our website use YouTube’s Privacy Enhanced Mode. When you play an embedded video from our website, the video and associated assets will load from the domain www.youtube-nocookie.com, and other domains associated with Google’s YouTube player. If the domain www.youtube-nocookie.com is blocked, a local version of the video will be played instead, if available. The only data we collect about this is whether you received the YouTube version or the local version. You can access the privacy policy for YouTube on its website.
We will collect information that you provide to us when signing up to mailing lists and registering for our events, or when submitting feedback on your experience with our website.
Analytics are performed when you click on links in the email, or when you download the images in the email. They include which emails you open, which links you click, your mail client (eg ‘Outlook 2016’ or ‘iPhone’), if your action occurred on ‘mobile’ or ‘desktop’, and the country geolocation of your IP address (the IP address itself is not stored).
We use the services of microsoft forms to collect voluntary feedback on your experience with our website. We also use microsoft forms to conduct anonymous stakeholder surveys to gather feedback to help us improve our performance. We do not collect personal information via microsoft form . Information about how micorosoft manages personal information is available in the privacy and data collection policies on its website.
We use social networking services such as Twitter, Facebook and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Twitter, Facebook and YouTube (a Google company) on their websites.
Common situations in which we disclose information are detailed below.
If you make a privacy or FOI complaint, or apply for an FOI review, we will usually give a copy of the complaint or application to the respondent and, where relevant, affected third parties.
If a complainant or applicant requests that only limited information is disclosed to the respondent, we may not have enough information to be able to fairly proceed with the matter. The respondent must have sufficient information to respond to the matter in a meaningful way.
If you notify us about a data breach we will not disclose personal information about you unless you agree, or would reasonably expect us to. If the breach relates to the My Health Records Act, we may disclose your personal information to the My Health Records System Operator under s 73A of that Act.
Generally, when we publish decisions, determinations or reports (on our website and on the Australasian Legal Information Institute website) if you are a party who is an individual we will not publish your name unless you ask for it to be published.
We may also publish other information about cases that we have resolved without a formal decision. We will not publish your name.
We generally only provide the media with personal information relating to a complaint if you have agreed.
The asha global uses a number of service providers to whom we disclose personal information. These include providers that host our website servers, manage our IT and manage our human resources information.
To protect the personal information we disclose we:
We only disclose your sensitive information for the purposes for which you gave it to us or for directly related purposes you would reasonably expect or if you agree, for example, to handle a complaint.
We may disclose information that relates to complaints or investigations to other Australian or international regulators, or to external dispute resolution (EDR) schemes. We will generally only disclose your personal information to other regulators or EDR schemes if you agree and where the information will assist the OAIC or the other regulator or EDR scheme investigate a matter.
Generally, we only disclose personal information overseas so that we can properly handle the complaint or application. For example, if:
Web traffic information is disclosed to Google Analytics when you visit our websites. Google stores information across multiple countries.
When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
To ensure that the personal information we collect is accurate, up-to-date and complete we:
We also review the quality of personal information before we use or disclose it.
We take steps to protect the security of the personal information we hold from both internal and external threats by:
For further information on the way we manage security risks in relation to personal information we hold see our supplementary material on information technology security practices, below.
Under the Privacy Act (Australian Privacy Principles 12 and 13) you have the right to ask for access to personal information that we hold about you, and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.
We will ask you to verify your identity before we give you access to your information or correct it, and we will try to make the process as simple as possible. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.
If we make a correction and we have disclosed the incorrect information to others, you can ask us to tell them about the correction. We must do so unless there is a valid reason not to.
If we refuse to correct your personal information, you can ask us to associate with it (for example, attach or link) a statement that you believe the information is incorrect and why.
You also have the right under the FOI Act to request access to documents that we hold and ask for information that we hold about you to be changed or annotated if it is incomplete, incorrect, out-of- date or misleading. For further information see the Access our information page on the OAIC website.
If you wish to complain to us about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.
If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.
We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.
If you are not satisfied with our response you may ask for a review by a more senior officer within the OAIC (if that has not already happened) or you can complain to the Commonwealth Ombudsman.