The Waalitj Foundation (The Foundation) collects and administers a range of personal information for purposes including, but not limited to:
- Human resources and volunteering management
- Program administration
- Delivery of services
- Contract management
The Foundation is committed to respecting and protecting the privacy of personal and sensitive information that the organisation collects, holds, and administers. The disclosure of this information is restricted in its circulation for privacy, ethical or commercial reasons, or to safeguard the intellectual property of the organisation.
The Foundation recognises the essential right of individuals to have their information administered in ways which they would reasonably expect: protected from unauthorised disclosure whilst also being accessible to them. These privacy values are supported by this policy, which is compliant with the following legislation:
- Privacy Act (1988)
- Freedom of Information Act 1992 (WA)
- The Australian Privacy Principles Guidelines
- Principles of Human Rights and Responsibilities
1. Collection of information
The Waalitj Foundation will only collect personal information that is necessary for the provision of the services delivered and the personal information is only used for purposes that are related to the services requested. These purposes include, but are not limited to:
- Enquiry about
- Referral to
- Participant/client health care
- Contractual and reporting
- Providing support to
- For purpose of actioning a referral (including transferral of personal information to other external providers which are education or employment related).
- Community development
- Compliment, complaint and feedback
Staff members must provide a consent form to individuals before the Foundation gains access to their personal information, for the purpose of providing the best possible service. Only those staff who require access for legitimate purposes will have access to the individual’s personal information.
If the Waalitj Foundation needs to use their personal information for anything outside of the stated purpose it was collected for, the Foundation will seek additional consent from the individual prior to any action.
1.2. Personal Information Collected by the Foundation
The personal information that the Foundation collects from individuals includes:
- Names, date of birth, addresses, contact details including emergency
- Health care information including medications, allergies, adverse events, and other risk
Note: Participants’ and Clients’ COVID-19 vaccination certificates will not be collected by the organisation.
On some occasions the Foundation may collect information about:
- Race or ethnic origin, language group, and the existence or otherwise of any native title claims or groups of which you are a member
- Financial information – Bank details
- Medicare number for identification and emergency purposes
- Tax File Number, Centrelink and Superannuation information
- Educational qualifications
- Criminal history
- COVID-19 vaccination
2. Use and Disclosure
The Foundation may use or disclose and otherwise process individuals’ personal information for the primary purpose of conducting and supporting its functions or activities as the operator of a range of education, business and employment services across Australia.
The organisation may use or disclose the individual’s personal information:
- To provide the person with education, business or employment services
- To send updates and newsletters
- To contact the individual as required by the Foundation
- To address any enquiries, complaints or feedback
- To do anything the Waalitj Foundation is required or authorised by law to
Additionally, the Foundation may disclose personal information to:
- Third parties where individuals have given their consent (express or implied)
- Government agencies or other similar entities as required or permitted by law
- Professional advisors, contractors or other service providers whom the Waalitj Foundation may engage from time to time to carry out, advise or assist with the operation or activities of the Waalitj
The Waalitj Foundation will not use clients’ personal information for a secondary purpose unless:
- Individuals consent to the use or disclosure, or they would reasonably expect the Foundation to use it for the secondary purpose which is related to the primary purpose
- When it is necessary to reduce or prevent a serious threat to a person’s life, health or safety or public health or safety
- To assist in locating a missing person when required or authorised by law
- The use or disclosure is required or authorised by law
- The use or disclosure is otherwise permitted by the Privacy Act (for example, as a necessary part of an investigation of suspected unlawful activity)
Unless authorised or required by law, the Waalitj Foundation will only use or disclose personal information where necessary to fulfil the purposes for which that information was collected.
When an individual’s personal information is to be used or disclosed for a purpose not previously identified, the new purpose will be communicated to the person before such use or disclosure, and their consent will be required unless the use is authorised or demanded by law.
2.1. Direct Marketing
The Waalitj Foundation may use individuals’ personal information for marketing purposes to send them news, information about the Foundation’s activities and general promotional material which the Foundation believes may be useful or of interest to the person.
If individuals do not want the Foundation to use their personal information in this manner, please contact the Foundation using the contact details provided on the website.
The Waalitj Foundation will implement and maintain steps to ensure that personal information is protected from misuse or loss, unauthorised access, interference, unauthorised modification or disclosure.
Before the Foundation discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, the IT area must establish that they are privacy compliant. In addition, the Foundation has systems in place which provide sufficient information security.
The Foundation will destroy personal information once it is not required to be kept for the purpose for which it was collected, including from obsolete laptops, mobile phones and storage devices.
4. Data Security
The Foundation’s staff take reasonable steps to protect individuals’ data from misuse, interference and loss, and from unauthorised access, modification or disclosure.
These steps include reasonable physical, technical and administrative security safeguards for electronic and hard copy or paper records as identified below.
- Reasonable physical safeguards include:
  - Locking filing cabinets and unattended storage
  - Physically securing the areas in which the personal information is stored
  - Not storing personal information in public
  - Positioning printers and fax machines so that they cannot be accessed by unauthorised people or members of the public.
- Reasonable technical safeguards include:
  - Using passwords to restrict computer access, and requiring regular changes to passwords
  - Establishing different access levels so that not all staff can view all information
  - Ensuring information is transferred securely where possible or where not possible ensuring that appropriate safeguard measures have been taken.
  - Installing virus protections and firewalls
- Reasonable administrative safeguards include not only the existence of policies and procedures for guidance but also training to ensure staff are competent in this area.
5. Data Quality
The Foundation takes steps to ensure that the personal information collected is accurate, up-to-date and complete. These steps include maintaining and updating personal information when the Foundation is advised by individuals that the information has changed (and at other times as necessary).
5.1. Access and correction to personal information
Subject to any exceptions in the Privacy Act, if an individual has provided the Foundation with personal information, they have a right to request access to it.
If individuals believe that the Waalitj Foundation holds personal information relating to them and they wish to obtain access to this information, please contact the Waalitj Foundation on firstname.lastname@example.org.
The Foundation may ask individuals to provide proof of their identity if they request access to or correction of their personal information. In the event that a request for access is made, the Foundation will review the records to determine what personal information relating to the person the organisation holds and endeavour to respond to the person’s request within a reasonable period after the request is made, but in any event, within 30 days, unless there is a lawful reason not to do so. If this happens, the Foundation will, where reasonable:
- Give a written notice explaining why
- Let the individual know how they can make a complaint
- At the individual’s request, make a note on their file detailing the information they believe to be
The Waalitj Foundation will ensure stakeholders are aware of its Privacy and Confidentiality Policy and its purpose. The Foundation will make the policy available in relevant publications and on the organisation’s website.
7. Anonymity and pseudonymity
In most circumstances, it is impractical for people to communicate with the Foundation anonymously. The Foundation needs to identify the person to assist them effectively. However, in circumstances where it is lawful and practicable to do so, the Waalitj Foundation will provide the person with the option of not identifying themselves, or using a pseudonym, when entering communications with the Foundation.
Breach of Privacy and Confidentiality
If a Foundation staff member is dissatisfied with the conduct of a co-worker regarding privacy and confidentiality of information, the matter should be raised with their General Manager. If this is not appropriate, the relevant staff member should follow the Managing Misconduct and Grievance procedure. Staff who are deemed to have breached privacy and confidentiality standards may be subject to disciplinary actions.
If a client/participant is dissatisfied with the conduct of a staff member or board director, a complaint should be raised in accordance with the Feedback and Complaint Management Procedure. Information about making a complaint will be made available to clients/participants and this information is on the Foundation Website. Additionally, a complaint can be taken over the phone or in person by any staff member.
If individuals are not satisfied with the Foundation’s complaint handling, they may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). For more information about doing so, visit https://www.oaic.gov.au/privacy/privacy-complaints/.
Notifiable Data Breaches
A notifiable data breach is one that is likely to result in serious harm to any of the individuals to whom the information relates. A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
All suspected and/or confirmed data breaches are required to be reported to the IT Manager and IT helpdesk at email@example.com, and the WF Cyber incident procedure will be followed.
Chief Executive Officer is responsible for:
- Providing adequate resources to ensure this policy is appropriately implemented and applied across the Waalitj Foundation.
Chief Financial Officer is responsible for:
- Overseeing the compliance of WF Privacy and Confidentiality process according to Australian laws
- Updating this policy as per laws or organisational
- Identifying privacy threats / risks and implementing the appropriate controls.
Staff members are responsible for:
- Handling clients’ personal information according to the Office of the Australian Information Commissioner (OAIC).
- Completing privacy training given by the
- Cooperating with authorised WF information security personnel in the investigation of security