Stride has created this Privacy Management Plan in accordance with the Privacy and Personal Information Protection Act 1998 (PPIP Act).
This Plan outlines:
- Stride’s policies and practices for complying with the PPIP Act and the Health Records and Information Privacy Act 2002 (HRIP Act)
- How Stride will make staff aware of these policies and practices
- Stride’s procedures for dealing with privacy internal reviews under Part 5 of the PPIP Act
- Other relevant matters relating to the protection of the personal and health information that the organisation holds (section 33 of the PPIP Act)
A copy of this Plan will be provided to the Privacy Commissioner as soon as practicable after it is prepared and whenever the plan is amended.
The General Manager, People & Culture will be responsible for the ongoing review of the Privacy Management Plan with support from Stride’s Continuous Quality Improvement Committee.
3.0 Guiding Principles
3.1 How we Manage Personal and Health Information
The Privacy Act 1988 defines personal information as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Stride will only solicit sensitive information where consent is given by the individual
The types of personal information held by Stride could include, but are not limited to, name, age, sex, address, contact details, background information, health information, support systems and details of family and friends. Stride will only use this information as part of its primary function such as providing a service, complaints handling or recruitment.
Information can be given to Stride by third parties or directly from the individual. Any personal or health information which is received and is not necessary for the primary functions of Stride’s functions will be de-identified, discarded or kept in accordance with Australian Privacy Principles (APP’s) 5-13 and the Health Privacy Principles (HPP’s) under the HRIP Act.
Stride will take reasonable steps either to notify or to make aware to the individual that personal information has been received.
Stride takes reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure including locked filing cabinets and password protected systems. Some of these reasonable steps include workplace policies, ICT security and governance.
Stride is obligated to destroy or de-identify personal information in certain circumstances. Personal information obtained by Stride is not sent overseas.
Where a correction needs to be made to an individual’s personal identity, Stride will take reasonable steps to correct the personal information to ensure that it is accurate, up-to-date, complete, relevant and not misleading.
3.2 How to Access and Amend Personal and Health Information
When personal and/or health information is given to Stride by an individual, Stride relies on individuals to give accurate information and to advise of any changes to their personal information. Clients and stakeholders of Stride may access their personal information by written request.
Stride will provide this information within 30 days of receiving such notice unless:
- the request is made vexatiously
- Stride feels that the release of the information would be harmful to the individual or to the public
- releasing the information would give impact on the privacy of others
- it would be unlawful
- the information relates to existing or anticipated legal proceedings between Stride and the individual, and would not be accessible by the process of discovery in those proceedings
Stride will also refuse the release of personal and/or health information if:
- the request would reveal the intentions of Stride in relation to negotiations with the individual in such a way as to prejudice those negotiations;
- denying access is required or authorised by or under an Australian law or a court/tribunal order;
- Stride has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Stride’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
- giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body or if giving access would reveal evaluative information generated within Stride in connection with a commercially sensitive decision-making process.
3.3 Review Rights and Complaints
A person who is aggrieved by the conduct of Stride is entitled to a review of that conduct by Stride. An application for review must be in writing, addressed to Stride, specify an address to which the notice may be sent and be lodged at a Stride office within 6 months of the time the applicant first became aware of the misconduct.
The application will be dealt with by an individual within Stride who is directed by Stride to deal with the situation. This person will not be involved in the matter, will be an employee of Stride and will be someone who is qualified to deal with such matters. The allocated staff member will consider all materials submitted by the applicant, the Privacy Commissioner and be completed as soon as practicable.
However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for an administrative review of the conduct concerned.
Following the completion of the review, Stride will:
- take no further action on the matter; or
- make a formal apology to the applicant; or
- take action that Stride sees as appropriate; or
- provide undertakings that the conduct will not occur again and implement administrative measures to ensure that the conduct will not occur again.
Stride will not pay monetary compensation under subsection (7) if the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, or if the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.
As soon as practicable (or in any event within 14 days) after the completion of the review, Stride are will notify the applicant in writing of:
- the findings of the review (and the reasons for those findings); and
- the action proposed to be taken by Stride (and the reasons for taking that action); and
- the right of the person to have those findings, and Stride’s proposed action, administratively reviewed by the Tribunal.