Farrer School Foundation: Privacy
Our business is bound by the Privacy Act 1988 (the Act) and the Australian Privacy Principles (APP).
We collect and hold personal information relating to our members, donors and to other people and entities associated with our members and donors as may be provided or disclosed to us in the course of business, including from Farrer Memorial Agricultural High School and its associated entities. Such personal information may include, but is not limited to, names, addresses, telephone numbers, social media details, email addresses, occupations, bank account details and records of your communications and interactions with us.
Personal information is collected from our members, donors and associated parties in the following ways:
- by providing it to us directly, including by submission to our website;
- by authorising third parties to provide it to us;
- by other parties providing it to us either voluntarily or pursuant to compulsory processes we conduct on our members’ or donors’ behalf.
How is personal information received and held?
Personal information may be received and held either as hard copy (paper) or as soft copy (electronic data), in any available form. In either case, we take the security of personal information very seriously. We secure hard copy documents carefully in and out of our office. We use cyber-security systems to protect soft copy documents. We never ask for bank details or other sensitive information by email.
For what purpose is personal information collected, held, used and disclosed?
All data is processed by the business on a lawful basis. The purposes for which we collect, hold, use and disclose personal information are:
- to fulfill our functions and responsibilities under our Constitution;
- to raise and manage funds. In doing so we may disclose personal information to other people or entities involved in the process of fundraising, such as government departments and individuals. Unless compelled by law, we will never disclose personal information without the client’s knowledge and consent;
- to facilitate our internal and external administrative processes including financial and business operations and reporting requirements;
- to obtain, maintain and comply with the terms of any applicable insurance policies;
- to comply with applicable laws.
How can personal information be accessed or corrected?
Clients may access their personal information and seek correction of it at any time by applying to our office in person or in writing. Clients will be formally identified before any personal information is released or amended.
There may be circumstances where it is appropriate for us to deny access to information, including, but not limited to, where giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety, or where access may have an unreasonable impact on the privacy of another individual. Other reasons for denying access may include:
- the request is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings between you and us and the information would not be accessible by the process of legal discovery in those proceedings;
- giving access would reveal our intentions in relation to negotiations with you and prejudice those negotiations;
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, relating to our functions or activities has been, is being or may be engaged in; and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
- providing access would be unlawful or if denying access is required or authorised under Australian law or a court/tribunal order;
- giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
- giving access would reveal evaluative information generated within the Foundation in connection with a commercially sensitive decision-making process.
Is personal information disclosed outside of Australia?
We do not disclose personal information outside of Australia, other than where it may be held on the servers of service providers (such as web site hosts) we use from time to time who may be located outside of Australia.
Internet transmission of information: Where appropriate we use secure transmission facilities. However, no transmission of information over the Internet can be guaranteed to be completely secure and we do not warrant the security of any information transmitted by or to us over the Internet.
Cookies: We may collect personal information through software such as cookies. A cookie is a text-only string of information that a website transfers to the cookie file of the browser on the hard disk of a user’s computer so that the website can remember that user. Without cookies, websites and their servers have no memory. This means that every time a user opens a new webpage on a website, the server where that webpage is stored will treat the user as new and require logon and password. In short, a cookie facilitates a user’s passage through a website.
What is the complaints process relating to personal information?
All office holders, members and staff are responsible for protecting the confidentiality of client information and business information. Refer any data breaches, or suspected data breaches, to the President or Secretary as soon as possible.
What is an eligible data breach?
An eligible data breach, defined in s 26WE(2) of the Act, is when:
- both of the following conditions are satisfied:
  - there is unauthorised access to, or unauthorised disclosure of, the information;
  - a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the information is lost in circumstances where:
  - unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
  - assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;…
If there is a suspicion of a breach
If we suspect that there has been an eligible data breach, a reasonable and expeditious assessment will be conducted within 30 days.
If we believe or have reasonable grounds to believe there has been a breach, then a statement will be prepared setting out:
- the business’s details;
- a description of the breach;
- the kind or kinds of information concerned; and
- recommendations about the steps that we will take in response to it.
If practicable, we will advise the contents of the statement to each of the affected members, donors or associates who may be at risk from the breach. If this is not practicable, we will publish the statement on our website and take other reasonable steps to publicise its contents. Communications with individuals will be via their preferred communication method. The statement will be submitted to the Privacy Commissioner.
Exception to reporting
Mandatory notification requirements are waived if remedial action can be taken that results in a reasonable person concluding that the access or disclosure is not likely to result in serious harm to any of those individuals.
Further information may be provided by contacting the President or Secretary.