This document sets out ROAM’s policy regarding the collection, use, storage, disclosure of and access to personal and sensitive information, including health information. ROAM is bound by the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth) (“Privacy Act”) as amended from time to time.
This Policy aims to foster and maintain public trust and confidence in the integrity and professionalism of ROAM by ensuring that ROAM complies with the Australian Privacy Principles which protect personal information in our possession.
When an individual provides personal information to ROAM they are agreeing to be governed by the terms of this Policy.
This policy applies to personal, sensitive and health information pertaining to any hardcopy or electronic record collected or created by ROAM.
This policy does not apply to:
- any statistical information or data that does not identify individuals, that might be released to third parties except those of our clients requiring that information for the purposes of evaluating a ROAM offer for professional services, research and analysis, or in compliance with a request from a bona fide law enforcement agency;
- information about a corporation; or
- employee records.
Australian Privacy Principles
ROAM is bound by the Australian Privacy Principles as set out in the Privacy Act. A summary of the most relevant of these principles, as adapted for ROAM, is set out below:
Principle 2 – Anonymity and Pseudonymity
Because of the nature of ROAM’s core business, it will usually be impractical for individuals transacting with ROAM to have the option of not identifying themselves or using a pseudonym. However, where it is lawful and practical to do so, ROAM will consider a written request by the individual.
The circumstances in which you can deal with ROAM anonymously or using a pseudonym include:
- making a general enquiry about the programs or projects that ROAM is involved in;
- when asked to participate in a survey for research purposes where identifying information is not essential;
- when making an enquiry about a position advertised at ROAM; and
- when offering general feedback outside of structured program feedback channels.
An individual may request at the start of any telephone call with ROAM, in relation to a general enquiry, to remain anonymous (or to use a pseudonym).
Principle 3 – Collection
ROAM will collect information only if the information is necessary for one or more of its functions or activities and with consent. ROAM must collect information only by lawful and fair means and not in an unreasonably intrusive way.
ROAM may collect and/or hold the following personal information (not including sensitive information):
- contact information such as name, address, email address, telephone numbers, fax numbers and date of birth;
- contact information for next of kin;
- results data;
- prior employment details or character references;
- financial details, including bank account details and credit card details;
- citizenship status;
- driver’s licence details;
- passport details;
- curriculum vitae (“CV”) application criteria, academic records/transcripts;
- police clearance records;
- application data;
- visa documents; and
ROAM may collect and/or hold the following sensitive information:
- medical information directly related to ability and/or competence to undertake a role, or fitness for duty assessments; and
- criminal record through a national police check; and
ROAM will not collect sensitive information about an individual unless:
- the individual has consented and the collection is reasonably necessary for ROAM’s functions or activities;
- the collection is required under law;
- the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, or to public health or safety; or
- the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
ROAM may collect and/or hold the following health information:
- information about the health or disability of an individual;
- information about a health service provided, or to be provided to an individual; and
- an individual’s expressed wishes about the future provision of health services to that individual.
ROAM collects, holds, uses and discloses personal, sensitive or health information to enable us to:
- market or promote our programs, projects, services and events directly to individuals;
- assess an applicant’s eligibility for employment, volunteer programs, scholarships, awards etc;
- resolve a complaint;
- provide further information about a program or project;
- administer our programs and projects;
- work with government agencies and other stakeholders to implement and run our programs and projects;
- record all relevant interactions with an individual; and
- for other purposes related to any of the above.
If it is reasonable and practicable to do so, ROAM will collect personal, sensitive and health information about an individual only from that individual through online application forms and hard copy documentation. However, there will be instances where ROAM will obtain such information from other sources, e.g. references for employment purposes, results data for prospective students / Award Holders / Volunteers etc. In such instances ROAM will take reasonable steps to ensure that the individual is or has been made aware except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
If ROAM does not collect the required personal, sensitive or health information it may not be able to provide an individual with the services requested, including access to a particular program or project.
Principle 6 – Use and Disclosure
Personal, sensitive or health information collected and held by ROAM will only be accessed and used in a manner consistent with the original purpose stated at the time of collection.
If required, information may be used or disclosed for a secondary purpose:
- with the individual’s written consent;
- if the individual would reasonably expect the information to be used or disclosed for this secondary purpose;
- to reduce or avoid a threat to an individual’s life, health or safety;
- to reduce or avoid a serious threat to public health and safety;
- when the use or disclosure is required or is specifically authorised by law;
- if ROAM has reason to suspect that unlawful activity or misconduct of a serious nature has been or is being engaged in, in relation to ROAM’s functions or activities, and the use or disclosure is necessary to allow ROAM to take appropriate action; or
- as required by law to certain government departments and statutory bodies.
ROAM discloses information to necessary third parties, who assist to implement, provide, manage and administer our programs and projects. The third parties include (but are not limited to):
- program stakeholders (includes government agencies and private sector organisations) such as the Department of Defence, the Department of Education, the Department of Foreign Affairs and Trade;
- Australian educational institutions for the purposes of accessing scholarship applications;
- entities that have a role in running the projects and programs that we offer, such as host organisations or sub-contractors.
We may disclose information to overseas parties for the purposes of undertaking our projects and programs.
On receipt of personal, sensitive and health information, third parties are responsible for the management, use and disclosure of the information provided. ROAM’s Policy will no longer apply to this information.
Principle 7 – Direct Marketing
ROAM may use personal information (excluding sensitive information) for the purposes of marketing and promoting our programs, projects, services and events to an individual. Examples include sending scholarship recipients invitations to alumni events.
If an individual no longer wishes to receive marketing/promotional material they may select the ‘opt-out’ option provided within the material sent to them or may send an opt-out request to the Program Manager using the contact details provided in this Policy.
Principle 8 – Transborder Data Flow
ROAM will only disclose personal, sensitive or health information about an individual to someone who is outside Australia if:
- the individual consents to the transfer; or
- ROAM reasonably believes that the recipient is subject to privacy laws similar in scope to the Australian Privacy Principles and there are mechanisms for the individual to take action to enforce these laws.
Principle 9 – Government Related Identifiers
ROAM will not adopt unique government related identifiers of an individual as its own (unless expressly allowed under the Privacy Act) nor will it require an individual to provide a unique identifier in order to obtain a service.
Principle 11 – Security
ROAM holds all information in hard copy documents and/or in electronic format.
- Take reasonable steps to ensure that personal, sensitive or health information is protected by all reasonable safeguards against loss, interference, unauthorised access, modification, disclosure or any other misuse.
- Ensure that personal, sensitive or health information is kept for no longer than is necessary for the purposes for which it may lawfully be used. Hard copy records no longer required will be disposed of securely and in accordance with any requirements for the retention and disposal of personal information.
ROAM implements this by using the following safeguards:
- imposing confidentiality requirements on employees;
- imposing our Code of Conduct policy expectations and requirements on employees;
- implementing policies in relation to document storage security;
- implementing security measures to govern access to ROAM’s systems;
- only providing access to personal information once proper identification has been given;
- controlling access to premises; and
- implementing website protection measures.
Principle 12 and 13 – Access and Correction
If ROAM holds personal, sensitive or health information about an individual it will provide the individual with access to that information on request by the individual, except to the extent that ROAM is governed by legal processes.
Where providing access would reveal evaluative information generated within ROAM in connection with a commercially sensitive decision-making process, ROAM may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
If ROAM holds personal, sensitive or health information about an individual and the individual is able to establish to the satisfaction of ROAM that the information is inaccurate, incomplete, irrelevant, misleading or not up-to-date, ROAM will take reasonable steps to correct the information, having regard to the purpose for which it is held.
A request for access to, or correction of, an individual’s information should be directed to the Program Manager via the contact details provided in section 2 of this Policy.
Such a request will be dealt with by the Program Manager as soon as reasonably practicable. If the individual’s request is denied, ROAM will provide a written notice detailing reasons for the refusal and the process for an individual to make a complaint about the refusal to grant the request.
ROAM may deny access to an individual’s personal information if:
- access would pose a serious threat to the life or health of any individual or the public;
- access would have an unreasonable impact on the privacy of other individuals;
- the request for access is considered “frivolous” or “vexatious”;
- the information relates to a commercially sensitive decision making process;
- access would be unlawful or denying access is required or authorised by law or a court order;
- ROAM has reason to suspect that unlawful activity or serious misconduct is being, or has been, engaged in with regard to our business functions or activities and the granting of access would prejudice ROAM’s ability to take appropriate action;
- access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security function, or negotiations with the individual;
- the information relates to negotiations or legal proceedings that are in place, or anticipated, between an individual and ROAM; or
- access would be likely to prejudice enforcement related activities conducted by an enforcement body.
ROAM will take appropriate steps to verify an individual’s identity (or the person’s authority to act as a legal guardian or authorised agent of the individual concerned) before granting a request to access or correct personal, sensitive or health information.
An individual also has a right under the Freedom of Information Act 1982 (Cth) (“FOI Act”) to request access to documents held by a government body and to seek correction or annotation of those documents. Due to the nature of ROAM’s activities and involvement with a number of government bodies, ROAM may hold information to which an FOI request relates. ROAM will comply with a request for information (or the correction or annotation of information) made by a government body in relation to an individual’s FOI request, in accordance with the requirements of the Privacy Act.
Managing Data Breaches
ROAM maintains strict ICT controls and risk mitigation strategies to ensure the safety, security and management of our data. In the unlikely event of a data breach occurring, the relevant Manager must immediately notify ROAM’s Program Manager.
A data breach can be defined as an instance of personal information held by ROAM being lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. This could include:
- a database containing personal information being hacked;
- personal information mistakenly provided to the wrong person; or
- a device or laptop containing personal information being lost or stolen.
Any instances of data breaches will be managed in accordance with the Notifiable Data Breaches (NDB) requirements as outlined in the Data Breach Notification Guide and recorded on ROAM’s Privacy Breach Incident / Complaint Form.
Any person who, on reasonable grounds, believes that ROAM has breached this Policy may complain in writing to the Program Manager, specifying details of the alleged breach. A written complaint can be emailed or posted to the Program Manager using the contact details set out in this Policy.
It is requested that the written complaint be forwarded within six (6) months of the time the complainant first became aware of the breach. If a complaint is received after this time, ROAM may not be able to investigate the complaint.
The Program Manager shall investigate complaints as expeditiously as practicable and shall provide a written copy of the findings of fact and recommendations made to the (“Executive Team”) and to the complainant within 30 days of receipt of the complaint.
The Executive Team will determine what action will be taken on any recommendation contained in the findings as presented by the Program Manager.
The Program Manager will keep a confidential record of complaints and resolutions.
If an individual is unsatisfied with the outcome of a complaint, the complaint may be referred to the Office of the Australian Information Commissioner to be resolved.
If an individual wishes to:
- make a complaint about ROAM’s compliance with the Australian Privacy Principles;
- gain access to or seek correction of personal, sensitive or health information;
- contact ROAM with a query about how an individual’s personal, sensitive or health information is collected or used; or
an individual can speak directly to a ROAM staff member who will do their best to try to resolve the issue as simply as possible. Alternatively, an individual can write or send an email to ROAM so that the Program Manager can consider the matter. The Program Manager will respond as soon as reasonably practicable.
ROAM’s contact details are as follows:
Position: Program Manager, ROAM
Phone: +61 8 8364 8500
Email address: email@example.com
Postal address: 41 Dequetteville Terrace, Kent Town SA 5067
For more information on privacy, visit the Office of the Australian Information Commissioner’s website.
This Policy was last updated on 10 November 2017.