Policy, Legislation, Scope
We respect your right to privacy under the Privacy Act 1988 (Cth) and we comply with all of the Act’s requirements in respect of the collection, management and disclosure of your personal information.
This policy is not a replacement for any Act or Regulation. The criminal law and legislation still apply to all staff. If any conflict arises between this policy and the provisions of any Act or Regulation, the latter provisions will prevail.
The following legislation and conventions are relevant to this policy:
- Charitable Fundraising Act 1991 (NSW)
- Health Records and Information Privacy Act 2002 (NSW)
- National Disability Insurance Scheme Act 2013 (Cth)
- Privacy Act 1988 (Cth)
- Privacy Amendment (Private Sector) Act 2000 (Cth)
- Privacy and Personal Information Protection Act 1998 (NSW)
Who is this policy for?
Clients, members, donors, staff, volunteers, supporters and board of MDNSW, and users of the MDNSW website.
What type of information do we collect, hold and how do we collect it?
What type of information do we collect and hold?
MDNSW is a member-based association, not-for-profit charity, and service provider, delivering NDIS services and supports. For MDNSW to carry out our activities, we collect personal information from people involved with the association.
MDNSW only collects personal information by lawful means and will not collect information in any unreasonably intrusive way.
We collect the following information:
- your name, address, email, phone number/s, gender, date of birth
- payment information for a service or a donation
- information on family members, carers, and relationship to client
MDNSW will only collect sensitive information that is necessary to provide services and supports to clients.
The type of sensitive information collected may include:
- health or medical information
- information about a client’s disability
- information about a client’s cultural background and/or religious beliefs
- billing information and Medicare/NDIS number/Tax file number
- information generated by a health service provider (e.g. notes, opinions about an individual and their health)
We do not use or disclose Medicare, NDIS or tax file numbers unless we need to by law or you have consented to disclose this information to a third party.
We may also collect information that doesn’t identify a person directly – like statistics from a survey / consultation, or how many people access our website and what they click on so we can improve our website.
How do we collect your information?
We collect your information directly from you in most cases, including:
- from our website, when you sign up for something or donate to MDNSW
- from surveys and evaluations you complete (unless you choose to be anonymous)
- from social media – e.g., interactions on our Facebook page or community fundraising pages
- over the phone or in person as part of our client services and supports
- over the phone or in person as part of our fundraising activities
- from an application form for a MDNSW event or program
- from a MDNSW Service Agreement
What happens if we can't collect your information, and for what purpose do we hold, use and disclose information?
What happens if we can’t collect your personal information?
You have the right to choose what information you will share. If you choose not to provide us with the personal information described above:
- we may not be able to provide the requested services to you, either to the same standard or at all.
- we may not be able to send you information about programs and services that you may be interested in if, for example, we don’t have your contact details.
- your experience of our website may not be as enjoyable or useful
- we may not be able to process payments, issue receipts and other administrative actions.
For what purposes do we collect, hold, use and disclose your personal information?
We collect personal information about you so that we can perform our activities and functions and provide the best possible quality of customer service.
We collect, hold, use and disclose your personal information for the following purposes:
- to provide services to you and to send communications requested by you
- to keep your personal details up to date
- to distribute information about fundraising events and opportunities to donors and supporters
- to keep accurate records about MDNSW membership, including payments
- to inform clients about MDNSW’s programs, supports, and events that might be of interest
- to process and respond to any complaint made by you; and
- to comply with any law, rule, regulation, lawful and binding determination, decision, or direction of a regulator, or in co-operation with a governmental authority.
We will only collect, use and share your information with your consent unless it is required by law.
At all MDNSW multi-day events, we have an obligation to ensure all participants, staff members and volunteers are kept safe, and any potential or real outbreaks of illness are planned for and dealt with appropriately. To do this, we have implemented the following procedures:
- Completion of Rapid Antigen Tests on all arriving participants, staff members and volunteers at events, and again on the third day of the event (for longer events)
- Collection of all participants, staff members, volunteers and visitors’ details and contact information, to ensure adequate record keeping in the event of a COVID-19 outbreak, to assist with contact tracing.
Personal information will only be used or disclosed on a ‘need-to-know’ basis, for example to NSW Health or the NDIS.
We will only collect and use the minimum amount of personal information reasonably necessary to prevent or manage a potential COVID-19 outbreak.
From whom do we collect your information, and when do we disclose this information?
From whom do we collect your information?
MDNSW will generally collect information directly from the client but may also collect information from relevant third parties including families, carers, service providers and government organisations.
Where information is collected from third parties, MDNSW will use reasonable endeavours to:
- ensure the information is accurate
- inform the client of the information collected
MDNSW will take reasonable steps to ensure the client is aware of:
- the name of the person/organisation MDNSW received information from
- their right to access the information
- the purpose for which the information is collected
- any law that requires the information to be collected
- what will happen if we don’t receive this information
In what circumstances may we disclose your information?
MDNSW may disclose personal and sensitive information:
- where necessary to provide services or supports
- in an emergency where failure to disclose the information may cause adverse outcomes for the client
- to organisations providing services for MDNSW such as legal, financial, reporting, surveying – provided those organisations also undertake to protect the confidentiality of that information.
- when required by law.
Where a client is incapable of making decisions about the provision or disclosure, a responsible person as defined by legislation may make this decision on behalf of the client.
MDNSW encourages family support and communication between family members. However, MDNSW will not provide personal information about a client aged over 16 years to family members without the individual’s consent.
Information may be disclosed for other purposes permitted by privacy legislation including but not limited to where legislation requires that the information be released, MDNSW is subpoenaed to provide information for court proceedings, or there is an overwhelming public interest in disclosing the information.
Unsolicited information, Personal dignity and privacy and disclosing information outside of Australia
Unsolicited information is personal, sensitive and/or health information that a staff member may have received without taking any active steps to collect it.
If MDNSW receives unsolicited personal information, staff need to consider whether they could have lawfully collected the information. That is:
- was the information reasonably necessary for one or more functions or activities?
- was it sensitive information requiring consent?
If you could have lawfully collected the information, then you may keep the information, but you must handle it in accordance with the relevant Privacy Laws. This includes notifying the person concerned where reasonable.
If the information is not reasonably necessary for one or more of your organisation’s functions or activities, then you will need to destroy or de-identify the information. However, before you destroy any information, you must make sure there is no other legal requirement to retain it. If you are not sure, seek legal advice before destroying or de-identifying information you have on file.
Personal dignity and privacy
Where MDNSW provides services of a highly personal nature with clients, such as dressing, showering and other personal services, MDNSW will provide clients with as much privacy as possible to protect their personal dignity.
MDNSW will ensure all staff providing personal care services are appropriately trained and deliver services sensitively and professionally.
Do we disclose your personal information to anyone outside Australia?
It’s rare that MDNSW would be asked to disclose personal information to a person outside of Australia. MDNSW will only do so:
- with your consent
- if we reasonably believe the recipient is subject to a law, binding scheme or contract which is substantially like the Australian Privacy Principles
- if the transfer of information is for your benefit.
A cookie is a small data file stored on your computer’s browser. Cookies allow our website to “remember” what a user has done on previous pages or interactions with the website to enhance users’ experience.
Most websites and internet browsers support cookies; however, users can set their browsers to decline certain types of cookies or specific cookies or delete cookies at any time. You will usually find information on cookies and how to manage them under ‘options’ or ‘settings’ in your browser. This may inactivate some of the features of our website.
Disclosure of Donors’ personal information and Direct marketing materials
Disclosure of Donors’ personal information
Personal information may be disclosed to third parties for marketing purposes: we may provide your contact details to other like-minded organisations to contact you with information that may be of interest to you. From time to time, we participate in data collectives where we share your personal information (other than sensitive information) with other organisations.
If you would prefer not to receive communications from other organisations, please let us know. Contact us at Muscular Dystrophy NSW – PO Box 1450 Parramatta NSW 2124, Tel: +612 9888 5711 and email: email@example.com
Otherwise, we will only share your personal and sensitive information in accordance with your consent and instructions, as provided through the exclusions set out in the Australian Privacy Principles, or in accordance with the specific collection statement provided to you by us at or near the time of collection of your personal and sensitive information.
Direct marketing materials
We may send you direct marketing communications and information about our products and services that we consider may be of interest to you. These communications may be sent in various forms, including mail and email, in accordance with applicable marketing laws.
At any time, you may opt-out of receiving marketing communications from us by contacting us at: Muscular Dystrophy NSW – PO Box 1450 Parramatta NSW 2124 Tel: + 612 9888 5711 or via email: firstname.lastname@example.org
We do not provide your personal information to other organisations for the purposes of direct marketing. If you do not elect to opt out, we will assume we have your implied consent to receive similar information and communications in the future.
Accessing and correcting your personal information and Security of personal information
How can you access and correct your personal information?
You may request access to any personal information we hold about you at any time by contacting us.
Where we hold information that you are entitled to access, we will try to provide you with suitable means of accessing it, for example, by mailing or emailing it to you within 30 days of your request. We will need to verify your identity first. This information will not be unreasonably withheld.
There may be instances where we cannot grant you access to the personal information we hold. For example, if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.
If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment, then we will add a note to the personal information stating that you disagree with it.
Security of personal information
MDNSW takes reasonable steps to ensure your personal information is protected from misuse and loss and from unauthorised access, modification, or disclosure. We may hold your information in either electronic or hard copy form.
Access to personal information in electronic records is restricted to authorised staff and is password protected. MDNSW uses multi-factor authentication (MFA) processes to further enhance security across systems and data is stored on Australian-based servers.
Any hard copy records are securely stored or disposed of according to the relevant law or regulation.
All staff complete screening checks before commencing employment with MDNSW, including Working with Children checks, NDIS Worker Checks and National Police checks.
Privacy breach process
What is the process for complaining about a breach of privacy?
If you believe that your privacy has been breached, please contact us using the contact information below and provide details of the incident so that we can investigate it.
Our procedure for investigating complaints of this nature is explained in our Complaints Feedback and Resolution Policy and you can contact us by phone, email, and website or at our office – details at the end of this policy.
Where a serious breach has been suspected, MDNSW will comply with the Privacy Act requirements. We will investigate, act to mitigate any further breach, notify the affected people and report the breach to the Office of the Australian Information Commissioner (OAIC).
Photos, video and written material, De-identified data, Anonymity and Links to external websites
Photos, video and written material
MDNSW uses images, videos, and stories of the people in the MDNSW community, including children, on our website, social media and in other communications including email, newsletters, promotional materials, and annual reports.
MDNSW includes image and video consent in all program and service applications; however, staff will attempt to seek your consent if your/your child’s image is selected to be used in MDNSW communications.
Crowd photos/video taken at events are an exception because it can be very difficult to identify and contact every person in a crowd photo. Event participants will be notified if photographs or video will be taken at the event in the promotional material and at the event. The images/videos will only be used to promote our services, programs, or fundraising activities.
People whose image, video or story is being used by MDNSW can withdraw their consent at any time by contacting us by phone, email or via the website. MDNSW will make our best efforts to remove the image/other media in a timely manner. However, where images are used in print publications or in a video, removing an image from circulation might be impossible. If this is the case, MDNSW will advise the person.
Personal information where details are removed so a person cannot be reasonably identified is de-identified data.
MDNSW uses de-identified data to:
- report statistical information to funding bodies and donors.
- conduct research and service improvement initiatives.
This information is not personal or sensitive because it is de-identified. When using data for this purpose MDNSW will ensure that no individual could reasonably be identified from the data used even after primary identifiers have been removed.
Only de-identified data will be used for research purposes. Any research requiring identification of a client requires their explicit consent.
Where it is lawful and practicable, individuals may interact with MDNSW without identifying themselves, or use a pseudonym if they choose to.
However, when accessing member services and other direct services it is not practicable to do so without individuals identifying themselves.
Links to external websites
Our website contains links to other websites operated by third parties. These links are provided for your information and convenience and are not an endorsement by MDNSW of the content of third party websites.
If you use these links, you leave our website. We make no representations or warranties in relation to the privacy practices of any third party website and we are not responsible for the privacy policies or the content of any third party website. Third party websites are responsible for informing you about their own privacy practices.
Contact and Complaints
We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to discuss your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.
Please contact us at:
More information on making complaints and contacting external bodies to make a complaint is available in our Compliments Suggestions and Complaints information.
Updated policy approved by Board February 2021, received minor amendments and is due for review April 2023.