This policy describes how Bankstown Canterbury Community Transport (BCCT) protects and handles personal information, including sensitive information, in accordance with its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).
Staff and volunteers of BCCT have a responsibility to uphold and respect the privacy and confidentiality of all BCCT Stakeholders as described within the Privacy Act and APPs.
Why do BCCT collect personal information?
BCCT collects personal information to perform the day to day operations of a Community Transport organisation within the Commonwealth Home Support Program and Disability Services guidelines. These functions include:
- Day to day transport for frail and/or aged and people with a disability.
- For referral to other service providers in collaboration with service users.
How do BCCT collect personal information?
In general, BCCT collect personal information directly from people when they deal with BCCT by telephone, letter, email, face-to-face or through our website where it is reasonably necessary for, or directly related to, our functions or activities.
Personal information the service user gives to BCCT
BCCT may collect personal information directly from the service user in the following instances:
- At referral by either telephone, email, fax or website form.
- At assessment by telephone.
- When booking for transport by telephone, email, fax or website form.
- If the service user is a complainant: when a complaint is submitted either by letter or telephone.
If the service user provides BCCT with personal information which is also sensitive information, the service user will be asked to consent to our collection of their sensitive information. BCCT will only collect sensitive personal information about the service user when the information is reasonably necessary, or directly related to, one or more of BCCT’s functions. For example, BCCT will collect health information from a service user only if it is reasonably necessary for, or directly related to their transport or referral to another service provider.
Personal information BCCT may collect from third parties
In carrying out our functions, BCCT may also collect personal information from other parties related to a service user’s transport including:
- Another service provider.
- If appropriate, a guardian, partner, carer or close relation of the service user.
If BCCT collect personal information from other sources, BCCT will seek a service users’ consent to collect the information unless:
- It is impracticable or unreasonable to obtain the information directly from the service user.
- BCCT are concerned about their safety or whereabouts when the service user is scheduled to have an appointment with us.
If BCCT collect their personal information from another source, BCCT will take reasonable steps in the circumstances to ensure that the service user is notified:
- That BCCT collected their personal information from another source.
- What BCCT will do with the information.
- Of any other person or body to whom BCCT may share or disclose the information. For example: mandatory reporting for abuse disclosures.
What kind of personal information do BCCT collect and hold?
The types of personal information BCCT collect and hold will depend on the function or activity being undertaken. Examples of personal information that BCCT collect and hold include:
- Name, email, telephone, address and any personal information that relates to the transport required (including health information).
Examples of sensitive information BCCT collect and hold include:
- Health information, including information or opinion about the health or disability of an individual, the provision of a health service, or the person’s wishes about the provision of a health service.
Can the service user deal with BCCT anonymously or pseudonymously?
Where it is practicable, the service user may choose to remain anonymous or adopt a pseudonym when dealing with BCCT.
Due to the nature of BCCT’s operations it is impossible to access BCCT services anonymously, though a pseudonym maybe used at the behest of a service user.
A service user may choose to make a complaint about the processes of BCCT anonymously. However, if the service user chooses to interact with BCCT anonymously or to use a pseudonym, the extent to which BCCT may be able to respond to their enquiry or process their complaint may be limited.
Alternatively, the service user may ask BCCT to process their complaint confidentially. This means that their identity will be known to the Executive Officer but not provided to the other parties to the complaint. Whether the Executive Officer will accept their request for confidentiality will depend on the circumstances of the matter.
To make a complaint about a decision of BCCT, BCCT will need to collect the service users’ name and contact details. The Executive Officer is required to collect this personal information to determine if the service user has standing to make a complaint.
How BCCT deal with unsolicited information
If the service user sends BCCT their personal information when BCCT doesn’t ask for it (unsolicited personal information), BCCT will determine whether or not the information is related to one or more of BCCT’s functions. If the information is not relevant, BCCT may destroy or de-identify the personal information if it is lawful and reasonable to do so.
How BCCT keeps personal information secure
BCCT uses a range of physical and electronic security measures to protect personal information from misuse and loss and from unauthorised access, modification or disclosure. For example, BCCT restrict physical access to our office and areas housing personal information, use lockable cabinets, secure databases, permission restrictions and password protection. Emails the service user send to us are screened by our email security systems and may be viewed by authorised staff members for security purposes.
How does the service user access and correct their personal information?
A service user has the right to request access to their personal information held by BCCT and to request the information be corrected in certain circumstances.
BCCT will provide the service user with access to their personal information or take reasonable steps to correct their personal information to ensure that it is accurate, up-to-date, complete, relevant and not misleading, subject to any applicable exceptions under the Privacy Act.
To obtain access or seek correction of their personal information, the service user should contact BCCT and make a request to the relevant officer. The service user request should state that they are seeking access to, or correction of, personal information in accordance with the Privacy Act. They should also specify the information they are seeking access to or if they are seeking for it to be corrected, including the reasons why the information should be corrected.
Before providing access to or correcting a service users’ personal information, BCCT may require the service user to verify their identity. A service user will not be charged for lodging a request to access or correct their personal information.
In general, BCCT will respond to the request within 30 days of the request being made. If access or correction is refused, BCCT will provide the service user with a written notice setting out the reasons for the refusal and information about how the service user can make a complaint. If their correction application is refused, BCCT will take reasonable steps to associate a statement with their personal information which provides that the service user believes that their personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Alternatively, the service user may request that BCCT handle their request for information or their amendment or annotation request under the Freedom of Information Act 1982 (FOI Act). Any requests under the FOI Act must be in writing and should be sent to the Executive Officer at BCCT.
How does the service user make a complaint about BCCT privacy practices?
If the service user has a concern about the way BCCT handled their personal information, the service user can make a complaint under the Privacy Commissioner Complaints Mechanism.
Under the Privacy Act, the Australian Information Commissioner or the Privacy Commissioner have the power to investigate complaints or acts or practices that may be a breach of privacy even if there is no complaint. If the service user has made a complaint to BCCT about a BCCT practice that the service user thinks amounts to an arbitrary or unreasonable interference with their privacy; and the service user does not believe that the matter has been resolved satisfactorily, the service user should either write to the Privacy Commissioner setting out the details of the practices which the service user thinks interfere with their privacy, or telephone the Privacy Hotline 1300 363 992 (local call charge).
If the service user wishes, the service user may make a complaint directly to the Privacy Commissioner rather than to BCCT. In most cases, however, it is likely that the Privacy Commissioner would refer the service user to BCCT, in the first instance, to see if their complaint can be resolved without requiring the involvement of the Privacy Commissioner.
Consequences for breach of Privacy or Confidentiality
Breaches of privacy and confidentiality are considered to be very serious and severe disciplinary action may arise (which may include termination of employment and/or referral to relevant authorities), following appropriate investigations.