Hear and Say adheres to the Privacy Act definition of ‘personal information’ as any information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
This policy applies to all Hear and Say activities and those involved including families, partners, donors, volunteers, board members and staff. Furthermore, this policy applies to written, verbal and electronic forms of information.
The policy also covers health information which is classified as ‘sensitive information’ and special care is taken in the maintenance and storage of health records and the release or alteration of health information.
We will not provide personal information to any other individuals or organisations without prior consent except where required by law to do so.
At times, we may also disclose information on a confidential basis with:
- contractors who provide services, for example, database management, printing and mailing to Hear and Say;
- overseas recipients, such as a medical practitioner, about an individual if they are using our health services and they reside outside Australia; and
- emergency services in the case of an emergency.
In these cases, we will take reasonable steps to ensure use of information in accordance with the Privacy Act. We will seek consent before any information is disclosed.
3. Policy Statement: Our commitment
Hear and Say is committed to protecting the privacy and rights of individuals in relation to how we collect, store and use their personal information, their needs and the services we provide them. We want our families, partners, donors, volunteers and staff to have confidence that we take these responsibilities seriously.
To implement this policy, we will:
- provide Hear and Say families and donors with information about their rights regarding privacy;
- take all precautions necessary to ensure privacy for Hear and Say families and donors when they are being interviewed or discussing matters of a personal or sensitive nature with staff and/or volunteers by using private rooms;
- store information as per the File Storage and Information Sharing Procedure;
- maintain up-to-date Policies and Procedures which are accessible to staff and management; and
- update personal information on an annual basis and archive or delete (as necessary) old information.
The Australian Government introduced legislation that came into effect on 21 December 2001 to protect the privacy of individuals. This legislation is comprised of 13 National Privacy Principles that apply to private sector organisations. From 12 March 2014, the Australian Privacy Principles (APPs) replaced the National Privacy Principles and Information Privacy Principles and apply to organisations and Australian Government (and Norfolk Island Government) agencies. Further information about these principles can be obtained by calling the Office of the Australian Information Commissioner on 1300 36 39 92 or through their website at www.oaic.gov.au.
We abide by the 13 Australian Privacy Principles of:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
From 22 February 2018 amendments to the Privacy Act 1988 took effect, introducing a mandatory notification procedure for data breaches.
Hear and Say collects personal information which is required for us to carry out our work and deliver hearing health services to the community. We collect information from:
- Families (parents and children)
Where practicable, we will collect personal information directly from the individual or family:
- In person at Hear and Say
- In person at an event
- Over the phone
- On our website
The types of personal information that Hear and Say collects may include:
- Name (wherever practicable, you have the option of not identifying yourself or of using a pseudonym when dealing with us)
- Contact information (both home and work), email address, postal address, phone numbers
- Date of birth
- Educational qualifications
- Details related to normal business practices
- Details relating to the goods and services you obtain from us
- Details relating to the donations you make to us
- Details related to your health care (see section below on health information), your opinions and feedback on our services via surveys and questionnaires
We collect personal information to communicate our services, operations, activities and objectives, which may include:
- Clinical and health support services
- Professional and community education
- The promotion of listening and spoken language development
- Training services and conferences
- Research activities and publications
- Ways to support us financially
- Employment and volunteering opportunities.
In relation to marketing and communications, we will provide you with options to ‘opt out’ of some or all communications and/or marketing.
Integrity of personal information
We will take reasonable steps to ensure that the personal information we collect is accurate, up-to-date and complete. The accuracy of personal information depends largely on the information provided to us by the individual.
We recommend that you:
- Inform us if there are any errors in your personal information; and
- Keep us updated with changes to your personal information (such as your name or address)
We will take reasonable steps to correct personal information we hold when we are satisfied that it is inaccurate, outdated, incomplete, irrelevant or misleading for the purpose for which it is held.
Correcting your personal information
The quality of personal information we hold is important to us, and we have processes in place to monitor it. Where we are satisfied that personal information we hold is incorrect having regard to the purpose for which we are holding it, we will correct it to ensure it is accurate, up-to-date, complete, relevant and not misleading.
You may also request us to correct your personal information at any time. If you wish to request access to your personal information, or to correct it, please contact us initially in writing either by email to firstname.lastname@example.org or by mail to:
Hear and Say
PO Box 930
Toowong, Qld Australia 4066
We will take reasonable steps to verify your identity before granting access or making any corrections to or deletion of your information. We will not charge you for making your request nor for correcting the personal information.
If we correct or update personal information that has been previously disclosed to another entity, and you request that we notify the other entity of the correction, we will take reasonable steps to give that notification unless it is impracticable or unlawful to do so.
Health information and other sensitive information we collect
Hear and Say is a health service, and as part of providing our services we collect health information and other sensitive information. Sensitive information we collect includes personal information such as:
- Medical history
- Racial or ethnic origin
- Religious beliefs or associations
- Philosophical beliefs
- Health information
We seek to limit the collection and use of sensitive information to what is essential. Wherever practicable, we seek consent before we collect this information.
We may also collect personal information from other entities in relation to providing our health services. We will only collect personal information if consent to disclose personal information has been granted.
If we receive unsolicited personal information we will determine whether this information is directly related to our activities and functions. If we determine that this is not the case, we will either destroy the information or ensure that it is de-identified before we store it.
If no or only some personal information is provided, we may not be able to offer services.
We do not collect, hold or disclose sensitive information for the purpose of direct marketing.
At times we may disclose personal information to overseas recipients, such as a medical practitioner, about an individual if they are using our health services and they reside outside Australia. We will take reasonable steps to ensure the overseas recipient uses the information in accordance with the Privacy Act. We will seek your express consent before this health information is disclosed.
We take reasonable steps to ensure your personal information is protected from misuse and loss and from unauthorised access, modification or disclosure.
Access by staff to personal or sensitive information is strictly controlled through passwords and documented procedures.
We may hold your information in either electronic or hard copy form. Hard copy information is stored in our offices, which are secured to prevent entry by unauthorised people.
If we hold personal information that we no longer require we will take reasonable steps to destroy the information or to ensure that the information is non-identified. Certain information contained in a Commonwealth record, or information we are required to retain by Australian law, or a court/tribunal order will not be destroyed.
As we are bound by the Australian Privacy Principles we abide by the new data breach reporting obligations, if there is an “eligible data breach”. We will notify the Office of the Australian Information Commissioner and any parties who are “at risk” because of the breach.
An “eligible data breach” is either:
- unauthorised access or disclosure of information that a reasonable person would conclude is likely to result in serious harm to any individuals to whom the information relates; or
- information that is lost in circumstances where unauthorised access or disclosure of information is likely to occur and it can be reasonably concluded that such an outcome would result in serious harm to any of the individuals to whom the information relates.
The Act provides that it may not be an “eligible” data breach if circumstances allow action in response to the breach before any disclosure or serious harm occurs. In this case there is no need to go through the notification steps.
When you use our websites, we may utilise ‘cookies’ which enable us to monitor web traffic patterns and serve you more efficiently if you revisit the site. A cookie does not identify you personally, but it does identify your computer. You can set your browser to notify you when you receive a ‘cookie’ and this will provide you with an opportunity to either accept or reject it in each instance.
How we may use and disclose your personal information
Hear and Say will only use or disclose personal information for the purpose it was collected.
Hear and Say will not provide your personal information to any other individuals or organisations without your prior consent except where required by law to do so or where that information is provided on a confidential basis to contractors who provide services, for example, database management, printing and mailing to Hear and Say.
Hear and Say at times utilises social media-based custom audience functions, which enables customised audiences to be developed based on uploaded data for promotion of Hear and Say’s activities. Your disclosed contact data may be used for audience-matching purposes. If you wish to opt out of having your details used in this manner, please contact us via email@example.com.
Research, analysis and management, funding and monitoring of our services
We are permitted to collect health information for research which is relevant to public health or safety, analysis of statistics, or the management, funding or monitoring of our health service. We undertake these types of activities in order to improve hearing health, to educate, to promote listening and spoken language development, to set clinical benchmarks and to prevent and manage childhood hearing loss and/or diseases. When we use or disclose personal information for these purposes we will always take reasonable steps to protect the individual’s privacy. Non-identifying information, from which all identifiers have been removed such that no specific individual can be identified, will be used for all research publications and presentations. Please refer to our research policy (1.21) and procedure for more detailed information related to client confidentiality and research.
Direct marketing communication is any information we may send you to tell you about our services, products, fundraising or any other activity which we consider may be of interest to you. In general, we collect this information directly from you, such as when you make a donation to us. These communications may be sent by various means including mail, email, SMS or telephone, according to applicable marketing laws, such as the Spam Act 2003 (Cth).
You may opt out of receiving further direct marketing communications from us by using an opt out facility provided in the direct marketing communication. We seek to make this as simple as practicable, and will comply with your request.
You can also opt out at any time by contacting us by email at firstname.lastname@example.org or writing to us at:
Hear and Say
PO Box 930
Toowong Qld Australia 4066
We do not collect, hold or disclose sensitive information for the purpose of direct marketing.
At times, we may collect, use or disclose personal information collected from a third party, such as a data list provider for direct marketing purposes. We will provide you with an opt out facility in the direct marketing communication and draw your attention to this fact.
If we engage another organisation to assist us in carrying out direct marketing on our behalf, we will ensure contractual arrangements with our supplier reflect our obligations under the Privacy Act.
Accessing your personal information
You are entitled to have access to any information relating to you which we hold, except in some exceptional circumstances permitted under the Privacy Act.
You may request access to your personal information, and we will deal with your request as promptly as possible, within a reasonable period. We reserve the right to charge you our reasonable costs incurred in supplying you with access to this information.
If we refuse to grant you access to your personal information, we will provide you with a written notice explaining the grounds for our decision and the avenues available for you to complain about the refusal. Wherever practicable, we will inform you in writing of any steps to assist you that may be taken that would mean that access would not be refused, such as by reframing the request or limiting the scope of your request.
In protecting the privacy of our families and donors, we ensure they are well informed about their rights and that we take our responsibilities seriously.
- Privacy and confidential forms are part of all enrolment packs for families.
- All forms of communication to donors have the option to ‘opt-out’.
- All clinical services are provided in a private room.
- Paper files are stored in staff-only access rooms.
- Access by staff to personal or sensitive information is strictly controlled through passwords and documented procedures.
In particular, we pay attention to the physical layout of our premises in regard to privacy. We make the following provision for private interview space when interviewing clients or talking with them about matters of a sensitive or personal nature:
- Clinical areas are locked with swipe access by staff members only;
- Administration areas are secure; and
- Alternative meeting rooms are available for face to face or phone calls that may contain sensitive conversations.
Contacting Hear and Say
Our representative will contact you within a reasonable time to discuss your concerns and outline options regarding how they may be resolved. If you are dissatisfied with our response, you may refer the matter to the Information Commissioner, and we will provide you with information on how to do this.
You can email us at email@example.com or write to us at:
Hear and Say
PO Box 930
Toowong, Qld Australia 4066
When purchasing from Hear and Say, your financial details are passed through a secure server using the latest 128-bit Secure Sockets Layer (SSL) encryption technology. 128-bit SSL encryption is estimated to take at least one trillion years to break, and is the industry standard.