Introduction
The Privacy Act 1988 (Cth) (Privacy Act) requires entities bound by the Australian Privacy Principles to have a privacy policy dealing with the management of personal information held by those entities.
This privacy policy has been developed to ensure that personal information that is collected by Central Australian Women’s Legal Service Inc (CAWLS) is handled appropriately in line with the Australian Privacy Principles and the Privacy Act. We are committed to handling all personal information that we collect and hold in accordance with the Australian Privacy Principles and the Privacy Act. This commitment is demonstrated in this policy.
The specific legal obligations of CAWLS when collecting and handling your personal information are outlined in the Privacy Act and in particular, in the Australian Privacy Principles found in Schedule 1 of the Privacy Act. The website of the Office of the Australian Information Commissioner contains useful information on the Privacy Act and the Australian Privacy Principles and it can be accessed by going to https://www.oaic.gov.au.
This Policy applies to all records, whether hard copy or electronic, containing personal information about individuals, and to interviews or discussions of a sensitive personal nature, including CAWLS organisational and internal records, client records and unpublished materials of CAWLS. We may be required to update this policy from time to time. Our information handling practices may change due to technological changes, changes in CAWLS’s practices, and feedback from stakeholders and the general public as well as changes in the Privacy Act and corresponding regulations. Our privacy policy as updated from time to time will be publicised on our website and any updated versions will be emailed to all CAWLS employees and volunteers who are required to familiarise themselves with any updates.
Scope
This policy applies to any person (these include all clients, volunteers and contractors) for whom we currently hold, or may in the future collect, personal information but it does not apply to the current and former employees.
This policy does not apply to acts and practices that relate directly to the employee records of our current and former employees. However, this policy does apply to our handling of personal information of CAWLS volunteers.
We collect, hold, use and disclose personal information to carry out our functions and activities as a specialist community legal centre assisting women in Central Australia & the Barkly region.
These functions and activities include:
- Providing legal services and referrals for women in the areas of domestic & family violence, family law, child protection, some areas of sexual assault; other civil law matters and some areas of criminal law.
- Maintaining relationships with stakeholders including government, peak bodies, funding bodies, corporate sponsors and donors;
- Developing and participating in law reform activities, such as writing law reform submissions and appearing and giving evidence before parliamentary inquiries;
- Providing community legal education for service providers, service volunteers and women in Central Australia & the Barkly region;
- Developing media releases and campaigns on legal and social issues affecting women;
- Assessing suitable candidates for career opportunities with CAWLS;
- Running our website and social media pages; and
- Engaging in fundraising events.
Collection of your personal information
Personal information includes a broad range of information, or an opinion, about an identified or reasonably identifiable individual. At all times, we endeavour to only collect the personal information we need for a particular function or activity we are carrying out.
The main way we collect personal information about you is when you give it to us, such as when you:
- Contact us to ask us for information;
- Use any of our services such as our Domestic Violence drop in service, our law advice clinics, financial counselling clinics, or our duty lawyer services;
- Receive legal services from us, or are referred to us, through our Health Justice Partnerships and other referral pathways
- Attend our Community Legal Education or education/training workshops.
- Attend a fundraiser or function;
- Attend or register for a community education event organised by us;
- Ask for access to information that we hold about you or other information about CAWLS’s operation; and
- Apply for a job vacancy or volunteer role at CAWLS.
We collect personal information through a variety of methods including, but not limited to:
- New client intake forms;
- Copying of disclosure documents and other information particulars during the course of a legal matter;
- Other party details during the life of a file (no consent by the other party given necessarily);
- Attendance at community legal education seminars or other meetings;
- Comments or complaints made to CAWLS; and
- Training or fundraising events.
What kinds of personal information do we collect and hold?
We collect different personal information depending on our relationship with you and the service being provided or the function or activity for which we are collecting the information. This includes collecting personal information from our sponsors/funders, prospective employees and volunteers.
The types of information that we may collect from you to provide client services include:
- Contact information such as your name, address and phone number;
- A case summary containing the information relating to your particular matter;
- Safe methods of contact and safety regarding leaving a phone message;
- Information about domestic violence, urgency of matter and housing stability;
- Demographics such as CALD and Indigenous status, language, whether an interpreter is required, visa status and disability;
- Name, date of birth, and relationship of any other parties involved in the matter, including any legal representatives;
- Name and age of your children (if applicable), and who they reside with;
- Services requested or reason for contacting us;
- Sensitive information (see further below);
- Financial and employment information;
- Family circumstances;
- Gender;
- Referral information relating to internal and external referrals of clients such as date of referral, referral entities and reasons for referral;
- Descriptions of domestic violence acts or history of domestic violence committed against you;
- Information relating to court orders;
- Information otherwise required by law; and
- Any other personal information required to provide legal or other services to you.
We collect this personal information from you so that we can assist you with your legal issues and can provide you with any support or referrals that you require. When information is being sought from you to provide client services, we will obtain your consent to collect the information. We will also answer or address any concerns about the way your personal information will be recorded and managed.
We also collect personal information that you provide when you apply for a role with us. This includes:
- Contact information such as your name, address and phone number;
- Education details;
- Employment history and reference details;
- Any other personal information that you submit if you apply for a position with us.
If you are a volunteer at CAWLS, the types of personal information we may collect from you include:
- Contact information such as your name, address and phone number;
- Emergency contact/next of kin details;
- Services to be provided on our behalf;
- Employment history and reference details; and
- Resumés and practicing certificate.
If you are involved in fundraising or sponsorship activities with CAWLS, the type of personal information that we may collect from you includes your name, contact details and dietary requirements. In order to make payment to us for fundraising, third party companies that are independent to CAWLS may collect your credit card or banking information. This information is not collected by or shared with us.
We may also collect your name and contact details and some other personal information if you participate in a meeting with us or assisting in our law reform or campaigning endeavours.
What kinds of sensitive information do we collect and hold?
Sometimes we may need to collect sensitive information about you, for example, to handle your legal matter. This might include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal records, genetic or biometric information.
In particular, to enable us to provide legal services to you, we may collect information on whether you are First Nations, have a disability or are from a non-English speaking background. We will not collect sensitive information without your consent to which the information relates unless permitted under the Privacy Act and required by us to provide you with the services requested.
Indirect collection
In the course of assisting you with a legal matter, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties (such as experts or witnesses). We will only collect personal information about you from publicly available sources and/or third parties in legal matters where you would reasonably expect us to do so or with your consent.
We may also receive unsolicited personal or sensitive information relating to you from third parties such as the other side in a legal matter. In such circumstances we will notify you of such provision of personal information from the third party as soon as practicable after the event.
Destruction of personal and sensitive information
We will destroy or permanently de-identify personal information that is no longer needed or after legal requirements for retaining documents and personal records have expired.
Records are kept for seven years from the last point of service provision unless special circumstances exist which require the client record to be held for a longer period for example, ongoing legal proceedings. Once records have reached the seven-year destruction date, the hard copy records are disposed of securely by shredding via an external agency (e.g. where the files are held in off-site archiving) and any electronic client data that we hold will also be deleted.
Anonymity
We generally require your details to provide legal advice to ensure we meet our ethical obligations as solicitors and comply with the CLCA practice guidelines. Only in very limited circumstances are we able to provide legal advice anonymously or without full client details.
Website and social media
You can access our website and social media platforms and browse the site without disclosing any personal information to us. No attempt will be made by us to identify users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider’s logs.
We will only record your email or contact address if you send us a message. It will only be used for the purpose for which you have provided it and will not be added to a mailing list, unless expressly requested by you. We will not use your e-mail address or contact for any other purpose and will not disclose it to a third party without your consent.
We only collect general data analytics from our social media sites that are de-identified e.g. the number of interactions and followers. Participants in law reform, research, advocacy marketing projects Personal information is collected for purposes of law reform, research, advocacy or marketing projects. The personal information collected is limited to that which is required for the conduct of the project/publication.
We will not collect any information that may be led to you being identified in any form without your express written permission.
If you are invited to participate in a research project you will be:
- Given a choice about participating or not;
- Given the right to withdraw at any time;
- Informed about the purpose of the research project, the information to be collected, and how information they provide will be used/distributed; and
- Offered copies of any subsequent publications.
Disclosure
We take all reasonable steps to use and disclose personal information for the primary purpose for which it is collected.
The primary purpose for the collection, use and disclosure of your personal information varies, depending on the particular service being provided. However, it is generally to provide legal advice and other services to women in Central Australia and the Barkly.
For a job applicant, the primary purpose for our collection and use of your personal information is to assess your suitability and eligibility for a position with us and we will not use or disclose this personal information for any other purpose.
For volunteers, the primary purpose for our collection and use of your personal information is to manage our volunteering arrangement with you. Access to personnel information is restricted to the Volunteer Program Manager, CEO and the volunteer’s supervisor.
For persons involved in fundraising or sponsorship activities, the primary purpose for our collection and use of your personal information is to obtain funding. For these purposes, we may share your name and dietary requirements with suppliers involved in these activities e.g., caterers.
We may also use or disclose your personal information for secondary purposes that you would reasonably expect and that are related to the primary purpose of collection. In a legal matter, for instance, we may disclose personal information to other service providers, such as barristers, experts and solicitors, to enable us to carry out our primary purpose of providing legal services to you. If identifiable information about you will be shared with another agency (for example, for facilitated referrals or partner agencies) we will obtain your consent for this, preferably in writing, but verbal consent if writing consent is not possible. We will record the date of the verbal consent or obtain your signature on our ‘Consent to Share Information’ Form.
We will only disclose personal information to third parties with your consent, if compelled under limited circumstances (such as a Court Order or by law) to disclose such information or if the disclosure is permitted by the Privacy Act.
Disclosure to Community Legal Centres Australia
If you are a client, we share your information with Community Legal Centres Australia through their community legal services system for reporting, funding and law reform purposes. The community legal services system is designed for community legal centres in Australia as a case management and funder reporting database.
The storage of this information must be in compliance with the Australian Privacy Principles and your information is entirely private and not accessible to other community legal centres. However, there is general information that will be accessible in reports to funding bodies, state managers and community legal centres in Australia, but those reports contain no personal information.
Disclosure to overseas recipients
We are unlikely to disclose personal information about you to overseas recipients. We will only disclose your personal information to overseas recipients in accordance with Australia Privacy Principle 8, such as in circumstances where you consent to the disclosure of the information to an overseas recipient or if the disclosure is required by Australian law.
Disclosure to service providers
We use a number of service providers to whom we may disclose personal information. These include providers that host our website servers, our domain and manage our IT.
Quality of your personal information
To ensure that the personal information we collect is accurate, up-to-date and complete we:
- record information in a consistent format;
- where necessary, confirm the accuracy of information we collect from a third party or a public source; and
- promptly add updated or new personal information to existing records.
We also review the quality of personal information before we use or disclose it.
Storage and security of your personal information
We hold personal and sensitive information:
- In hard copy:
- In the compactus or relevant solicitor or social worker’s filing cabinet, and
- At external archiving facilities following all legislative requirements for storage and confidentiality of legal documents.
- Electronically, through:
- Internal servers and websites and a private cloud;
- On electronic storage devices, including USB;
- Email systems on Microsoft Outlook; and
- Through a third-party document storage service called Microsoft SharePoint.
Staff solicitors, staff social workers, staff financial counsellors, paralegals, administration officers, administration volunteers and volunteer support workers are authorised to access the compactus and filing cabinets for the purposes of filing or retrieving legal or social work client files.
We have security measures in place to protect against the loss, misuse and alteration of personal and sensitive information under our control. Some of these security measures include:
- All hardcopy personal and sensitive information is kept securely;
- All personal and sensitive information kept electronically is held on secure servers with substantial security measures in place;
- We regularly assess the risk of misuse, interference, loss and unauthorised access, modification or disclosure of personal information;
- Staff are provided with regular privacy and data breach training and every new staff member is required to undergo an induction program that includes information on these topics;
- We have a data breach response plan setting out the process to follow in the event of an actual or suspected data breach;
- We have designated client meeting areas to ensure personal information privacy and security;
- We use tools such as WithSecure, and regularly monitor our systems (for example, through anti-virus alerts);
- We adopt Australian Cyber Security Centre best standards regarding passwords, including requiring users to periodically reset passwords, implementing a lockout for multiple failed login attempts, and discouraging users from reusing the same password across critical services or sharing passwords;
- We keep operating systems, browsers and plugins up-to-date with patches and fixes;
- We make sure that the latest versions of software are in use and that processes are in place to ensure that patches and security updates to applications are installed as they become available;
- We employ multi-factor authentication for remote access to CAWLS’s systems and multifactor security on email accounts, and use anti-virus and firewall software; and
- We keep audit logs in case of a data breach, including tracking on files.
However, we cannot guarantee that personal and sensitive information cannot be accessed by an unauthorised person or that unauthorised disclosures will not occur.
We are not responsible for the content of other internet sites, including links to external websites from CAWLS’s webpages. Other internet sites or services that are accessible through CAWLS’s website have separate data and privacy practices independent of us. We recommend that you read and familiarise yourself with the privacy policy of other websites that you visit or any links that you may click on when browsing our website. Please contact other entities directly if you have any questions about their privacy policies.
Data breaches and loss of data
A data breach happens when personal or sensitive information is accessed, used, modified or disclosed without authorisation or is lost. We have developed a data breach response plan to mitigate potential harm to any persons affected by a data breach.
In summary, our data breach response plan:
- outlines the responsibilities of staff members when there is a data breach or suspected data breach and directs them as to the steps that they should take;
- appoints a data breach response team;
- sets out a strategy for containing, assessing and managing data breaches;
- specifies the process for notifying any affected persons and the Privacy Commissioner about an eligible data breach; and
- outlines the review process to help prevent data breaches in the future.
If it becomes apparent to us that your personal or sensitive information is involved in an eligible data breach, you will be notified in accordance with the provisions of the Notifiable Data Breach Scheme of the Privacy Act.
Please contact us if you suspect or would like more information about a possible data breach or to request a copy of our data breach response plan.
Accessing and correcting your personal information
Under Australian Privacy Principles 12 and 13 of the Privacy Act, you have the right to request access to the personal information that we hold about you or ask for your personal information to be corrected.
You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to. If we make a correction and we have disclosed the incorrect information to others, you can ask us to tell them about the correction. We must do so unless there is a valid reason not to.
We will ask you to verify your identity before we give you access to your information or correct it. We are entitled to deny access to, or refuse correction of, your personal information in certain circumstances. Some examples of when we will deny access are if your request is impractical or unreasonable, or providing access would have an unreasonable impact on the privacy of another person. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.
If we refuse to correct your personal information, you can ask us to associate with that particular personal information (for example, attach or link) a statement that you believe the information is incorrect and why.
If you need to access or correct any personal information we hold about you or your organisation, please contact us using the contact details below.
How to make a complaint
If you wish to complain about an alleged privacy breach, you should follow the following process:
- A complaint must be made to us in writing about how we have handled your personal information, using the contact details outlined below. We will respond to your complaint within 30 days.
- If you are not satisfied with our response to your complaint, you may take your complaint to the Office of the Australian Information Commissioner who can be contacted at the following details:
- Phone number: 1300 363 992
- Fax number: 02 9284 9666
- Electronic www.oaic.gov.au.
- Postal address: GPO Box 5218, Sydney, NSW, 2001
Contact details
If you would like to make a complaint or request to access or correct personal information that we hold about you, you may make the request in writing. Our contact details are as follows:
- Phone number: (08) 8952 4055
- Email: enquiries@cawls.com.au
- Postal address: PO Box 3496, Alice Springs NT 0871