Last reviewed September 2014
Cancer Council SA supports the importance that the community places on the maintenance of confidentiality of individuals’ personal and/or sensitive information. This extends to the collection and management of information held in the records regarding individuals.
Cancer Council SA is a non-government charitable organisation. Our core business is cancer control, through cancer research, raising community awareness, education programs and provision of counselling and support services to people with cancer, their family, friends and carers. Cancer Council SA activities are largely funded by public donations and bequests.
We value the privacy of personal information. Our procedures ensure that personal information (also referred to as information or details) and privacy rights are protected.
Cancer Council SA is bound by the Australian Privacy Principles (APPs) in the Commonwealth Privacy Act 1988 (Privacy Act). These principles regulate the way that we collect, hold, use and disclose information. You can find out more about these principles by calling the Office of the Privacy Commissioner or visiting the website at www.oaic.gov.au.
(a) how we collect, use, disclose and store personal information;
(b) how someone can contact us if they want to access or correct personal information; and
(c) how someone can make a complaint about an alleged breach of the APPs by us, and how Cancer Council SA will deal with that complaint.
1. Personal Information
The Privacy Act defines “personal information” to mean information or an opinion about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in material form or not.
1.1 Sensitive information
Sensitive information is a subset of personal information. It means, for example, information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, that is also personal information, or health information about an individual.
In general, we attempt to limit the collection of sensitive information, but given the counselling and support services offered by Cancer Council SA this is not always possible and we may need to collect sensitive information in order to carry out the services provided. However, we do not collect sensitive information without an individual's consent (unless the Privacy Act allows us to do so, for example under a permitted general or health situation).
The type of sensitive information we may collect or record, is dependent on the services provided by Cancer Council SA and we will not collect it unless the information is reasonably necessary for one or more of Cancer Council SA's functions or activities. We do not use your sensitive information to send you direct marketing communications without your consent. We may seek your consent to do so when we collect sensitive information from you.
2. Collection of personal information
2.1 Types of information we may collect
Cancer Council SA collects and holds personal information from customers, employees, contractors, and from other individuals. We only collect personal information that is reasonably necessary for what we do.
Where it is practicable and lawful to do so, Cancer Council SA will enable you to interact with it anonymously or pseudonymously (such as when using Cancer Council Helpline 13 11 20 or Quitline, in some circumstances). Given the nature of what we do, however, anonymous or pseudonymous dealings with us will not often be practicable, and will not allow us to provide many of our products or services.
In additional to certain types of sensitive information (such as health information), the type of personal information we may collect includes the following:
(a) contact information (both home and work) such as full name (first and last), e-mail address, current postal address and phone numbers;
(b) date of birth;
(c) employment details, including but not limited to job title, any training and skills;
(d) financial details;
(e) insurance policies and details, if applicable;
(f) your opinions via surveys and questionnaires, if applicable;
(g) details relating to the goods and services obtained from us;
(h) details relating to your donations made to us;
(i) any relevant payment or billing information (including bank account details, credit card details, billing address and invoice details); and
(j) username and password when setting up an account on our website.
2.2 Direct collection
As much as possible, we will collect information directly from an individual, unless it is unreasonable or impracticable for us to do so (in which case we may collect information from other sources). We may also collect individuals' personal information from publicly or commercially-available sources.
2.3 Optional activities
Cancer Council SA may collect personal information through the conduct of certain activities, such as when individuals purchase a product, sign up for a service, enter a contest or promotion, fill out a survey or send us feedback. Participation in these activities is voluntary.
2.4 Mandatory information
Depending upon the reason for requiring the information, some of the information we ask for may be identified as either mandatory or voluntary. If mandatory information (or any other information we require) is not provided, we may be unable to effectively provide our services or products. For example, we will not be able to process donations if we do not receive the relevant payment or billing information.
2.5 Website “cookies”
Our website may utilise "cookies" which enable us to monitor traffic patterns and to serve users more efficiently. A cookie does not identify individuals personally but it does identify their computer. Browser settings can notify the receipt of a cookie and provide an opportunity to either accept or reject it in each instance.
IP addresses may be gathered as part of our business activities and to assist with any operational difficulties or support issues with our services. This information does not identify individuals personally.
3. Use and disclosure of personal information
3.1 Use and disclosure
We will only use or disclose personal information for the primary purposes for which it was collected (or as consented to by individuals and/or as set out in this section 3). We will generally not use or disclose the information for another purpose (that is, a secondary purpose) without the individual's consent, or in the circumstances set out in this section 3.
The purposes for which we use or disclose personal information generally include:
(a) if required, the verification of your identity;
(b) fundraising, including the processing of your donations and grants;
(c) the processing of scholarships, awards and courses;
(d) undertaking and publishing the results of research and related documentation;
(e) processing your orders, including to communicate concerning such orders;
(f) the provision of our goods and services to you (as applicable), including but not limited to counselling, support services, volunteering and fundraising;
(g) the administration and management of your donations or our goods and services, including charging, billing, credit card authorisation and verification and collecting debts to the extent that such information is not directly provided to our third party hosted payment system for processing;
(h) the improvement of our services (including contacting you about those improvements and participation in surveys about the goods and services);
(i) the maintenance and development of our goods and services, products, business systems and infrastructure;
(j) sending you direct marketing information about our products, services, events, fundraising, conferences and other promotional activities, either in relation to us, other Cancer Councils, or like-minded organisations (see paragraph 4(f)), which we consider may be of interest to you (including by direct mail, telemarketing, email, SMS and MMS messages);
(k) to provide our customer service functions, including handling customer enquiries and complaints;
(l) to offer you updates, or other content or products and services
(m) our compliance with applicable laws;
(n) your employment (or potential employment) by us; and
(o) any other matters reasonably necessary to facilitate the primary purpose and to continue to provide our goods and services.
3.2 Circumstances where we may not seek consent
We may use or disclose personal information without consent :
(a) for a secondary purpose, where the individual would reasonably expect us to use or disclose their information for that purpose, and where that secondary purpose is related to the primary purpose of collection (or directly related, in the case of sensitive information);
(b) if we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety;
(c) if we have reason to suspect that unlawful activity or misconduct of a serious nature, relating to Cancer Council SA's functions or activities, has been, or is being, engaged in, and we reasonably believe the use or disclosure is necessary in order to take appropriate action; or
(d) if the use or disclosure is required or authorised by or under an Australian law, or a court or tribunal order,
or otherwise where the Privacy Act permits us to do so.
3.3 Additional consent required
If you have received communications (such as direct marketing materials) from us or from organisations that work with us, and you no longer wish to receive those sorts of communications, please contact our Privacy Officer by:
- e-mail at email@example.com
- by telephone on (08) 8291 4111
- facsimile on (08) 8291 4122, or
- by post at PO Box 929 Unley BC SA 5061, 202 Greenhill Road, Eastwood South Australia, 5063, and we will ensure you are removed from the relevant mailing lists and that the relevant communications cease.
4. The types of organisations to which we may disclose personal information
We will not disclose personal information to organisations outside of Cancer Council SA unless:
- we have your consent to do so and such disclosure is in relation to the goods or services we provide; or
- you would reasonably expect us to disclose your personal information to an organisation of that type; or
Furthermore, we will not make such disclosures to third parties unless we have taken such steps as are reasonable to ensure that these organisations and/or parties have agreed to use personal information for the purposes that Cancer Council SA prescribes and in accordance with the terms of the Privacy Act.
Examples of organisations and/or parties that personal information may be provided to, where appropriate, given the goods or services that we are providing to you (or where we have consent to do so), include:
(a) our contractors, third party service providers, volunteers and agents;
(b) offshore service providers, if any;
(b) charitable or like-minded organisations, grant and award providers which are aligned with Cancer Council SA, and third party service providers that facilitate the sharing of information between such types of charitable or like-minded organisations;
(c) third party service providers, Government departments and agencies, volunteers and medical health personnel that may assist Cancer Council SA with financial support, transportation and accommodation services;
(d) third party service providers, Government departments and agencies, volunteers and medical health personnel that may assist Cancer Council SA with counselling, fundraising and support services;
(e) third party service providers, Government departments and agencies, research institutions including but not limited to hospitals and universities, volunteers and medical health personnel that are concerned with cancer research and prevention;
(f) Cancer Council Australia and State and Territory Cancer Councils that are members of Cancer Council Australia (Cancer Councils); and
Refer to Section 6.1 and 6.2 below for more information about the disclosure of information to offshore service providers.
6. Cross Border Disclosure
6.1 Disclosure of personal information overseas
Cancer Council SA may from time to time utilise data hosting facilities or enter into contractual arrangements with third party service providers to assist Cancer Council SA with providing our goods and services to you. As a result, personal information provided to Cancer Council SA may be disclosed to, and stored at destinations outside Australia, including but not limited to, New Zealand, Netherlands, China, Singapore, Hong Kong, Japan, Ireland, Canada, United States of America and the United Kingdom.
Personal information may also be processed by staff or by other third parties operating outside Australia who work for us or for one of our suppliers, agents, partners or other Cancer Councils.
Prior to disclosing personal information to third party service providers operating outside Australia, Cancer Council SA takes reasonable steps (in those circumstances) to ensure that the overseas recipient will handle that information in a way that does not breach the APPs. Cancer Council SA engages all third party service providers operating outside Australia under contractual arrangements that require those parties to comply with the Privacy Act and the APPs.
7. Data quality and security
At all times we will take reasonable steps to ensure personal information is safe including:-
(a) making sure that the personal information we collect, use or disclose is accurate, complete up to date and relevant;
(b) protecting personal information from misuse, interference, loss, unauthorised access, modification or disclosure both physically and through computer security methods; and
(c) destroying or permanently de-identifying personal information if it is no longer needed for any purpose for which we are permitted to use or disclose it.
We cannot guarantee the security of all transmissions or personal information, especially where the Internet is involved. Notwithstanding this, we have implemented appropriate internal procedures to respond to the unauthorised access, modification or disclosure of personal information in a manner which constitutes a data breach (Security Incident) including, but not limited to, taking reasonable steps to contain the Security Incident, undertaking a preliminary assessment of the Security Incident and (where appropriate following the results of that assessment) implementing appropriate changes. Where required under the Privacy Act, or in any instance where we feel it is appropriate to do so, we will notify affected individuals and the appropriate authorities if a Security Incident occurs.
8. Access, correction and deletion of personal information
An individual is entitled to have access to personal information relating to them which we possess, except in some circumstances provided by law. We may also charge a fee for providing access (which will be limited to the amount of our reasonable expenses incurred in responding to your request, including photocopying and administrative expenses). We will not charge a fee for you to lodge a request for access.
The accuracy of your personal information held by us depends largely on the information you provide to us. If you become aware that the personal information we hold about you is inaccurate, incomplete, out of date, irrelevant or misleading, then you should contact us. We will correct our records of your personal information.
If we disagree with you about the accuracy of the personal information we hold about you, we will keep a record that there is a difference of opinion about that information.
If we do not correct your personal information, as requested, we will give you a written notice setting out our reasons for refusal, along with details of how you may complain about the refusal.
Individuals wishing to access, or to correct or update their personal information should contact the Privacy Officer.
8.3 Destruction of personal information
Generally, we will destroy personal information we no longer need for the purposes for which we collected it, or for the purposes of fulfilling our legal obligations.
However, we do maintain some personal information, such as past transactions for our accounting and audit requirements.
Alternatively, a copy may be requested from the Privacy Officer.
10. Contacting our Privacy Officer
Cancer Council SA has appointed a Privacy Officer to:
- address compliance with the Privacy Act generally;
- address concerns about the manner in which Cancer Council SA collects, uses and discloses personal information; and
- handle any complaints about an alleged breach of the Privacy Act by Cancer Council.
Any complaints about an alleged breach of the Privacy Act must be made in writing to the Privacy Officer at the contact details set out below. Cancer Council SA aims to respond to any requests for access and queries (or complaints) at first instance within 30 days of the date of receipt of the request or query (or complaint).
Please contact our Privacy Officer by email at firstname.lastname@example.org or write to us:
PO Box 929
Unley BC SA 5061,
202 Greenhill Road,
Eastwood South Australia, 5063.
If you are not satisfied with the manner in which we have handled your request, enquiry or complaint, you are entitled to contact the Australian Privacy Commissioner by telephone on: 1300 363 992 or by email: email@example.com.
More information about Privacy Act and the APPs is available from the Office of the Australian Information Commissioner at www.oiac.gov.au.