At Gippsland Community Legal Service (GCLS), we recognise the importance of client privacy and understand client concerns about the security of the personal information they provide to us.
We comply with the Australian Privacy Principles (APPs) as contained in the Privacy Act 1988 (Cth), the Information Privacy Principles (IPPs) as contained in the Information Privacy Act 2000 (Vic), and the Health Privacy Principles (HPPs) as contained in the Health Records Act 2001 (Vic).
The APPs, IPPs and HPPs detail how personal, sensitive and health information may be collected, used, disclosed, stored and destroyed, and how an individual may gain access to or make complaints about the information held about them.
This policy details how GCLS manages personal information about clients (including sensitive information and health information), whether they are:
- A GCLS client;
- A person on the other side of a CLE legal matter; or
- A volunteer for GCLS.
- Personal information is information or an opinion about an identified individual, or about an individual who is reasonably identifiable.
- Sensitive Information, a sub-set of personal information, is information or an opinion about an individual’s racial or ethnic origin, political opinions, political association membership, religious beliefs or affiliations, philosophical beliefs, professional or trade association membership, trade union membership, sexual orientation or practices or criminal record, and includes health information and genetic information.
- Health Information is information or an opinion about an individual’s health or disability, the health services provided or to be provided to them, their expressed wishes for the provision of future health services, personal information collected to provide a health service, personal information collected in connection with organ and body-part donation, and predictive genetic information.
- Consent means written and verbal consent.
- An individual’s personal information can generally be used or disclosed for any purpose to which he or she has consented.
- Consent must be obtained before the personal information is used or disclosed and is best obtained at the time of collection.
- Consent must be voluntary (not given under pressure), informed (the consequences of providing consent have been explained) and current (not provided earlier under different circumstances).
- The Privacy Act applies to children in the same way it applies to adults. To determine if a child is competent to make their own privacy decisions, regard should be had to the child’s maturity, understanding of the issues, and degree of autonomy, and to the sensitivity of the information.
WHAT INFORMATION WE COLLECT AND HOLD
Clients and other parties
The kinds of personal, sensitive and health information we collect from clients (or prospective clients) or about clients depends on the services they have engaged us to provide.
The kinds of personal, sensitive and health information that we commonly collect and hold from clients or about clients include: their name, address, phone, fax and mobile numbers, email address, family composition, nationality and cultural background, religious beliefs and affiliations, date/s of birth, gender/s, occupation/s, employment details, financial records, income details, asset listings, taxation records, bank account details, insurance policies, medical history, disability status, criminal record and court records, applicable welfare and agency referrals, and the history of and a client’s relationship with others involved in the matter. We may also collect other personal, sensitive or health information, depending on the nature of the matter.
It is possible for GCLS to collect, hold, use and disclose personal, sensitive and health information about people who are not clients or people with whom we have only limited contact. This will commonly occur where we are engaged to act against a person or in a matter with which a person is otherwise involved. In these cases, we may collect personal, sensitive and health information from a person directly, or about a person from our client, other third parties or publicly available sources. We may do this without the consent of the person, and without notifying the person of the collection of this information.
The kinds of personal, sensitive and health information that we commonly collect and hold from or about prospective and current volunteers include: name, address, phone, fax and mobile numbers, email address, occupation, professional association membership, qualifications, emergency contact and next-of-kin details, and photographs.
When a person browses our website or contacts us electronically, we may record: statistical data, the date and time of the visit to the site, the pages accessed and documents downloaded, the previous sites visited and the type of browser used. Note that none of the statistical information we collect allows us to identify a visitor to our website. The information we collect from a visit to our website is used by us to help administer and improve the website.
We do not use ‘Cookies’ on our website. Cookies are small text files placed on your hard drive by website hosts. They allow a site to recognise a repeat visitor and to store information on the user’s computer so that the information can be referenced later.
Note that our website does not have facilities for the secure transmission of emails. If a person is concerned about the security of any personal information submitted by email, they should contact us using an alternative method (e.g. telephone, fax, secure post or encrypted message).
HOW WE COLLECT AND HOLD INFORMATION
Information clients provide
We will generally collect personal, sensitive and health information only directly from a client, unless it is unreasonable or impracticable for us to do so. For example, we collect personal, sensitive and health information from a client or about a client from correspondence that a client submitted to us, meetings and interviews with us, telephone calls with us, the instructions provided to us, and from submissions made on our website.
Information provided by other people
In some instances we may receive personal, sensitive and health information about clients from third parties, such as associated businesses, government agencies, welfare agencies and referrers (e.g. other law firms or financial counsellors). We may also receive personal, sensitive and health information about clients from their family members, authorised third parties and publicly available sources.
Anonymity and pseudonymity
A person can be anonymous or use a pseudonym when dealing with us, unless:
- The use of a person’s true identity is a CLE legal requirement; or
- It is impracticable for us to deal with a person on such basis.
WHY WE COLLECT, HOLD, USE & DISCLOSE INFORMATION
We collect, hold, use and disclose personal, sensitive and health information from clients or about clients where it is reasonably necessary for us to carry out our business functions and activities, and to provide CLE legal advice and assistance. For example, we collect, hold, use and disclose personal, sensitive and health information as necessary to act for a client or in a matter against another person.
We work closely with many other businesses and agencies, such as other law firms, financial counsellors, barristers, courts, police, and welfare agencies. We routinely disclose a client’s personal information to these third parties where it is reasonably necessary for them to assist us to provide our CLE legal services to a client, or to enable them to provide related service offerings that a client has requested.
We may collect sensitive information from a client or about a client where there is a CLE legal requirement to do so, or where we are otherwise permitted by law. In all other situations, we will specifically seek a client’s consent.
We also collect, hold, use and disclose a client’s personal, sensitive and health information for purposes related to the provision of our CLE legal services that would reasonably be expected, such as file research, services planning, our own internal administrative and accounting functions, our professional obligations, data backups, marketing and promotions, educational briefings and other service offering updates, conducting client satisfaction surveys and feedback requests, statistical collation, government reporting and website traffic analysis.
Where we wish to use or disclose a client’s personal, sensitive and health information for other purposes, we will obtain the client’s consent.
We may also disclose personal information to third parties (including government departments, enforcement bodies and professional registration and accreditation bodies) where required or permitted by law.
If we do not collect, hold, use or disclose a client’s personal, sensitive and health information, or if a client does not consent to the provision of such information, then we may not be able to answer their enquiry, or provide the CLE legal services we have been engaged to provide.
HOW WE HOLD AND STORE INFORMATION
Personal, sensitive and health information is held and stored on paper, by electronic means or both. We have physical, electronic and procedural safeguards in place and take reasonable steps to ensure that all personal, sensitive and health information is protected from misuse, interference and loss, and from unauthorised access, modification and disclosure. These safeguards are outlined in the GCLS Confidentiality Policy and in the Anglicare Victoria, Storage, Protection and Backup of Client
DESTRUCTION AND DE-IDENTIFICATION
We will retain personal, sensitive and health information whilst it is required for any of our functions, or for any other lawful purpose. For example, we necessarily retain records of client names and the names of opposing parties indefinitely, so as to avoid conflicts of interest.
We will also retain personal, sensitive and health information for the time periods required by law (commonly, 7 years).
We use secure methods to destroy or to permanently de-identify personal, sensitive and health information when it is no longer needed.
We do not share personal, sensitive or health information overseas.
REQUESTS FOR ACCESS AND CORRECTION
We have procedures in place for dealing with and responding to requests for access to, and correction of, the personal, sensitive and health information held about a client. A client’s right to request access may arise under Privacy Legislation, their retainer with us, the Legal Profession Uniform Law or the common law.
In most cases, we expect that we will be able to comply with a client’s request. However, if we do not agree to provide a client with access or to correct the information as requested, we will give the client written reasons why.
To assist us to keep our records up-to-date, we require that clients notify us of any changes to their personal, sensitive and health information.
COMPLAINTS AND CONCERNS
We have procedures in place for dealing with complaints and concerns about our privacy practices.
We will respond to a complaint in accordance with our policies.
Clients have a right to lodge a complaint if they believe their rights relating to their privacy have been breached.
GCLS staff, students and volunteers are responsible for ensuring all clients are aware of this right and are fully informed on how to lodge a complaint.
All complaints must be in writing (assisted by a staff member when required), be signed by the individual and clearly set out the breach of their privacy that is the cause of their complaint.
Complaints must be immediately referred to the Principal Lawyer/Privacy Officer who will acknowledge receipt of the complaint and respond to it.
It is the intention that complaints are resolved internally and before reference by the individual to the Privacy Commissioner.