The Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Data Protection Act 2014 and other State and Territory laws relating to privacy, regulate the handling of personal information about individuals.

Thirrili Ltd is bound by privacy laws relating to the protection of an individual’s personal information and is committed to ensuring full compliance with the principles in the legislation in the collection and handling of that information.

This Policy is to:
• ensure that Thirrili Ltd Board Directors, staff, clients, contractors, consultants, and others engaged in Thirrili Ltd activities, comply with legislative requirements in relation to privacy and managing information.
• set out how we collect, use, and manage personal and sensitive information.
• provide an understanding of rights and responsibilities relating to privacy.
• guide Thirrili Ltd’s complaints handling procedure.
• ensure individuals’ rights to privacy are respected and protected.
• ensure all information gathered is stored securely and destroyed securely.

This Policy applies to all Thirrili Ltd Board Directors, staff, clients, contractors, consultants,
and others engaged in Thirrili Ltd activities, or who may collect, access, use, disclose or
manage personal information.

Personal information is any information or an opinion, about an identified individual who is reasonably identifiable, whether the information is true or not and whether the information or opinion is recorded in material form or not. This includes both sensitive and health information.

Sensitive information includes information or an opinion about an individual's health, racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or membership of a trade union, sexual orientation or practices, or criminal record biometric information.

Pseudonym is a name that an individual assumes for a particular purpose and where Thirrili Ltd is not obliged to collect that individual’s true name.

Authorised Officer includes Executive Manager, Corporate for staff-related information, Executive Manager, Programs and Policy with respect to client information, the Chief Executive Officer for all information.

Thirrili Ltd respects every individual’s legal right to privacy and seeks to manage information it handles responsibly and fairly.
It is Thirrili Ltd’s responsibility to protect all individual’s privacy and protect all personal information collected from:
• Thirrili Ltd clients
• Thirrili Ltd staff
• Contractors and consultants engaged by Thirrili Ltd
• Representatives and agents of Thirrili Ltd, and
• Board Directors.

Thirrili Ltd may disclose information for certain legislative or funding requirements that may be placed upon Thirrili Ltd from time to time.

Thirrili Ltd primarily collects personal information when it is reasonably necessary for or directly related to one or more of its activities or functions. The kind of personal information collected will depend on the relationship an individual has with Thirrili Ltd and may include when they:
• receive Thirrili’s support as clients.
• work for Thirrili Ltd or apply for a job.
• interact with or request information from Thirrili Ltd.
• make a donation.
• join a mailing list or contact list.
• provide a service to Thirrili Ltd (i.e., supplier or service provider).
• correspond with Thirrili Ltd.

Thirrili Ltd also collects information for planning, funding, monitoring, and evaluating services.

Where possible, Thirrili Ltd collects all personal information directly from the individual it relates to or from an authorised representative and will only collect personal information by lawful and fair means. This may be in person, on the telephone, on-line or through a form or document.

Where it is reasonably necessary, Thirrili Ltd may collect information from third parties. If Thirrili Ltd collects solicited information about an individual from a third party, Thirrili Ltd will take reasonable steps to ensure that the individual is or has been made aware that the information has been collected, how it was collected, and from whom.

Non-identifying information may be collected where:
• collection is necessary for research, or compilation or analysis of statistics relevant to government funding requirements, or
• the information relates to an individual’s Indigenous status is collected for the purpose of meeting government funding targets.

Personal information collected will be used and disclosed only for the primary purpose for which it was collected. Thirrili Ltd may use personal information to:
• provide support and assistance to our clients, or to refer to other services and programs.
• identify individuals.
• process donations and receipts.
• evaluate, develop, and improve our programs and services.
• facilitate and manage a staff member’s employment relationship.
• respond to queries or concerns.
• respond to lawful information requests from government agencies, courts or lawyers.
• provide promotional materials or marketing communications where consent has been provided.
• keep in contact with someone who is a supporter of Thirrili Ltd.

Thirrili Ltd may disclose personal information to others to carry out its activities. This may include its:
• client’s representatives (i.e., parent or carer of a client.)
• third party service providers who perform services on our behalf (i.e., payment processing, banking, professional services, superannuation funds, salary packaging provider).
• funding bodies or government agencies.
• third parties to check referees, police checks, verifying information, or law enforcement agencies.

Thirrili Ltd may use and disclose personal information for a secondary purpose where it is directly related to the primary purpose of collection. Thirrili Ltd will seek consent from an individual unless it is impracticable to do so or where Thirrili Ltd is obligated or authorised under certain exemptions set out in the privacy laws, e.g., when required under a court order or where it is necessary to prevent or lessen a serious and imminent threat to the life or health of a person.

Non-identifying information may be disclosed where the use or disclosure is necessary for research, or the compilation or analysis of statistics as part of government funding requirements.

Thirrili Ltd will take all reasonable steps to protect personal information it holds from misuse, interference and loss, unauthorised access, modification, or disclosure.

All personal information is securely stored and accessed by staff on a need-to-know basis only.

Thirrili Ltd will archive, destroy or de-identifies personal information if it is no longer needed in accordance with Privacy Laws and Thirrili Ltd’s Records Policy.

Thirrili Ltd seeks to protect personal information through policies on document storage and security, security measures for accessing computer systems, controlling access to confidential files, restricted user access and secure servers. Where Thirrili Ltd stores information with a third party, it will require the service provider to maintain security of the information.

An individual has the right to access their personal information except under law to the extent:
• where providing access would have an unreasonable impact on the privacy of others
• Thirrili Ltd reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety.
• denying access is required or authorised by or under an Australian law or a court/tribunal order.
• where providing access would be unlawful.
• the information relates to existing or anticipated legal proceedings between Thirrili Ltd and the individual.
• the request for access is frivolous or vexatious.
• where providing access would be likely to prejudice the taking of appropriate action where Thirrili Ltd has reason to suspect that unlawful activity or misconduct of a serious nature that relates to Thirrili Ltd’s functions or activities, has been, is being, or may be engaged in.

Requests for access should be made in writing detailing the type(s) of information requested. Thirrili Ltd will endeavour to respond as soon as is practicable and will provide access in the manner requested by the individual if it is reasonable and practicable to do so. Where Thirrili Ltd denies access, a written notice about the refusal and reasons will be supplied.

If Thirrili Ltd refuses to provide access in the manner requested, Thirrili Ltd will take all reasonable steps possible to give access in a way that meets both needs of the individual and Thirrili Ltd.

Thirrili Ltd will take reasonable steps to ensure that all personal information it holds is accurate, complete, up-to-date, and relevant for the purpose for which it is held. An individual may make a written request to correct personal information held about them at any time. Where Thirrili
Ltd refuses to correct the personal information as requested, a written notice about the refusal and the reason will be supplied. Thirrili Ltd will also take such action to amend information it holds that is found to be inaccurate, out of date, incomplete, irrelevant, or misleading.

For security reasons, Thirrili Ltd will take all reasonable steps to verify identity before actioning the request and may require an individual to answer several questions. Written requests must include the person’s full name, address and contact number.

Where Thirrili Ltd has previously disclosed personal information about the individual to another agency or third party, an individual can request Thirrili Ltd to notify the other party of corrections made to their personal information.

Unique identifiers (numbers or a combination of letters) may be assigned to individuals where it is reasonably necessary for Thirrili Ltd to carry out its services efficiently. The identity of Thirrili Ltd clients will be verified prior to a unique identifier being assigned to that client. Unique identifiers will not contain any identifying information and will not be a government related identifier assigned to individuals (e.g., tax file numbers, pension numbers or Medicare numbers) or of another organisation. Thirrili Ltd will not disclose a unique identifier unless it is reasonably necessary to do so.

Where it is not unlawful and/or impractical, an individual has the option of not identifying themselves by using a pseudonym when associating with the organisation. However, the nature of activities conducted by Thirrili Ltd, means that generally, it may not be possible for us to provide a full range of service to a client anonymously or using a pseudonym.

If personal information requires transfer or is stored by a third party at an outside destination, Thirrili Ltd will take all reasonable steps to ensure that the third party follows the Australian Privacy Principles (Privacy Act, 1988).

Thirrili Ltd will only use or disclose personal information for the purposes of direct marketing if it was collected for such purposes and the individual would reasonably expect to receive direct marketing or has provided consent.

Thirrili Ltd respects the privacy of all current and prospective supporters and clients and will allow individuals to ‘opt out’ from receiving communication and will act on an individual’s request to ‘opt out’.

If Thirrili Ltd is to be wound up and it is not expected to continue to provide services, notice will be given of the closure to individuals and what will happen with their personal information.

Thirrili Ltd will provide a copy or written summary of an individual’s health information available to another health service provider only if requested or authorised by that client.

If a client has a privacy issue or concern, the matter will be dealt with in accordance with the Thirrili Ltd Complaints Policy.

Non-client related queries or concerns will be dealt with in accordance with the Complaints Policy.

Thirrili Ltd is subject to a range of privacy laws. Nothing in this Policy is intended to limit Thirrili Ltd’s obligations or permitted handling of personal information under those laws. Changes may be made to this Policy from time to time. We will give notice of these changes on our website and intranet.

A quality record keeping program is fundamental to Thirrili Ltd’s commitment to administrative transparency and accountability, as it enables Thirrili Ltd to account for decisions and actions by providing evidence in the form of records and ensures the preservation of the collective memory of Thirrili Ltd. The Privacy Act 1988 allows for documents to be destroyed after seven years.

In general, we will exercise discretion in determining how long to keep documents, keeping in mind the type of matter contained in the file.
We will ensure we:
• protect client confidentiality when destroying files.
• keep records of what has been destroyed.

Where original documents are provided, we will scan these documents and note the originals have been sighted, and return the originals to the individuals, families or communities that own those documents.