An important update on our Privacy Principles

Extensive changes to the existing privacy laws took effect on 12 March 2014. From this date, the Uniting Church must comply with 13 Australian Privacy Principles that govern the collection and handling of personal information.

The Synod Privacy Policy has been updated to reflect the new requirements which include:

  • Privacy policies must contain certain information which they did not need to have before.
  • Prescribed or specific details must be included in the collection notice that is given to individuals before or at the time of collecting personal information.
  • There are new obligations in relation to the way we handle “unsolicited personal information” (i.e. personal information an organisation does not actively seek).
  • There are new requirements in relation to direct marketing such as the need to obtain consent and the requirement to include an opt-out mechanism.

What is personal information?

Personal information is “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion”.  It can include information such as a name or address, bank account details, photographs or information about an individual’s opinions.

If your congregation or organisation wants to tailor the privacy policy to reflect its own needs and methods of collection, it is important to make sure any changes do not detract from the minimum requirements set out in the legislation.  If unsure, contact the privacy officer by email on privacyofficer@nswact.uca.org.au for assistance in this regard.

Repeated or serious failures to comply with the privacy laws may result in a penalty. The Privacy Commissioner also has the ability to initiate an investigation without a complaint being made.

Top 10 privacy tips for Congregations and Church organisations

If you are responsible for the collection of an individual’s personal information, keep in mind the following ten steps to help ensure you are protecting that person’s privacy:

  1. Only obtain information you need for the purposes and activities your organisation is carrying out at the time. Do not use it for a secondary purpose unless that individual consents to such use.  If practical to do so, make sure the individual you are dealing with has the option of either remaining anonymous or using a pseudonym.
  2. Advise individuals how you are going to handle and use their personal information and who you may be giving it to – direct them to the Synod Privacy Policy and give a collection notice.
  3. Make sure the personal information you hold is up to date and accurate and that you have a record of the source of that personal information (e.g. from Joe Bloggs on 13/2/2012). Consider whether an audit of personal information your organisation holds is necessary or a good idea.  For instance, if a Congregation collected personal information from various members of its congregation in 2000, it would definitely be worthwhile carrying out an audit of such personal information, making sure it is still accurate and the individual consents to their details being retained and used by the Congregation for church purposes.
  4. If you ever want to disclose personal information for reasons other than the reason for which you collected it, seek the individual’s consent before doing so.
  5. Comply with individuals’ requests for personal information or, if you are unwilling or unable to comply, contact the Privacy Officer for assistance. Always comply promptly with an individual’s request for correction of any personal information.
  6. Keep all personal information secure and safe from unauthorised access. If your congregation has a visitors book in which visitors to the church complete their name, address and email or phone number, then it would be prudent to change the visitors book to a note pad or sheet which each person can complete and then place in a box, to prevent other visitors from seeing their personal information and identifying them. The box should be removed and kept in the office, with the information entered into a database and the paper destroyed, or kept securely if a database is not used.
  7. Destroy (i.e. shred paper or delete electronic files and check deletion occurred) any personal information your organisation no longer needs (unless you’re legally required to keep the files, e.g. HR files are exempt from the Act and must be retained for at least 7 years). Contact the Privacy Officer if you are ever unsure about whether or not to delete or destroy personal information.
  8. Consider appointing a member of your organisation to act as a contact in relation to privacy for your organisation.
  9. Familiarise yourself with the privacy laws. The Office of the Australian Information Commissioner website at https://www.oaic.gov.au/ has extensive information, examples and the APP Guidelines, and the Synod website also has information including the process for dealing with unsolicited information, the Synod collection notice and the Synod privacy policy.
  10. Examples of direct marketing are telemarketing and advertising via email, SMS or mail.  If carrying out any direct marketing, make sure there is an opt-out facility and make sure your direct marketing practices and databases are adequate as far as privacy requirements are concerned, e.g. the source of personal information and the date it is obtained are recorded.

Please note, this is not intended to constitute legal advice. Please contact our Privacy Officer on 02 8267 4300 if you require advice.
