An important update on our Privacy Principles
Extensive changes to the existing privacy laws took effect on 12 March 2014. From this date, the Uniting Church must comply with 13 Australian Privacy Principles that govern the collection and handling of personal information.
- Privacy policies must contain certain information which they did not need to have before.
- Prescribed or specific details must be included in the collection notice that is given to individuals before or at the time of collecting personal information.
- There are new obligations in relation to the way we handle “unsolicited personal information” (i.e. personal information an organisation does not actively seek).
- There are new requirements in relation to direct marketing such as the need to obtain consent and the requirement to include an opt-out mechanism.
What is personal information?
Personal information is “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion”. It can include information such as a name or address, bank account details, photographs or information about an individual’s opinions.
Repeated or serious failures to comply with the privacy laws may result in a penalty. The Privacy Commissioner also has the ability to initiate an investigation without a complaint being made.
Top 10 privacy tips for Congregations and Church organisations
If you are responsible for the collection of an individual’s personal information, keep in mind the following ten steps to help ensure you are protecting that person’s privacy:
- Only obtain information you need for the purposes and activities your organisation is carrying out at the time. Do not use it for a secondary purpose unless that individual consents to such use. If practical to do so, make sure the individual you are dealing with has the option of either remaining anonymous or using a pseudonym.
- Make sure the personal information you hold is up to date and accurate and that you have a record of the source of that personal information (e.g. from Joe Bloggs on 13/2/2012). Consider whether an audit of personal information your organisation holds is necessary or a good idea. For instance, if a Congregation collected personal information from various members of its congregation in 2000, it would definitely be worthwhile carrying out an audit of such personal information, making sure it is still accurate and the individual consents to their details being retained and used by the Congregation for church purposes.
- If you ever want to disclose personal information for reasons other than the reason for which you collected it, seek the individual’s consent before doing so.
- Comply with individuals’ requests for personal information or, if you are unwilling or unable to comply, contact the Privacy Officer for assistance. Always comply promptly with an individual’s request for correction of any personal information.
- Keep all personal information secure and safe from unauthorised access. If your congregation has a visitors book in which visitors to the church write their name, address and email or phone number, it would be prudent to replace the book with a note pad or sheet which each person can complete and then place in a box, so that other visitors cannot see their personal information and identify them. The box should be removed and kept in the office with the information entered into a database and the paper destroyed or kept securely if a database is not used.
- Destroy (i.e. shred paper or delete electronic files and check deletion occurred) any personal information your organisation no longer needs (unless you’re legally required to keep the files, e.g. HR files are exempt from the Act and must be retained for at least 7 years). Contact the Privacy Officer if you are ever unsure about whether or not to delete or destroy personal information.
- Consider appointing a member of your organisation to act as a contact in relation to privacy for your organisation.
- Examples of direct marketing are telemarketing and advertising via email, SMS or mail. If carrying out any direct marketing, make sure there is an opt-out facility and make sure your direct marketing practices and databases are adequate as far as privacy requirements are concerned, e.g. the source of personal information and the date it is obtained are recorded.
Please note, this is not intended to constitute legal advice. Please contact our Privacy Officer on 02 8267 4300 if you require advice.