Privacy and Security
The Board of the Lishman Health Foundation (LHF) is committed to protecting the privacy of the personal information that the organisation collects, holds and administers. Personal information is information that directly or indirectly identifies and provides private details about a person.
This policy outlines how LHF will comply with The Privacy Act 1988 (The Act), which regulates the handling of personal information about individuals.
- LHF collects and administers personal information for a range of purposes, including staff and volunteer employment, Board and LHF membership, and donor and supporter details.
- The Foundation is committed to protecting the privacy of personal information it collects, holds and administers.
- The Act includes thirteen Australian Privacy Principles (APPs) that set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information.
- LHF is bound by The Act, which imposes specific obligations when it comes to handling information. The organisation has adopted the following principles as minimum standards in relation to handling personal information.
- LHF will:
- Collect only information which the LHF requires to fulfil its Objects as defined in its Constitution;
- Ensure that, where required, stakeholders are informed as to why we collect the information and how we administer the information gathered;
- Use and disclose personal information only in pursuit of its Objects or a directly related purpose, or for another purpose with the person’s consent;
- Store personal information securely, protecting it from unauthorised access; and
- Provide stakeholders with access to their own information, and the right to seek its correction.
- The CEO and the Board Audit & Governance Committee are responsible for developing and reviewing this policy.
- LHF’s CEO is responsible for the implementation of this policy, for monitoring changes in Privacy legislation, and for advising on the need to review or revise this policy as and when the need arises.
- Only collect information that is necessary for the fulfilment of the Objects of LHF.
- Advise stakeholders about why we collect the information, how it is administered and that it is accessible to them.
- Collect personal information directly from the person wherever possible. If collecting personal information from a third party, maintain a record of where that personal information has been sourced from.
- Collect Sensitive information only with the person’s consent. (Sensitive information includes health information and information about religious beliefs, race, gender, etc.)
- Where unsolicited information is received, make a judgment about whether the personal information could have been collected legitimately. If it is determined that it could not have been, it must be destroyed, and the person whose personal information has been destroyed will be notified about the receipt and destruction of the information.
- Use and Disclosure
- Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose. For other uses, LHF will obtain consent from the affected person.
- In relation to a secondary purpose, use or disclose the personal information only where:
- A secondary purpose is related to the primary purpose and the individual would reasonably have expected us to use it for that purpose;
- The person has consented; or
- Certain other legal reasons exist, or disclosure is required to prevent serious and imminent threat to life, health or safety.
- In relation to personal information which has been collected from a person, use the personal information for direct marketing, where that person would reasonably expect it to be used for this purpose, and LHF has provided an opt out and the opt out has not been taken up.
- In relation to personal information which has been collected other than from the person himself or herself, only use the personal information for direct marketing if the person whose personal information has been collected has consented (and they have not taken up the opt-out).
- Provide all individuals access to personal information except where it is a threat to life or health or refusal is authorised by law. If a person is able to establish that the personal information is not accurate, LHF must take steps to correct it.
- Make no charge for making a request for personal information or correcting the information.
- Implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorised access, interference, unauthorised modification or disclosure.
- Before LHF discloses any personal information to an overseas recipient, including a provider of IT services such as servers or cloud services, establish that they are privacy compliant.
- Destruction and de-identification
LHF will destroy personal information once it is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones.
- Data Quality
LHF will take reasonable steps to ensure the information LHF collects is accurate, complete, up to date, and relevant to the functions we perform.
- Access and Correction
LHF will ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date.
- Making information available to other organisations
LHF can release information to third parties where it is requested by the person concerned.