The below Statement summarises how Coast2Bay Housing Group and its associated charities ‘RISE2’ and ‘The Coast2Bay Housing Foundation’ handle personal information in order to provide housing and other related services and activities. Our full Privacy and Confidentiality Policy can be viewed here.
Overview – Collecting and protecting personal information
Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable.
All personal information will be collected in accordance with the following guidelines:
- Only relevant and necessary personal information will be collected
- Confidentiality will be maintained regardless of the method used to collect the personal information
- Personal information will be collected in a fair, legal and transparent way
- Reasonable steps will be taken to collect personal information in a private and secure manner
Personal information will be restricted to authorised persons only and for the purpose it was collected.
Personal information will only be disclosed with consent from the individual or for a ‘permitted general situation’ as defined by the Office of the Australian Information Commissioner (OAIC).
A legal representative may be in place to provide consent on behalf of an individual. The entity will ensure evidence of this is obtained and kept on the relevant file.
Individuals reserve the right to withdraw consent at any time. This will be recorded on the relevant file to ensure information is not disclosed. Information disclosed external to the entity is considered uncontrolled and staff will take reasonable steps to ensure information will be kept confidential.
The entity will provide an individual access to their personal information unless there are grounds for refusal as per the NPPs.
Where access to personal information has a financial impact on the entity, reasonable costs may be recovered from the individual at the discretion of management.
The entity will take all reasonable steps to ensure the security of personal information, and to ensure that information is kept up to date. Any changes to information will be processed as soon as practicable. Personal information will be maintained in a secure manner at all times within the entity’s protected systems with strict access subject to both passwords and dual authentication.
Personal information that is no longer required to be kept by the entity will be destroyed or de-identified, as required. This will be done in a secure manner to ensure the information is irretrievable.
The entity will take immediate and appropriate action in the event of a suspected data breach pursuant to the Cyber Incident Response Plan (CIRP).
All suspected data breaches/incidents will be managed in accordance with the CIRP and other ICT policies as relevant. The CIRP covers investigation, containment of the breach, assessment of the incident, notification and review in a formalised manner.
The entity will notify the OAIC, relevant bodies (as required) and individuals of a data breach involving personal information that is likely to result in serious harm as identified in the CIRP.
Privacy and confidentiality documents are read and signed by Directors, staff, volunteers and relevant stakeholders upon induction and annually.
The entity will ensure staff are adequately trained and provided with up-to-date information regarding their privacy and confidentiality obligations. Records of training will be maintained.
Failure to comply with the entity’s Privacy and Confidentiality obligations will be taken seriously and is considered a breach of conduct. This may result in disciplinary action.
How information is collected
The entity may collect personal information when an individual:
- contacts us directly over the phone or via our Customer Services staff
- contacts us in person
- participates in public or closed surveys, questionnaires or conference events
- registers for face-to-face or digital events (such as webinars, fundraisers)
- interacts with us online, including through our websites, email, webchats, mobile applications and social network services (such as Facebook, Twitter, YouTube, Instagram or LinkedIn – the social network providers will also handle your personal information for their own purposes and have their own privacy policies)
- donates to the organisation and has consented to receiving information for future fundraising
- applies for a position with the entity (either as a new board member, employee, volunteer or contractor).
This collection may be required to allow several activities to be conducted in the normal course of business including:
- making a donation or participating in a fundraising event
- receiving information from the entity including alerts via email or SMS communications
- being a shareholder
- being a member of a community organisation that the entity is engaged with
- registering as a volunteer
- registering as a RISE Ambassador or Speaker or committee member
- being a debtor (owing money to the entity) or being a creditor (being owed money by the entity)
- participating in tenancy and community engagement activities and programs
- being subject to involvement with any business program (including government funded programs)
- being a tenant or ex-tenant in one of our properties that we own or manage on behalf of others
- being an investor or client who has a headlease or provided outsourced servicing to the entity to manage their property(s).
- receiving information about or becoming involved in our programs, campaigns or other initiatives
- using our mobile applications
- registering with Centrepay and other government support services
- wishing to be, or being, appointed as an employee, with information collected in relation to paying the employee for services and facilitation of superannuation, PBI and employee leave entitlements.
Third party information
There may be occasions when the entity gathers personal information about an individual from a third party, for example, from recruitment services, community groups and government support providers, IT or telecommunications provider or our delivery partners. These third parties also have their own privacy policies.
How personal information is used
The personal information collected by the entity may be used by us for the following purposes:
- managing preferences for receiving further information about the entity’s programs, events, campaigns or activities
- additional types of personal information such as job title or role, department name, educational institution information
- demographic information and unique identifiers in order to provide clients with a more personalised experience and to verify who the client is
- ensuring a lease arrangement for housing is in place
- to allow you to obtain access to the interactive elements of our mobile applications and websites (including the online forums, our campaign websites etc.)
- to provide stakeholders with the information, resources or merchandise they have requested
- to involve clients in programs, campaigns, research, activities or other initiatives undertaken
- to show the donor’s name and the amount of any donation or sponsorship that they may wish to make on our website (unless chosen to be a private or anonymous donation)
- for the marketing and research purposes of the entity, its contractors or service providers
- for internal administrative purposes
- to respond to ‘Contact Us’ form enquiries, general website feedback or assistance, or media enquiries
- to update our records and keep client contact details up to date
- for research, advice and information, including for benchmarking purposes
- to send emails about our programs, campaigns or activities if stakeholders have agreed to receive our emails
- in the case of marketing automation, to improve the emails that are sent to donors and to improve the personalisation, services, programs, content and resources that are offered to them
- to understand how stakeholders interact with us by recording information about them in a database
- to enable like-minded organisations to contact our clients with information that may be of interest to them (if they have consented to this)
- to assess any application relating to a vacant position
- if you lodge a complaint or query with the entity, to process and respond to that complaint or query.
Other than for the purposes described above, the entity will not use personal information without the individual’s prior consent.
Disclosure of personal information
Personal information will only be disclosed to third parties in accordance with this Policy or as permitted by law.
The entity will only use or disclose your personal information for the purposes for which it has been collected or for a secondary purpose if permitted by law, which includes:
- where consent has been received
- where it is reasonably expected of the entity to do so, and where related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose
- where required or authorised by or under an Australian law or a court/tribunal order
- where a permitted situation exists under the Privacy Act, such as lessening or preventing a serious threat to the life, health or safety of an individual, or to public health or safety, or locating a person reported as missing.
Information may be provided to third parties where services relating to the purpose for which the personal information is collected are outsourced or you would reasonably expect us to disclose it to a third party for a particular purpose. For example, we may disclose your personal information to:
- our service support providers
- our delivery partners
- our third-party service providers (such as our IT and maintenance contractors)
- our marketing team
- our professional advisors (such as accountants, auditors and legal representatives)
- depending on the formal provisions of terms and conditions within our contracts with government, information pertaining to community housing statistics and other reportable data
Our third-party service providers may store personal information overseas when providing support or other services. For example, if a stakeholder has communicated with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold their personal information overseas.
Accessing personal information
Stakeholders may request access to their personal information collected by the entity and ask for correction or update of that personal information. They can ask for access or correction by contacting us and we will usually respond within a very reasonable time. If there is a refusal to provide access to, or correct, their personal information, the entity will notify them in writing setting out the reasons.
Notifiable data breach
In the event of any unauthorised access or unauthorised disclosure or loss of a stakeholder’s personal information that is likely to result in serious harm to them, and where remedial action has not been able to prevent the likely risk of serious harm, the entity will investigate and notify them and the Office of the Australian Information Commissioner in accordance with the Privacy Act 1988.
How to contact us
If you have any questions in relation to your personal information, its use or our policy, please contact us here.