Policy Protocols

Confidentiality refers to the obligation of non-disclosure by this agency of personal information unless it has the consent of the person concerned.

The Service will ensure privacy and confidentiality by:

• Collecting only the information required for service delivery;
• Informing people of the purpose for collecting the information;
• Providing individuals with access to their information held by the Service;
• Disclosing personal information to 3rd parties only with the written consent of the individual;
• Securely storing Service Users personal information; and
• Destroying information in accordance with the Archives Act 1983.

Community Connect Transport has an obligation to report personal information where there is:

• Disclosure of a crime or intended crime;
• Where the person is suicidal, his/her safety is at risk of personal harm or being abused by another; and
• To warn a third party who is in danger.

Community Connect adheres to

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Commonwealth legislation) which outlines 11 Australian Privacy Principles (APPs).

Principle 1: Open and transparent management of personal information
‘To ensure that APP entities manage personal information in an open and transparent way’, this enhances the accountability and builds trust in the community over the organisations handling of personal information. The organisation must have an up-to-date Privacy policy which is accessible to all stakeholders.

Principle 2: Anonymity and pseudonymity
‘Provides that individuals must have the option of not identifying themselves or of using a pseudonym, when dealing with an APP entity in relation to a particular matter’. This will not apply if under court order or impractical for service provision.

Principle 3: Collection of solicited personal information
‘The entity must not collect personal information unless the information is reasonably necessary for one or more of the entity’s functions or activities’.

Principle 4: Dealing with unsolicited personal information
The entity will, if it comes into possession of personal information that may not be required for service delivery, determine if the information was a result of standard data collection and if not required it will destroy the information or ensure it is de-identified.

Personal 5: Notification of the collection of personal information
The entity must take steps as soon as practicably possible to notify the individual of the reasons for collecting personal information and who is collecting it.

Principle 6: Use or disclosure of personal information
‘If an entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not disclose the information for another purpose (the secondary purpose) unless the individual has consented. If an organisation passes on personal information to third parties with the consent of the service user it must be de-identified.

Principle 7: Direct marketing
‘If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.’

Principle 8: Cross-border disclosure of personal information
This principle refers to the transfer of personal information to an overseas location which is not applicable to the service at this time.

Principle 9: Adoption, use or disclosure of government related identifiers
An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless it is required or authorized by law or a court/tribunal order.

Principle 10: Quality of personal information
An entity must take such steps as are reasonable in the circumstances to ensure that the personal information that is collected, used or disclosed is accurate, up-to-date, complete and relevant.

Principle 11: Security of personal information
If an entity holds personal information they must take steps as are reasonable to protect the information from misuse, interference, unauthorised access, modification, loss and disclosure. The entity must ensure that if information is no longer required that it is destroyed and/or de-identified.