Duke Of Edinburgh logo
MENU
Resource

Policy 1.12 - Privacy Compliance

Introduction

The Duke of Edinburgh’s International Award - Australia Inc (National Award Operator/NAO) is committed to ensuring the privacy and protection of personal information in accordance with the requirements of the Australian Privacy Principles (APPs) found in the Privacy Act 1988 (Cth) which regulate the collection, storage, use, disclosure and other processing of personal information.

Certain NAO activities with respect to employee records are exempt from this regulation. These exemptions do not apply to the collection of personal information of employees (i.e the obligations described in section 3 of this Policy).

Any organisation or person licensed to administer, manage or coordinate the Duke of Ed in Australia (including without limitation the NAO, Divisions/ Duke of Ed Offices, and Duke of Ed Centres) must comply with this policy.

Purpose of the Policy

This policy sets out how the Duke of Ed handles the personal information of the Duke of Ed Volunteers, Supporters and Duke of Ed Registered Users.

  1. Definitions
    1. The Duke of Ed Framework: means The Duke of Edinburgh’s International Award - Australia.
    2. The Duke of Ed: includes any organisation or person licensed to administer, manage or coordinate the Duke of Ed Framework, including without limitation the NAO, Divisions/ Duke of Ed Offices, and Duke of Ed Centres.
    3. Personal Information: is any information or opinion, whether true or not and whether recorded in a material form or not, about an identified or reasonably identifiable individual.
    4. Privacy Laws: includes the APPs, the Spam Act, the Do Not Call Register Act, health records legislation in ACT, Victoria and NSW, state-based surveillance and workplace surveillance laws and other laws protecting particular types of personal information including tax file numbers and criminal records.
    5. Sensitive Information: is a special type of personal information, being any information or opinion about an individual’s health, racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and certain genetic and biometric information. There are additional restrictions on the collection, use and disclosure of sensitive information in the Privacy Laws. Note that health information includes information about use of health services and is also subject to health records laws in ACT, NSW and Victoria.
  2. Compliance management
    1. The Duke of Ed must take reasonable steps to implement practices, procedures and systems to ensure it complies with the APPs and is able to deal with inquiries and complaints from individuals.
    2. The Duke of Ed must have a clearly expressed and up to date privacy policy dealing with:
      1. the kinds of personal information The Duke of Ed collects and holds;
      2. how personal information is collected and held by The Duke of Ed;
      3. the purposes for which The Duke of Ed collects, holds, uses and discloses personal information;
      4. how individuals can access and correct their personal information;
      5. complaint processes; and
      6. the countries to which The Duke of Ed is likely to disclose personal information.
    3. The Duke of Ed must make its privacy policy freely available in an appropriate form (e.g. online) and in another form on request
  3. Collection of personal information
    1. The Duke of Ed must give individuals the option of not identifying themselves or using a pseudonym when dealing with The Duke of Ed, unless impractical or required or authorised by law.
    2. The Duke of Ed must only collect personal information that is necessary for one or more of its functions or activities. Personal information must be collected lawfully and fairly, e.g. not in an unreasonably intrusive way.
    3. The Duke of Ed generally collects personal information in order to manage, administer, record and support the utilization of The Duke of Ed Frameworkin the Duke of Ed. Information is also collected to keep employees, volunteers, supporters and Registered Users informed about Duke of Ed activities and events. When or before collecting personal information, The Duke of Ed must take reasonable steps to ensure the individual is aware of the identity of the collecting organisation, contact details, the purposes for which the information is required and to whom it will be provided, together with any other matters required by the Privacy Laws.
    4. The Duke of Ed must collect personal information directly from the relevant individual or their authorised intermediaries, unless unreasonable or impractical. The Duke of Ed must take reasonable steps to ensure that when information is collected from a third party that the subject of the information has been made aware of this action.
    5. In certain circumstances, The Duke of Ed may collect sensitive information about individuals. For example, an individual may provide information on their health or racial origin in the Registered Users Application Form. The Duke of Ed only collects, uses and discloses sensitive information with consent or otherwise in accordance with law. For example, the Privacy Act allows sensitive information to be collected by non-profit organisations where the information relates to the organisation’s activities and does not relate to anyone other than members of the organisation or individuals who have regular contact with the organisation in connection with its activities.
    6. If The Duke of Ed receives any unsolicited personal information, it must assess in a reasonable time whether the information could have been collected under APP 3 (as described in sections 3.1, 3.3 and 3.4 above). If yes, The Duke of Ed must comply with APPs 5–13. If not, The Duke of Ed must destroy or de-identify the information as soon as reasonably practical, if lawful and reasonable to do so.
  4. Use and Disclosure of Personal Information (other than for direct marketing)
    1. The Duke of Ed generally limits its use and disclosure of personal information to the purpose for which it was collected and other related purposes that would be expected by the individual.
    2. In special circumstances, the Duke of Ed may also use and disclose personal information where it is otherwise allowed under the Privacy Laws (for example, some circumstances relating to law enforcement, emergency situations, legal claims and suspected unlawful activity or serious misconduct).
    3. If The Duke of Ed wishes to use or disclose personal information in other circumstances, it must obtain the individual’s consent to do so.
    4. Personal information may also be used to inform Volunteers, Supporters and Registered Users of relevant activities and events and, if they have agreed, activities, events and special offers from carefully selected partners. Individuals who no longer wish to receive such promotional information may advise The Duke of Ed using the contact details below. The Duke of Ed’s records will normally be amended in five working days. (See section 5.3 for when this timeframe is mandatory).
    5. Personal information may be shared between the various Duke of Ed organisations and persons responsible for administering The Duke of Ed Framework in Australia. Each of these organisations and persons agree to comply with this policy.
    6. The Duke of Ed may also transfer personal information (including sensitive information) to the Duke of Ed organisations located outside of Australia such as the International Award Foundation (for example delegate details including health information for international exchanges/camps). Once this personal information is held outside of Australia it may not receive the level of privacy protection required by the Australian Privacy Laws. Individuals who object to the overseas transfer of their personal information may advise the relevant Duke of Ed organisation using the contact details below. When disclosing personal information to third parties outside of Australia, The Duke of Ed should generally have suitable contracts in place with the foreign information recipients to ensure an appropriate level of privacy protection. There are some other exceptions including obtaining particularly strong consents from the individuals.
    7. The Duke of Ed may also disclose personal information to its contractors and service providers that assist in the operation or administration of The Duke of Ed Framework from time to time (for example, The Duke of Ed’s mailing house or internet services provider). This strictly excludes advertising or third-party commercial activity. As a matter of Duke of Ed policy, this strictly excludes disclosure for a third party’s advertising or commercial activity.
    8. The Duke of Ed must not adopt a government related identifier of an individual unless authorised by law or regulation. Examples of government related identifiers are State and Territory driver’s licence numbers and Australian passport numbers. ABNs are excluded. The Duke of Ed must not use or disclose a government related identifier unless reasonably necessary for identity verification or for fulfilling obligations to a government agency. There are some other limited exceptions in APP 9.
    9. Tax file numbers must only be used or disclosed for a purpose authorised by taxation, assistance agency or superannuation law. This includes any use or disclosure for matching personal information about the individual.
  5. Direct marketing
    1. The Spam Act regulates ‘commercial electronic messages’. This includes emails and SMSs sent for a commercial purpose – including marketing, offering, selling or advertising goods or services or promoting a supplier of goods or services. A message which directs a recipient to a location (such as a website) where goods or services are sold or advertised is also regarded as a commercial electronic message. A message seeking donations without promoting a supplier of goods or services is not covered by the Spam Act.
    2. There are three key requirements of the Spam Act:
      1. Consent: a restriction on sending unsolicited messages.
      2. Unsubscribe: a requirement to include a functional unsubscribe facility.
      3. Identify: a requirement to include accurate sender information.
        Consent may be ‘express’ (i.e. opt-in) or ‘inferred’ from conduct or existing relationships. Note that ‘inferred’ does not mean ‘opt-out’. Inferred consent can arise where, for example, there is an ongoing relationship between The Duke of Ed and the recipient which would give rise to the recipient’s reasonable expectation about receiving commercial electronic messages from The Duke of Ed.
    3. The Duke of Ed must action unsubscribe requests within 5 working days.
    4. Registered charities are exempt from the consent and unsubscribe requirements where sending commercial electronic messages about goods and services for which they are the supplier.
    5. Registered charities are also exempt from the Do Not Call Register Act in relation to telemarketing calls, unless the call relates to goods and services supplied by another company. Where the Do Not Call Register Act does apply, telemarketing contact lists must be ‘washed’ against the Register through www.donotcall.gov.au.
    6. Where personal information is used or disclosed for direct marketing to promote the sale of goods or services, APP 7 applies to the extent that the Spam Act and Do Not Call Register Act do not apply. For example, APP 7 applies in relation to direct marketing by mail, or to website advertising that is targeted based on personal information.
    7. Under APP 7, consent is not required to use or disclose personal information for direct marketing where:
      1. the use or disclosure is within the individual’s reasonable expectations;
      2. the personal information was collected by us directly from the individual (rather than from a third party); and
      3. no sensitive information is used or disclosed.
    8. Under APP 7, The Duke of Ed must provide a simple means to opt out in all direct marketing communications and comply with opt-out requests within a reasonable time.
    9. On request, The Duke of Ed must identify the source of personal information used for direct marketing.
  6. Access to and correction of personal information
    1. An individual may request access to the personal information that The Duke of Ed holds about them or request The Duke of Ed to correct their personal information using the contact details below. Requests to provide access to personal information must be dealt with in a reasonable time, generally 30 days.
    2. An individual may also request The Duke of Ed to take reasonable steps to notify third party of a correction where The Duke of Ed previously provided the uncorrected information to that party.
    3. In some circumstances, The Duke of Ed may not be required by law to provide an individual with access or to correct their personal information. In these circumstances, The Duke of Ed must provide the individual with the reason(s) for refusal. If the individual disagrees with The Duke of Ed’s refusal to make a correction, they can request The Duke of Ed to take reasonable steps to associate a statement with the information noting their disagreement.
  7. Data Quality
    1. The Duke of Ed must take reasonable steps to ensure that personal information it collects, uses, or disclose is accurate, complete, up-to-date, relevant and not misleading.
  8. Security of Personal Information
    1. The Duke of Ed must take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure.
    2. The Duke of Ed must take reasonable steps to destroy or permanently de-identify personal information collected which is no longer required for any permitted purpose.
  9. Complaints
    1. Any individual who believes The Duke of Ed has not complied with applicable Privacy Laws with respect to the handling of their personal information should write to the relevant Duke of Ed organisation. The letter should describe in detail the nature of the enquiry or the ways in which the individual believes that a Privacy Law has not been complied with.
    2. If a privacy complaint cannot be resolved between The Duke of Ed and the individual, the individual may contact the Office of the Australian Information Commissioner. Such complaints should be made in writing to the Office of the Australian Information Commissioner at GPO Box 5218, SYDNEY, NSW, 2001 or via their online privacy complaint form at www.oaic.gov.au.

 

Contact Details

Attn: Privacy Officer
National Award Operator
Level 3, 189 Kent St
Sydney NSW 2000
Phone: +61 2 8241 1500 (prompt 3)
Email: admin@dukeofed.com.au

crossmenu