About this document
Girl Guiding in Australia must at all times comply with Australian Privacy Laws. In addition:
- if an individual is resident in New South Wales, the Health Records and Information Privacy Act 2002 (NSW) will apply to health information collected and handled by Girl Guiding in Australia;
- if an individual is resident in Victoria, the Health Records Act 2001 (Vic) will apply to health information collected and handled by Girl Guiding in Australia; and
- if you are resident in the Australian Capital Territory, the Health Records (Privacy and Access) Act 1997 (ACT) will apply to health information collected and handled.
1. Collection of Personal Information
Workers must only:
- ask for personal information relevant to the business of Girl Guiding in Australia or for an actual or potential relationship with an individual;
- collect personal information where it is necessary for, or directly relevant to, one or more of the functions or activities of Girl Guiding in Australia; and
- collect the personal information by fair and lawful means.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Where a Girl Guiding in Australia Member or their parent/guardian do not provide the information required to provide and maintain the services of Girl Guiding in Australia, Girl Guiding in Australia may not be able to provide them with services. Where job applicants for paid or unpaid work do not provide the information required, they may not be offered employment or another type of engagement.
Workers must collect personal information from individuals directly, unless it is impractical to do so. For example, Workers may collect personal information directly from Members when they provide it by phone, letter, electronic form, or in other documents.
There may, however, be some instances where Workers collect personal information indirectly from third parties, because it is unreasonable or impractical to collect personal information directly from the individual concerned. Workers are required to notify individuals about these instances in advance or, where that is not possible, as soon as reasonably practicable after the information has been collected.
- the Girl Guiding in Australia identity and contact details;
- the facts and circumstances of collection;
- whether collection is required or authorised by law, and if so, the names of such laws;
- the purposes for which the personal information is collected;
- the consequences for the individual if Girl Guiding in Australia does not collect the personal information;
- the third parties or the types of third parties to whom Girl Guiding in Australia normally discloses personal information;
- whether an individual’s personal information is likely to be disclosed to overseas recipients and, if so, the countries in which such recipients are located (if it is practical to specify).
A privacy collection statement is available for inclusion on standard Girl Guiding in Australia forms. If a Worker is collecting information outside of a standard form, the Worker is required to provide a separate privacy collection statement, a template of which is available from Guide Lines. Where information is collected over the phone, the worker is required to read out the privacy collection statement script, available from Guide Lines.
Where personal information has been provided to Girl Guides and that information has not been requested, workers must consider whether the information could have been collected and retained and treated as solicited personal information. Where personal information could not have been solicited, the Worker must destroy or de-identify the personal information as soon as practicable.
Sensitive information is a subset of personal information which is afforded greater protection under Australian Privacy Laws. Sensitive information includes health and medical information, racial or ethnic background, sexual orientation or practices, criminal record, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, genetic information, biometric information, and biometric templates.
Workers must not collect sensitive information about a person without their consent, unless we are required or authorised by law to do so.
2. How Girl Guides hold personal information
Personal information is collected and retained on past and present Adult Members, as well as Youth Members and their parents/guardians, for the primary purpose of operating Girl Guides. Girl Guides also collects and retains personal information on its Workers, donors and event attendees.
Personal information is entered and stored in a centralised database in each State Girl Guide Organisation. Data may also be retained in electronic or hardcopy format. Personal information can only be accessed by an authorised Worker in the State Girl Guide Organisation to which the Member belongs.
Girl Guiding in Australia has a duty to ensure that personal information is secure and protected from misuse, interference and loss, as well as unauthorised access, modification, or disclosure.
Workers must comply with all security directions and protocols with respect to personal information for both physical and digital security.
All Workers must attend regular security training to ensure compliance with security directions and protocols.
When personal information is no longer required, it must be securely destroyed or permanently de-identified in accordance with the Girl Guiding in Australia’s procedures, subject to our obligations to retain information in accordance with the GGA Child Safe Child Friendly framework.
Under the Privacy Act, consent is not required to collect personal information that is not sensitive information, or to use or disclose personal information for a purpose for which it was collected for.
Consent is required to collect sensitive information, or to use or disclose personal information for a purpose other than the purpose it was collected for (unless an exemption applies).
Where consent is required, it may be express or implied. When an individual provides consent, the consent must be provided voluntarily, they must be informed of what they are consenting to, they must have the capacity to understand and communicate their consent, and the consent must be current and specific.
A Worker cannot rely on implied consent if the individual has not been provided with an opportunity to opt out of consenting.
Workers must not engage in ‘consent bundling’, where a single request for consent covers multiple requests to collect, use, and disclose information and does not let the individual choose which ones they consent to and which ones they don’t. In these circumstances, it is not possible to determine whether consent has actually been provided for all requests. Where it’s practical or preferable to include multiple requests for consent on the one form (or another method), each request must be outlined separately, include the reason for why the consent is required and the consequence if the consent is not granted.
Consent may be revoked (which may cause difficulties for Girl Guiding in Australia internal operations), and so Girl Guiding in Australia’s policy is that where consent is not required, it should not be sought. Workers must cease using personal information if an individual has withdrawn their consent at any time, subject to Girl Guiding in Australia’s obligations to hold attendance and membership data in accordance with the Child Safe Child Friendly framework.
4. Using Personal Information
- provide information, goods and services to Members, donors, Workers, and anyone else seeking them on their behalf or on behalf of another person;
- process donations or purchases and provide receipts, and communicate with a person about how their donation is used;
- facilitate Girl Guiding in Australia’s internal business operations, including
- the fulfilment of any legal requirements;
- maintaining a register of our membership;
- establishing a relationship with a person;
- assessing suitability of an Adult in Guiding to be in charge of Youth Members;
- maintaining and managing our relationship with a person and communicating with them in the ordinary course of that relationship (including responding to requests, feedback, or complaints);
- directing membership enquiries to relevant Girl Guides organisations;
- maintaining and managing the engagement of a Worker (including criminal record checks and working with children checks), and terminating that engagement;
- organising and facilitating activities and events;
- analysing our goods and services, membership needs, customer needs, and Worker needs with a view to developing new or improved goods and services or business operations;
- ensuring the health, safety and well-being of Members and Workers; and
- facilitating the use or hire of Girl Guiding in Australia’s property;
- provide information to people about other goods, services, and activities, events, promotions or special offers that Girl Guiding in Australia offers them;
- facilitate communication between Members of Girl Guiding in Australia where Members have consented for their information to be used in this way; and
- assess, process and investigate claims made under any insurance products we provide to support the safe and effective roll out of Girl Guiding activities and events.
Workers may also use and disclose personal information for the purposes for which it was collected.
If Workers are unsure of whether personal information may be used for a particular purpose, or for a purpose which has not been consented to, Workers must consult the Girl Guiding in Australia Privacy Officer in their State or Territory (details of which are included at the end of this document).
Direct Marketing and Privacy
Workers may only use individuals’ personal information, including contact details, collected from those individuals for direct marketing of Girl Guiding in Australia’s own products and services or products and services of Girl Guiding in Australia’s business partners, provided the individual received a privacy collection statement at the time of collection, or would otherwise reasonably expect their personal information to be used for the purposes of direct marketing.
Individuals can ‘opt out’ of Girl Guiding in Australia’s direct marketing by notifying us that they do not wish to receive this material. For all digital direct marketing communications, the communication must draw attention to the individual’s opt-out rights with a simple and easy-to-use unsubscribe function. Workers should ensure that any requests to unsubscribe are addressed in a timely fashion, and in any event, within 5 working days.
Workers must also comply with the Spam Act 2003 (Cth) when sending electronic marketing messages.
Workers must also abide by the Australian Direct Marketing Association (ADMA) Code of Ethics in relation to all direct marketing and electronic marketing to Members.
5. Disclosure and Sharing of Information
- a Youth Member’s parent or guardian or in accordance with a Family Court Order;
- a Member’s Leader or Manager;
- Girl Guiding in Australia Workers and other parties who require the information to assist Girl Guiding in Australia with facilitating our internal business processes, providing the individual with goods and services and information, and with establishing, maintaining, managing, or ending our relationship with a person;
- Girl Guiding in Australia’s related entities to facilitate Girl Guiding in Australia and their internal business processes, including directing membership enquiries to relevant State Girl Guide Organisations;
- third party service providers who assist Girl Guiding in Australia in operating its business and providing information, goods and services (including payment processors, payroll processors, insurers, superannuation funds, IT and technology service providers, event organisers, and professional advisers such as lawyers, accountants, and auditors);
- third parties to whom the individual has agreed Girl Guiding in Australia may disclose the individual’s information or where the information was collected from the individual for the purposes of passing it on to the third party;
- anyone to whom Girl Guiding in Australia’s assets or business (or any part of them) are transferred (on consent or direction from the Board); and
- any other entity as otherwise permitted or required by law, including enforcement and regulatory bodies such as WorkSafe and child protection authorities.
Workers may also disclose Member information to another Member if the first Member has consented.
Workers must not disclose an individual’s personal information to an overseas entity (including a technology service provider located overseas) if the individual has not received a privacy collection statement which sets out that disclosure may be to overseas entities, and that the individual consents to APP 8.1 no longer applying. Disclosure to an overseas entity without this consent in place will leave Girl Guiding in Australia open to liability if the overseas entity engages in conduct which would breach the APPs.
Workers must not provide access to Girl Guiding in Australia data to external organisations or individuals who wish to offer a product or service that they believe will be of benefit to our Members without direction from the relevant national or State Girl Guide Organisation CEO.
If Workers are unsure of whether personal information may be disclosed for a particular purpose, or where Workers consider disclosure is for another purpose, Workers must consult the Girl Guiding in Australia Privacy Officer in their State or Territory (details of which are included at the end of this document).
Child safety issues
Any child safety issues must be managed in accordance with Element 8 of Child Safe Child Friendly framework.
6. Accessing and Updating Personal Information
Individuals can request at any time to be given a copy of the personal information that is held about them. This request can be made by contacting the Girl Guiding in Australia Privacy Officer in the relevant State or Territory (details of which are included at the end of this document).
Girl Guiding in Australia will provide an individual with access wherever possible and within a reasonable time, usually 14 days.
Girl Guiding in Australia may charge a fee for access to cover costs, but there is no fee for requesting access. If Girl Guiding in Australia denies a request for access, it will provide the person applying for access with reasons for that denial and inform the person of how to complain about the refusal.
Before giving a person access to, or amending, a person’s records, either in person or over the phone, Girl Guiding in Australia must require the person to prove their identity to ensure against data breaches. Girl Guiding in Australia should ask a person to verify their full name, membership number, date of birth and address. This should be standard practice to avoid a Data Breach.
Girl Guiding in Australia relies on the accuracy of the information provided to it. A person from whom we collect personal information can contact Girl Guiding in Australia and ask to change information held about them if it is incorrect. Any such requests must be referred to the Girl Guiding in Australia Privacy Officer in the relevant state or Territory (details of which are included at the end of this document).
Girl Guiding in Australia will take reasonable steps to correct personal information it holds or associate a statement with personal information it holds. Girl Guiding in Australia has a duty to ensure that the information held is accurate, up-to-date complete and relevant, and Workers must comply with this duty. Girl Guiding in Australia also has a duty to take reasonable steps to ensure that, where any information is altered, it has verified the identity of the person requesting the change and the accuracy of the new information provided before the records are changed, and workers must comply with this duty.
7. Handling Complaints
Girl Guiding in Australia must effectively deal with privacy related incidents and complaints. If Worker is contacted regarding a privacy complaint, the Worker must immediately refer that complaint to the Girl Guiding in Australia Privacy Officer in the relevant State of Territory (details of which are included at the end of this document) so that it can be resolved in accordance with the Grievance Resolution Procedure, available on Guide Lines (https://www.guidelinesforgirlguides.org.au/).
In the first instance, the Privacy Officer will acknowledge that complaint within 2 working days and notify the person making the complaint or enquiry of the name of the person responsible for investigating the matter.
Where a matter is not resolved within 10 working days, the relevant Privacy Officer will contact the person making the complaint or enquiry and inform them as to its progress and status and when Girl Guiding in Australia expects the matter to be resolved.
If, after this process, the person making the complaint or enquiry is not satisfied with Girl Guiding in Australia response, they can submit a complaint to the Office of the Australian Information Commissioner.
8. Receiving Information from Overseas
Personal information of people residing overseas will be governed by the laws of that person’s country of residence. Girl Guiding in Australia may not be compliant with these laws. Where possible, prior to accepting any information from overseas, Workers should consult with the Gir Guiding in Australia Privacy Officer in their State or Territory (details of which are included at the end of this document) about whether the information should be received. Receiving information about a person residing overseas may be a breach of the privacy laws of that person’s country of residence, and so the relevant Privacy Officer must be able to make an informed decision of the potential risk to Girl Guiding in Australia. In some circumstances, Girl Guiding Australia may have a contract in place with the entity providing the information which requires certain processes and procedures to be followed.
In all circumstances, where Girl Guiding in Australia are provided personal information from overseas, the information must be stored securely and access must be restricted to only those that need access. If a person no longer needs access, access should be removed from that person. Once access is no longer required for any person at Girl Guiding in Australia, the information must be secured and retained in accordance with Girl Guiding in Australia’ obligations under Australian law. Information must not be destroyed without consulting with the relevant Privacy Officer.
9. Breaches and Reporting
The law imposes strict requirements and deadlines in relation to the actions that Girl Guiding in Australia has to take in the event of an actual or suspected Data Breach. A Data Breach occurs when personal information held by Girl Guiding in Australia is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples include where:
- there has been unauthorised access to personal information by a Worker who did not have a valid reason to access the personal information;
- there has been unauthorised access to personal information by an external third party who has hacked into Girl Guiding in Australia systems or network;
- an unauthorised person has gained physical access to Girl Guiding in Australia premises and has obtained personal information;
- there has been unauthorised access to personal information by an external third party due to a Worker clicking on a phishing email, giving the third party access to Girl Guiding in Australia system or network;
- there has been unauthorised access to personal information by an external third party after an information access request, because the individual’s identity was not verified;
- a Worker has (intentionally or unintentionally) modified an individual’s personal information in Girl Guiding in Australia systems without being authorised to do so;
- a Worker has (intentionally or unintentionally) made personal information accessible or visible to third parties outside Girl Guiding in Australia, such as by sending an email containing personal information of a Member to the incorrect recipient; or
- accidental or inadvertent loss of personal information in circumstances where that loss is likely to result in unauthorised access or disclosure. For example, where a Worker leaves documents, a laptop or another portable storage device on public transport.
Any actual or suspected Data Breach must be immediately reported to the Girl Guiding in Australia Privacy Officer in the relevant State or Territory (details of which are included at the end of this document) in accordance with Data Breach Response Plan in Girl Guides Australia or each State Girl Guide Organisation.
It is imperative that actual or suspected Data Breaches are reported as soon as possible so that Girl Guiding in Australia can comply with its legal obligations. Girl Guiding in Australia understands that Workers make mistakes and that accidents can happen. There will be no reprisal action taken against workers for such mistakes and accidents. However, failure to report an actual or suspected Data Breach may involve reprisal action.
Privacy Office Contact Details
Any privacy or other enquiries can be made to the Privacy Officer in your State or Territory.
The National Office of Girl Guides Australia will refer a person in the first instance to their State Girl Guide Organisation (SGGO) office on matters relating to personal information.
For the Girl Guides Australia matters please contact firstname.lastname@example.org
Last Modified: 26/04/23 at 3:25 PM