Privacy policy

Definitions

Anonymity—is where an individual is not required to, and does not, provide identifying information in their interactions with St John.
Consent—is where an individual, or their parent, legal guardian or other legally appointed person, voluntarily agrees to something St John does.

De‐identification—is the process of removing or altering information that identifies an individual or is reasonably likely to do so. It may involve removing identifiers such as birth date, name or address for example, or removing or altering information that may allow someone to be identified through personal characteristics or a combination of personal characteristics.
Personal information—is any information or opinion about an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Primary purpose—is the specific function or activity (or main reason) the organisation collects the personal information.
Pseudonymity—is a nickname given by the individual where the individual does not wish for their true name to be collected.
Secondary purpose—is the use or disclosure of information for reasons other than the primary purpose.
Sensitive information—is a subset of personal information and relates to information about, for example, an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or attitudes, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, or criminal record.
Solicited information—is personal information about an individual St John takes deliberate steps to collect.
Unsolicited information—is personal information about an individual that St John has not asked for but receives in some other way, such as through a third party.

Policy Statement

St John Ambulance Australia respects every person’s legal right to privacy and is committed to its legislative responsibility to protect the personal information of customers, casualties, donors, employees, volunteers and members of the public.

Information management systems rely on restrictions regarding the free circulation of information. Employees and volunteers are required to handle information with sensitivity and integrity and should be aware of their rights and responsibilities with respect to information sharing as well as the rights and responsibilities of other individuals with respect to privacy.

This policy sets out the procedures relating to the collection, retention, use and disclosure by St John of personal and sensitive information, in accordance with the Privacy Amendment (Enhancing Privacy Protection) Act 2013 (Cth) (‘the Act’) and the Australian Privacy Principles (‘APPs’) upon which this policy is based.

Purpose

The purpose of this document is to provide a framework for St John Ambulance Australia with respect to matters of privacy, confidentiality and information sharing.

Responsibilities

All employees, contractors and volunteers are responsible for observing privacy and information sharing principles and procedures in the workplace.

Policy

1. Information Collection

St John Ambulance has diverse operations and collects information from our interactions with individuals for a variety of purposes, for example when an individual requests or uses our products or services, when a purchase using a credit card is made, or when an individual visits our website(s) or uses our mobile applications.

St John will only collect information (other than sensitive information) when the information is reasonably necessary or directly related to one or more of St John’s functions or activities and/or the primary purpose of the information. St John will not use or disclose information for a secondary purpose unless:

  • consent is given by the individual to do so
  • the individual would reasonably expect St John to use or disclose the information for secondary purposes, or
  • a permitted general situation exists in accordance with APP 3, clause 6.2.

St John will only collect such information by lawful and fair means. Where reasonably practicable, St John will only collect personal information from the individual it relates to.

1.1 Our websites and apps

When you visit a St John website(s), the personal information we collect is:

  • what you voluntarily tell us about yourself or your organisation, for instance via (but not limited to) emailing us, booking a course, purchasing a product online or registering an Automatic External Defibrillator
  • information from other sources if necessary, with your consent
  • passwords where required for accessing the St John Members’ Area or discussion forums
  • your IP address for certain applications.

St John uses Google Analytics, a web analytics service provided by Google Inc. (Google). Google Analytics uses cookies and JavaScript code to enable analysis of usage of these websites and apps.

The information logged about visitors to our website is for statistical purposes only: your server address; your top level domain name (for example, .com, .gov, .au, .uk, etc.); the date and time of your visit to the site; the pages you access and documents downloaded; the previous site you have visited; and the type of browser you are using.

You may refuse the use of cookies by selecting the appropriate settings on your browser. By using St John websites and apps, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

St John websites contain links to other sites. St John Ambulance Australia is not responsible for the privacy practices of the content of such websites.

1.2 Employees & volunteers

St John Ambulance collects personal information about its employees and volunteers for human resources purposes. Examples of information collected about employees and volunteers include:

  • date of birth
  • Tax File Number
  • contact details
  • next of kin details
  • relevant health information.

1.3 Members

St John records personal information from members (and consumers) when they elect to be involved in the organisation’s activities, such as being sent newsletters, oblations, participation in e‐mail or postal networks or being involved in specific St John activities (such as Priory or Chapter). St John endeavours to collect any personal information from members and consumers directly.

Members and consumers may opt out of such services at any time by emailing enquiries@stjohn.org.au. All St John Ambulance Australia Inc. newsletters have an option for recipients to ‘unsubscribe’ at any time they wish to do so.

1.4 Commercial operations

St John collects personal information for its commercial operations, such as an individual’s:

  • name
  • contact details
  • credit card details.

Please refer to clauses 5 and 6 respectively regarding our use and storage of such information.

1.5 Sensitive information

The Act protects an individual’s sensitive information. If St John needs to obtain this type of information from an individual, we will:

  • ask for your consent
  • adhere to all relevant laws
  • ensure the information is reasonably necessary for St John to carry out one or more of its functions or activities.

2. Information we collect from others

2.1  St John endeavours to collect personal information from the individual it relates to.

2.2  From time to time however, where it is reasonable to do so, St John may collect information from others. This information may be solicited or unsolicited information.

2.3  Where St John collects solicited information from a third party, we will take all reasonable steps to ensure that the individual is, or has been, made aware that the information has been collected, how it was collected, who from, and will comply with the Act and APPs.

2.4  Where St John receives unsolicited information, we will decide, within a reasonable period, whether the personal information about the individual could have reasonably been collected under APP 3 as if St John had solicited the information.

2.5  Where St John determines that such information could not have reasonably been collected by St John from the individual, and the information is not contained in a Commonwealth record, St John will, as soon as practicable, and where it is reasonable and lawful to do so, destroy or de‐identify the information.

2.6 Where St John receives unsolicited information with respect to matters that constitute permitted general situations (as per APP 3, clause 6.2), St John may be required to disclose such information to the relevant enforcement body.

3. Open and transparent practices

3.1  St John has implemented procedures to ensure that it complies with the Australian Privacy Principles with respect to the open and transparent management of information.

3.2  St John will make this Privacy Policy available on its public website at www.stjohn.org.au and will take reasonable steps to provide this policy, free of charge, to anyone who asks for it. An individual may obtain a copy of this policy by contacting us using the details supplied in clause 8 below.

3.3  When requested by an individual, St John will take reasonable steps (subject to legislative requirements) to let the individual know what sort of personal information St John holds about them, for what purposes it is stored, and how we collect, store, use and disclose that information.

3.4  Individuals may approach St John with any questions or complaints about St John’s compliance with Privacy Laws. Refer to clause 8 of this Policy for further details.

3.5  Unless otherwise required by law, St John will only use and disclose the information that you supply to us for the purposes it was collected.

3.6  In exceptional circumstances, St John has the right to refuse access to information in accordance with APP 5 (clause 12.3).

4. Anonymity and pseudonymity

4.1  Where practicable and lawful, individuals dealing with St John may choose to not identify themselves (be anonymous), or use a nickname (or pseudonym), in their dealings with St John.

4.2  While it may not always be possible or lawful to allow individuals this choice, in situations where this is possible, St John will offer this option.

5. Using and disclosing information

5.1  St John may use personal information collected from an individual for the primary purpose of its collection.

5.2  From time to time, St John may share information with other St John entities (both nationally and internationally). If St John intends to share such information, we will endeavour to obtain your consent.

5.2  St John will only exchange your information with third parties with your consent or where permitted by law. For example:

  • law enforcement agencies, authorities, bodies or regulators responsible for administering or performing a function under the law
  • entities established to help identify illegal activities and prevent fraud
  • authorised by or under an Australian law or a court/tribunal order.

5.3  St John will share information with third parties, including international third parties, in permitted general situations in accordance with s 16A of the Act. In such situations, St John may be required to disclose information without your consent, for example where St John:

  • believes the use or disclosure is necessary to lessen or prevent serious threat to the life, health or safety of an individual or to public health or safety
  • has reason to suspect an individual may have engaged in unlawful activity or serious misconduct
  • reasonably believes that the use or disclosure of personal or sensitive information is reasonably necessary to assist in locating a person who is reported as missing.

5.4 Where St John must use or disclose personal information to a third party in a cross border or overseas situation, St John will take reasonable steps to ensure that the overseas recipient does not breach the APPs.

5.5  Where the individual is under the age of 18 or has special needs, St John may share information with the individual’s parent or legal guardian, or any other legally appointed person.

5.6  Where St John has been required to use or disclose information in accordance with APP 3, St John will make a written note of the use or disclosure.

6. Keeping information secure

St John takes reasonable steps (including the implementation of this policy) to ensure personal information is protected from misuse, loss, unauthorised access, modification or inappropriate disclosure.

St John keeps both hard copy and electronic records on our premises and systems offsite using trusted third parties. Our security safeguards include:

6.1 Staff and volunteer education

St John undertakes:

  • training of employees and volunteers in the requirements of this policy
  • steps to ensure that any information on which restrictions have been placed shall be, as far as practicable, clearly identified and communicated to employees and volunteers.

6.2 Electronic system security

St John:

  • has firewalls and anti‐virus software systems to protect against unauthorised access to our systems
  • has an information management back‐up system with our externally contracted IT provider
  • ensures external IT providers contracted by St John are contractually bound to comply with all laws, including the Privacy Act.

6.3 Building security

St John has appropriate building security including a back‐to‐base alarm system and suitable locking mechanisms for all access points (such as windows and doors).

6.4 Destroying data no longer required

Where practical, we keep information only for as long as required (for example to meet legal requirements or our internal needs).

6.5 Accidental or unauthorised access

St John will take very seriously, and act promptly regarding, any accidental or unauthorised use or disclosure of personal information.

6.6  Any employee or volunteer, current or former, or contracted service provider who discloses information unlawfully may be subject to disciplinary sanctions including, in the most serious circumstances, termination of employment/contract and/or criminal penalties.

6.7  Use of external providers or software

From time to time, St John may use external or third party software providers to collect information from you with your consent, such as via an online or web survey tool. For such information collection purposes, St John may engage an external provider who may or may not be an Australian company or may or may not store data offshore or in ‘the cloud’.

St John will take all reasonable steps to:

  • read the external provider’s privacy and/or confidentiality policies with a particular focus on identifying the situations in which the provider may disclose information
  • examine the terms and conditions of use of the external provider’s product to determine how information will be handled, and if the company sells or trades information for marketing purposes
  • determine in which country the company’s servers are located
  • ensure that the external provider we use is a reputable organisation
  • form a reasonable belief the external provider is subject to laws at least substantially similar to the way in which the Australian Privacy Principles would protect such information if it was stored in Australia
  • make you aware that the external provider is not located in Australia and may store your information in servers offshore or in the cloud.

If you think that a company storing information on behalf of St John has breached Privacy laws, please advise St John via the complaints mechanism detailed in clause 8 below.

7. Accessing, updating and correcting information

7.1  St John aims to ensure, as far as reasonably practicable, that information kept and shared is accurate, complete and up to date.

7.2  An individual can ask for access to their basic information by contacting St John using the contact details supplied in clause 8 below.

7.3  There is no fee for an individual accessing their personal information, however in some cases St John reserves the right to charge for the amount of time spent locating, compiling and explaining the information requested. If there is a fee, we will give the individual an estimate of this fee up front and confirm with the individual that they would like St John to proceed.

7.4  St John aims to make an individual’s information available within a reasonable timeframe. Before St John hands over personal information, the individual may be requested to confirm their identity.

7.5  St John reserves the right to deny access to information in certain circumstances (as per APP 5, clause 12.3), particularly if the information is commercially sensitive or compromises the intellectual property of St John Ambulance Australia Inc. Should St John deny access to information, we will write to the individual explaining the reasons for our decision.

7.6  An individual can request St John correct or update personal information at any time if the individual believes the information is out of date, inaccurate, incomplete, irrelevant or misleading. An individual can update or correct their information by contacting St John using the contact details supplied in clause 8 below.

7.7  If information to be updated or corrected is information that has been provided to us by a third party, the individual can request that St John write to that entity and notify them of the correction. With respect to updating and correcting information, we reserve the right to confirm an individual’s identity before doing so.

8. Making a complaint

8.1  Sometimes, St John might get things wrong. If you have a concern about your privacy, you have the right to make a complaint and we will do everything we reasonably can to rectify the situation. If you wish to make a complaint, contact us at finance@stjohn.org.au or via post at:

National Privacy Officer
St John Ambulance Australia
PO Box 292
Deakin West ACT 2600

8.2  St John will endeavour to respond to all complaints within a reasonable timeframe, usually within 30 days. If, for any reason, we require additional time to respond to a complaint, St John will contact the complainant to explain the delay and give a revised timeframe.

8.3  If you are not happy with the way St John handles your complaint, you may contact the Office of the Australian Information Commissioner by calling them on 1300 363 992, online at www.oaic.gov.au, via email at enquiries@oaic.gov.au, or writing to the Office of the Australian Information Commissioner, GPO Box 2999, Canberra ACT 2601.

9. Updates to this Privacy Policy

This policy will be reviewed annually and in accordance with any amendments to privacy laws.

Related Policy

Code of Conduct (NOPOL:1.1)
Termination & Redundancy Policy (NOPOL:7.5)
Counselling and Disciplinary Policy (NOPOL:7.8)

Legislation

Privacy Act 1988 (Cth)
Privacy Amendment (Enhancing Privacy Protection) Act 2013 (Cth)
Australian Privacy Principles