1. Purpose
The purpose of this Privacy Policy (the ‘Policy’) is to explain how The Australian Organisation For Young People Living With Cancer (ABN 77 052 040 516), including Canteen Australian Canteen Connect and Parenting Through Cancer— collectively “Canteen”, (referred to in this Policy as “Canteen”, “we”, “us” or “our) collects, uses, discloses, stores, transmits, retains and destroys or deletes personal information and sensitive information about Canteen’s service users, their caregivers, parents, friends, donors, volunteers and team members(referred to in this Policy as “you” or “your”).
Canteen is committed to protecting the privacy and confidentiality of our young people, their caregivers, parents, friends, donors, team members, volunteers, corporate supporters, third party suppliers and customers, and complying with our obligations including those in the Australian Privacy Principles and the Privacy Act 1988 (Cth), as well as under the National Safety and Quality Digital Mental Health Standards (‘DMH Standards’).
We have prepared this Policy, in line with Canteen’s commitment to best practice, to inform you of the personal and sensitive information we may collect and hold about you and how we use and store that information.
This Policy also provides information about your privacy rights as an individual and how to contact us if you have any privacy concerns.
This Policy may change from time to time and it is therefore important that you review it regularly. We will notify you of changes to this Policy.
2. Definitions
- Personal information is information or an opinion about an individual who is identified by the information, or whose identity can be easily ascertained from the information. Examples of Personal Information we may collect include name, gender, email address, phone number, date of birth, address, referee reports, employment history, Medicare number, tax file number, credit information or any information from social media, and online data collection. Please refer to the relevant section(s) below that are applicable to you for further details as to the specific type of personal information we may collect.
- Sensitive Information: sensitive information is a sub-set of Personal information and covers information for example about a person’s health (including health records), ethnic background, sexual orientation, religious beliefs and family relationships.
- Informed consent: a person’s decision, given voluntarily, to agree to a service following the provision of accurate and relevant information about the service and alternative options available, and with knowledge of the benefits and risks of the service.
- Research and evaluation studies: Canteen conducts research and evaluation studies to inform our service direction and delivery. Research Canteen Privacy Policy 2023 Page 2 of 10 studies generate new knowledge about the impact of cancer on young people and families, which helps us decide on the types of services we should be offering. Evaluation studies generate insights about whether our services, policies, or initiatives are being delivered as intended and/or achieving intended outcomes. This can help Canteen decide whether to remove, change, or add to our services.
- Monitoring and evaluation activities: Canteen reviews information about our services to identify strengths, weaknesses, gaps, or areas for improvement. Monitoring activities refer to the ongoing and routine review of information for quality assurance purposes. Evaluation activities refer to systematic review of information to make a judgement about a service or to inform continuous improvement. Both help Canteen to know if we are delivering high-quality services and to identify ways to improve our services.
3. Before we collect your personal and sensitive information
Before we collect any personal and/or sensitive information we will seek your informed consent.
Before you access our services, you are required to complete an Initial Consent Form, if consent is withheld, we will not be able to provide you with services. On occasions where your information is required for additional purposes, we will seek additional consent from you. You may withdraw or withhold your consent at any time in relation to collection, storage or distribution of personal and/or sensitive information. This decision can be made without fear of negative consequences and will not adversely impact your relationship with Canteen.
You may also opt out of sharing your personal and/or sensitive information in any manner which we may collect or use it for as described at paragraph 4 below. If you would like to opt out, please contact us on the details listed below or via the Contact Us page on our website.
4. What personal information do we collect and handle?
We only collect personal and/or sensitive information that is reasonably necessary to provide our services to you.
We collect most of your personal and/or sensitive information directly from you. We may collect, from time to time, personal and/or sensitive information from third parties such as your parents/caregivers, family, friends, social media or other sources, but only if:
- you provide us with your consent to do so; and
- where you have given your consent to the third party to disclose the personal and/or sensitive information on your behalf.
4.1. Photographs
We may feature photographs of various individuals on our Website, social media and advertising material. We will seek your permission to take, publish and/or display any photograph which features you on our Website, social media and Canteen Privacy Policy 2023 Page 3 of 10 advertising material. If you are in one or more of these photos and would like those photos removed, please contact us on the details listed below or via the Contact Us page on our website.
4.2. Monitoring and evaluation activities
Monitoring and evaluation activities draw on service user demographics, activity records, and feedback from our service users. Your personal information and activity records might be included in aggregated data, such as communications to the public highlighting how Canteen services have positively impacted service users. The information from monitoring and evaluation activities is primarily used internally by Canteen or our third-party partners. The use of data for monitoring and evaluation activities by Canteen is covered by this Privacy Policy and Canteen’s internal data management guidelines.
4.3. For young people
For the purposes of this Policy and the services provided by us, young people includes people aged 0 to 25 inclusive.
The types of personal and sensitive information we may collect about you and handle may include, but are not limited to:
- your name, contact details, date of birth and gender;
- your emergency contact details;
- information that you share in forums or blogs on our Website;
- photographs, if you attend one of our events or submit photographs to us;
- enquiry/complaint details, posts and other submissions to our Online Services (as described at section 9 below);
- information about your use of our services; and
- information about your other dealings with Canteen, including records of any telephone, email or online interactions.
In addition to the personal and sensitive information listed above, we may also collect additional personal and sensitive information that you provide directly to us during, or in connection with the provision of support services and related services.
We may collect personal information directly from you as well as from third parties including public sources, your carers, family, friends and other representatives, social media and other sources with whom we exchange information as described in this Policy, but will never do so without your consent.
Canteen requires that if you are under the age of 16 years old, you will need to ask for your parent’s or guardian’s permission to share your personal information with us to access Canteen services.
For specific privacy information related to Canteen Connect, you can access the Canteen Connect Privacy Policy.
4.4. For parents, caregivers, friends and other Canteen service users
The types of personal and sensitive information we may collect about you and handle may include, but are not limited to:
- your name, contact details, date of birth and gender;
- your emergency contact details;
- information that you submit in forms and survey responses;
- information that you share in forums or blogs on our Website;
- photographs, if you attend one of our events or submit photographs to us;
- enquiry/complaint details, posts and other submissions to our Online Services (as described at section 9 below);
- information about your use of our services; and
- information about your other dealings with Canteen, including records of any telephone, email or online interactions.
In addition to the personal and sensitive information listed above, we may also collect additional personal and sensitive information that you provide directly to us during, or in connection with the provision of support services and related services.
We may collect personal information directly from you as well as from third parties including public sources, family, friends and other representatives, social media and other sources with whom we exchange information as described in this Policy, but will never do so without your consent. For more information about this, please see item 6 of this Privacy Policy.
During your interactions with Canteen, you may discuss other people in your life. If you are providing Canteen with detailed personal information about someone else, you should obtain that person’s consent to do so.
4.5. For donors, corporate supporters and customers and referrers
The types of personal information we may collect about you may include, but are not limited to:
- your name and contact details;
- your organisation, employment, positions held;
- photographs, if you attend one of our events or submit photographs to us;
- information in forms that you submit and survey responses; and
- payment details.
4.6. For volunteers, team members and contractors
The types of personal information we may collect about you prior and during your engagement with Canteen may include, but are not limited to:
- your name and contact details;
- your emergency contact details;
- Bank account details;
- Tax file number;
- Superannuation details;
- relevant medical information and vaccination certifications; and
- information about your qualifications, skills, experience, character, relevant screening checks (including health, reference, background, Working With Children Checks and Clearances, Working With Vulnerable People Checks and Registrations, Blue Card, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks) and employment history.
This information is stored in Canteen’s team member management systems.
5. How do we collect your personal information?
We collect personal information through various avenues, including:
- when you or a third party you have given consent to provide information to us directly, for example:
- when you communicate or interact with us by telephone, email, online (including through our website and our social media channels), offline or in person;
- when you complete a form or a survey;
- when you provide us with a case study;
- when you complete a referral form prior to receiving services from us; - information you provide to us during attendance at our events or participation in our monitoring and evaluation activities;
- information from third parties, including:
- your organisation;
- our sponsors;
- our suppliers and other third parties who provide services to us; and
- hospitals, medical practitioners, education providers, community organisations, family and friends (if they have your consent to provide your information to us).
During your interactions with Canteen, you may discuss other people in your life. If you are providing Canteen with detailed personal information about someone else, you should obtain that person’s consent to do so.
6. Why do we collect your personal information?
We collect, use, disclose, store, transmit, and retain personal information for a variety of reasons, including:
- to provide, administer, promote and develop and evaluate our programs, services and fundraising activities as part of routine monitoring and evaluation activities;
- to contact you about participation in research and evaluation studies;
- to process payments and refunds;
- to verify your identity and personal information;
- to maintain and update our records;
- to manage our relationship with you;
- to support your health and well-being; to conduct health and social research; to train and manage our people;
- to protect our lawful interests;
- to deal with enquiries and disputes;
- for people who work, volunteer, or apply to work or volunteer with us, to assess your application, conduct screening checks and consider and contact you about other positions;
- to provide marketing communications and targeted advertising to you on an ongoing basis by telephone, electronic messages (e.g. email), online (including websites and mobile apps), offline and other means, unless you opt out or we are subject to legal restrictions; and
- to meet reporting obligations to government agencies or as required by law.
Should you be contacted to participate in a research or evaluation study, you can choose whether to take part; participation is always voluntary. Research and evaluation studies are reviewed by a Human Research Ethics Committee, which means that data collected as part of a research or evaluation study will be managed according to the privacy and data management guidelines for that study. If you are participating in a research or evaluation study, you will be provided further information regarding the privacy and security of your information by Canteen’s Impact team.
7. What if we can’t collect your personal information?
If you do not provide us with the personal information we need, some or all of the following may occur:
- we may not be able to provide you with our services, including any psychological and emotional support you may request;
- we may not be able to consider your application to join us as a team member, contractor or volunteer; or
- we may not be able to respond to your requests for information.
You may also communicate with Canteen anonymously or by using a pseudonym. If you do elect to engage with Canteen in this manner, you should know that we may not be able to provide the services you require.
8. Who might we disclose your personal information to?
We may disclose your personal information to various third parties, who assist us in supplying our services, for any of the purposes identified above. Some of the third parties described below may be located in the United States of America, the United Kingdom, and other countries. Before we disclose any personal and/or sensitive information to an overseas third party, we will ensure that their privacy policies and procedures comply with the Australian Privacy Principles and Privacy Act 1988 (Cth). Any disclosure to an overseas third party will only be disclosed for the primary purpose for which it was collected.
The types of third parties with whom we may disclose or transmit your personal information include:
- a parent, guardian, representative or carer;
- our service providers that assist us with archival, auditing, accounting, legal, business consulting, banking, payment, delivery, data processing, data analysis, document management, monitoring and evaluation activities, website and technology services;
- various third-party suppliers and partners that provide services and support for our programs, fundraising and operations;
- for people who work or volunteer with us, or apply to work or volunteer with us, your current and previous employers, academic institutions, recruiters, professional and trade associations, referees and screening check providers (e.g. for background, identity, eligibility to work, vocational suitability, health and criminal record checks);
- where your health and well-being is at risk, in which case we may notify relevant health services and other parties that can help us to protect you;
- health service providers involved in your ongoing care or to provide treatment, including your general practitioner, home service provider or mental health practitioner;
- government health bodies and departments; and
- to law enforcement agencies and other organisations where required or permitted by law.
We will not use, disclose or transmit personal and/or sensitive information unless you have consented to the use, disclosure and transmission.
Where we use your personal and/or sensitive information for research purposes as described above, we will not use it unless we have your consent and the information is deidentified.
Where any personal information we handle is subject to the General Data Protection Regulation (GDPR) (EU) 2016/679 (‘GDPR’) we handle that information in accordance with the GDPR to the extent required.
In addition to the rights to access, review and correct your personal information set out elsewhere in this Policy, if you live in the EU, EEA or the UK you have the right to:
- request a copy of data you supplied to us, in a machine-readable format or for the transfer of this data to another company;
- request the restriction of processing of your personal data;
- object to us processing your personal data; and
- request the erasure of your personal data (right to be forgotten).
For any privacy issues relating to Europe, including the UK, please contact us on the details listed below or via the Contact Us page on our website.
If the GDPR applies to you and you feel we have not handled your data correctly, or you are unhappy with our response to any requests regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office, (ICO), in the UK, or your National Supervisory Authority or data regulator.
You can contact the ICO by calling +44 303 123 1113 or go online to www.ico.org.uk.
9. Visitors to our Website
We seek to engage with you through a range of online services, including websites, social media profiles, mobile apps, blogs, forums, advertising on partner websites and email communications (Online Services).
We sometimes collect clickstream data that logs which parts of those Online Services you have visited. We may also use cookies in some of our Online Services so that we have a way of reviewing a user’s activity. We use clickstream data and cookies to help users have a better experience of the Online Services.
Where we engage third party partners for online advertising, the techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can visit networkadvertising.org to opt out of our partners’ targeted advertising.
10. How do we protect your personal information?
We take all reasonable steps to keep personal information protected from loss, interference, misuse or unauthorised access, modification or disclosure, including information that was provided anonymously or using a pseudonym. These steps may include access controls, encryption, and secure premises. We store personal information in both physical and electronic form, sometimes with the assistance of third parties such as data hosting providers.
We only store your personal or sensitive information for as long as it is required by us to properly perform our services and as required or permitted by law. We also have systems in place to record and monitor the secure destruction or deidentification (where necessary) of personal and sensitive information we no longer require or is no longer permitted by law to store. If you make a request to have your personal or sensitive information deleted or deidentified, we will do so but only to the extent that the deletion, destruction or deidentification does not conflict with our obligations under various legislation, including but not limited to the:
- Privacy Act 1988 (Cth);
- Health Records and Information Privacy Act 2002 (NSW).
Where your information is anonymous (or provided under a pseudonym) or has been deidentified, we have systems in place to prevent the unauthorised reidentification of anonymous, pseudonymous or deidentified data.
11. How can you access and correct your personal information?
The accuracy of the personal information we hold and use is important to us. We take reasonable steps to ensure that the personal information we handle is accurate, complete and up-to-date. To help us keep your personal information accurate, please let us know if there are any errors or changes in your personal information.
You can request access to the personal information we hold about you at any time by contacting us via the contact details at the bottom of this Policy or by contacting your primary contact at Canteen. You may also request the correction of any of the personal information we hold about you. In most cases, we can help you promptly and informally with these requests. In other cases, we may need to verify your identity and ask you to make your request in writing.
In some cases, such as where it would be unlawful to do so, or where providing access would have an unreasonable impact upon the privacy of other individuals, we may restrict access to all or part of the information requested. We are unable to provide access to information where data has been provided anonymously
From time to time, we may need to refuse your request to access or correct the personal information we hold about you, if we believe it to be necessary and to the extent allowed by law. We will provide a written explanation if we deny your request for access to, or correction of, your personal information. If we disagree with a requested change, we will on request keep a record of the requested changes with the relevant personal information.
12. How can you make a privacy complaint?
You can contact us via the contact details at the bottom of this Policy if you have any concerns about how we have handled your personal information. We will respond to let you know who will be handling your matter and when you can expect a further response. We may request additional details from you regarding your concern, and we may need to engage or consult with other parties to investigate and deal with your issue. We will keep records of your request and any resolution. If you are not satisfied with the manner in which we have dealt with your complaint, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au or you can call them on 1300 363 992. You may also make a complaint directly to the Information Commissioner, however, the Commissioner may recommend you try to resolve the complaint with us first.
13. Changes to our Services or ownership
Canteen will notify you as soon as reasonably practicable of any change in ownership or if we cease to provide our services. At that time, you are entitled to request deletion or deidentification of your personal and/or sensitive information.
14. How to contact us
If you have any questions or comments about this privacy policy, please don’t hesitate to contact us.
15. Variation to this Policy
We will review this Policy regularly and may make changes from time to time. We will update this Policy on the Canteen website to reflect those changes.
The updated version of this Policy will be effective from the date of posting on the Canteen website. We recommend that you visit our website regularly to keep up to date with any changes.
16. Related documents
External legislation and standards:
- Australian Privacy Principles
- Privacy Act 1988 (Cth)
- Health Records and Information Privacy Act 2002 (NSW)
National Safety and Quality Digital Mental Health Standards:
- 1.16 Healthcare records
- 1.29, 1.30 Privacy
- 1.31 Transparency
Internal policies, procedures and supporting documents:
- Canteen Consent form
- Information and Data Security Policy
- Service User Records Policy & Procedure
17. Governance
Canteen GG015- POL Privacy Policy 122023
Effective date: 11 December 2023
Review date: 11 December 2026
Policy owner: CEO
Policy endorser: Board
Full name: Peter Orchard
Signature: