1. POLICY STATEMENT
1.1 Lung Foundation Australia (LFA) is committed to respecting the privacy of the personal information you may provide to us when we deal with you – for example as volunteers, members, donors, customers, patients, carers, employees and stakeholders. The way we manage your personal information is governed by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) established under the Privacy Act.
3.1 This policy applies to anyone whose personal information is held by LFA.
4.1 Your acknowledgement and consent
4.2 What is personal information?
Examples of personal information include an individual’s name, address, telephone number and date of birth.
4.3 Collecting personal information
What kinds of personal information do we collect and hold?
The types of personal information we may collect include, but are not limited to:
(a) contact details and other details including:
(i) your full name and date of birth, and personal contact details (including your address, landline or mobile telephone numbers, fax number and e-mail address); and
(ii) contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney or, in relation to bequests, an Executor of your Estate);
(b) banking and payment details including tax file numbers, ABN, bank account and credit card information, and any other information required for us to sell online products, accept donations and membership fees;
(c) where relevant, your employer details (for example if you participate in workplace giving);
(d) corporate details including your company name, job title and business sector, and any other information required for us to engage in a corporate partnership relationship with you;
(e) volunteering details including your resume, and any other information required for us to approve you as an LFA volunteer;
(f) if you are a health professional, your professional information including but not limited to:
(i) professional accreditation details;
(ii) practice details (including address, contact details and banking information);
(iii) relevant employment history; and
(iv) academic / publication history;
(g) any information required for security and screening purposes (for example your photograph or copy of your Blue Card);
(h) any correspondence between you and LFA; and
(i) any other personal information provided to us when you make an inquiry, request information (including our information packs and information about our related products and services), respond to marketing or lodge a complaint.
4.4 Sensitive Information
We may also collect sensitive information from you. Sensitive information is defined by the Privacy Act to be certain kinds of personal information. Examples of sensitive information that we may collect from you through providing information and other services to you include:
(a) health and medical information – for example: patient or treatment history provided when seeking advice from the LFA Information & Support Centre or participating in disease registries, research programs or clinical trials; and
(b) criminal history, affiliations with any advocacy / political groups (if you are dealing with us on behalf of a particular group).
4.5 How do we collect personal information?
Where possible, we will always try to collect personal information directly from you – for example when you:
(a) request information, contact or deal with us through our website or Information Support Centre, or contact us by telephone;
(b) correspond with us in writing (such as letters and emails); or
(c) meet with us in person.
We may also obtain your personal information from third parties we deal with, such as:
(a) any person you authorise to deal with us on your behalf; and
(b) any other organisation with whom we deal.
Where we collect personal information from third parties you refer to us, we will assume, and you should ensure, that you have made that third party aware of the referral and the purposes of collection, use and disclosure of the relevant personal information.
4.6 Dealing with us anonymously
Whenever it is lawful and practicable, you will have the option of not identifying yourself when dealing with us. For example, general access to our website does not, and general telephone queries do not, require you to disclose personal information about yourself.
However, there are parts of our website where we may need to collect personal information from you for a specific purpose – for example, to provide you with certain information or publications you request, or to process transactions, or for access to specialized forums or training.
4.7 Why do we collect, hold, use and disclose personal information?
We collect, use and disclose your personal information to enable us to provide services, products and information to assist individuals and health care professionals in their understanding, involvement with and support of lung disease, and to otherwise carry out our functions and activities.
In particular, we may collect, use and disclose your personal information in order to:
(a) respond to your requests or inquiries;
(b) provide you with the services, products and information you requested. For example, providing you with information, upcoming event information, promotions or special offers such as sending you a free quarterly newsletter;
(c) enable you to make a donation or purchase a product from us online including:
(i) making a personal donation or a donation on behalf of a company, organisation, community club or school;
(ii) making a bequest; and
(iii) making a donation in memoriam;
(d) enable you to become an LFA member, corporate partner, volunteer, employee or affiliated health care professional, and engaging in a business or other commercial relationship with you;
(e) process your registration for any training courses we provide;
(f) enable you to participate in research initiatives;
(g) enable you to engage in fundraising initiatives and awareness campaigns for LFA;
(h) communicate with you during the course of your relationship with us;
(i) notify you about important changes or developments to our functions, activities, services or our website and improving our customer services (for example, using customer feedback to improve our website’s ease of use and efficiency);
(j) administer, support, improve and develop our organisation and services;
(k) update and maintain our records – for example, account management and administering records of our subscription services;
(l) if you lodge a complaint with us – process and respond to your complaint;
(m) any other purpose which relates to or arises out of requests made by you;
(n) do anything which you authorise or consent to us doing; and
(o) take any action we are required or authorised by law to take.
LFA will not sell, trade or rent personal information we hold about you to unaffiliated third parties without your prior consent.
4.8 Disclosing your personal information
LFA will not provide your personal information to any other individuals or organisations without your prior consent except where required by law to do so (for example: government agencies and regulatory authorities) or where that information is provided on a confidential basis to contractors who provide services to LFA (for example database management, printing and mailing). In these cases, we ensure that our contractors are also bound by the Australian Privacy Principles to keep your personal information confidential.
LFA is very thankful to people who are willing to share their personal stories of lung disease with others through media stories and in our newsletters. We will only use your personal information for publicity purposes or as stories in newsletters with your express written permission.
LFA may, from time to time, include selected messages from LFA event sponsors, collaborators or third parties in our communications; however, we will not provide your details to any third party for marketing purposes without your prior consent.
LFA will sometimes use third party service providers to conduct surveys and facilitate information collection and event registration. Some of these service providers conduct all or part of their business overseas and so your personal information may be transferred overseas as a result. LFA conducts a due diligence process before entering into an agreement with these service providers and will take all reasonable steps to ensure that your information is not used in a manner inconsistent with the Australian Privacy Principles.
4.9 Direct Marketing
If you consent to your personal information being used for direct marketing, we may use your personal information to provide you with information about products, fundraising activities, services and promotions.
If you do not wish to receive such information, you can opt-out at any stage. If you decide to opt-out, you will be removed from LFA’s marketing database to ensure that you do not receive future direct marketing material.
There may be times, however, when the law requires us to provide certain information to you (for example health and safety information). We will continue to send this information to you.
4.10 Overseas Disclosure of Personal Information
Transfer of information overseas would normally only occur for data processing purposes, for example third party payment facilitators may process their data off-shore. LFA’s payment gateway currently processes data in Australia. LFA will not transfer your personal information overseas or into the “cloud” unless we have taken reasonable steps to ensure that the information which is being transferred will not be held, used or disclosed by the recipient of the information in a manner which is inconsistent with the Australian Privacy Principles.
4.11 Dealing with us online
When you visit our website, we and/or our contractors may collect certain information about your visit. Examples of such information may include:
(b) Site visit information
We also collect general information about your visit to our website. The information we collect is not used to personally identify you, but instead may include your server address, the date and time of your visit, the pages you accessed and the type of internet browser you use. This information is aggregated and used for the purposes of system administration, to prepare statistics on the use of our website and to improve our website’s content.
(c) Online payment systems
We use third party payment process providers whose services meet stringent security requirements including Level 1 PCI DSS compliance, EMV certification and ISO 9002 accreditation. When you enter your payment details online, you are using a secure site which uses 1024-bit tunnelling encryption to protect your information during transmission. Transactions are protected by encryption technology and a combination of firewalls and intrusion detection systems.
(d) Login information
Some functions of the website and other online tools are subject to specific login credentials before access is granted. This may include forums and health professional related information. We may also collect personal information (including financial details) to facilitate future visits or use of our website (for example: payment details for repeated online shopping).
We seek to keep current with available security encryption technology so as to maintain the effectiveness of our security systems. However, no transmission over the internet can be guaranteed as totally secure and accordingly, we cannot warrant or ensure the security of any information you provide to us over the internet. Please note that you transmit information at your own risk.
4.12 Social Media
We collect personal information from our followers/subscribers on social media channels
4.13 Personal Information Storage and Security Arrangements
We take reasonable steps to protect your personal information from interference, loss, misuse, unauthorised access, modification or disclosure. We may store your personal information in different forms, including in hardcopy and electronic form. We have established policies, procedures and systems to keep your personal information secure (including but not limited to password protection and securing physical storage arrangements).
When we no longer require your personal information, we will take reasonable steps to destroy, delete or de-identify your personal information in a secure manner. However, we may sometimes be required by law to retain certain personal information.
4.14 Accessing and Correcting your Personal Information
Correcting your personal information
So that we can carry out our activities and functions, it is important that the personal information we hold about you is complete, accurate and up to date. At any time, while we hold your personal information, we may request that you inform us of any changes to your personal information. Alternatively, if you believe that any of the personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading or needs to be corrected or updated, please contact us using our Contact Details below. We will respond to a request to correct your personal information within a reasonable time.
If we refuse to correct your personal information, you may request that we associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Accessing your personal information
You may also request access to the personal information we hold about you by contacting us using our Contact Details provided below. We will respond to a request for access within a reasonable time – either by giving you access to the personal information requested, or by notifying you of our refusal to give access.
Access and correction arrangements generally
We may require you to submit your requests in writing and require that you verify your identity before we respond to any request.
We will not charge you an application fee for making a request to access the personal information we hold about you or for requesting any correction to your personal information.
However, in certain circumstances we may charge you a fee for providing you with access to your personal information, for example if you make multiple requests for information, the information requested is voluminous or we incur third party costs in providing you with access to your personal information.
If we cannot respond to you within a reasonable time (generally within 30 days), we will contact you and provide a reason for the delay and an expected timeframe for finalising your request.
Please note that in certain circumstances, we are permitted by law to refuse to provide you with access to your personal information.
If we decide not to provide you with access to or correct your personal information, we will provide you with written reasons for our decision and advise you of the further complaint mechanisms available to you.
4.15 Lodging a complaint
If you have a complaint about how we handled your personal information or about any decision to refuse access or correction of your personal information, please contact us using the Contact Details below. We will request that you lodge your complaint in writing.
We will acknowledge receipt of your complaint as soon as possible after receiving your written complaint. We will then investigate the circumstances of your complaint and provide you with a response within a reasonable timeframe.
If you are still not satisfied with how your complaint is handled by us, then you may lodge a formal complaint with the Office of the Australian Information Commissioner at:
(a) Telephone: 1300 363 992 (if calling from outside Australia including Norfolk Island please call: +61 2 9284 9749)
(b) National Relay Service:
(i) TTY users phone 133 677 then ask for 1300 363 992
(ii) Speak and Listen users phone 1300 555 727 then ask for 1300 363 992
(iii) Internet relay users connect to the National Relay Service then ask for 1300 363 992
(c) Post: Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
(d) Fax: +61 2 9284 9666
(e) Email: email@example.com
(f) Website: http://www.oaic.gov.au/privacy/making-a-privacy-complaint
4.16 Our Contact Details
You may contact us on:
(a) Telephone: (07) 3251 3600 and ask for the CFO.
(b) Post: CFO, Lung Foundation Australia, PO Box 1949, MILTON QLD 4064
(c) Fax: (07) 3368 3564
(d) Email: firstname.lastname@example.org
4.17 Notifiable Data Breaches
The Privacy Act Amendment Notifiable Data Breaches (NDB) Act 2017 requires Lung Foundation Australia to notify particular individuals and the Office of the Australian Information Commissioner about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the personal or sensitive information relates. Lung Foundation Australia will make an objective assessment of whether a data breach is likely to result in serious harm and take remedial action according to its data breach response plan. See www.oaic.gov.au for further information.
Approved by CEO October 2022
Review date October 2023