1.1 St John Ambulance (Qld) (St John) is a charitable organisation dedicated to helping people in sickness, distress, suffering or danger.
1.2 Our operations fall under three broad categories:
(a) Event Services: which includes the provision of first aid and medical assistance at sporting and cultural events, as well as at certain workplaces such as coal seam gas worksites;
(b) Social Services: which includes the provision of the Silver Cord Service and Community Transport Access Project; and
(c) Training Services: which includes the training of the St John Cadets and the provision of general first aid training courses.
1.3 Our operations, including those listed above, are referred to in this policy as “Services”.
1.5 We are committed to complying with the Privacy Act 1988 (Cth) (Privacy Act) in relation to all personal information we collect. Our commitment is demonstrated in this policy. The Privacy Act incorporates the Australian Privacy Principles (APPs). The APPs set out the way in which personal information must be treated.
1.7 This policy applies to any person for whom we currently hold, or may in the future collect, personal information.
1.8 This policy applies to personal information. In broad terms, ‘personal information’ is information or opinions relating to a particular individual who can be identified.
1.9 Information is not personal information where the information cannot be linked to an identifiable individual.
2. How do we manage the personal information we collect?
2.1 We manage the personal information we collect in numerous ways, such as by:
(a) implementing procedures for identifying and managing privacy risks;
(b) implementing security systems for protecting personal information from misuse, interference and loss from unauthorised access, modification or disclosure;
(c) regularly providing staff with training on privacy issues;
(d) appropriately supervising staff who regularly handle personal information;
(e) implementing procedures for identifying and reporting privacy breaches and for receiving and responding to complaints;
(f) appointing a privacy officer within the business to monitor privacy compliance;
(g) having access to audit trails of information accessed; and
(h) allowing individuals the option of not identifying themselves, or using a pseudonym, when dealing with us in particular circumstances.
2.2 We will take reasonable steps to destroy or permanently de-identify personal information if that information is no longer needed for the purposes for which we are authorised to use it.
2.3 In limited circumstances, it may be possible for you to use a pseudonym or remain anonymous when dealing with us. If you wish to use a pseudonym or remain anonymous you should notify us when making first contact with us. We will use our best endeavours to deal with your request, subject to our ability to perform the Services for you without using your name. In most cases, we will require you to deal with us using your real name.
3. What kinds of information do we collect and hold?
3.1 We may collect and hold personal information about you, which may include:
(a) sensitive information (see below);
(b) contact information;
(c) financial information;
(d) date and place of birth;
(e) insurance information;
(f) credit information; and
(g) any other personal information required to perform our Services.
3.2 ‘Sensitive information’ is a subset of personal information and includes personal information that may have serious ramifications for the individual concerned if used inappropriately.
3.3 We may collect sensitive information if it is relevant in providing any of our Services. The sensitive information we generally collect in the provision of our Services and hold about you may include any of the following:
(a) health information;
(b) racial or ethnic origin;
(c) criminal records; and
(d) religious affiliation (generally, this is only collected in relation to our Social Services).
3.4 We will not collect sensitive information without the consent of the individual to whom the information relates unless permitted under the Privacy Act.
4. How and when do we collect personal information?
4.1 Our usual approach to collecting personal information for all our Services is to collect it directly from you.
4.2 We may also collect personal information in other ways, which may include:
(a) from your relatives;
(b) from your employers (for our Training Services);
(c) from government bodies (such as Centrelink);
(d) from your doctors or other medical service providers;
(e) through referrals from individuals or other entities;
(f) from paid search providers;
(g) through marketing and business development events; and
(h) from third party providers and suppliers.
5. How do we hold personal information?
5.1 We generally hold personal information:
(a) physically at our premises (securely); and
(i) on various St John databases;
(ii) on an internal server; and
(iii) by an external data centre.
5.2 We secure the personal information we hold in numerous ways, including:
(a) using security systems to access areas that contain personal information;
(b) using secure servers to store personal information;
(c) keeping physical copies of certain personal information in locked filing cabinets;
(d) quarantining information so that only those in the relevant area have access to the relevant database;
(e) using unique usernames, passwords and other protections on systems that can access personal information; and
(f) holding certain sensitive documents securely.
5.3 In relation to our Event Health Services, personal information collected can only be accessed by managers and those working at the specific event.
5.4 In relation to our Social Services:
(a) personal information is destroyed upon the death of the individual; and
(b) credit card information is destroyed immediately after use.
5.5 Our Finance department destroys:
(a) credit card information the same day it is used; and
(b) all other information in physical form after seven years.
6. Why do we collect, hold, use or disclose personal information?
6.1 We take reasonable steps to use and disclose personal information for the primary purpose for which we collect it. The primary purpose for which information is collected varies depending on the Service being provided, but can include:
(a) event health and first aid services;
(b) first aid training;
(c) first aid equipment and resources; and
(d) other care services.
6.2 In the case of our potential employees or volunteers, the primary purpose for which the information is collected is to assess the individual’s suitability and qualifications for the role.
6.3 Personal information may also be used or disclosed by us for secondary purposes that are within your reasonable expectations and that are related to the primary purpose of collection. For example, we may collect and use your personal information in relation to our Services for:
(b) processing payments; and
(c) further sales.
6.4 We may also disclose personal information collected in relation to:
(a) any of our Services to:
(i) other service providers that assist us in performing the Services (such as accounting firms and law firms);
(ii) third party storage providers;
(iii) other St John entities; and
(iv) our IT consultant (see section 7 of this policy);
(b) Event Services to:
(i) the Queensland Ambulance Service;
(ii) the organiser of the relevant event;
(iii) a family member of a patient;
(iv) employers at worksites where we provide medical services; and
(v) medical staff;
(c) Social Services to:
(i) the taxi service providers; and
(ii) public and private hospitals; and
(d) Training Services to:
(i) government bodies (in circumstances where the government is funding the training); and
(ii) employers which engage us for training.
6.5 Our Finance department may disclose personal information to:
(a) our external auditors; and
(b) credit reporting bodies.
6.6 Otherwise, we will only disclose personal information to third parties if permitted by the Privacy Act.
7. Will we disclose personal information outside Australia?
7.1 We disclose personal information to an IT consultant located in Canada, under a long-standing relationship.
7.2 From time to time, we may also disclose information to international St John Ambulance organisations.
7.3 Your personal information will not be disclosed to the overseas recipient unless we are satisfied that the receiving party provides commitments to privacy and confidentiality that are at least equal to the Australian Privacy Principles or the recipient is subject to privacy protection laws that offer at least the same level of protection as required under the Privacy Act in Australia.
8. How do we manage your credit information?
What kinds of credit information may we collect?
8.1 In the course of providing our Services, we may collect and hold the following kinds of credit information:
(a) your identification information;
(b) information about any credit that has been provided to you;
(c) your repayment history;
(d) information about your overdue payments;
(e) if terms and conditions of your credit arrangements are varied;
(f) if any court proceedings are initiated against you in relation to your credit activities;
(g) information about any bankruptcy or debt agreements involving you;
(h) any publicly available information about your credit worthiness; and
(i) any information about you where you may have fraudulently or otherwise committed a serious credit infringement.
8.2 In some circumstances, we may collect credit information and personal information from credit reporting bodies (e.g. Dun & Bradstreet). The kinds of information we collect may include any of those kinds of information outlined in sections 3.1 and 8.1 of this policy.
8.3 We may also collect personal information that may affect your credit worthiness from other credit providers that collect that information from credit reporting bodies. The kinds of personal information we collect may include any of those kinds of personal information outlined in section 3.1 of this policy.
How and when do we collect credit information?
8.4 In most cases, we will only collect credit information about you if you disclose it to us and it is relevant in providing our Services.
8.5 Other sources we may collect credit information from include:
(a) government bodies (such as the Australian Taxation Office and the Australian Securities and Investments Commission);
(b) credit reporting bodies;
(c) banks and other credit providers; and
(d) other individuals and entities via referrals.
How do we store and hold the credit information?
8.6 We store and hold credit information in the same manner as outlined in section 5 of this policy.
Why do we collect the credit information?
8.7 Our usual purpose for collecting, holding, using and disclosing credit information about you is to enable us to provide our Services.
8.8 We may also collect the credit information:
(a) to process payments;
(b) to assess eligibility for credit; and
(c) for other purposes incidental to our Services.
Overseas disclosure of the credit information
8.9 Other than disclosures to our IT consultant located in Canada, we will not disclose your credit information to entities without an Australian link unless you expressly request us to.
How can I access my credit information, correct errors or make a complaint?
8.10 You can access and correct your credit information, or complain about a breach of your privacy in the same manner as set out in section 9 of this policy.
9. How do you make complaints and access and correct your personal information or credit information?
9.1 It is important that the information we hold about you is up-to-date. You should contact us if your personal information changes.
Access to information and correcting personal information
9.2 You may request access to the personal information held by us or ask us for your personal information to be corrected by using the contact details in this section.
9.3 We will grant you access to your personal information as soon as possible, subject to the request circumstances.
9.4 In keeping with our commitment to protect the privacy of personal information, we may not disclose personal information to you without proof of identity.
9.5 We may deny access to personal information if:
(a) the request is unreasonable;
(b) providing access would have an unreasonable impact on the privacy of another person;
(c) providing access would pose a serious and imminent threat to the life or health of any person; or
(d) there are other legal grounds to deny the request.
9.6 We may charge a fee for reasonable costs incurred in responding to an access request. The fee (if any) will be disclosed prior to it being levied.
9.7 If the personal information we hold is not accurate, complete and up-to-date, we will take reasonable steps to correct it so that it is accurate, complete and up-to-date, where it is appropriate to do so.
9.8 If you wish to complain about an interference with your privacy, then you must follow this process:
(a) The complaint must be firstly made to us in writing, using the contact details in this section. We will have a reasonable time to respond to the complaint.
(b) In the unlikely event the privacy issue cannot be resolved, you may take your complaint to the Office of the Australian Information Commissioner.
Who to contact
9.9 A person may make a complaint or request to access or correct personal information about them held by us. Such a request must be made in writing to the following address:
St John Ambulance (Queensland)
Level 4/451 St Pauls Terrace
Fortitude Valley Qld 4006
Phone: (07) 3632 9971
Email: [email protected]
10. Changes to the policy
10.2 This policy is effective May 2015. If you have any comments on the policy, please contact the privacy officer with the contact details in section 9 of this policy.