Spinal Cord Injuries Australia (SCIA) respects the privacy of its members, clients, volunteers, beneficiaries, donors, business partners, app users, and online users and is committed to safeguarding the personal information that is provided to us.

This Privacy Policy applies to all SCIA members, clients, volunteers, beneficiaries, donors, business partners, app users, and online users.

Our obligations under the Privacy Act
This privacy policy sets out how we comply with our obligations under the Privacy Act 1988 (Cth). We are bound by the Australian Privacy Principles (APPs) contained within the Privacy Act which regulate how organisations may collect, use dispose and store personal information, and how individuals may access and correct personal information held about them.

Definitions
Online users refer to anyone that accesses the SCIA website.
App Users refers to any user of the apps associated with the Wheelchair Book & Ride service provided by SCIA. This includes, but is not limited to, customers, drivers and vehicle owners.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not.
Sensitive information is information or opinion (that is also personal information) about an individual’s racial or ethnic origin, religious beliefs or affiliations, membership of a professional or trade association, criminal record or health information that is also personal information.

Overview of SCIA’s Programs and Services
SCIA provides support, information and resources for people with a spinal cord injury at every stage of their life journey. SCIA’s focus is to get people ‘back on track’ following a spinal cord injury – finding solutions to obstacles that may arise and providing information and resources to ensure people with a spinal cord injury remain actively involved in personal, social and vocational activities. SCIA’s services encompass all of life, from hospital to home to workplace, and the organisation strives to develop programs to educate and support the SCI community. In carrying out this mission SCIA engages volunteers and employees and receives donations, funding and support from members of the community, corporations, groups and governments. In addition to the services which we provide from funds donated by the public and corporations, SCIA also holds contracts to deliver State and Commonwealth government programs. In providing such services, we comply with the relevant state or national privacy principles and any additional obligations under the contract.

Confidentiality practices of SCIA
Any personal or sensitive information obtained from an individual will be regarded as confidential and will not be used for any purpose other than that for which it has been given. Employees of SCIA understand their obligations for privacy and confidentiality and have signed a Staff Code of Conduct which states the confidentiality obligations under their employment contract with SCIA.

Who does SCIA collect personal and sensitive information from?
SCIA collects personal and sensitive information from members, clients, volunteers, beneficiaries, donors, business partners, app users, and online users. The nature and extent of personal and sensitive information collected varies depending on the particular interaction with SCIA.

What are the types of information SCIA collects?
SCIA will only collect personal and sensitive information that is directly relevant to a service of SCIA and for the purposes of delivering our services in an efficient and timely manner. This information may include:

• Contact details (such as name, address, email, phone numbers)
• Date of birth, gender, income
• Family background, supports clients may have in the community
• Health information and/or medical history
• Areas of interest
• Information on personal issues and experiences
• Criminal information
• Religious beliefs or affiliations
• Membership of professional or trade associations
• Financial information which may include credit card numbers or bank account details
• Donation history
• If business partner – the type of support (eg workplace giving, goods in kind, program support, volunteering), the contact’s person name, name of the organisation which employs the person and contact details, Australian Business Number (ABN)
• If volunteer or prospective employee – emergency contact person/s details, country of birth, citizenship or residency details, details of current/previous employment, skills and experience, languages spoken and written, qualifications, references, police checks.
• If app users – the apps associated with the Wheelchair Book & Ride service provided by SCIA use location data in the foreground (app open and on-screen) and the background (app open but not on-screen) of user’s mobile devices. This enables the apps to continue providing services to the user, such as tracking bookings and receiving new bookings, without impeding the use of their device. This use of location data can be stopped by logging out of the apps. This location information is not stored, other than location data associated with timestamps – see section “How does SCIA keep personal information secure” for further details.
• If online users – non-personal information eg visitor navigation and statistics, server address, browser type, date and time of visit. This information is collected to analyse website usage and to make improvements to the website. SCIA does not match personal information collected with non-personal information. Additional Information: The website may from time to time contain links to other websites, SCIA stresses that when an online user accesses a website that is not the SCIA website, it may have a different privacy policy. To verify how that website collects and uses information, the user should check that particular website’s policy.

Does SCIA use Government related identifiers?
If an individual has an identification number assigned from a government agency, SCIA will ensure that this identification is not used in the collection of personal information. An example of an identification number could be a Medicare number, Centrelink reference number or Passport number. This will ensure that an identification number will not be used to jeopardise privacy by enabling personal information from different sources to be matched and linked in ways that an individual may not agree with or expect. There are exceptions to this rule, namely if SCIA needs to verify the identity or verify that the individual is who or what they claim to be, for example to verify their name and age and it hasn’t been possible to obtain this information through other disclosures of personal information.

What does SCIA do with unsolicited personal or sensitive information?
If SCIA obtains unsolicited information that has not come from the individual or that is not contained in a Commonwealth record, we will ensure that the individual is aware of the receipt of this information and if the individual decides that they do not wish SCIA to have this information, SCIA will as soon as practicable destroy the information or ensure that the information has been de-identified.

How does SCIA collect personal and sensitive information?

• In application forms
• Online registration
• Through apps
• In-person interviews
• By telephone
• Communications, email flyers
• Where possible, we collect your personal and sensitive information directly from you. If you feel that the information that we are requesting via any of the channels noted above, is not information that you wish to provide, please feel free to raise this with us.
  In some situations we may obtain personal information about you from a third party source. If we collect information about you in this way, we will take reasonable steps to contact you and ensure that you are aware of the purposes for which we are collecting your personal information and the organisations to which we may disclose your information, subject to any exceptions under the Privacy Act. For example, we may collect information about you from a health care professional, such as your doctor or social worker.

  How does SCIA gain your consent?
  The collection of sensitive information requires consent from you. Consent can mean ‘express consent’ or ‘implied consent’. There are four elements of consent to consider including:

• It must be provided voluntarily. The individual must have a genuine opportunity to provide or withhold their consent,
• The individual must be adequately informed of what they are consenting to – that is, the individual will be made aware of the implications of providing or withholding consent, for example whether the individual is able to access a service,
• It must be current and specific. We will seek consent at the time that we collect, use or disclose sensitive information,
• The individual must have the capacity to understand and communicate their consent. That is, the individual must be capable of understanding the issues relating to the decision to consent.
• SCIA will not use sensitive information beyond the consent provided by you, unless your further consent is obtained or is in accordance with one of the exceptions (see following) under the Privacy Act or in compliance with another law. If SCIA uses your health information for research or statistical purposes, it will be de-identified if practicable to do so.

  Exceptions under the Privacy Act to which consent is not required when collecting sensitive information

• The collection is required by or authorised by law
• The collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual
• Unlawful activity or misconduct of a serious nature relating to SCIA’s functions or activities is suspected
• Collection is required to assist any person with locating a missing person
• Collection is necessary to establish, exercise or defend a legal or equitable claim
• The collection is necessary for research relevant to public health or public safety or the compilation of statistics and the particular purpose cannot be served by de-identifying information.
• How does SCIA use and manage personal and sensitive information collected?
  SCIA will only use and manage personal and sensitive information for the purposes for which it has been given to us, or for purposes which are related to one of our functions or activities. Specifically SCIA will use and manage personal and sensitive information to:
• Provide SCIA services
• Provide clients or beneficiaries with the most appropriate services for their needs
• Meet any requirements for government funding for programs
• Monitor and evaluate existing services and plan for future services
• Comply with legal obligations
• Process donations and provide accurate receipts
• Facilitate on-going fundraising and marketing activities
• Provide transparency relating to donated funds
• Facilitate your use of our Wheelchair Book & Ride apps
• Wheelchair Book & Ride Apps
  Personal and sensitive information is managed in the Wheelchair Book & Ride apps as follows:
• Personal information is collected by SCIA for the purpose of booking fulfilment and record keeping. Booking and journey data is used by SCIA, Transport for NSW, and its partner organisations for service analysis and improvement.
• This privacy policy can be accessed directly from the app listing in the App Store and Google Play. It is also linked to from within the app. Driver location data is collected when drivers are online (signed in to a vehicle in the app); Driver location requests are used to locate suitable drivers for booking dispatch; Driver location data is not stored.
• All data collected and used by the apps is transmitted using HTTPS with SSL 1.2. Internal communication resides in a single Virtual Private Cloud (VPC).
• Prior to being able to access the app, all users will be presented with an opt-in notice regarding data collection and use, with a link to this policy, that they are required to actively accept. The application requires access to location permissions “all the time” to ensure that user location is known if the device attempts to put the application into sleep mode due to inactivity.
• SCIA will never sell user personal or sensitive information.
• Does SCIA disclose personal or sensitive information to a third party?
  We may disclose your personal or sensitive information to a third party including:
• Government departments/agencies who provide funding for SCIA services
• Doctors and health care professionals, who assist us to deliver our services
• Other regulatory bodies
• Our professional advisors, including our accountants, auditors and lawyers, and
• Referees and former employers of SCIA employees and volunteers, and candidates for SCIA employee and volunteer positions.
• Overseas recipients
• SCIA will not disclose an individual’s personal or sensitive information to a third party unless one of the following applies:
• The individual has consented
• It is required under the funding agreement SCIA holds with Government departments
• The individual would reasonably expect us to use or give that information for another purpose related to the purpose for which it was collected (or in the case of sensitive information – directly related to the purpose for which it was collected)
• It is otherwise required or authorised by law
• It will prevent or lessen a serious threat to somebody’s life, health or safety or to public health or safety.

Can an individual be anonymous or use a pseudonym?
Users of SCIA’s services do have the option if they wish, to not identify themselves or to use a pseudonym when using a service but clients should be aware that this may have an impact on the ability of SCIA to provide a service to the client.

Will personal information be used for the purpose of direct marketing?
Personal information held by SCIA will not be used for the purpose of direct marketing (undertaken by SCIA through mail or email for example) unless the individual has given consent and would reasonably expect that their personal information may be used for direct marketing. If personal information is used by SCIA for direct marketing, the individual will always be given the option to ‘opt out’ of receiving any correspondence.

How does SCIA keep personal information secure?
SCIA takes reasonable steps to protect the personal and sensitive information we hold against misuse, interference, loss, unauthorised access, modification and disclosure. These steps include password protection for accessing our electronic IT systems, securing paper files in locked cabinets and physical access restrictions. Only authorised personnel are permitted to access these details. When the personal information is no longer required, it will be destroyed in a secure manner, or deleted according to our Records Disposal Policy.

No location information used by the Wheelchair Book & Ride apps is stored in our systems, other than that associated with timestamps, such as locations when bookings are accepted and completed. This information is required to keep an accurate record of all journeys made using the Wheelchair Book & Ride service. All other location information is used in real time to facilitate journeys only.

How does SCIA maintain accurate and quality personal and sensitive information?
SCIA will undertake regular reviews to ensure that the personal information held on an individual is accurate, up to date, complete and relevant at the time it is to be used or disclosed.

How can individuals get access to and make corrections of their personal information?
If an individual requests access to the personal information we hold about them, or requests that we change that personal information, we will allow access or make the changes unless we consider that there is a sound reason under the Privacy Act or other relevant law to withhold the information, or not make the changes. Requests for access and/or correction should be made to the Privacy Officer. For security reasons, you will be required to put your request in writing and provide proof of your identity. This is necessary to ensure that personal information is provided only to the correct individuals and that the privacy of others is not undermined. We will take all reasonable steps to provide the information requested within 14 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take all reasonable steps to provide access to the information requested within 30 days.

If an individual is able to establish that personal information SCIA holds about her/him is not accurate, complete or up to date, SCIA will take reasonable steps to correct our records.

Access will be denied if:

• The request does not relate to the personal information of the person making the request,
• Providing access would pose a serious threat to the life, health or safety of a persona or to public health or public safety,
• Providing access would create an unreasonable impact on the privacy of others
• The request is frivolous and vexatious
• The request relates to existing or anticipated legal proceedings
• Providing access would prejudice negotiations with the individual making the request
• Access would be unlawful
• Denial of access is authorised or required by law
• Access would prejudice law enforcement activities.

If we deny access to information we will set our reasons for denying access. Where there is a dispute about your right of access to information or forms of access, this will be dealt with in accordance with the complaints procedure set out below.

What is the complaint process if a breach of privacy has occurred?
If you have a complaint about SCIA’s privacy practices or our handling of your personal and sensitive information please contact our Privacy Officer. This could include matters such as how your information is collected or stored, how your information is used or disclosed or how access is provided to your personal and sensitive information.

We will aim to achieve an effective resolution of your complaint within a reasonable time frame, usually 30 days or as soon as is practicable.

Once the complaint has been made, we will try to resolve the matter in a number of ways such as:

• Asking for further information,
• Investigating the issues,
• Discussing of options for resolution,
• Reviewing the conduct of our employees,
• The complaint is substantiated: If your complaint is found to be substantiated, you will be informed and appropriate steps will be taken to resolve the complaint, address your concerns and prevent the problem from recurring,
• If the complaint is not substantiated or cannot be resolved to your satisfaction, but this Privacy Policy has been followed, SCIA may decide to refer the issue to an appropriate intermediary. For example, this may mean an appropriately qualified lawyer or an agreed third party, to act as a mediator.
• At the conclusion of the complaint, if you are still not satisfied with the outcome you are free to take your complaint to the Office of the Australian Information Commissioner at www.oaic.gov.au.

Changes to this Privacy Policy
SCIA reserves the right to review, amend and/or update this policy from time to time. We aim to comply with the APPs and other privacy requirements required to be observed under State or Commonwealth Government contracts. If further legislation and/or self-regulatory codes are introduced or our Privacy Policy is updated, we will summarise any substantial modifications in this section of our Privacy Policy.

How to Contact SCIA
Individuals can obtain further information in relation to this privacy policy, or provide any comments, by contacting the Privacy Officer.

Privacy Officer
E: privacy@scia.org.au
T: 1800 819 775
Spinal Cord Injuries Australia
1 Jennifer St, Little Bay NSW 2036
PO Box 397, Matraville NSW 2036