INTRODUCTION
The Board of GROW is committed to protecting the privacy of personal information which the organisation collects, holds and manages. Personal information is information which directly or indirectly identifies a person.

PURPOSE
The intention of the Privacy Policy is to create trust between GROW and the community that it serves. The purpose of this document is to provide a framework for GROW in dealing with privacy considerations.

POLICY
GROW collects and administers a range of personal information for the purposes of human resources management, client care and stakeholder engagement. The organisation is committed to protecting the privacy of personal information it collects, holds and administers. GROW recognises the essential right of individuals to have their information administered in ways which they would reasonably expect – protected on one hand, and made accessible to them on the other. These privacy values are reflected in and supported by our core values and philosophies and also reflected in our Privacy Policy, which is compliant with the Privacy Act 1988 (Cth). GROW is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles as minimum standards in relation to handling personal information.

GROW will
• Collect only information which the organisation requires for its primary function;
• Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered;
• Use and disclose personal information only for our primary functions or a directly related purpose, or for another purpose with the person’s consent;
• Store personal information securely, protecting it from unauthorised access; and
• Provide stakeholders with access to their own information, and the right to seek its correction.

RESPONSIBILITIES
GROW’s Board is responsible for developing, adopting and reviewing this policy. GROW’s CEO has overall accountability for privacy within all GROW branches, and the Privacy Officer is responsible for handling internal and external privacy enquiries, complaints, and access and correction requests.

PROCESSES
Collection
GROW will:
• Only collect information that is necessary for the performance and primary function of GROW.
• Notify stakeholders about why we collect the information and how it is administered.
• Notify stakeholders that this information is accessible to them.
• Collect personal information from the person themselves wherever possible.
• Collect sensitive information only with the person’s consent. (Sensitive information includes health information and information about religious beliefs, race, gender and others.) If the person has any kind of mental disability that affects their capacity to consent, GROW will collect consent from a representative of the person instead.
• Determine, where unsolicited information is received, whether GROW could have collected the personal information in the usual way; if it could have, the information will be treated normally. (If it could not have been, it must be destroyed.)

Use and Disclosure
GROW will:
• Only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose.
• For other uses, GROW will obtain consent from the affected person.
• In relation to a secondary purpose, use or disclose the personal information only where:
 – a secondary purpose is related to the primary purpose and the individual would reasonably have expected us to use it for that purpose; or
 – the person has consented; or
 – certain other legal reasons exist, or disclosure is required to prevent serious and imminent threat to life, health or safety.
• In relation to personal information which has been collected from a person, use the personal information for direct marketing, where that person would reasonably expect it to be used for this purpose and GROW has provided an opt-out and the opt-out has not been taken up.
• In relation to personal information which has been collected other than from the person themselves, GROW will use the personal information collected for direct marketing and provide an easy and accessible opt-out option.
• Provide all individuals access to personal information except where it is a threat to life or health or it is authorized by law to refuse and, if a person is able to establish that the personal information is not accurate, up to date or complete, then GROW must take steps to correct it. GROW may allow a person to attach a statement to their information if GROW disagrees that it is inaccurate.
• Where for a legal or other reason we are not required to provide a person with access to the information, consider whether a mutually agreed intermediary would allow sufficient access to meet the needs of both parties.
• Not charge a person for making a request to access personal information or to correct personal information, nor for giving access to the requested personal information, nor for correcting or associating a statement.

Storage
• GROW will implement and maintain steps to ensure that personal information is protected from misuse and loss, unauthorized access, interference, unauthorized modification or disclosure.
• Before GROW discloses any personal information to an overseas recipient including a provider of IT services such as servers or cloud services, ensure that they are privacy compliant.
• Ensure that GROW data is up to date, accurate and complete.

Destruction and de-identification
• Destroy personal information once it is not required to be kept for the purpose for which it was collected, including from decommissioned laptops and mobile phones.
• De-identify personal information to preserve the privacy of the person, if so required by the person whose information GROW holds. The de-identification process includes the removal of personal identifiers, such as a person’s name, address, date of birth or other identifying information, and the removal or alteration of other information that may allow the person to be identified, for example, because of a rare characteristic of the person, or a combination of unique or remarkable characteristics that enable their identification. GROW will not use any government related identifiers unless they are reasonably necessary for our functions.

Data Quality
GROW will:
• Take reasonable steps to ensure the information GROW collects and holds is accurate, complete, up to date, and relevant to the functions we perform.

Data Security and Retention
GROW will:
• Only destroy records in accordance with the organisation’s Information Management Policy.

Openness
GROW will:
• Ensure stakeholders are aware of GROW’s Privacy Policy and its purposes.
• Make this information freely available in relevant publications and on the organisation’s website.

Access and Correction
GROW will:
• Ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date.

Anonymity
• Allow people from whom the personal information is being collected to not identify themselves or use a pseudonym unless it is impracticable to deal with them on this basis.

Making information available to other organisations
GROW can:
• Release information to third parties where it is requested by the person concerned.

PRIVACY POLICY
Your privacy is important
This statement outlines GROW’s policy on how GROW uses and manages personal information provided to or collected by it. GROW is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act being, therefore, compliant with the Privacy Amendment (Enhancing Privacy Protection) Act 2012. GROW may, from time to time, review and update this Privacy Policy to take account of new laws and technology, changes to GROW’s operations and practices and to make sure it remains appropriate to the changing legal environment.

What kind of personal information does GROW collect and how does GROW collect it?
The type of information GROW collects and holds includes personal information, including sensitive information, about:
• Name
• Address
• Email address
• Medication
• Medical and/or mental health history (for those in Residential Programs)

Personal Information you provide:
GROW will generally collect personal information held about an individual by way of phone calls, forms, meetings and surveys. You do have the right to seek to deal with us anonymously or using a pseudonym, but in some (not all) circumstances it will not be practicable for us to deal with you or provide any services to you, except for the most general responses to general enquiries, unless you identify yourself.

Personal Information provided by other people:
In some circumstances, GROW may be provided with personal information about an individual from a third party, for example, a case manager or government employee.

In relation to employee records:
Under the Privacy Act, the Australian Privacy Principles do not apply to an employee record. As a result, this Privacy Policy does not apply to GROW’s treatment of an employee record, where the treatment is directly related to a current or former employment relationship between the GROW and employee. However, the GROW must provide access and ensure compliance with the Health Privacy Principles under the Victorian Health Records Act 2001.

How will the GROW use the personal information you provide?
GROW will use personal information it collects from you for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected, or to which you have consented. In relation to direct marketing, GROW will use your personal information for direct marketing where you have provided that information, and you are likely to expect direct marketing: only then you will be sent direct marketing containing an opt-out. If we use your personal information obtained from elsewhere we will still send you direct marketing information where you have consented and which will also contain an opt-out. We will always obtain your consent to use sensitive information as the basis for any of our direct marketing.

We may use video surveillance for security purposes and the footage will be used only by GROW and by the providers of our security services for security purposes. Surveillance videos are not used by GROW for other purposes and the footage is not publicly available. Surveillance cameras are not located in any bathrooms or change room facilities.

Job applicants, staff members and contractors:
In relation to personal information of job applicants, staff members and contractors, GROW’s primary purpose of collection is to assess and (if successful) to engage the applicant, staff member or contractor, as the case may be. The purposes for which GROW uses personal information of job applicants, staff members and contractors include:
• for insurance purposes;
• for payroll purposes;
• for tax purposes;
• to satisfy GROW’s legal obligations.

Where GROW receives unsolicited job applications these will usually be dealt with in accordance with the unsolicited personal information requirements of the Privacy Act.

Volunteers:
GROW also obtains personal information about volunteers who assist the GROW in its functions or conduct associated activities, such as to enable the GROW and the volunteers to work together.

Marketing and fundraising:
GROW treats marketing and seeking donations for the future growth and development of the GROW as important. Personal information held by the GROW may be disclosed to an organisation that assists in GROW’s fundraising and the GROW reasonably expects that any third party organisations we rely on attend to applicable privacy regulatory requirements.

To whom might GROW disclose personal information?
GROW may disclose personal information, including sensitive information, held about an individual to:
• government departments;
• people providing clinical or professional health services to the GROW; and
• anyone you authorise the GROW to disclose information to.

Where GROW is providing a health service to an individual and discloses health information about the individual, GROW will do so if necessary and to the extent necessary for the provision of the services.

Sending information overseas:
The GROW will not send personal information about an individual outside Australia without:
• obtaining the consent of the individual (in some cases this consent will be implied), or
• otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

How does the GROW treat sensitive information?
In referring to ‘sensitive information’, GROW means:
“information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences or criminal record, that is also personal information; and health information about an individual”. Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.

Management and security of personal information

GROW’s staff are required to respect the confidentiality of personal information and the privacy of individuals.

GROW has in place steps to protect the personal information GROW holds from misuse, loss, unauthorised access, modification, interference or disclosure by use of various methods including locked storage of paper records and passworded access rights to computerised records.

When you use our website, having your cookies enabled will allow us to maintain the continuity of your browsing session and remember your details when you return. We may also use flash local stored objects and JavaScript. If you adjust your browser settings to block, reject or delete these functions, the webpage may not function in an optimal manner. We may also collect information about your IP address, although this may not identify you.

Updating personal information
GROW endeavours to ensure that the personal information it holds is accurate, complete and up-to-date. A person may seek to update their personal information held by the GROW by contacting the Privacy Officer at any time.

The Australian Privacy Principles and the Health Privacy Principles require the GROW not to store personal information longer than necessary. In particular, the Health Privacy Principles impose certain obligations about the length of time health records must be stored. Under the Commonwealth Privacy Act and the Health Records Act, an individual has the right to obtain access to any personal information which the GROW holds about them and to advise the GROW of any perceived inaccuracy. There are some exceptions to this right set out in the applicable legislation. To make a request to access any information the GROW holds about you, please contact the Privacy Officer in writing.

GROW may require you to verify your identity and specify what information you require. Although no fee will be charged for accessing your personal information or making a correction, the GROW may charge a fee to retrieve and copy any material. If the information sought is extensive, the GROW will advise the likely cost in advance.

How long will the GROW keep my information?
Under our destruction and de-identification policies, your personal information that is no longer required will be de-identified or destroyed.

Enquiries and privacy complaints
If you have any privacy enquiries or would like to make a complaint about the way we have managed your personal information, or if you think there has been a breach of privacy, please contact the Company Secretary. We will endeavour to reply to your requests within 30 days.

Accessing and correcting information GROW holds about you
If you would like to have access to the information we hold about you, or would like to request correction of any information we hold about you, please contact the Privacy Officer. We will follow our internal Privacy & Confidentiality Policy and Procedure when dealing with your case and will endeavour to reply to your requests within 30 days.

Privacy Officer contact details
Email: company.secretary@grow.org.au
Postal address: PO Box 178, Holland Park West, Queensland, 4121
Please specify that your contact refers to a privacy matter if contacting the Privacy Officer by letter.