1.1 EDFA respects everyone’s right to privacy and is committed to safeguarding the privacy
of our community and those who seek to engage in the provision or receipt of our services
and those who visit our website.
2.1 EDFA has opted in to be bound by the provisions of the Privacy Act 1988, including the
Australian Privacy Principles. The APPs set out standards, rights and obligations for how we
handle and maintain Personal information. This includes how we collect, store, use, disclose,
quality assure, and secure Personal information, as well as your rights to access or correct
your Personal information. The specific legal obligations that apply to us when collecting and
handling your Personal information are outlined in the Privacy Act 1988 and in particular in
the APPs found in that Act.
2.2 This policy outlines:
● EDFA’s obligations.
● What constitutes personal information.
● How EDFA can collect, store, use or disclose personal information in the course of
● Steps in response to a notifiable breach.
3. Relationship to other EDFA policies and documents
3.1 This Policy needs to be read in conjunction with other EDFA policies, procedures, and
documents that define and support EDFA’s commitment to a diverse and inclusive workplace
and the expected behaviour and conduct of our people.
3.2 These include:
● EDFA Code of Conduct
4.1 The EDFA Board is responsible for:
● ensuring all staff, contractors, and volunteers are aware of relevant laws, EDFA
organisational policies and procedures, and EDFA’s Code of Conduct;
● ensuring all adults and guardians within the EDFA community have provided
informed consent to their involvement in services and to how their personal
information may be used/stored.
4.2 The Executive Director/National Support Program Manager is responsible for:
● promoting the proper practices that maintain privacy and confidentiality throughout
● facilitating the reporting of any behaviour that contravenes the organisation’s
privacy and consent policy.
4.3 All other staff/volunteers/contractors share in the responsibility for the proper
implementation of privacy and consent principles:
● familiarise themselves with the relevant laws, the Code of Conduct, and EDFA’s
policies and procedures in relation to consent and privacy.
5.1 Privacy is the protection of an individual’s personal and/or sensitive information.
5.2 Confidentiality is a guideline or procedure that limits access or places restrictions on
personal and/or sensitive information.
5.3 Personal Information – means information or an opinion whether true or untrue, and
whether recorded in material form or not, about an individual whose identity is apparent, or
can reasonably be ascertained from the information or opinion.
5.1.4 Health Information – information or opinion about:
● The health or disability of an individual
● An individual’s expressed wishes about the future provision of health services to
him or her
● A health service provided or to be provided to an individual
5.1.5 Sensitive Information – means information or an opinion about an individual’s:
● Racial or ethnic origin
● Political opinions
● Religious beliefs or affiliations
● Philosophical beliefs
● Membership of trade or professional associations
● Sexual practices or preferences
● Criminal record
● Health information
6. Implementing the Australian Privacy Principles
6.1 Collection of information
EDFA only collects Personal information where that information is reasonably necessary for,
or directly related to, one or more of our functions or activities or when Personal
information is volunteered by you and given to us.
EDFA tries to only collect information necessary to provide individuals and the community
with our services. You are not obliged to give us your Personal information. The main way
we collect Personal information about you is when you give it to us. However, if you choose
not to provide us with your Personal information, we may not be able to provide you with
our services or fulfil one or more other purposes for which your Personal information is
EDFA will only collect sensitive information (such as health information) if you consent to
us doing so and it is reasonably necessary for, or directly related to, one or more of our
functions or activities. We will not collect any Personal information if we do not need it.
6.2 Use and disclosure
EDFA only uses or discloses Personal information for the purpose for which it was collected
and where we are permitted to do so by law. We will not give your Personal information to
anyone else unless you consent in ways which have been made explicit or if one of the
following exceptions applies:
● You would reasonably expect us to use the information for that purpose.
● It is legally required or authorised, such as by an Australian law, or court or tribunal order.
● We reasonably believe that it is necessary to lessen or prevent a serious threat to the life,
health or safety of any individual, or to public health or safety.
● It is reasonably necessary for the establishment, exercise or defence of a legal or equitable
● It is reasonably necessary for the purposes of a confidential dispute resolution process.
EDFA represents views and opinions of persons with lived/living experience. When it does
so, it is done with the express consent of that person to be named as someone with a
lived experience of mental illness. You have the right to have your view represented by EDFA
6.3 Data quality
EDFA will take all reasonable steps to ensure that the Personal information we collect, use or
disclose is as accurate and as current as possible.
6.4 Data security
EDFA will take all reasonable steps to ensure that all Personal information is kept safe and
secure. EDFA takes reasonable steps to protect Personal information from misuse, loss,
unauthorised or unnecessary access, alteration or disclosure. EDFA stores all Personal
information securely and restricts access to those employees who need access in order to
perform their duties or to assist individuals. In general, Personal information is stored
electronically in record-keeping systems, on hard drives or in emails. When Personal
information is no longer required, we delete or destroy it in a secure manner, unless we are
required to maintain it because of a law, or court or tribunal order.
Disorders Families Australia (edfa.org.au). EDFA has a Complaints policy for anyone who
believes their information is not being handled properly or in accordance with this policy. A
copy of EDFA’s complaints procedure may also be obtained on our website.
6.6 Access and correction
You also have a right to access Personal information we hold about you and have rights
under the Privacy Act to request corrections to any Personal information that we hold about
you if you think the information is inaccurate, out-of-date, incomplete, irrelevant, or
We will ask you to verify your identity before we give you access to your information or
correct it, and we will try to make the process as simple as possible. If we refuse to give you
access to, or correct, your Personal information, we must notify you in writing setting out
the reasons and advise of the mechanisms available to you to dispute the decision.
To access Personal information, a written request should be sent to email@example.com. We
can decline access to, or correction of, Personal information under circumstances set out in
the Privacy Act.
7.1 Confidentiality is the assurance that all written, verbal and electronic information is
protected from access and use by any unauthorised person. With respect to confidentiality,
Directors, members, employees, lived experience representatives, volunteers, students and
contractors must note that disclosure or misuse of confidential information held by EDFA
may constitute a criminal act, and could also be subject to civil action by an individual or
group. EDFA Directors, employees, volunteers, contractors, and students are required to sign
a Privacy and Confidentiality Agreement on commencement of service, agreeing to maintain
the confidentiality of individuals, employees, volunteers and business operation issues of the
organisation. A copy of the agreement will be kept in the personnel file.
7.2 Data breach notification
EDFA is required to take all reasonable steps to ensure an assessment of an eligible data
breach is completed within 30 days. If an eligible data breach is confirmed, as soon as
practicable we must provide a statement to each of the individuals whose data was
breached or who are at risk, including details of the breach and recommendations of the
steps individuals should take. A copy of the statement must also be provided to the Office of
the Australian Information Commissioner.
Some examples of data breach include:
• Lost or stolen laptops, portable storage devices, or physical files containing Personal
information. Paper records inadequately recycled or left in garbage bins.
• Mistakenly providing Personal information to the wrong person, for example by sending
details out to the wrong address.
• Employees accessing Personal information outside the requirements or authorisation of
• Computer hard drives and other digital storage media (integrated in other devices, for
example, multifunction printers, or otherwise) being disposed of or returned to equipment
lessors without erasing contents.
• Databases containing Personal information being hacked into or otherwise illegally
accessed by individuals outside of EDFA.
• An individual deceiving an agency or organisation into improperly releasing the Personal
information of another person.
In the event of a notifiable data breach, EDFA is guided by legislation and the Office of the
Australian Information Commissioner’s information on its website at:
All reports of privacy breaches will be treated seriously and promptly with sensitivity and
complete confidentiality. If you wish to make a complaint, you should provide sufficient
detail so the issues and concerns can be investigated. If you are not satisfied with the
outcome of an investigation, a complaint can be submitted to the Office of the Australian
Information Commissioner (OAIC). Further details about making a privacy complaint to the
OAIC can be found at www.oaic.gov.au/privacy/making-a-privacy-complaint.
This Policy may change from time to time and is available on our website.