DGI Debt Management Pty Ltd ACN 631 021 184 (DGIDM) is committed to protecting employee and client privacy and confidentiality to the extent permissible by law. To achieve the required outcomes of its operations and services, DGIDM collects information about its clients and their employers (where applicable). Bound by the Australian Privacy Principles, this policy describes how DGIDM takes reasonable measures to protect the privacy of its staff and clients, in line with State and Federal legislation.
This document applies to the reasonable measures the organisation takes regarding collection, handling and disclosure of all information that identifies an individual, including both clients and staff of DGIDM. This policy does not cover internal operations or business practices such as billing, financial auditing or planning.
RELEVANT STANDARDS, GUIDELINES, LEGISLATION & REGULATIONS
- Privacy Act 1988
- Privacy Amendment (Enhancing Privacy Protection) Act 2012
- Office of the Australian Information Commissioner’s (OAIC) Australian Privacy Principles Guidelines
- Financial Authorisation Form
- Order Form
DEFINITIONS
- Data Breaches
When personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.
- Direct Marketing
Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
- Moderation of Assessments
Moderation is the process of bringing assessment judgements and standards into alignment. It is a process that ensures the same standards are applied to all assessment results within the same Unit(s) of Competency. It is an active process in the sense that adjustments to assessor judgements are made to overcome differences in the difficulty of the tool and/or the severity of judgements.
- Office of the Australian Information Commissioner (OAIC)
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio.
- Personal information
Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
- Reasonable measures
DGIDM has put in place reasonable security safeguards and takes reasonable steps to protect the personal information held from loss and from unauthorised access, use, modification or disclosure, or other misuse.
DGIDM collects personal information to properly and efficiently carry out its functions. DGIDM only collects personal information that is required for the purposes of employment or education, the purpose of providing its service to a client, requests for Australian Government fee assistance or to meet government reporting requirements. DGIDM policies and procedures abide by the Australian Privacy Principles and outline reasonable measures taken to protect the privacy of individuals and staff in line with state and federal legislation. A mechanism exists in which individuals and staff can raise a complaint in relation to how their personal information is handled. All relevant client policies and procedures are available on the DGIDM website.
Rights and Choices of individuals
The rights and choices of individuals and staff:
- DGIDM has processes and systems in place that protect personal information and individuals are provided with details to access that information
- Information collected is only used for the purpose it is intended
- Access to view records and/or to correct personal information is available upon request
- Ability to make a complaint, if dissatisfied with how private information has been handled, stored or used
- Disclosure of information – information is not disclosed to a third party without the individual’s consent
- Information on how personal information is stored and destroyed.
Information Collected and how it is used
The type of information collected and held by DGIDM includes personally identifiable information and, where relevant, sensitive information about clients. Consent to collect a client’s information is obtained at the time of application for services.
Information may include:
- Client Name
- Current and previous address details
- Contact information
- Driver Licence or other identification details
- File notes
How Information is collected
Generally, information is provided to DGIDM by the individuals themselves. Individuals provide personal information over the phone, in person, online, via email and by completing various forms, including:
- General enquiry
- Online enquiry (via the DGIDM website)
- Financial Authorisation Form
- Order form
How we hold information
Depending on the circumstances, we may hold an individual’s information in either hard copy or electronic form, or both. Our client database is held in electronic format. For more information, refer to the Storage, Security and Destruction of Personal Information section of this Policy.
How information is used
DGIDM only uses information for its intended purpose. We use personal information:
- to obtain consumer credit information about an individual from a credit reporting body;
- for data reporting;
- for internal purposes such as assessment policies, procedures and processes, risk management, program and assessment validation and moderation and staff training;
- to identify individuals and to address matters with financial institutions, creditors and/or service providers; and
- to administer our customer relationship with individuals.
Information collected or held by DGIDM will only be disclosed to financial institutions, creditors and/or service providers for the purpose of the services provided, or otherwise to third parties after written consent has been obtained from the individual. Such third parties may include the individual’s authorised representative or legal advisors.
DGIDM will make all reasonable efforts to secure and protect confidential information from unlawful disclosure.
DGIDM does not disclose personal information to overseas recipients. For the purposes of this policy, an ‘overseas recipient’ is a person who receives personal information from an APP entity (organisation) and is:
- not in Australia or an external Territory;
- not the APP entity disclosing the personal information; and
- not the individual to whom the personal information relates.
Access and requests for information correction
Individuals may request access to the personal information held and may also make requests to correct personal information if it is not accurate, up-to-date or complete. Individuals may request access to their personal information at any time by calling DGIDM during office hours or sending a written request to DGIDM by email or post (see contact details below). To protect the privacy of our clients and the privacy of others, DGIDM will ask for evidence of identity (refer to procedures) before DGIDM can grant access to information or change it. Once an individual’s identity has been verified, access will be provided in an appropriate manner within 30 days.
In rare circumstances, and only where it is permitted under the Privacy Act 1988 (Cth), we may not be able to provide individuals with access to information; for example, where access would have an unreasonable impact upon the privacy of others, where the information relates to legal proceedings between us and the individual and would not otherwise be available through discovery, where access would be prejudicial to negotiations, where we are required by law to withhold the information, or where access would reveal information relating to our commercially sensitive decision-making processes. If we are unable to provide individuals with access, we will provide an explanation in writing within five working days.
Individuals may make a complaint about how their personal information is handled, without incurring a fee (refer to the contact details below for access to these services). There are three stages in the complaint-handling process:
- The complaint is made directly to DGIDM in the first instance
- The complaint may be taken to a recognised external dispute resolution scheme (if applicable).
- The complaint may be taken to the OAIC.
Individuals can contact DGIDM by phone, by email, in person at our office, or by sending a request or complaint to the address below. DGIDM undertakes to respond to the complainant within 30 days. If the request or complaint takes longer to resolve, DGIDM provides the individual with a date by which they can expect a response.
Contact: Responsible Manager
Phone: 1300 890 471
Protecting Personal Information
To help protect the privacy of data and personal information that DGIDM collects and retains, DGIDM uses physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. All employees undergo privacy training, which emphasises the importance of confidentiality and the maintenance of client/employer privacy and the security of personal information. Access to personal information is restricted to employees who need it to provide benefits or services to clients; see also the ‘How Information is Used’ section of this Policy.
DGIDM practices ethical direct marketing. Where DGIDM is permitted to use or disclose personal information for direct marketing, it must always: allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and comply with that request. DGIDM will, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.
Storage, security and destruction of personal information
For the purposes of this policy, records include:
- Client Outcomes
- Administrative Records
- Client File
To ensure records are maintained in a safe and suitable condition, the following policy applies:
- Records are kept securely to prevent them being accessed by any non-authorised personnel.
- Records are kept confidential to safeguard information and to protect the privacy of clients and DGIDM staff.
- Through hazard identification and monitoring procedures, records are kept in such a manner as to avoid damage by fire, flood, termites or any other pests.
- Client information is backed up and stored electronically and is available to be retrieved by authorised persons at any time.
- Electronic client records are kept for 30 years.
- Hard copy records are kept for a minimum of 3 years.
- Where a complaint/appeal has been registered, the client file is kept for 3 years.
- Records of complaints and appeals are kept in the Complaints and Appeals Register for a period of 5 years.
- Electronic data is backed up and the backups are kept off-site.
Destruction of Records
The Responsible Manager is the only person who can authorise the destruction of records. The Responsible Manager identifies records for destruction from the Archive Box Records. The Responsible Manager provides the approved external storage provider with a work order to destroy identified documents. Records will only be authorised for destruction by the Responsible Manager after the retention period has lapsed. To ensure confidentiality, an external approved provider is employed to destroy records.
DGIDM audits and monitors internal staff on a regular basis to ensure the correct procedures are undertaken for access, handling and destruction of personal information.
Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012. DGIDM takes reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Depending on the circumstances, those reasonable steps may include following the data breach procedure contained within this policy, notifying the individuals who are or may be affected by a data breach, and notifying the OAIC.
Appropriate security safeguards for personal information need to be considered across a range of areas. This includes maintaining physical security, computer and network security, communications security and personnel security. To meet information security obligations, DGIDM undertakes the following activities:
- Risk assessment – Identifies security risks to personal information held by the organisation and the consequences of a breach of security.
- Privacy impact assessments – Evaluates, in a systematic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.
- Policy development – Reviews and updates the policy that implements measures, practices and procedures to reduce the identified risks to information security.
- Staff training – Trains staff and managers in security and fraud awareness, practices and procedures and codes of conduct.
- The responsible person or position – The Responsible Manager is the designated position within the organisation to deal with data breaches. This position has responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.
Policy and Procedure Review
- Records Retention
For information regarding records retention, please refer to the Records Retention Policy and Procedures
- Requests for personal information
Clients may request access to their personal information by calling DGIDM during office hours or sending a written request to DGIDM by email, facsimile or post (see contact details above). To protect the privacy of our clients and the privacy of others, DGIDM will ask for evidence of identity by requesting the following information:
- The client’s first name and last name (surname);
- Address, including post code; and
- Date of birth.
The staff person taking the enquiry will confirm this information is correct by accessing the client database system.
Once an individual’s identity has been verified, access will be provided in an appropriate manner within 30 days.
- Data Breach Response Procedure
Step 1: Contain the breach and do a preliminary assessment
- Immediately contain the breach: stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if doing so would result in loss of evidence, revoke or change computer access privileges or address the weaknesses in physical or electronic security that allowed the breach.
- Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.
- The Responsible Manager is made aware of the breach. The Responsible Manager determines who else needs to be made aware of the breach (internally and potentially externally) at this preliminary stage. Appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made.
- Critical Incident Form is completed.
Step 2: Evaluate the risks associated with the breach
To determine what other steps are immediately necessary, the risks associated with the breach are assessed. The following factors are considered when assessing the risk(s):
- The type of personal information involved.
- The context of the affected information and the breach.
- The cause and extent of the breach.
- The risk of serious harm to the affected individuals.
- The risk of other harms.
Step 3: Notification
The particular circumstances of the breach are considered to determine:
- whether affected individuals should be notified, and how;
- what information should be included in the notification; and
- who else (other than the affected individuals) should be notified.
Notification to the OAIC of a data breach occurs where the circumstances indicate that it is appropriate to do so, and in any case where the breach is an eligible data breach under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth):
- Contact the Responsible Manager
Step 4: Prevent future breaches
- The outcomes of the post-incident review are monitored through the Continuous Improvement Committee.