We take all reasonable steps to use and disclose personal information for the primary purpose for which it is collected.
The primary purpose for the collection, use and disclosure of your personal information varies, depending on the particular service being provided. However, it is generally to provide legal advice and other services to women in Queensland.
For a job applicant, the primary purpose for our collection and use of your personal information is to assess your suitability and eligibility for a position with us, and we will not use or disclose this personal information for any other purpose.
For volunteers, the primary purpose for our collection and use of your personal information is to manage our volunteering arrangement with you. Access to personnel information is restricted to the Volunteer Program Manager, CEO and the volunteer’s supervisor.
For persons involved in fundraising or sponsorship activities, the primary purpose for our collection and use of your personal information is to obtain funding. For these purposes, we may share your name and dietary requirements with suppliers involved in these activities (e.g., caterers).
We may also use or disclose your personal information for secondary purposes that you would reasonably expect and that are related to the primary purpose of collection. In a legal matter, for instance, we may disclose personal information to other service providers, such as barristers, experts and solicitors, to enable us to carry out our primary purpose of providing legal services to you. If identifiable information about you will be shared with another agency (for example, for facilitated referrals or partner agencies), we will obtain your consent for this, preferably in writing, or verbally if written consent is not possible. We will record the date of the verbal consent or obtain your signature on our ‘Consent to Share Information’ Form.
We will only disclose personal information to third parties with your consent, if compelled under limited circumstances (such as a Court Order or by law) to disclose such information or if the disclosure is permitted by the Privacy Act.
Disclosure to Community Legal Centres Australia
If you are a client, we share your information with Community Legal Centres Australia through their community legal services system for reporting, funding and law reform purposes. The community legal services system is designed for community legal centres in Australia as a case management and funder reporting database.
The storage of this information must be in compliance with the Australian Privacy Principles and your information is entirely private and not accessible to other community legal centres. However, there is general information that will be accessible in reports to funding bodies, state managers and community legal centres in Australia, but those reports contain no personal information.
Disclosure to overseas recipients
We are unlikely to disclose personal information about you to overseas recipients. We will only disclose your personal information to overseas recipients in accordance with Australian Privacy Principle 8, such as in circumstances where you consent to the disclosure of the information to an overseas recipient or if the disclosure is required by Australian law.
Disclosure to service providers
We use a number of service providers to whom we may disclose personal information. These include providers that host our website servers and our domain, and that manage our IT.
Quality of your personal information
To ensure that the personal information we collect is accurate, up to date and complete, we:
- record information in a consistent format;
- where necessary, confirm the accuracy of information we collect from a third party or a public source; and
- promptly add updated or new personal information to existing records.
We also review the quality of personal information before we use or disclose it.
Storage and security of your personal information
We hold personal and sensitive information:
- In hard copy:
  - In the compactus or relevant solicitor or social worker’s filing cabinet, which is kept locked;
  - At external archiving facilities following all legislative requirements for storage and confidentiality of legal documents.
- Electronically, through:
  - Internal servers and websites and a private cloud;
  - On electronic storage devices, including USB;
  - Email systems on Microsoft Outlook; and
  - Through a third party document storage service called Microsoft SharePoint.
Staff solicitors, staff social workers, paralegals, administration officers, administration volunteers and volunteer support workers are authorised to access the compactus and filing cabinets for the purposes of filing or retrieving legal or social work client files.
Volunteer solicitors do not have access to the compactus or filing cabinet and have limited access to matters on Microsoft SharePoint to ensure that your personal information is only accessed by volunteers or employees who require access to assist you with your matter.
We have security measures in place to protect against the loss, misuse and alteration of personal and sensitive information under our control. Some of these security measures include:
- All hardcopy personal and sensitive information is kept securely;
- All personal and sensitive information kept electronically is held on secure servers with substantial security measures in place;
- We regularly assess the risk of misuse, interference, loss and unauthorised access, modification or disclosure of personal information;
- Staff are provided with regular privacy and data breach training and every new staff member is required to undergo an induction program that includes information on these topics;
- We have a data breach response plan setting out the process to follow in the event of an actual or suspected data breach;
- We have designated client meeting areas to ensure personal information privacy and security;
- We use tools such as Microsoft Defender for Office 365, and regularly monitor our systems (for example, through anti-virus alerts);
- We adopt Australian Cyber Security Centre best standards regarding passwords, including requiring users to periodically reset passwords, implementing a lockout for multiple failed login attempts, and discouraging users from reusing the same password across critical services or sharing passwords;
- We keep operating systems, browsers and plugins up-to-date with patches and fixes;
- We make sure that the latest versions of software are in use and that processes are in place to ensure that patches and security updates to applications are installed as they become available;
- We employ multi-factor authentication for remote access to WLSQ’s systems and multi-factor security on email accounts, and use Sophos anti-virus and firewall software; and
- We keep audit logs in case of a data breach, including tracking on files.
However, we cannot guarantee that personal and sensitive information cannot be accessed by an unauthorised person or that unauthorised disclosures will not occur.
Data breaches and loss of data
A data breach happens when personal or sensitive information is accessed, used, modified or disclosed without authorisation or is lost. We have developed a data breach response plan to mitigate potential harm to any persons affected by a data breach. Our data breach response plan can be accessed by clicking here.
In summary, our data breach response plan:
- outlines the responsibilities of staff members when there is a data breach or suspected data breach and directs them as to the steps that they should take;
- appoints a data breach response team;
- sets out a strategy for containing, assessing and managing data breaches;
- specifies the process for notifying any affected persons and the Privacy Commissioner about an eligible data breach; and
- outlines the review process to help prevent data breaches in the future.
If it becomes apparent to us that your personal or sensitive information is involved in an eligible data breach, you will be notified in accordance with the provisions of the Notifiable Data Breach Scheme of the Privacy Act.
Please contact us if you suspect or would like more information about a possible data breach or to request a copy of our data breach response plan.
Accessing and correcting your personal information
Under Australian Privacy Principles 12 and 13 of the Privacy Act, you have the right to request access to the personal information that we hold about you or ask for your personal information to be corrected.
You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to. If we make a correction and we have disclosed the incorrect information to others, you can ask us to tell them about the correction. We must do so unless there is a valid reason not to.
We will ask you to verify your identity before we give you access to your information or correct it. We are entitled to deny access to, or refuse correction of, your personal information in certain circumstances. Some examples of when we will deny access are if your request is impractical or unreasonable, or providing access would have an unreasonable impact on the privacy of another person. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.
If we refuse to correct your personal information, you can ask us to associate with that particular personal information (for example, attach or link) a statement that you believe the information is incorrect and why.
If you need to access or correct any personal information we hold about you or your organisation, please contact us using the contact details below.
How to make a complaint
If you wish to complain about an alleged privacy breach, you should follow this process:
- A complaint must be made to us in writing about how we have handled your personal information, using the contact details outlined below. We will respond to your complaint within 30 days.
- If you are not satisfied with our response to your complaint, you may take your complaint to the Office of the Australian Information Commissioner who can be contacted at the following details:
If you would like to make a complaint or request to access or correct personal information that we hold about you, you may make the request in writing. Our contact details are as follows:
- Phone number: (07) 3392 0644
- Email: [email protected]
- Fax: (07) 3392 0658
- Postal address: PO Box 119, Annerley QLD 4103