Your privacy is important
Purpose
CVGT Employment (CVGT) is committed to protecting an individual’s right to privacy and considers the responsible management of personal information a key aspect of good governance. The purpose of the policy is to provide guidance and advice on the way in which CVGT collects, holds, uses and discloses personal information of individuals. The policy also details how individuals can request access to their information and outlines the privacy complaint process.
Scope
This policy applies to all personal information about an individual that is collected, stored, used or disclosed by CVGT.
All employees, Board Directors, Independent Sub Committee members, contractors and volunteers engaged by CVGT are required to adhere to this policy.
Definitions
| Sensitive Information | Defined in the Privacy Act 1988 (Cth) as: (a) information or an opinion about an individual’s: (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; or (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual orientation or practices; or (ix) criminal record; that is also personal information; or (b) health information about an individual; or (c) genetic information about an individual that is not otherwise health information; or (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or (e) biometric templates. |
| Health Information | Defined in the Privacy Act 1988 (Cth) as information or an opinion about: (i) the health, including an illness, disability or injury, (at any time) of an individual; or (ii) an individual’s expressed wishes about the future provision of health services to the individual; or (iii) a health service provided, or to be provided, to an individual; that is also personal information. |
| Australian Privacy Principles | A set of 13 principles set out in Schedule 1 of the Privacy Act 1988 (Cth) that regulate how personal information is handled. |
| Individual | Defined in the Privacy Act 1988 (Cth) as a natural person. |
Policy
To ensure the privacy of individuals is protected, CVGT will adhere to the Australian Privacy Principles contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act). CVGT’s obligations to protect personal information also include compliance with the Crimes Act 1914 (Cth).
The requirements of the Archives Act 1983 (Cth) relating to Commonwealth Records (including the disposal, alteration and destruction of such records) apply to CVGT’s records, including personal information.
Remaining anonymous
You may use a pseudonym or remain anonymous when interacting with us in most instances. However, you may have to provide certain personal information for us to be able to provide you with services or assess your eligibility for a program or service.
We will inform you if you are not able to remain anonymous or use a pseudonym when dealing with us.
Why we collect personal information
CVGT will not ask you for any personal information we do not need. The Privacy Act requires that we only collect information for purposes that are reasonably necessary for, or directly related to, the program or services of CVGT.
We may also collect sensitive information about you when you consent, when the collection is authorised or required by law, or the collection is otherwise allowed under the Privacy Act.
We collect, hold, use and disclose personal information for a range of purposes related to our functions and activities, including to:
- Contact you to provide information about, and to deliver, our services to you and/or the person or organisation that referred you to us, such as your employer,
- Manage our business,
- Access and obtain medical records and history from treating healthcare providers,
- Engage healthcare providers to assist in the provision of our services and assess medical conditions and/or diagnoses,
- Provide seminars, conventions and educational training and work trial placement services,
- Collate data for research and statistical purposes,
- Meet compliance requirements under the terms of deeds and contracts CVGT enters and/or administers on behalf of statutory and legislative bodies and government departments,
- Review, evaluate, develop and improve our services,
- Meet our statutory and regulatory obligations,
- Recruit personnel; and
- For other purposes required or authorised by or under law, including purposes for which you have provided your express or implied consent.
How we collect personal information
The types of personal information we collect will depend on the activities and functions we are undertaking. We may collect personal information about individuals through surveys, email and phone communications, correspondence and submissions, forms and notices (including online portals), and via our websites. This includes:
- from the individual directly, or through their authorised representative,
- via a third party if permitted by law.
When we collect personal information, we will notify you using a privacy collection notice, if it is reasonable to do so. The notice will include reasons why we are collecting the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information. You may be asked to sign a consent form to confirm your understanding of the collection of your personal information and provide consent. Once completed, the consent form will be stored in one of our electronic databases linked to your secure electronic file.
We will also inform you how you can request access to, or correction of, your personal information, and who to contact if you have a privacy enquiry or wish to make a complaint. There may be some situations where we are not able to notify you using a privacy collection notice. See Appendix A – Collection Notices.
How we safeguard personal information
CVGT takes seriously its obligations to protect the personal information it holds. We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include:
- classifying and storing records securely per Australian government security guidelines
- limiting internal access to information to a ‘need to know’ basis and only to trained authorised personnel
- providing access to and monitoring systems with controls and authenticated credentials
- ensuring our buildings are secure
- regularly updating and auditing our storage and data security systems.
CVGT’s IT environment has been established to meet the international standards for Information Security (ISO/IEC 27001) and designed to meet the Australian Signals Directorate (ASD) Essential Eight mitigation strategies and Australian Government Information Security Manual requirements. All CVGT servers are located in secure data centres hosted inside Australia or in secured on-premises server rooms, with encryption at rest for all sensitive data. We may also use third party providers to deliver or otherwise communicate content. These third parties may collect and store your personal information outside of Australia. These third parties have their own privacy policies; CVGT’s Privacy Policy has no application to these third parties.
We will appropriately destroy, erase or de-identify any personal information that is no longer required for any purpose described in this policy or under any applicable laws and do not keep personal information longer than necessary. This requirement applies except where:
- the personal information is part of a Commonwealth Record, or
- it is required by law or a court/tribunal order to retain the personal information.
Personal information contained in a Commonwealth Record is managed in accordance with the Archives Act 1983 (Cth).
If personal information that we hold is lost, or subject to unauthorised access or disclosure, we will respond in line with the Office of the Australian Information Commissioner’s Data breach preparation and response: a guide to managing data breaches in accordance with the Privacy Act, and CVGT’s Data Breach Response Procedure. We aim to provide timely advice to affected individuals if a data breach is likely to result in “serious harm”. CVGT’s Privacy Officer undertakes an assessment in line with the Notifiable Data Breaches scheme and the Data Breach Response Procedure to determine if the breach is likely to result in “serious harm” to one or more individuals.
The types of information we hold
In performing our functions, CVGT may collect and hold the following kinds of personal information:
- identity and contact details for individuals (e.g. name, phone, email and postal address),
- information relating to individuals’ personal circumstances and health (e.g. age, gender, and family circumstances including spouses, carers and dependents),
- information relating to individuals’ financial affairs (e.g. payment details, bank account details),
- other information relating to identity (e.g. date of birth, signatures, citizenship and visa status),
- information about employment (e.g. employment status and work history, education status, referee comments, salary), and
- government identifiers (e.g. tax file number or customer reference number).
We may also collect and hold the following kinds of sensitive information:
- racial and ethnic origin,
- sexual orientation,
- biometrics (such as photographs, video recordings (CCTV) and audio recordings of individuals, passport details, driver’s licences),
- religious, cultural and linguistic background,
- health (including information about your medical history and any disabilities or injuries),
- information about political or union memberships and associations, and
- information about criminal activities individuals may have been involved in.
Biometrics are at times captured on CVGT premises and when communicating with us. The biometric information may be used for law enforcement purposes. Where practicable, individual signed consent will be obtained; in other circumstances CVGT will use other methods to inform you, such as signage and recorded announcements.
We may also collect information about how you use our online services and applications. For example, we use social networking services such as Facebook, “X” (Twitter) and LinkedIn to talk with the public and our staff. These services have their own privacy policies. You can access the privacy policies for these services on their websites. When you talk with us using these services, we may collect your personal information to communicate with you and the public. These social networking services will also handle your personal information for their own purposes.
How we use and disclose information
CVGT uses and discloses collected personal information for the primary purpose of collection. We will take reasonable steps to give you information about the reason for collection at the time of collection, or as soon as practicable thereafter.
We may also use and disclose personal information for other purposes if the individual provides consent for a use or disclosure or when use or disclosure is required or authorised by or under an Australian law or court/tribunal order.
CVGT may disclose your personal information to:
- the organisation who referred you to our services (such as your employer),
- medical practitioners and / or allied health professionals engaged by us to provide services,
- your treating healthcare providers,
- persons or organisations assisting CVGT in carrying out our functions,
- parties involved in a prospective or actual transfer of our assets or business, and
- other organisations engaged or contracted by CVGT to assist us to carry out our functions and / or provide services. Such organisations may include:
  - recruitment agencies,
  - previous employers,
  - credit agencies,
  - state or federal police,
  - state or federal government agencies or departments, or
  - conformity assessment bodies.
We may also disclose sensitive information regarding memberships of trade and professional associations and general information to government agencies, lawyers and other third parties who deal with CVGT as part of its delivery of services.
CVGT may disclose personal information to overseas recipients when that disclosure is consistent with the purposes of collection.
Releasing protected information to a third party (including the police) using a Public Interest Certificate
The Social Security (Administration) Act 1999 (Cth) (SS(Admin) Act) prohibits any person from misusing information about a person that is or was held in a Commonwealth Record for social security purposes.
Protected information is defined in the Social Security Act 1991 (Cth) as “information about a person that was obtained by an officer under the social security law; and is held or was held in the records of the Department or the Human Services Department”.
In limited circumstances, the Secretary can determine that protected information can be disclosed if it is in the public interest. The disclosure of that protected information is released by a Public Interest Certificate (PIC).
A PIC identifies the personal information that can be released about an individual; who it can be released to; who can release the information; and allows the information to be released if it is necessary in the public interest to do so. (Refer to the Release of Information Procedure.)
Using CVGT’s Website
When using CVGT’s website, we may collect the personal information that you have provided. We use network tools to identify your web browser; this may include the use of cookies and other technologies. Cookies are used to assist in enhancing your browsing experience. Cookies do not reveal your email address; however, we may record this if you transmit it to us electronically in an email message or through a web e-form. CVGT’s website may contain links to other websites; this privacy policy has no application to any other website.
Accessing your personal information
You may access the personal information we hold about you by making a request in writing addressed to our Privacy Officer at [email protected] detailing:
- your name and contact details,
- the personal information you want to access,
- the time period for which the request relates,
- how you’d like access to the personal information (such as receiving a copy by email or post, or if you just want to look at the information), and
- if you authorise a person or organisation to access the personal information on your behalf.
We must be satisfied the request came from you or a person you authorised and will require a minimum of 4 unique points of identification, including:
- Full Name
- Date of Birth
- Address
- Phone / Email
We may also ask for additional information to confirm your identity.
The Privacy Officer will confirm further details regarding the procedure and timeframes following a request for information. We will typically respond to requests within 30 days, however there may be delays associated with the nature of the information requested.
Requesting your personal information is free.
Where permitted, CVGT may charge a reasonable administration fee for providing you access.
The charge may include the cost of:
- staff searching for, locating and retrieving the requested information, and deciding which personal information is relevant to the request,
- staff reproducing and sending the personal information, and
- the postage or materials involved in giving access.
We will advise you of the likely amount of the charge when you make the request.
We will discuss options with you for changing your request to minimise any charges.
When requesting your personal information contained within a Commonwealth Record, we will not charge for providing you access.
If we withhold access in accordance with the Privacy Act, we will give you written reasons.
Updating and correcting your personal information
It is important for your information to be accurate, complete and up-to-date for us to perform our services.
We will endeavour to ask you, during the course of our relationship with you, to tell us of any changes to your personal information.
You have a right to request the correction of your personal information by writing to our Privacy Officer.
We will take all reasonable steps to correct personal information when the inaccuracy is identified by CVGT or when an individual requests CVGT to correct or update their information. If we correct the information, all relevant stakeholders will be advised. If we refuse to correct your information, we will provide you a notice outlining the reasons why we have not made the correction requested and available complaint mechanisms.
How to make a privacy complaint
If you are not satisfied with how we have collected, held, used, or disclosed your personal information, you can make a formal complaint to our Privacy Officer.
Your complaint should include:
- A short description of your privacy concern,
- Any action or dealings you have had with staff of CVGT to address your concern; and
- Your preferred contact details so we can contact you about your complaint.
We will respond to your complaint within 30 days of receiving your written complaint.
If we do not resolve your privacy complaint to your satisfaction, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
The OAIC can receive privacy complaints through:
- the online Privacy Complaint form (refer to the OAIC’s website),
- by email (email that is not encrypted can be copied or tracked) at [email protected],
- by mail (if you have concerns about postal security, consider sending your complaint by registered mail) to:
  Office of the Australian Information Commissioner
  Sydney Offices
  GPO Box 5218
  Sydney NSW 2001
- by fax at +61 2 9284 9666
How to contact our Privacy Officer
Contact CVGT’s Privacy Officer if you want to:
- Ask questions about our privacy policy, or if you need a copy of this policy in an alternative format,
- Obtain access to or seek correction of your personal information held by CVGT, or
- Make a privacy complaint about CVGT.
Email: [email protected]
Post: The Privacy Officer
CVGT Employment
PO Box 473
Bendigo VIC 3552
Privacy Impact Assessments
A Privacy Impact Assessment Threshold Test (PIATT) will be completed for all new projects to determine if a Privacy Impact Assessment (PIA) is required. Completed PIATTs must be provided to, and approved by, the Privacy Officer prior to progressing the project. See Appendix B – Privacy Impact Assessment Threshold Test.
A PIA identifies how the new or revised project, activity or system can have an impact on an individual’s privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts. The PIA is to be completed by the Privacy Officer, using the Office of the Australian Information Commissioner (OAIC) PIA Tool (Privacy impact assessment tool | OAIC) to conduct the PIA, report findings and respond to recommendations.
Exclusions
The Fair Work Act 2009 (Cth) requires employers to keep certain personal information about employees in their employee record including:
- the employee’s personal and emergency contact details,
- information about terms and conditions of employment,
- wage or salary details,
- leave balances,
- records of work hours,
- records of engagement, resignation or termination of employment,
- information about training, performance and conduct,
- taxation, banking or superannuation details, and
- union, professional or trade association membership information.
Personal information held by an employer, relating to someone’s current or former employment, isn’t subject to the requirements of this policy. The Privacy Act and consequently the Australian Privacy Principles (APPs) do not apply when the employee’s personal information is only used by the employer directly in relation to their employment. Outside of employment purposes the APPs apply.
Relevant Legislation
Archives Act 1983 (Cth)
Crimes Act 1914 (Cth)
Fair Work Act 2009 (Cth)
Privacy Act 1988 (Cth)
Social Security Act 1991 (Cth)
Social Security (Administration) Act 1999 (Cth)
Related Documents
- Appendix A – Collection Notices
- Appendix B – Privacy Impact Assessment Threshold Test
- Policy – Confidentiality
- Procedure – Data Breach Response Procedure
- Procedure – Release of Information Procedure
Breach of policy
A breach of this policy is grounds for disciplinary action, up to and including termination of employment.
Authorisation
This policy was authorised by the Executive Management Team and the Board of Directors on 28 February 2024.
APPENDIX A – Collection Notices
What is a collection notice?
The Privacy Act 1988 (Cth) and Australian Privacy Principle (APP) 5 require CVGT to take reasonable steps to notify individuals of certain matters when collecting personal information.
It is important to include a collection notice to ensure individuals can provide informed consent for the collection, storage, use and/or disclosure of their personal information.
A collection notice should inform individuals about how their personal information will be handled, including:
- the purpose for which CVGT is collecting their personal information
- whether CVGT will pass their information on to third parties
- that further information can be found in CVGT’s privacy policy.
What should a collection notice include?
The content of a collection notice is set out in APP 5.
The privacy notice should address each of the following points:
- who is collecting the information (must identify CVGT, and if applicable the State or Federal Government program)
- why the personal information is being collected
- what the personal information will be used for (this must include all uses of the personal information)
- who the personal information will be accessed by
- who the personal information will be disclosed to
- how the individual can opt out/withdraw consent in future
- the consequences if personal information is not collected
- a contact for further information
- a link to the CVGT Privacy Policy.
When should a collection notice be used?
Collection notices should be included whenever personal information (including sensitive information) is collected by CVGT. This includes collection online and in person (electronic or hardcopy).
The notice must be provided to the individual before, or at the time, that the personal information is collected.
It is a requirement under the Privacy Act 1988 to include a collection notice on communications that are managed on a consent basis, with details about how recipients may opt out.
Example collection notices have been provided for common activities that collect personal information.
Example collection notices
Email/distribution list sign-up
Privacy Collection Notice: The information on this form is being collected by CVGT Employment.
The information is being collected, with your consent, to provide you with regular updates on <<distribution list name>>.
The information will be used by authorised staff for the purpose for which it was collected, and any other purpose which you have expressly consented to.
You can opt out of this mailing list at any time by unsubscribing <<opt-out instructions>>.
If you do not provide all the information that is requested on this form, it may not be possible for us to add your details to the distribution list.
CVGT is committed to protecting personal information provided by you in accordance with the Privacy Act 1988 (Cth) and the information will be protected against unauthorised access and use.
All information collected by CVGT is governed by the CVGT Privacy Policy (hyperlink).
For further information about how CVGT deals with personal information, please refer to CVGT’s Privacy Policy or contact the CVGT Privacy Officer at [email protected]
You may access or request correction of any personal information you have provided to CVGT by contacting [email protected]
Email/distribution list communications
Privacy Collection Notice: You have received this email from CVGT Employment, because you are subscribed to the <<distribution list name>>.
To unsubscribe please <<opt-out instructions>>.
CVGT is committed to protecting personal information provided by you in accordance with the Privacy Act 1988 (Cth) and the information will be protected against unauthorised access and use.
All information collected by CVGT is governed by the CVGT Privacy Policy (hyperlink).
For further information about how CVGT deals with personal information, please refer to CVGT’s Privacy Policy or contact the CVGT Privacy Officer at [email protected]
You may access or request correction of any personal information you have provided to CVGT by contacting [email protected]
APPENDIX B – Privacy Impact Assessment Threshold Test (PIATT)
