To our valued clients, donors and partners
On Sunday 17th October 2021, Berry Street experienced a Ransomware attack, encrypting the folders housed on our servers.
Berry Street immediately contacted the Australian Cyber Security Centre and relevant Government Departments and engaged cyber-security specialists to investigate and assess the incident.
We do not believe any personal information has been lost, copied or stolen. Berry Street has been successful in fully restoring all folders and files impacted by the attack.
We want to assure our clients, staff, volunteers, corporate partners, and donors that we have taken extensive steps to ensure the security of their private information, and we have implemented further technology security measures to reduce the risk of such an event occurring again.
There are no immediate recommendations or necessary steps for Berry Street stakeholders, other than ongoing cyber security recommendations to remain alert to unusual communications.
If you have any concerns or questions regarding the Ransomware attack, I encourage you to reach out to your key contact at Berry Street, or to the Berry Street Privacy Office: firstname.lastname@example.org
We are committed to protecting the privacy of the information that we collect about you during your time with our service.
We are bound by the following legislation and standards that regulate how organisations may collect, use, disclose and store personal information, and how individuals may access and correct personal information held about them.
- Privacy Act 1988 (Commonwealth)
- Privacy and Data Protection Act 2014 (Victoria)
- Health Records Act 2001 (Victoria)
- Family Violence Protection Act 2008 (Victoria)
- Child Wellbeing and Safety Act 2005 (Victoria)
Standards and regulation
- Australian Privacy Principles (APPs)
- Notifiable Data Breaches Scheme 2017
- Information Privacy Principles (IPPs)
- Victorian Protective Data Security Standards 2016
- Health Privacy Principles
- Family Violence Information Sharing Scheme (2017)
- Child Information Sharing Scheme (2017)
Whose personal information do we collect?
We collect personal information from our clients and their families, staff, volunteers, foster carers and supporters of Berry Street.
How do we collect your personal information?
We collect personal information in a number of different ways including through forms, over the telephone and from our website. We collect and handle a range of personal information for the purposes of carrying out our services.
The services Berry Street offers include:
- residential care
- family violence services
- foster and kinship care
- family and disability services
- therapeutic services
- schools, education and training
- specialist homelessness services
- alcohol and other drug treatment services.
What personal information do we collect?
We will only collect information if it is relevant and reasonably necessary for one of our functions or activities. The information will be collected by lawful and fair means.
We will usually collect personal information directly from you and with your consent. However, we sometimes need to collect information from a third party, such as your carer, trustee or authorised representative, or from public sources.
If, as part of our service provision, personal information is given to us in confidence about an individual who is not receiving our service, we will:
- confirm with the person that the information is to remain confidential
- record the information only if it is relevant to the provision of our service or the care of the individual
- take reasonable steps to ensure that the information is accurate and not misleading
- take reasonable steps to record that the information is given in confidence and is to remain confidential.
Collection of sensitive information
Sometimes we may need to collect sensitive information about you. This might include information about your health, racial or ethnic origin, political opinions, association membership, religious beliefs, sexual orientation or criminal history.
As part of administering our services, we may collect health information. For example, Berry Street collects medical history from some clients who are part of specific programs, such as our residential services or foster care programs. When collecting health information from you, we will obtain your consent and explain how the information will be used and disclosed.
If we collect health information from a third party, such as your doctor, we will inform you that this information has been collected and will explain how this information will be used and disclosed.
Privacy legislation protects everybody’s information regardless of age. However, the legislation doesn’t identify an exact age at which people can make their own privacy decisions. For consent regarding information privacy to be valid, the person must have capacity to provide consent, including sufficient maturity and understanding of what is being proposed.
In line with Office of the Australian Information Commissioner recommendations, Berry Street will generally assume that any person aged over 15 will have capacity to consent, unless there are known reasons that impact the individual’s capacity.
In order to safeguard young people, the Children, Youth and Families Act (2005) stipulates that providing information about a child to their parents is not required if the child is older than 12 years and does not consent, as it may place the child or others at risk of harm including self-harm.
Similarly, the Child Information Sharing Scheme and Family Violence Information Sharing Scheme explicitly recognise that a child’s safety and wellbeing, and family violence victim survivor safety take precedence over any individual’s privacy. Therefore, consent to collect or disclose personal information is not required under the following circumstances:
- when assessing or managing the risk of family violence to a child
- to promote the wellbeing and safety of a child
- when information relates to a perpetrator of family violence - for assessing or managing family violence risk
- when information relates to an alleged perpetrator - for assessing family violence risk.
We will provide information about our consent process at the commencement of services and ensure that you are consulted regarding the use of your personal information.
Use and disclosure
We will normally use or disclose personal information only for the purposes that it was given to us, and for purposes that are related to one of our services or activities.
However, we may disclose personal information to external organisations including:
- government departments or agencies who provide funding for our services
- contractors who manage some of the services that we offer – we take steps to ensure that these contractors comply with the privacy legislation when they handle your personal information and ensure they are authorised to use it
- other information sharing entities prescribed under the Child Information Sharing Scheme – for the purposes of sharing information to protect the safety and wellbeing of children
- other risk assessment entities prescribed under the Family Violence Information Sharing Scheme – for sharing information to assess the risk of family violence
- other information sharing entities prescribed under the Family Violence Information Sharing Scheme – for managing the risk of family violence once risk has been established
- doctors and health care professionals who assist us to deliver our services
- other regulatory bodies
- referees or former employers of Berry Street employees and volunteers, and candidates for Berry Street employee and volunteer positions
- our professional advisors, including our accountants, auditors and lawyers.
Except as set out above, we will not disclose your personal information to a third party unless one of the following applies:
- you (or the individual for whom you are the representative) have consented
- we believe you would reasonably expect us to use or disclose the information for another reason related to the purpose for which it was collected (or in the case of sensitive information, directly related to the purpose for which it was collected)
- we are required to do so by law
- it will prevent or lessen a serious threat to somebody’s life, health or safety or to public health or safety
- it is necessary to provide a public health service
- it is necessary for the management, funding or monitoring of a health service relevant to public health or safety
- it is reasonably necessary for the enforcement of a law conducted by an enforcement body
- it is reasonably necessary to assist in locating a missing person
- it is reasonably necessary to the conduct of proceedings before a court or tribunal, or for a confidential dispute resolution process.
Marketing and communications
We may share information that we have received through our marketing activities with trusted third parties such as our mailing house and our bank. We may collect, use and disclose this information to process and record donations, provide receipts, contact you about our activities, and provide you with our newsletters, reports, invitations and requests for support. We may contact you using a number of different mediums, for example by phone, mail, email, social media or text message.
We may occasionally collaborate with other charitable organisations on mailings with information that we believe may be of interest to you. These organisations usually allow us to do the same, and by collaborating like this, we expand the number of people we can help.
You will be offered the opportunity to ‘opt out’ if you do not wish to receive this information. You can also contact us on 1800 237 797 if you prefer not to receive future communication from us.
When you access our website or connect with us through social media, we or our third party service providers may use ‘Cookies’. These small data files placed on your device do not identify individuals personally but do identify devices. We may also use software such as JavaScript, or similar technology.
This allows us to:
- remember your details and preferences when you return
- maintain the continuity of your browsing session
- use Google Analytics to collect information such as demographics and interests, visits to our websites, length of visit and pages viewed
- tailor our advertising through networks on other websites.
You can set your browser to notify you when you receive a Cookie and this will provide you with an opportunity to either accept or reject it in each instance. Please note that if you do this, it may affect some of the functions on our website.
We take great care to protect your personal information on our website and whenever you communicate with us. Once we receive your personal information, we take reasonable steps to protect its security.
Quality of the information that we hold
We take reasonable steps to ensure that the personal information that we collect, use or disclose is relevant, accurate, complete and up to date. If at any time you wish to update your personal information, you can do so by contacting our Privacy Officer (details below).
Security of the information that we hold
We take reasonable steps to protect the personal information that we hold from misuse, loss, interference and from unauthorised access, modification and disclosure.
These measures include password protection for accessing our electronic IT systems, securing paper files in locked cabinets and physical access restrictions. Our systems are regularly audited to ensure that only authorised personnel are permitted to access these details.
We will notify any affected individual in the event that a data breach will likely result in serious harm.
Retention and disposal of information
We only keep personal information for as long as is required. Information that is retained will be archived in such a way that facilitates easy retrieval yet does not compromise security.
When personal information is no longer required it is destroyed in a secure manner.
Access and correction of information that we hold
If you request access to the personal information we hold about you, or request that we change that personal information, we will allow access or make the changes to your personal information unless we consider there is a sound reason under the privacy legislation to withhold the information or not to make the changes.
Requests for access should be made to the Privacy Officer (details below). For security reasons, you will be required to put your request in writing and provide proof of identity. This is necessary to ensure that personal information is only provided to the correct individuals and the privacy of others is not undermined.
We will take all reasonable steps to provide access or the requested information within 14 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take reasonable steps to provide access to the requested information within 30 days.
In general, access will be denied where:
- the request does not relate to the personal information of the person making the request
- providing access would pose a serious threat to the life, health or safety of the person making the request
- providing the information would have an unreasonable impact on the privacy of other individuals
- the request for access is frivolous or vexatious
- the information relates to existing or anticipated legal proceedings
- providing access would prejudice negotiations with the individual making the request
- providing access would be unlawful
- denying access is required or authorised by law
- providing access would be likely to prejudice:
  - law enforcement activities
  - an action relating to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of Berry Street
- access discloses a commercially sensitive decision making process or information
- any other reason that is provided for under the privacy legislation.
Where an individual is given access to personal information and establishes that the information is not accurate, complete or up to date, we will take reasonable steps to correct the information accordingly. If the individual and Berry Street disagree about the content of the information, the individual may request that we add a statement claiming that the information is not accurate, complete or up to date. We will take all reasonable steps to do this.
If we refuse to provide access or make changes, we will provide reasons for doing so to the individual.
Upon request for access to or correction of personal information we will:
- provide access or reasons for denial of access
- correct the personal information or provide reasons for refusal to correct personal information
- provide reasons for the delay in responding as soon as practicable but no later than 30 days after receiving the request.
If we deny access to information, we will set out our reasons. Where there is a dispute about your right of access to information or forms of access, this will be dealt with in accordance with the complaints procedure set out below.
If you have provided us with personal and sensitive information, or we have collected and hold this information, you have a right to make a complaint and have it investigated and dealt with under this complaints procedure.
If you have a complaint about our privacy practices or our handling of your personal and sensitive information, please contact your past or current worker or our Privacy Officer (details below).
We will not normally adopt as our own, an identifier of an individual that has been assigned by other organisations. We will not disclose an identifier assigned to an individual unless the disclosure is permitted under the privacy legislation.
Where lawful and practicable, we will take all reasonable steps to comply with a request to access our services on an anonymous basis or using a pseudonym. However, we may not be able to deliver the services in question if you do not provide us with the personal information requested.
Transborder data flows
If we are otherwise required to send information overseas, we will take measures to protect your personal information. We will ensure that either the destination country has similar protections in relation to privacy or that we enter into contractual arrangements with the recipient of your personal information that safeguard your privacy.
We reserve the right to review, amend and update this policy to ensure alignment with new legislation, standards and regulation. This policy was last reviewed and updated in September 2020.
How to contact us
For information about privacy generally, or if your concerns are not resolved to your satisfaction, you can contact: