We are committed to protecting the privacy of the information that we collect about you during your time with our service.
We are bound by the following legislation and standards that regulate how organisations may collect, use, disclose and store personal information, and how individuals may access, and correct personal information we hold.
- Privacy Act 1988 (Commonwealth)
- Privacy and Data Protection Act 2014 (Victoria)
- Health Records Act 2001 (Victoria)
- Fair Work Act 2009 (Commonwealth)
- Children, Youth and Families Act 2005 (Victoria)
- Family Violence Protection Act 2008 (Victoria)
- Child Wellbeing and Safety Act 2005 (Victoria).
Standards and regulation
- Australian Privacy Principles (APPs)
- Notifiable Data Breaches Scheme 2017
- Information Privacy Principles (IPPs)
- Victorian Protective Data Security Standards 2016
- Health Privacy Principles
- Family Violence Information Sharing Scheme (2017)
- Child Information Sharing Scheme (2017).
Whose personal information do we collect?
We collect personal information from our clients and their families, staff, volunteers, foster and kinship carers, donors, and supporters of Berry Street.
How do we collect your personal information?
We collect personal information several different ways including directly through conversation, through via referral forms and assessments, over email and telephone and from our website. We collect and handle a range of personal information for the purposes of carrying out our delivering services or to carry out activities that support our organisation.
The services Berry Street deliver include:
- residential care
- family violence services
- foster and kinship care
- post-care support services
- family and disability services
- therapeutic services
- schools, education, and training
- specialist homelessness services.
What personal information do we collect?
We will only collect information if it is relevant and reasonably necessary for one of our functions or activities. The information will be collected by lawful and fair means.
We will usually collect personal information directly from you and with your consent. However, we sometimes need to collect information from a third party, such as your carer, trustee, or an authorised representative, or from public sources.
If, as part of our service provision, personal information is given to us in confidence about an individual who is not receiving our service, we will:
- confirm with the person that the information is to remain confidential
- record the information only if it is relevant to the provision of our service or the care of the individual
- take reasonable steps to ensure that the information is accurate and not misleading
- take reasonable steps to record that the information is given in confidence and is to remain confidential.
Collection of sensitive and/or health information
Sometimes we may need to collect sensitive information about you. This might include information about your cultural or ethnic origin, political opinions, association membership, religious beliefs, or gender and sexual orientation.
We may collect health information about you (such as information regarding a person’s disability or ill-mental health) when we have your consent or when we are required or authorised by law to collect such information. For example, Berry Street collects medical history from some clients who are part of specific programs, such as our residential services or foster care programs.
Privacy legislation protects everybody’s information regardless of age. However, the legislation doesn’t identify an exact age at which people can make their own privacy decisions. For consent regarding information privacy to be valid, the person must have capacity to provide consent, including sufficient maturity and understanding of what is being proposed.
In line with Office of the Australian Information Commissioner recommendations, Berry Street will generally assume that any person aged over 15 will have capacity to consent, unless there are known reasons that impact the individual’s capacity.
In order to safeguard young people, the Children, Youth and Families Act (2005) stipulates that providing information about a child to their parents is not required if the child is older than 12 years and does not consent, as it may place the child or others at risk of harm including self-harm.
Similarly, the Child Information Sharing Scheme and Family Violence Information Sharing Scheme explicitly recognise that a child’s safety and wellbeing, and family violence victim survivor safety take precedence over any individual’s privacy. Therefore, consent to collect or disclose personal information is not required under the following circumstances:
- when assessing or managing the risk of family violence to a child
- to promote the wellbeing and safety of a child
- when information relates to a perpetrator of family violence - for assessing or managing family violence risk
- when information relates to an alleged perpetrator - for assessing family violence risk.
We will provide information about our consent process at the commencement of services and ensure that you are consulted regarding the use of your personal information.
Use and disclosure
We will normally use or disclose personal information only for the purposes that it was given to us, and for purposes that are related to one of our services or activities.
However, we may disclose personal information to external organisations including:
- government departments or agencies who provide funding for our services
- contractors who manage some of the services that we offer – we take steps to ensure that these contractors comply with the privacy legislation when they handle your personal information and ensure they are authorised to use it
- other information sharing entities prescribed under the Child Information Sharing Scheme – for the purposes of sharing information to protect the safety and wellbeing of children
- other risk assessment entities prescribed under the Family Violence Information Sharing Scheme – for sharing information to assess the risk of family violence
- other information sharing entities prescribed under the Family Violence Information Sharing Scheme – for managing the risk of family violence once risk has been established
- doctors and health care professionals who assist us to deliver our services
- other regulatory bodies
- referees or former employers of Berry Street employees and volunteers, and candidates for Berry Street employee and volunteer positions
- our professional advisors, including our accountants, auditors and lawyers.
Except as set out above, we will not disclose your personal information to a third party unless one of the following applies:
- you (or the individual for whom you are the representative) have consented
- we believe you would reasonably expect us to use or disclose the information for another reason related to the purpose for which it was collected (or in the case of sensitive information, directly related to the purpose for which it was collected)
- we are required to do so by law
- it will prevent or lessen a serious threat to somebody’s life, health or safety or to public health or safety
- it is necessary to provide a public health service
- it is necessary for the management, funding or monitoring of a health service relevant to public health or safety
- it is reasonably necessary for the enforcement of a law conducted by an enforcement body
- it is reasonably necessary to assist in locating a missing person
- it is reasonably necessary to the conduct of proceedings before a court or tribunal, or for a confidential dispute resolution process.
Marketing and communications
We may share information that we have received through our marketing activities to trusted third parties such as our mailing house and our bank. We may collect, use and disclose this information for purposes to process and record donations, provide receipts, contact you about our activities, and to provide you with our newsletters, reports, invitations and requests for support. We may contact you using several different mediums for example by phone, mail, email, social media or text message.
We may occasionally collaborate with other charitable organisations on mailings with information that we believe may be of interest to you. These organisations usually allow us to do the same, and by collaborating like this, we expand the number of people we can help.
You will be offered the opportunity to ‘opt out’ if you do not wish to receive this information. You can also contact us on 1800 237 797 if you prefer not to receive future communication from us.
This allows us to:
- remember your details and preferences when you return
- maintain the continuity of your browsing session
- use Google Analytics to collect information such as demographics and interests, visits to our websites, length of visit and pages viewed
- tailor our advertising through networks on other websites.
You can set your browser to notify you when you receive a Cookie and this will provide you with an opportunity to either accept or reject it in each instance. Please note that if you do this, it may affect some of the functions on our website.
We take great care to protect your personal information on our website and whenever you communicate with us. Once we receive your personal information, we take reasonable steps to protect its security.
Quality of the information that we hold
We take reasonable steps to ensure that the personal information that we collect, use or disclose is relevant, accurate, complete and up to date. If at any time you wish to update your personal information, you can do so by contacting our Privacy Office (details below).
Security of the information that we hold
We take reasonable steps to protect the personal information that we hold from misuse, loss, interference and from unauthorised access, modification and disclosure.
These measures include password protection for accessing our electronic IT systems, securing paper files in locked cabinets and physical access restrictions. Our systems are regularly audited to ensure that only authorised personnel are permitted to access these details.
We will notify any affected individual in the event that a data breach will likely result in serious harm.
Retention and disposal of information
We only keep personal information for as long as it is required by law. Information that is retained will be archived in such a way that facilitates easy retrieval yet does not compromise security.
If and when personal information is no longer required, it is destroyed in a secure manner.
Access and correction of information that we hold
If you request access to the personal information we hold about you, or request that we change that personal information, we will allow access or make the changes to your personal information unless we consider there is a sound reason under the relevant legislation to withhold the information or not to make the changes.
Requests for access should be made to the Privacy Office (details below). For security reasons, you will be required to put your request in writing and provide proof of identity. This is necessary to ensure that personal information is only provided to the correct individuals and the privacy of others is not undermined.
We will take all reasonable steps to provide access or the requested information within 14 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take reasonable steps to provide access to the requested information within 30 days.
In general, access will be denied where:
- the request does not relate to the personal information of the person making the request
- providing access would pose a serious threat to the life, health or safety of the person making the request
- providing the information would have an unreasonable impact on the privacy of other individuals
- the request for access is frivolous or vexatious
- the information relates to existing or anticipated legal proceedings
- providing access would prejudice negotiations with the individual making the request
- providing access would be unlawful
- denying access is required or authorised by law
- providing access would be likely to prejudice law enforcement activities
- an action relating to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of Berry Street
- access discloses a commercially sensitive decision making process or information
- any other reason that is provided for under relevant legislation.
Where an individual is given access to personal information and establishes that the information is not accurate, complete or up to date, we will take reasonable steps to correct the information accordingly. If the individual and Berry Street disagree about the content of the information, the individual may request that we add a statement claiming that the information is not accurate, complete or up to date. We will take all reasonable steps to do this.
If we refuse to provide access or make changes, we will provide reasons for doing so to the individual.
Upon request for access to or correction of personal information we will:
- provide access or reasons for denial of access
- correct the personal information or provide reasons for refusal to correct personal information
- provide reasons for the delay in responding as soon as practicable but no later than 30 days after receiving the request.
Where there is a dispute about your right of access to information or forms of access, this will be dealt with in accordance with the complaints procedure set out below.
If you have provided us with personal and sensitive information, or we have collected and hold this information, you have a right to make a complaint and have it investigated and dealt with under our complaints procedure.
If you have a complaint about our privacy practices or our handling of your personal and sensitive information, please contact your past or current worker or our Privacy Office (details below).
We will not normally adopt as our own, an identifier of an individual that has been assigned by other organisations. We will not disclose an identifier assigned to an individual unless the disclosure is permitted under the privacy legislation.
Where lawful and practicable, we will take all reasonable steps to comply with a request to access our services on an anonymous basis or using a pseudonym. However, our ability to do so may depend on the requirements of the program and we may not be able to deliver the services requested.
Transborder data flows
If we are otherwise required to send information overseas (e.g., data hosting) we will take necessary measures to protect your personal information. We will ensure that either the destination country has similar protections in relation to privacy, de-identify your information or enter into contractual arrangements with the recipient that safeguards your privacy.
We reserve the right to review, amend and update this policy to ensure alignment with new legislation, standards and regulation. This policy was last reviewed and updated in May 2023.
How to contact us
For information about privacy generally, or if your concerns are not resolved to your satisfaction, you can contact: